Solaris WBEM Developer's Guide

If an Authorization Check Fails

If a client is not authorized to access or modify the data associated with a request to the WBEM server, that server returns a CIM security exception. This exception includes the ACCESS_DENIED error.

The ACCESS_DENIED error indicates that a request could not be completed because the user or role does not have access to the data managed by that request.

Check the security messages in the WBEM log for the failed request. For information about viewing log data, see Viewing Log Data Through Log Viewer. Authorization failure log messages specify Access denied in the Summary column. The User column lists the name of the authenticated user or the role name that was used in the check. The Source column lists the name of the provider that is making the check. Note that the provider name that is listed in this column is not the class of the provider implementation, but a user-friendly provider name.

The detailed message contains the name of the permission that was being checked, and that permission has not been granted to the user or role.

If the permission appears as namespace:right, the authorization check was using a namespace ACL. The authenticated user has not been granted that permission (read or write) for that namespace.

Use Sun WBEM User Manager (wbemadmin) to grant the user the appropriate permission. Sun WBEM User Manager is described in Using Sun WBEM User Manager to Set Access Control.

If the permission appears as solaris.application.right, the authorization check was using an RBAC authorization.

Use the Administrative Role tool in the Solaris Management Console User tool collection to grant the rights that you want to the user or role. This procedure is described in “Changing Role Properties” in System Administration Guide: Security Services.