on 11-13-2012 4:24 PM
Hello community,
I need your help again, another "little" problem just won't go away quietly.
My problem:
It's pretty simple really... when I call http://<host>:<port>/idm/admin in our (prod) portal 7.3, I get the following:
What's not right with this picture is, the status of the IdM applications in the NWA looks like this:
The NWA clearly thinks, the services are running (except for the one that's not needed). I even stopped and started them several times, but the message just won't change (except when I stopped the IDM Data Source, then I got a nice big error).
Some comments:
1. I know that the action idm_monitoring_administration is needed. It's added to a role named idm.monitoring and that role is assigned to my user.
2. My user has also IdM admin rights.
3. We have a test portal with the same release and SP versions, same action-role-user-combo, same status in the NWA and it's working just fine on that system.
My question:
Why is the service down and more important: how do I get it running? Is there another place I need to start something, too? I read the doc Installing and configuring the Identity Management User Interface (page 30 "Access to Monitoring ("Monitoring" tab)" is the thing I'm talking about here) and there is no mention of starting something to use that tab/service.
I just don't know where to look anymore. Help, please.
Hello guys,
so I'm back with more news.
Indeed I found something in the logs:
retrieveGlobalConstants[EXCEPTION]com.sap.idm.jmx.exceptions.IdmException:
No permission to view configuration data at com.sap.idm.jmx.impl.SAP_ITSAM_IDM_Service_ConfigChangeImpl.retrieveGlobalConstants(SAP_ITSAM_IDM_Service_ConfigChangeImpl.java:537)at com.sap.idm.jmx.impl.SAP_ITSAM_IDM_Se...
And another thing, too:
I logged on with the standard "administrator"-account (UME-user) and you won't believe it, that one worked.
Which confuses me even more, because my account has (among others) the superadmin-role and the administrator-role AND is a member of the administrators-group.
So I tested with a simple ume-user, which has just the everyone-role assigned. I gave it the superadmin-role, too and the idm.authenticated and idm.monitoring-role and... that one can call the monitoring-tab, too!
But my LDAP-account with the same rights can't. At least in the prod portal, because in the testsystem it's working. I'm just... -.-
So it IS a problem with the privileges (yay for the misleading message), but I just don't know WHAT is missing. I even compared my privileges from test- and prod-portal and everything I have assigned in the testportal I also have assigned in the prod-system.
Has anybody any ideas left? I don't want to log out from the portal and log in with an UME-account just to be able to see that monitoring tab (and I'm pretty sure my colleague thinks like that, too).
Regards,
Steffi.
EDIT
After a lot of account copying and testing with UME and LDAP accounts it's safe to say: it's something about my account.
Tried with another LDAP account of mine: works
Copied my LDAP account to a UME account: works
Copied my LDAP account to a test LDAP account: works
Obviously it's nothing general, though I don't understand what's causing this chaos. BUT I have a solution/workaround, so there's that at least.
I'll talk to my colleague next week (who has the same problem) and we'll try to kind of re-create our LDAP accounts, since that seems the way to go here.
Thank you all for your help on this.
Regards,
Steffi.
Message was edited by: Steffi Warnecke
Hi,
I'm having the same trouble except that we are not connected to an LDAP but we use the UME database directly. Even my nwa administrator account doesn't get the monitoring tab but just the "Service is down" message. IDM web UI works fine.
You managed to workaround it with new accounts but did you eventually find what was causing the problem?
Regards,
Clotilde
Hi Steffi,
You may have a registration of 1 user in two different places. I.e. user A has a registration in LDAP and the same user A has a registration in UME (database). In my case it was that way.
Now you should remove one of these two user registrations. Either the one in LDAP, or the one in UME (database) and this will solve your case.
Best regards,
Ivan
Hello Clotilde,
could you show which IDM-roles you have attached to the user, that should have access? Maybe something is missing in your case, because I had only problems with 2 users, but not with the access itself (because with other accounts, even completely new ones just created for the test it worked).
Thank you for the new direction, your thoughts and time! I'm really grateful.
I have tried the URL with my normal account just now and now it works! We had the upgrade to 7.31 in between (since I opened and closed this thread), so somehow that may have fixed this issue. But now I'm able to access the url without problems. WOHOO!
Regards,
Steffi.
Hello Everyone.
I know that this post is quite old, but perhaps this information will prove useful to someone.
I have had exactly the same issue and it occurred, that I actually have had too many authorizations.
In my case however, it was not about UME authorizations, but Identity Store authorizations, where I have had following privilege assigned (amongst others):
MX_PRIV:WD:TAB_TRACE
When I removed this priv from my user in Identity Center, suddenly Admin page loaded properly.
I hope that helps someone.
Kind Regards,
Darek.
Hello Steffi,
I fully agree that this is not to be considered as an ultimate solution to the issue, but rather a workaround that worked in my case.
It seems to me, that there is something wrong with the "Trace" functionality in our case, and this tab is what prevents "Admin" panel from opening (ending up with a "Service down" message).
Removing the Trace authorizations enables me to open the admin panel, but investigating the reason why Trace functionality is not working is of course the next step on my to do list.
Kind Regards,
Darek
Hello Clotilde,
I have read Your reply and I have set the MX_TRACE_RT to FALSE (I had it set to TRUE), but it didn't solve the issue. But Your post pointed me to the Trace privilege. Removing it from my user made me able to use the admin panel.
And, as Steffi has noticed, this is actually just a workaround, as it makes me unable to use the Trace functionality from the UI.
Do You see the "Trace" tab in Admin panel after setting the MX_TRACE_RT constant to FALSE?
Kind Regards,
Darek.
Hi Steffi,
It is possible on a production system to have your user in two different places (i.e. UME and Active Directory). If it is so, you should remove one of the registrations and this will resolve your problem.
Best regards,
Ivan
Hello Matt and Ivan,
well, I hope I understand correctly, what you both mean:
It's just one user-account and that one comes from LDAP. We have UME-users, too (created there and only existing in the portal), but with the accounts in this case it's not that way. They are pure LDAP-users, that are connected and used in our portal system.
If I'm searching for my user in the user administration of the portal, I just get one:
So I guess, there is nothing to remove/de-register?
Or I'm completely stupid right now and don't get, what you guys are trying to say. I have more and more the feeling, that's the problem here. Oh boy...
Regards,
Steffi.
I think the point that is being made is, when you installed the portal, you FIRST authenticated via the UME. Then you may have "Added" LDAP authentication, however, you didn't delete the UME repository, you can't. So, what is being asked is, does the admin ID (that you are using) have an identically named ID in both the UME and LDAP user repositories. You have to keep in mind that Administrator (ID) in the LDAP, is a totally different user than the Administrator (ID) in UME. Even if they have the same password. In this instance, place the LDAP admins in a certain LDAP group and in your Portal query criteria, exclude that group. THEN, the Administrator (ID) from the LDAP will not show up nor conflict with the Administrator (ID) from the UME. This issue will arise whenever there are duplicate IDs in both user repositories. You can always tell if there is going to be a conflict if you can search for a name in the UME and see two identically named IDs that are in two different repositories; a problem waiting to happen.
Steffi,
From where I sit, you have it right! There is a potential for conflict when there is an identical user account in both places.
It might be worthwhile to create a separate account from UME (swarnecke2) with the same permissions that you have in the (swarnecke) account and see what happens then.
Matt
I had tested that, too (see the edit in the big green post) and with a new ume-user (that had just very little permissions) and even a new ldap-user (copy of mine) it worked perfectly. It was just a problem with this particular account and the one of my colleague, too. That's why I was so confused. ^^
But as I said, now it works with both accounts.
I guess the problem is with the data source name - your datasource name should be "IDM_DataSource", please check and give it a try.
Thanks,
Dev
Hello Dev,
but the name is the same in our test portal and there it works.
And doesn't the IdM-Service itself use this IDM Data Source, too? I mean, http://<host>:<port>/idm is working fine. Just the admin-tab http://<host>:<port>/idm/admin won't do. That's why it's so confusing.
Regards,
Steffi.
Since it's my user, yes. ^^
The role with the required action is assigned to my account. I even tried changing to the idm_monitoring_support action (giving read only access to "Monitoring" tab), but it didn't matter.
I'll create a complete new role with that action and assign it to my user. Maybe that helps.
Steffi,
What UME and IDM roles does your account have? Have you checked against the install document to make sure that the monitoring.administration role was created correctly (and has not been changed)? Also, have you assigned the read only role? You might want to try that one just to make sure everything is OK.
Matt
Hello Matt,
I have portal and IdM admin rights, so full power to me. ^^
Creating the UME role, assigning the action to it and assigning the role to the user is easy enough. That's why I'm so confused, that it won't work (because it did for the test system) and that maybe something else is missing, that should run.
But our IdM is working in the portal, so it's not the connection or the application itself. Just a part of it, the admin-page.
But I don't know where to look and check anymore. I even checked the services on the IdM-servers, because I'm this stuck. Really frustrating.
Funny thing is, the prod IdM is still also callable over the old portal 7.0 (we switched recently) and THERE I can open the monitoring tab. And the UME role is exactly configured like in the portal 7.3.
...
I hope, that's not it now. Just because the same IdM can be called over two different portals wouldn't cause this message. Or would it?
If that's it, I really need to go on vacation...
Hello Michael,
our test portal and prod portal have the same versions. We checked that for a ticket not that long ago. Since we always first deploy in our test portal and currently have no "open" updates like that, the portals are on the same level.
We have also two IdM systems:
The test system is connected to the test portal and there the http://<host>:<port>/idm/admin shows me what I want to see. It's working.
The prod system is connected to two portal systems. Our old 7.0, where the url is working, too. And our new 7.3, where I get "service is down", when I call the url.
On all portals and IdM systems I have admin rights, I have the actions and roles that are necessary according to the documentation.
Since I'm in the mood, maybe this helps understanding the connections:
Sometimes text isn't enough to shed light on something.
Regards,
Steffi.
If you look at the defaultTrace / any Trace with NWA, does it tell you something you didn't know?
Maybe you have to adjust LogLevels for that (or use the NW DiagTool)...
If you hit F5 (or Ctrl+F5) (possibly several times), does the service work then?
Did you change anything in the DataSource Properties (Initial / Max Connections)?