This section describes what to do in the following situations:
A client (user) cannot be authenticated by the CIMOM on the WBEM server
A role cannot be assumed
An ACCESS_DENIED error occurs
If a client cannot be successfully authenticated by the CIMOM on the WBEM server, the WBEM server returns a CIM security exception. This exception is returned when the server attempts to establish the CIM client handle in the client application. The exception contains an error code that indicates why the authentication attempt failed.
If the WBEM server cannot verify the user's identity and credential because the user's identity is invalid, the WBEM server returns a CIM security exception that includes the NO_SUCH_PRINCIPAL error. If the WBEM server cannot verify the user's identity and credential because the password is invalid for that user's identity, the CIM security exception includes the INVALID_CREDENTIAL error.
If the WBEM server cannot verify the Solaris OS role identity, the WBEM server returns a CIM security exception that includes the NO_SUCH_ROLE error.
If the role password is invalid for the specified role identity, the WBEM server returns the INVALID_CREDENTIAL error in the CIM security exception.
If both the role identity and role password are valid but the user is not allowed to assume the role, the WBEM server returns the CANNOT_ASSUME_ROLE error in the CIM security exception.
These CIM security exceptions are described in more detail in the following table.
The WBEM server can return other error indications in the CIM security exception. However, these indications typically identify a system failure in the authentication exchange. The WBEM client configuration might not be compatible with the WBEM server configuration for the security options in the authentication exchange.
If these error indications occur, check the client application CLASSPATH setting to ensure that sunwbem.jar and the extension directory are in the CLASSPATH.
If a client is not authorized to access or modify the data associated with a request to the WBEM server, that server returns a CIM security exception. This exception includes the ACCESS_DENIED error.
The ACCESS_DENIED error indicates that a request could not be completed because the user or role does not have access to the data managed by that request.
Check the security messages in the WBEM log for the failed request. For information about viewing log data, see Viewing Log Data Through Log Viewer. Authorization failure messages in the WBEM log specify Access denied in the Summary column. The User column lists the name of the authenticated user or the role name that was used in the check. The Source column lists the name of the provider that is making the check. Note that the provider name that is listed in this column is not the class of the provider implementation, but a user-friendly provider name.
The detailed message contains the name of the permission that was being checked, and that permission has not been granted to the user or role.
If the permission appears as namespace:right, the authorization check was using a name space ACL. The authenticated user has not been granted that permission (read or write) for that name space.
Use Sun WBEM User Manager (wbemadmin) to grant the user the appropriate permission. Sun WBEM User Manager is described in Using Sun WBEM User Manager to Set Access Control.
If the permission appears as solaris.application.right, the authorization check was using an RBAC authorization.
Use the Administrative Role tool in the Solaris Management Console User tool collection to grant the rights that you want to the user or role. This procedure is described in How to Change the Properties of a Role in System Administration Guide: Security Services.
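The triage steps in this section can be written as a small helper. The following Python sketch is an added example, not code from the Solaris WBEM SDK: it maps the error names above to their causes and classifies the permission name from an Access denied log message as a name space ACL or an RBAC authorization. The function names, the record layout, and the sample users, name space, and permission values are constructed assumptions.

```python
# Added example: triage of CIM security exception error names as described above.
# Function names, record layout and sample values are constructed assumptions.
AUTH_ERRORS = {
    "NO_SUCH_PRINCIPAL": "user identity is invalid",
    "INVALID_CREDENTIAL": "password is invalid for the user or role identity",
    "NO_SUCH_ROLE": "Solaris OS role identity could not be verified",
    "CANNOT_ASSUME_ROLE": "role and password are valid, but the user may not assume the role",
}

def classify_permission(permission):
    """Return (mechanism, detail) for a permission name from an Access denied message."""
    perm = permission.strip()
    if perm.startswith("solaris."):
        # solaris.application.right form: the check used an RBAC authorization
        return ("rbac", perm)
    namespace, sep, right = perm.rpartition(":")
    if sep and namespace and right.lower() in ("read", "write"):
        # namespace:right form: the check used a name space ACL
        return ("namespace_acl", (namespace, right.lower()))
    return ("unknown", perm)

def triage(error, permission=None, user=None):
    """Map one failed request to the cause and the fix this section describes."""
    if error in AUTH_ERRORS:
        return f"authentication: {AUTH_ERRORS[error]}"
    if error != "ACCESS_DENIED":
        return "other: check that sunwbem.jar and the extension directory are in CLASSPATH"
    if permission is None:
        return "authorization: find the permission name in the WBEM log detailed message"
    kind, detail = classify_permission(permission)
    if kind == "namespace_acl":
        ns, right = detail
        return f"authorization: grant {user} {right} on name space {ns} with wbemadmin"
    if kind == "rbac":
        return f"authorization: grant {detail} to {user} with the Administrative Role tool"
    return f"authorization: unrecognized permission format {detail!r}"

# Constructed sample records: (error, permission, user)
SAMPLES = [
    ("ACCESS_DENIED", "root\\cimv2:write", "alice"),
    ("ACCESS_DENIED", "solaris.admin.usermgr.read", "opsrole"),
    ("NO_SUCH_ROLE", None, "bob"),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", triage(*rec))
```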