Agent Stop Responding after Making Access Control / Privilege Change

(Doc ID 1944357.1)

Last updated on SEPTEMBER 21, 2016

Applies to:

Oracle OpenSSO - Version 8.0.2 and later
Information in this document applies to any platform.

Symptoms

Sun legacy opensso 8 U2P3

After running a security scan on their Sun legacy opensso 8 U2P3 machine it was uncovered that the opensso console privilege "Read and write access to all configure Agent" under opensso console location "Access Control/Top Level Realm/Privilege" was enabled for a group and deemed to be a security vulnerability. After removing this privilege however, end user(s) assigned to the group had their attempted sessions fail with "Access denied as agent profile not found in access manager" displayed on their browser. The associated error logged in the opensso server debugs was of type

amIdentityServices:11/01/2014 01:28:17:448 PM EDT: Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
ERROR: IdentityServicesImpl:list
Message:Permission to perform the read operation denied to id=dzqmwb01_crownweb,ou=user,dc=osso_config


Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms