
SECJ0129E: Authorization failed for user once logging in with any user - via LDAP SSO

Shirley Jhirad (514150) | asked Feb 22 '16, 3:34 a.m.
I have installed CLM 6.0.1 (+iFix 001) with WAS and SSO connection via LDAP users.

I have made sure the relevant users are part of the relevant Jazz groups, and I also see them within CLM and can see their group assignments.

But once the users try to log in they receive an error message:

"Permission Denied

Your account does not have the group memberships required to access the requested resource."

Now in WAS, when I test the connection to LDAP, I see that the connection is successful and all LDAP settings are correct.

Checking the SystemOut log, I see the following error message:

"SECJ0129E: Authorization failed for user <user_name> while invoking GET on default_host:/jts/secure/authenticated/identity, Authorization failed, Not granted any of the required roles: JazzUsers JazzAdmins JazzGuests JazzProjectAdmins "

What can be the problem?

Hope someone can help

3 answers

Ralph Schoon (62.9k33645) | answered Feb 22 '16, 5:34 a.m.

In your setup LDAP, /jts/customSetup#/steps/6 note the second sub step provides information and links. Follow the link and follow the description there to test and verify your LDAP settings and parameters. I am pretty sure there is an issue with your LDAP setup.

Follow the link below:

Step 2: Configure Jazz Team Server to use an LDAP server to act as my user registry
Once you have configured your application server and LDAP server as described in the server setup guide, complete this form to configure the Jazz Team Server to use your LDAP server for user and group information.
For additional reference and help browsing your directory, see the topic How to verify LDAP parameters for Jazz Team server configuration.

Kot T. (1.5k11219) | answered Feb 22 '16, 3:56 p.m.
Did you get Permission Denied when accessing all, /jts/admin, /ccm/web, /ccm/admin? If this is specific to certain applications and/or certain pages (/web versus /admin), I would suspect that the user/group mapping in WebSphere may need to be re-done. Note that you do not need to bring WebSphere down to remap the group for each application. (refer to step 9 in

Donald Nong commented Feb 22 '16, 10:49 p.m.

The application will be restarted when the security setting is changed, and all associated user sessions will be terminated - users will get prompted to re-login. Just to be aware.

Donald Nong (14.5k414) | answered Feb 22 '16, 10:47 p.m.
Note that SSO only deals with authentication, not authorization (Java security role mapping). A simple way to verify the authorization is to access the URL https://<host>:<port>/<app>/authenticated/identity (replacing <app> with jts, ccm, qm and rm) after logging in in the normal way. You should get a JSON presentation of the currently logged-in user ID and the associated roles (JazzAdmins, etc.). If you see a different result for any particular application, you need to double-check the Java security role mapping for that application.
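The per-application comparison suggested in the answer above, as an added example that is not part of the original thread or of the Jazz product: it parses the SECJ0129E line from the question to recover the user, application and required roles, then compares the role set each application's /authenticated/identity response grants against the reference application (jts). The identity JSON field names "userId" and "roles" are assumptions, as is the sample data.

```python
"""Cross-check Jazz security role mappings from /authenticated/identity output.

Assumes (hypothetically) each identity response is a JSON object with
"userId" and "roles" keys; the real field names may differ.
"""
import json
import re

# Roles named in the SECJ0129E message; holding any one of them grants access.
REQUIRED_ROLES = {"JazzUsers", "JazzAdmins", "JazzGuests", "JazzProjectAdmins"}

SECJ0129E_RE = re.compile(
    r"SECJ0129E: Authorization failed for user (?P<user>\S+) while invoking "
    r"\w+ on default_host:(?P<path>\S+).*?"
    r"Not granted any of the required roles: (?P<roles>[\w ]+)"
)


def parse_secj0129e(line):
    """Return (user, app, required-role set) from a SECJ0129E log line, or None."""
    m = SECJ0129E_RE.search(line)
    if not m:
        return None
    app = m.group("path").strip("/").split("/")[0]  # "/jts/secure/..." -> "jts"
    return m.group("user"), app, set(m.group("roles").split())


def roles_from_identity(raw_json):
    """Extract the granted role set from one identity response (assumed "roles" key)."""
    return set(json.loads(raw_json).get("roles", []))


def check_role_mappings(identity_by_app, reference_app="jts"):
    """Return only the apps whose granted roles differ from the reference app's
    or that lack every required role (the condition behind Permission Denied)."""
    reference = roles_from_identity(identity_by_app[reference_app])
    problems = {}
    for app, raw in identity_by_app.items():
        granted = roles_from_identity(raw)
        missing = reference - granted
        no_required = not (granted & REQUIRED_ROLES)
        if missing or no_required:
            problems[app] = {"granted": granted, "missing_vs_reference": missing,
                             "no_required_role": no_required}
    return problems


# Constructed sample: jts and qm are mapped correctly, ccm lost its JazzUsers
# mapping, and rm has no Jazz role mapped at all.
SAMPLE = {
    "jts": '{"userId": "jdoe", "roles": ["JazzUsers", "JazzProjectAdmins"]}',
    "ccm": '{"userId": "jdoe", "roles": ["JazzProjectAdmins"]}',
    "qm": '{"userId": "jdoe", "roles": ["JazzUsers", "JazzProjectAdmins"]}',
    "rm": '{"userId": "jdoe", "roles": []}',
}

if __name__ == "__main__":
    for app, info in sorted(check_role_mappings(SAMPLE).items()):
        print(app, info)
```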
