
Permission Error For User When Executing Actions Through REST API (Doc ID 2521884.1)

Last updated on FEBRUARY 21, 2020

Applies to:

Identity Manager - Version 12.2.1.3.180713 and later
Information in this document applies to any platform.

Symptoms

With a large number of organizations and many users assigned to them, running role-membership addition and removal operations through the REST API in a loop intermittently fails with an error stating that the logged-in user does not have permission to perform the operation on one of the roles. The following error stack was captured:

####<Jan 16, 2019 11:16:59,875 PM IST> <Info> <EJB> <HOSTNAME>
<SERVERNAME> <[ACTIVE] ExecuteThread: TID for queue:
'weblogic.kernel.Default (self-tuning)'> <USERNAME> <>
<ECID> <NUMBER>
<[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] >
<BEA-010227> <EJB exception occurred during invocation from home or business:
oracle.iam.identity.rolemgmt.api.RoleManager_b1p7rx_Intf generated exception:
oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The
logged-in user USER_KEY1 does not have deleteRoleMemberships permission on Role
tesrole1 entity.:USER_KEY1:deleteRoleMemberships:Role:tesrole1 >

 

On re-running the request, it completes successfully.

Steps that show the issue:

------------------------------------

1. Create the following set of entities on OIM 12c:

a.) 7-8 users, and assign them the UserViewer Admin capability.

b.) 2000+ organizations under Top or any other custom organization.

c.) A new custom role (tesrole1 in the steps and log below).

d.) A sub-admin role, and assign it the Org Administrator, Role Administrator and UserViewer Admin roles.

2. Assign all users from step 1.a to the custom organization and set "inheritance" to True.

3. Set up auto-approval workflows for the Role Modify and Assign Role operations.

4. Assign one user from step 1.a to role "tesrole1" as a direct assignment. Verify from the USG table that the membership row for the corresponding UGP_KEY is correct.

5. Set up a test suite in Postman or SoapUI that performs the following two operations:

a.) Request Role Membership for one of the users from step 1.a, authenticating as the user from step 4.

b.) Remove Role Membership for that user, authenticating as the sub-admin user.

6. Run this test for 10 or more iterations with a delay of 5 seconds between steps 5.a and 5.b.

7. Observe the error messages shown above in the oim_server1.log file.

The error appears after the first 3-4 iterations and then intermittently, in roughly 1 out of 5 runs.
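A scanner for the oim_server1.log records from step 7, added here as an example that is not from the article or from Oracle. It rejoins WebLogic records that were wrapped across lines, pulls the user key, permission, entity type and entity name out of the structured suffix of the IAM-3054101 message, and counts denials per (user, permission, entity) so that an intermittent denial of an otherwise-granted permission stands out from a consistently missing one. The sample log embedded in it is constructed from the stack trace above, not a real capture.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the stack trace in the article; not a real
# capture. Records 1 and 3 carry the IAM-3054101 denial (record 3 wrapped
# across lines the way the article shows it); record 2 is unrelated noise.
SAMPLE_LOG = """\
####<Jan 16, 2019 11:16:49,120 PM IST> <Info> <EJB> <HOSTNAME> <SERVERNAME> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <USERNAME> <> <ECID> <1547659609120> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-010227> <EJB exception occurred during invocation from home or business: oracle.iam.identity.rolemgmt.api.RoleManager_b1p7rx_Intf generated exception: oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user USER_KEY1 does not have deleteRoleMemberships permission on Role tesrole1 entity.:USER_KEY1:deleteRoleMemberships:Role:tesrole1 >
####<Jan 16, 2019 11:16:54,300 PM IST> <Info> <EJB> <HOSTNAME> <SERVERNAME> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <USERNAME> <> <ECID> <1547659614300> <[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <unrelated informational message >
####<Jan 16, 2019 11:16:59,875 PM IST> <Info> <EJB> <HOSTNAME>
<SERVERNAME> <[ACTIVE] ExecuteThread: '3' for queue:
'weblogic.kernel.Default (self-tuning)'> <USERNAME> <>
<ECID> <1547659619875>
<[severity-value: 64] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] >
<BEA-010227> <EJB exception occurred during invocation from home or business:
oracle.iam.identity.rolemgmt.api.RoleManager_b1p7rx_Intf generated exception:
oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The
logged-in user USER_KEY1 does not have deleteRoleMemberships permission on Role
tesrole1 entity.:USER_KEY1:deleteRoleMemberships:Role:tesrole1 >
"""

RECORD_START = "####<"
TIMESTAMP_RE = re.compile(r"^####<([^>]+)>")
# The IAM-3054101 message ends in a structured suffix,
# "entity.:<user key>:<permission>:<entity type>:<entity name>",
# which is more reliable to parse than the English sentence before it.
DENIAL_RE = re.compile(
    r"IAM-3054101:.*?entity\.:([^:\s]+):([^:\s]+):([^:\s]+):([^\s>]+)"
)


@dataclass(frozen=True)
class AccessDenied:
    timestamp: str
    user_key: str
    permission: str
    entity_type: str
    entity_name: str


def split_records(text: str) -> List[str]:
    """Rejoin wrapped lines into one string per WebLogic log record."""
    records: List[str] = []
    for line in text.splitlines():
        if line.startswith(RECORD_START) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_access_denied(record: str) -> Optional[AccessDenied]:
    """Return the IAM-3054101 denial carried by a record, or None."""
    match = DENIAL_RE.search(record)
    if not match:
        return None
    stamp = TIMESTAMP_RE.match(record)
    return AccessDenied(
        timestamp=stamp.group(1) if stamp else "",
        user_key=match.group(1),
        permission=match.group(2),
        entity_type=match.group(3),
        entity_name=match.group(4),
    )


def scan_log(text: str) -> List[AccessDenied]:
    """All IAM-3054101 denials in a log, in file order."""
    found: List[AccessDenied] = []
    for record in split_records(text):
        hit = parse_access_denied(record)
        if hit is not None:
            found.append(hit)
    return found


def summarize(findings: List[AccessDenied]) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials per (user key, permission, entity type, entity name)."""
    return dict(Counter(
        (f.user_key, f.permission, f.entity_type, f.entity_name) for f in findings
    ))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp}: {h.user_key} denied {h.permission} "
              f"on {h.entity_type} {h.entity_name}")
    print(summarize(hits))
```

Run it against a real oim_server1.log by passing the file contents to scan_log; a user/permission/role triple that is denied only a few times across many iterations, while the same call succeeds on re-run, is the pattern described in this article rather than a missing admin-role grant.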

Changes

REST / SCIM operation being used:

Submit Role Membership Request. The request is raised by USERNAME (usr_key USER_KEY1) for USERNAME2 (usr_key USER_KEY2).

Authorization: Basic

normal user / <pwd>

Content-Type: application/json

POST http://hostname:PORT/iam/governance/selfservice/api/v1/requests

Body:
---------
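The loop from steps 5 and 6 as a script, added here as an example that is not from the article or from Oracle. It posts to the /iam/governance/selfservice/api/v1/requests endpoint shown above with Basic authentication, alternating the membership request (as the requesting user) and the removal (as the sub-admin) with the 5-second delay, and re-runs any denied removal once, since the article notes that a re-run succeeds. The scheme/host/port, both credential pairs and both JSON bodies are the caller's (the article elides the body, so the script does not invent one); the HTTP transport is injectable so the loop can be exercised against a fake server; and treating HTTP 403, or an IAM-3054101 code in the response body, as the denial is an assumption to confirm against your own responses.

```python
import base64
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Endpoint path from the article. Scheme, host and port come from the caller.
REQUESTS_PATH = "/iam/governance/selfservice/api/v1/requests"

# (method, url, headers, body) -> (status, response body). Injectable so the
# loop can be driven against a fake server in a test.
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


@dataclass
class Attempt:
    iteration: int
    step: str                 # "request" (step 5.a) or "remove" (step 5.b)
    status: int
    denied: bool              # authorization failure on this call
    retried_ok: bool = False  # a denied removal succeeded when re-run


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value for HTTP Basic, as the article uses."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: bytes) -> Tuple[int, bytes]:
    """Default transport: a real HTTP call with the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def is_access_denied(status: int, body: bytes) -> bool:
    """Assumption: the denial surfaces as HTTP 403 or as the IAM-3054101 code
    in the response body. The article shows the code only in oim_server1.log."""
    return status == 403 or b"IAM-3054101" in body


def post_request(transport: Transport, base_url: str, user: str, password: str,
                 payload: dict) -> Tuple[int, bytes]:
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Content-Type": "application/json",
    }
    return transport("POST", base_url + REQUESTS_PATH, headers,
                     json.dumps(payload).encode("utf-8"))


def run_loop(transport: Transport, base_url: str,
             requester: Tuple[str, str], subadmin: Tuple[str, str],
             assign_body: dict, remove_body: dict,
             iterations: int = 10, delay_s: float = 5.0,
             sleep: Callable[[float], None] = time.sleep) -> List[Attempt]:
    """Steps 5 and 6: alternate the membership request (as the requester) and
    the removal (as the sub-admin) with a delay between them, recording each
    outcome. A denied removal is re-run once, to separate an intermittent
    denial from a sub-admin that genuinely lacks the admin role."""
    attempts: List[Attempt] = []
    for i in range(1, iterations + 1):
        status, body = post_request(transport, base_url, *requester, assign_body)
        attempts.append(Attempt(i, "request", status, is_access_denied(status, body)))
        sleep(delay_s)

        status, body = post_request(transport, base_url, *subadmin, remove_body)
        attempt = Attempt(i, "remove", status, is_access_denied(status, body))
        if attempt.denied:
            status2, body2 = post_request(transport, base_url, *subadmin, remove_body)
            attempt.retried_ok = status2 < 400 and not is_access_denied(status2, body2)
        attempts.append(attempt)
        sleep(delay_s)
    return attempts


def intermittent_denials(attempts: List[Attempt]) -> List[Attempt]:
    """Denials that cleared on the immediate re-run: the signature described in
    the article, as opposed to a consistently missing permission."""
    return [a for a in attempts if a.denied and a.retried_ok]


if __name__ == "__main__":
    # Placeholder host, credentials and bodies; substitute your own, taking
    # the two JSON bodies from a working Postman/SoapUI call.
    results = run_loop(urllib_transport, "http://oim.example.com:14000",
                       ("normal_user", "pwd"), ("subadmin_user", "pwd"),
                       {"...": "assign body"}, {"...": "remove body"})
    for a in intermittent_denials(results):
        print(f"iteration {a.iteration}: {a.step} denied (HTTP {a.status}), re-run succeeded")
```

Because every outcome is kept, the returned list also shows at which iteration the first denial appeared and how often it recurred, which is the "after 3-4 iterations, then roughly 1 in 5" observation from the Symptoms section expressed as data rather than an impression.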

 

Cause


