Troubleshooting: Missing policy for new controller command
A controller command was added without an accompanying access control policy.
Problem: A controller command was added without an accompanying access control policy.
Indication: An application error is displayed. In the trace.log file the Execute action will match several policies, but no resource groups will match.
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute;
Resource=com.ibm.commerce.scheduler.commands.ListRegistryCmdImpl;
Owner=-2001; Resource Ancestor Orgs=-2001,-2001; Resource Applicable Orgs=-2001
PolicyManagerImpl.isAllowed Found
PolicyName: BuyerAdministratorsExecuteBuyersAdministratorsCommands;
PolicyType: 2; PolicyOwner: -2001
PolicyManagerImpl.getPolicyApplicableOrgs Policy Applicable Orgs=-2001
PolicyManagerImpl.evaluatePolicy Evaluating PolicyName:
BuyerAdministratorsExecuteBuyersAdministratorsCommands
PolicyManagerImpl.evaluatePolicy ResourceGroup does not match
...
PolicyManagerImpl.isAllowed PASSED? =false
Solution:
- Create a policy for controller command. Refer to Adding a new controller command using existing policies for an example.
- Load the policy using the acpload utility.
- Update the Registry.