IBM Verify

  • 1.  ISIM Request Account through Web Services

    Posted Sat October 05, 2019 10:59 AM
    Hello all,

    We are using ISIM Web Services to create/modify accounts on a particular service using ITIM Admin's session. The flow is working fine and ITIM Admin is able to create/modify accounts successfully on behalf of users.

    Now what we need to do is, allow a user to modify account for himself/herself through our portal from where we are calling ISIM Web Services (just like request account is executed by user using ISIM Self Service portal).

    As part of our testing, when we create Web Services session using ITIM Administrator, the account is modified successfully for a user whereas if we create the session using the user's credentials, we receive the error:


    com.ibm.itim.ws.services.WSApplicationException: CTGIMS009E You do not have the authority to perform this operation.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(Unknown Source)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(Unknown Source)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(Unknown Source)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(Unknown Source)
    at com.sun.proxy.$Proxy36.modifyAccount(Unknown Source)
    at com.highrise.isim.ws.ManageAccount.modifyIsamAccount(ManageAccount.java:307)
    at com.highrise.isim.ws.MyClient2.main(MyClient2.java:125)

    What could be the possible reason as the same user is able to request account using ISIM's default Self Service Console?

    Regards,



    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISIM Request Account through Web Services

    Posted Sun October 06, 2019 02:40 PM
    I would check the console - not ISC (I assume you mean ISC not SSUI when referencing ISIM Selfservice Portal - but this is not clear).
    The problem is ACIs - to find what ACI is missing you can raise the level of authorization in EnroleLogging.properties to DEBUG - be aware that it produces a lot of output and you will need some time to go through the output...
    In general there are subtle but important differences between the console, SSUI and ISC when it comes to processing requests.
    The console is most like the API - so it is the "reference" platform to use - if it works there it will mostly work all the other places although I know some special cases in earlier fixpaks where there are subtle differences.
    ISC works using Access Entitlements - they are not governed by ACIs but provisioning policies - so if a user is not entitled to an Access Entitlement your request will fail. Be aware though that Access enabled Roles follow the ACI logic.
    When doing something in context of an ISIM administrator all ACIs are disregarded (but not policies).
    HTH to find the problem...

    ------------------------------
    Franz Wolfhagen
    ------------------------------



  • 3.  RE: ISIM Request Account through Web Services

    Posted Sun October 06, 2019 03:22 PM
    Hi Franz,

    Thank you for your reply. No, I meant SSUI (/itim/self). The user is able to request account from the SSUI. If we talk about the console (/itim/console), the user is not allowed any permissions and the following error is displayed:
    CTGIMU516E
    You are not authorized to perform any tasks. Contact your system administrator.
    Okay. I think I got the point. You mean that if a user has permissions on the console (/itim/console), the similar permissions will be applicable on all the other places? (ignoring special cases which you talked about). And those permissions will be same for web services as well?

    If my understanding is correct, then as the user currently has no permissions on the console, it means this is the reason the user has no permissions on the web services either. And if I set the user's permissions/ACIs for the console, allowing the user to successfully request the account from the console, then it will most likely solve the problem. Please correct if I am wrong.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 4.  RE: ISIM Request Account through Web Services

    Posted Mon October 07, 2019 04:19 AM
    SSUI is more like Console than ISC - but anyhow it supports the Access Entitlements paradigm also.

    But yes - if a user can do it through the console then there is a good chance it works everywhere :-)

    Be aware - to test you will need to enable views (they are not strictly security things - but they enable your console/SSUI/ISC to show the relevant UIs) for the purpose. The best way to test this is to create a role/isim group that you attach the view and ACIs - then you can easily add people into the role when tested and verified.

    HTH

    ------------------------------
    Franz Wolfhagen
    ------------------------------



  • 5.  RE: ISIM Request Account through Web Services

    Posted Wed October 09, 2019 06:44 AM
    Hi Franz,

    Thank you, just did what you said and was able to request account by the end user through web services. As you suggested, I created the group and attached the ACIs on it. Now, the members of the group are able to request account for themselves through the app which in turn calls the web services. I don't want the user to log in to itim directly so I attached a View which doesn't allow any UI to user. So, the operations are only allowed from the custom portal.

    Thanks a lot for the help. I am really grateful. I have another question for which I am creating another thread as that is a different topic, hope to hear from you on that as well.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------
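The test harness the thread converges on, as an added example that is not the poster's ManageAccount client nor IBM's sample code: it runs modifyAccount under the end user's own session (never the ITIM administrator's, whose session bypasses ACIs and so hides a missing ACI) and reports CTGIMS009E as an authorization gap rather than a client error. The endpoint URL, account DN and attribute are placeholders; the stub class, port-getter and method names are assumed to match what wsimport generates from the ISIM WSDLs and should be checked against your generated classes.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.xml.ws.BindingProvider;
import com.ibm.itim.ws.model.WSAttribute;
import com.ibm.itim.ws.model.WSSession;
import com.ibm.itim.ws.services.WSAccountService;
import com.ibm.itim.ws.services.WSAccountServiceService;
import com.ibm.itim.ws.services.WSApplicationException;
import com.ibm.itim.ws.services.WSSessionService;
import com.ibm.itim.ws.services.WSSessionServiceService;

public class SelfServiceAciCheck {

    // Placeholder: the real value is https://<isim-host>:<port>/itim/services/
    private static final String BASE_URL = "https://isim.example.com:9443/itim/services/";

    /** Points a generated JAX-WS port at our ISIM endpoint (assumed port/service layout). */
    private static <T> T bind(T port, String serviceName) {
        ((BindingProvider) port).getRequestContext().put(
            BindingProvider.ENDPOINT_ADDRESS_PROPERTY, BASE_URL + serviceName);
        return port;
    }

    /**
     * Returns true when the user's OWN session may modify the account, false when ISIM
     * rejects it with CTGIMS009E (no ACI grants the operation), and rethrows any other
     * fault so a transport or data problem is not mistaken for an ACI problem.
     * Declared as throws Exception because the generated fault classes vary by release.
     */
    public static boolean userCanModify(String user, String password, String accountDn,
                                        String attrName, String attrValue) throws Exception {
        WSSessionService sessions = bind(
            new WSSessionServiceService().getWSSessionServicePort(), "WSSessionService");
        WSAccountService accounts = bind(
            new WSAccountServiceService().getWSAccountServicePort(), "WSAccountService");

        WSSession session = sessions.login(user, password);   // the end user, not ITIM Manager
        try {
            WSAttribute change = new WSAttribute();            // one attribute change to apply
            change.setName(attrName);
            change.getValues().add(attrValue);
            List<WSAttribute> changes = new ArrayList<>();
            changes.add(change);
            accounts.modifyAccount(session, accountDn, changes, new Date());
            return true;
        } catch (WSApplicationException e) {
            String msg = e.getMessage();
            if (msg != null && msg.contains("CTGIMS009E")) {
                return false;   // missing ACI for this user/group on this account type
            }
            throw e;
        } finally {
            sessions.logout(session);
        }
    }
}
```

Running this once with the group's view and ACIs attached and once with them removed gives a repeatable check that the group, not admin rights, is what authorizes the portal's calls.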