
Agent Stop Responding after Making Access Control / Privilege Change (Doc ID 1944357.1)

Last updated on SEPTEMBER 21, 2016

Applies to:

Oracle OpenSSO - Version 8.0.2 and later
Information in this document applies to any platform.


Sun legacy opensso 8 U2P3

A security scan of a Sun legacy OpenSSO 8 U2P3 machine found that the OpenSSO console privilege "Read and write access to all configure Agent", under the console location "Access Control/Top Level Realm/Privilege", was enabled for a group, and this was deemed a security vulnerability. After the privilege was removed, however, sessions attempted by end users assigned to the group failed with "Access denied as agent profile not found in access manager" displayed in their browser. The associated error logged in the OpenSSO server debug logs was of the following type:

amIdentityServices:11/01/2014 01:28:17:448 PM EDT: Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
ERROR: IdentityServicesImpl:list
Message:Permission to perform the read operation denied to id=dzqmwb01_crownweb,ou=user,dc=osso_config
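
As an added example (not part of the Oracle note), the Python below parses debug entries of the form shown above and tallies permission denials per identity, which shows which identities were relying on the removed privilege. The entry layout is inferred from the single excerpt above; the function names and every sample entry after the first are constructed.

```python
import re
from collections import Counter

# Entry header: "<debug file>:<timestamp>: Thread[...]"
HEADER = re.compile(r"^(?P<component>\w+):(?P<ts>\d{2}/\d{2}/\d{4} "
                    r"\d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): Thread\[")
LEVEL = re.compile(r"^ERROR: (?P<source>\S+)")
DENIED = re.compile(r"^Message:Permission to perform the (?P<op>\w+) "
                    r"operation denied to (?P<identity>id=\S+)")

THREAD = ("Thread[[ACTIVE] ExecuteThread: '0' for queue: "
          "'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]")
# First entry is the one quoted in the article; the rest are constructed.
SAMPLE = "\n".join([
    "amIdentityServices:11/01/2014 01:28:17:448 PM EDT: " + THREAD,
    "ERROR: IdentityServicesImpl:list",
    "Message:Permission to perform the read operation denied to "
    "id=dzqmwb01_crownweb,ou=user,dc=osso_config",
    "amIdentityServices:11/01/2014 01:29:03:112 PM EDT: " + THREAD,
    "ERROR: IdentityServicesImpl:list",
    "Message:Permission to perform the read operation denied to "
    "id=example_user,ou=user,dc=osso_config",
    "amIdentityServices:11/01/2014 01:29:04:020 PM EDT: " + THREAD,
    "constructed entry that is not a permission denial",
])

def parse_entries(text):
    """Group lines into entries; a header line starts a new entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"component": m["component"], "ts": m["ts"], "body": []}
            entries.append(current)
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    return entries

def permission_denials(text):
    """One record per entry whose Message line is a permission denial."""
    out = []
    for e in parse_entries(text):
        level = next((m for m in map(LEVEL.match, e["body"]) if m), None)
        denied = next((m for m in map(DENIED.match, e["body"]) if m), None)
        if denied:
            out.append({"ts": e["ts"], "component": e["component"],
                        "source": level["source"] if level else None,
                        "op": denied["op"], "identity": denied["identity"]})
    return out

def denials_by_identity(text):
    """Count denials per (identity, operation) pair."""
    return Counter((d["identity"], d["op"]) for d in permission_denials(text))
```

Running `denials_by_identity` over the server debug output captured before and after a privilege change gives a per-identity list to review before the change is rolled out more widely.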

