Troubleshooting: Policy group subscription
A policy that you expect to grant access appears in the trace, however it is not being applied.
Problem: A policy that you expect to grant access appears in the trace, however it is not being applied.
Indication: An error similar to the following example is logged to the trace.log file.
PolicyManagerImpl.isAllowed isAllowed? User=510; Action=Execute; Protectable= com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl; Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable Orgs=2002 PolicyManagerImpl.isAllowed Found PolicyName: AllUsersExecuteResellerUserCmdResourceGroup ; PolicyType: 3; PolicyOwner: -2001 PolicyManagerImpl.getPolicyApplicableOrgs No organizations subscribe to a policy group with this policy PolicyManagerImpl.isAllowed Policy does not apply to the resource's applicable organizations ... PolicyManagerImpl.isAllowed PASSED? =false
Solution:
- Ensure that the resource owner is subscribing to the correct policy groups. For example, the file:
WC_installdir\xml\policies\xml\defaultAccessControlPolicies.xml
shows that the AllUsersExecuteResellerUserCmdResourceGroup belongs to the B2CPolicyGroup:<PolicyGroup Name="B2CPolicyGroup" OwnerID="RootOrganization"> <PolicyGroupPolicy Name="AllUsersExecuteResellerUserCmdResourceGroup" PolicyOwnerID="RootOrganization" /> <PolicyGroupPolicy Name="AllUsersExecuteResellerUserViews" PolicyOwnerID="RootOrganization"/> </PolicyGroup> - Query the ACPLGPSUBS database table to determine whether there is a correct association between the necessary access control policy groups and the organizational entities. For example, ensure that the current store's organization is associated with B2CPolicyGroup
orgentity_id acpolgrp_id 2002 10001(ManagementAndAdministrationPolicyGroup) 2002 10003 (CommonShoppingPolicyGroup) - Subscribe the organization to the policy group. (In this example, the organization should subscribe to the B2CPolicyGroup).