Disabled User doesn't get Authorized as it was in Policy Server 6

Document ID : KB000008758
Last Modified Date : 14/02/2018

We're running Policy Server, and for a specific URL, the Policy Server never authorizes the User as it should. Previously, Policy Server version 6 authorized this access, and there hasn't been any configuration change for this resource.

Why do we see this behavior change? How can we fix this?


Policy Server 12.52SP1 on RedHat 6 64bit (Policy Server was upgraded from 6.0SP5CR05)

AdminUI 12.52SP1 on RedHat 6 64bit

Web Agent 5QMR7CR00 on Windows 2003SP2

The authorization fails because the User is not found through the authorization mapping: the User is disabled.

The User is not authorized when requesting a GET on the protected resource. 


The Policy Server 12.52SP1 does not find the User in one of the LDAP servers defined for that resource:



The former Policy Server 6.0SP5CR05 had a bug, corrected in 6.0SP5CR25, that allowed access even if the User was disabled.


From smps-6_0_5_35-readme.txt :


80437 The policy server directory mapping feature will no longer authorize a user when the authorization user directory has disabled the user but the authentication user directory has not disabled them.




Enable the User in the User Store used for authorization, so that the Authorization call succeeds through the Authorization Mapping.
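
To list the accounts affected by this behaviour change, the disabled state of each user can be compared across the authentication and authorization directories. The following is an added example, not code from the original document or from the product. It assumes LDIF exports of both directories, a mapping on identical `uid` values, and a hypothetical disabled-flag attribute named `smDisabledFlag`; the sample entries are constructed.

```python
# Constructed LDIF exports. "smDisabledFlag" is a hypothetical name for the
# attribute each user directory is configured to use as its disabled flag.
AUTHN_LDIF = """\
dn: uid=alice,ou=people,dc=authn,dc=example
uid: alice

dn: uid=bob,ou=people,dc=authn,dc=example
uid: bob

dn: uid=carol,ou=people,dc=authn,dc=example
uid: carol
smDisabledFlag: 1
"""
AUTHZ_LDIF = """\
dn: uid=alice,ou=staff,dc=authz,dc=example
uid: alice

dn: uid=bob,ou=staff,dc=authz,dc=example
uid: bob
smDisabledFlag: 1
"""

def parse_ldif(text, key="uid", flag="smDisabledFlag"):
    """Return {user: is_disabled} from a plain (unfolded, non-base64) LDIF."""
    users = {}
    for entry in text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs[name.strip().lower()] = value.strip()
        if key.lower() in attrs:
            # Assumption: absent or "0" means enabled, anything else disabled.
            disabled = attrs.get(flag.lower(), "0") != "0"
            users[attrs[key.lower()].lower()] = disabled
    return users

def denied_by_mapping(authn, authz):
    """Users who can authenticate but fail the authorization directory mapping."""
    findings = {}
    for user, disabled in sorted(authn.items()):
        if disabled:
            continue  # already blocked at authentication
        if user not in authz:
            findings[user] = "not present in authorization directory"
        elif authz[user]:
            findings[user] = "disabled in authorization directory"
    return findings
```

Calling `denied_by_mapping(parse_ldif(AUTHN_LDIF), parse_ldif(AUTHZ_LDIF))` on the sample data reports `bob`, who is enabled for authentication but disabled in the authorization directory.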