Last updated on DECEMBER 05, 2016
Applies to:Enterprise Manager for Fusion Middleware - Version 126.96.36.199.0 and later
Oracle Platform Security for Java - Version 188.8.131.52.0 and later
Information in this document applies to any platform.
In Fusion Middleware 184.108.40.206 environments, when trying to revoke Application Roles from Fusion Middleware Control, also known as Enterprise Manager or EM, the Revoke Role operation fails with an error:
Note that the Role Name may vary depending on your install, and that the principal ID is listed, instead of the user/group name.
This issue is detected in FMW environments that have external users and groups imported from an LDAP server (in the initial occurrence of the issue it was a Tivoli LDAP server):
- Default Policy Store configuration, which is an XML file
- Open LDAP authentication provider was being used for the
- Identity Store is configured with the external LDAP server and OPSS property "Virtualize = true" is correctly configured and with PROPERTY_ATTRIBUTE_MAPPING.
- The problem can be reproduced for roles initially granted with FMW Control ONLY, which means
- For new roles granted/revoked via WLST (with grantAppRole/revokeAppRole), both operations work in WLST
- For new roles granted with WLST (with grantAppRole), FMW Control is able to revoke the Application Role, although the "id" is displayed instead of the user/group name
- For new roles granted with FMW Control, neither FMW Control nor WLST is able to revoke the application role.
- When looking at the log files, you can find error messages:
Some roles were granted via EM that cannot now be revoked, either from EM or from WLST.
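The WLST path referred to in the bullets above, written out as a script that lists the members of an application role, attempts one revoke, and lists the members again so you can see which grants WLST is able to clear. This is an added example, not code from the article or from Oracle; the admin URL, credentials, application stripe, role name and principal name are placeholders you substitute for your own domain, and the principal class shown is the one WebLogic uses for users (groups use weblogic.security.principal.WLSGroupImpl).

```jython
# Added example (not from the Oracle KB article): WLST/Jython script that
# lists the members of an application role, revokes one grant, and lists
# the members again to confirm. Admin URL, credentials, stripe, role and
# principal names are placeholders - replace them for your domain.

ADMIN_URL      = 't3://adminhost.example.com:7001'   # placeholder
ADMIN_USER     = 'weblogic'                          # placeholder
ADMIN_PASSWORD = 'replace-me'                        # placeholder

APP_STRIPE = 'myApp'       # placeholder application stripe
APP_ROLE   = 'myAppRole'   # placeholder application role name

# Principal class for a user grant; use
# weblogic.security.principal.WLSGroupImpl when revoking a group grant.
PRINCIPAL_CLASS = 'weblogic.security.principal.WLSUserImpl'
PRINCIPAL_NAME  = 'jdoe'   # placeholder user name as stored in the grant

def show_members(label):
    # listAppRoleMembers prints each member's principal class and name
    # to the WLST console, so the output is captured in the session log.
    print '--- ' + label + ' ---'
    listAppRoleMembers(appStripe=APP_STRIPE, appRoleName=APP_ROLE)

connect(ADMIN_USER, ADMIN_PASSWORD, ADMIN_URL)
try:
    show_members('members before revoke')
    try:
        revokeAppRole(appStripe=APP_STRIPE, appRoleName=APP_ROLE,
                      principalClass=PRINCIPAL_CLASS,
                      principalName=PRINCIPAL_NAME)
        print 'revokeAppRole succeeded for ' + PRINCIPAL_NAME
    except Exception, e:
        # A failure here is the symptom described above for grants that
        # were originally made through FMW Control.
        print 'revokeAppRole failed for ' + PRINCIPAL_NAME + ': ' + str(e)
    show_members('members after revoke')
finally:
    disconnect()
```

Run it with the WLST launcher shipped with the domain's Oracle home (wlst.sh under oracle_common/common/bin), passing the script path as the argument. Comparing the two member listings is the quickest way to separate grants that WLST can revoke from the ones that only show a principal ID and resist revocation.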