Solaris WBEM Services Administration Guide

If an Authorization Check Fails

If a client is not authorized to access or modify the data associated with a request to the WBEM server, the WBEM server returns a CIM security exception for that request that includes the ACCESS_DENIED error.

The ACCESS_DENIED error indicates that a WBEM request could not be completed because the authenticated user or the role has not been granted the appropriate access to the data being managed by that request.

Check the security messages in the WBEM log for the failed request (viewing log data is described in Viewing Log Data Through Log Viewer). Authorization failure log messages specify Access denied in the Summary column. The User column lists the name of the authenticated user or the role name that was used in the check. The Source column lists the name of the provider that is making the check. Note that the name of the provider that is listed in this column is a user-friendly provider name, not the provider implementation class name.

The detailed message contains the name of the permission that was checked and that has not been granted to the user or role.

If the permission appears as namespace:right, the authorization check was using a namespace ACL. The authenticated user has not been granted that permission (read or write) for that namespace.

Use Sun WBEM User Manager (wbemadmin) to grant the user the appropriate permission. Sun WBEM User Manager is described in Using Sun WBEM User Manager to Set Access Control.

If the permission appears as solaris.application.right, the authorization check was using an RBAC authorization.

Use the Administrative Role tool in the Solaris Management Console User tool collection to grant the rights that you want to the user or role. This procedure is described in “Changing Role Properties” in System Administration Guide: Security Services.
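The triage described above can be scripted once the denial records have been copied out of the log. The following Python sketch is an added example, not part of the original guide or of the Solaris WBEM software. It assumes each record is a dictionary whose Summary, User and Source keys mirror the Log Viewer columns, plus a hypothetical permission key holding the permission string taken from the detailed message; all sample values are constructed.

```python
import re
from collections import defaultdict

ACL_RIGHTS = {"read", "write"}  # rights the guide names for namespace ACLs
# RBAC authorizations have the shape solaris.application.right
RBAC_RE = re.compile(r"solaris(\.[A-Za-z0-9_-]+){2,}")
FIX = {  # remediation tool the guide names for each mechanism
    "namespace_acl": "Sun WBEM User Manager (wbemadmin)",
    "rbac": "SMC Administrative Role tool",
    "unknown": "read the detailed message by hand",
}

def classify_permission(permission):
    """Return (kind, target, right) for a denied permission string."""
    perm = permission.strip()
    # Split on the last colon so a namespace containing ':' stays whole.
    namespace, sep, right = perm.rpartition(":")
    if sep and namespace and right in ACL_RIGHTS:
        return ("namespace_acl", namespace, right)
    if RBAC_RE.fullmatch(perm):
        return ("rbac", perm, perm.rsplit(".", 1)[1])
    return ("unknown", perm, None)

def triage(records):
    """Map each user or role to the denied permissions, grouped by fix."""
    plan = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["Summary"].strip().lower() != "access denied":
            continue  # not an authorization failure
        kind, _, _ = classify_permission(rec["permission"])
        plan[rec["User"]][FIX[kind]].add(rec["permission"].strip())
    return {u: {fix: sorted(p) for fix, p in by_fix.items()}
            for u, by_fix in plan.items()}

# Constructed sample records; names and permission values are made up.
SAMPLE = [
    {"Summary": "Access denied", "User": "alice", "Source": "Example Provider A",
     "permission": r"root\cimv2:write"},
    {"Summary": "Access denied", "User": "opsrole", "Source": "Example Provider B",
     "permission": "solaris.example.app.write"},
    {"Summary": "Access denied", "User": "alice", "Source": "Example Provider A",
     "permission": r"root\cimv2:execute"},
    {"Summary": "Session started", "User": "alice", "Source": "Example Provider A",
     "permission": ""},
]

if __name__ == "__main__":
    for user, by_fix in triage(SAMPLE).items():
        for fix, perms in by_fix.items():
            print(f"{user}: {fix}: {', '.join(perms)}")
```

A permission string that matches neither shape is reported as unknown rather than guessed at, so it is reviewed before any access is granted.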