When accessing the Metrics application first time after login, an com.ibm.websphere.wim.security.authz.AccessException is thrown for each user in SystemOut.log of the Cognos server. The exception is thrown when accessing “Global Metrics” (using an authorized user) as well as “Community Metrics” (using any community owner). The functionality of Metrics application seems to be not affected negatively.

Exception trace looks like:

[05/10/15 14:35:03:273 UTC] 00000210 exception E com.ibm.websphere.wim.security.authz.AccessException CWWIM2008E The principal 'cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx' is not authorized to perform the operation 'GET PersonAccount' on 'cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx'
[05/10/15 14:35:03:274 UTC] 00000210 exception E com.ibm.websphere.wim.security.authz.AccessException com.ibm.websphere.wim.security.authz.AccessException: CWWIM2008E The principal cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx' is not authorized to perform the operation 'GET PersonAccount' on 'cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx'
at com.ibm.ws.wim.env.was.JACCAuthorizationService.checkAccessResult(JACCAuthorizationService.java:1320)
at com.ibm.ws.wim.env.was.JACCAuthorizationService.checkPermission_GET(JACCAuthorizationService.java:578)
at com.ibm.ws.wim.security.authz.ProfileSecurityManager.checkPermission_GET(ProfileSecurityManager.java:188)
at com.ibm.ws.wim.ProfileManager.getImpl(ProfileManager.java:1860)
at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:365)
at com.ibm.ws.wim.ProfileManager.get(ProfileManager.java:418)
at com.ibm.websphere.wim.ServiceProvider.get(ServiceProvider.java:410)
at com.ibm.websphere.wim.client.LocalServiceProvider.get(LocalServiceProvider.java:364)
at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider$2.run(AdminProvider.java:343)
at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider$2.run(AdminProvider.java:339)
at java.security.AccessController.doPrivileged(AccessController.java:373)
at javax.security.auth.Subject.doAs(Subject.java:573)
at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:195)
at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:152)
at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider.get(AdminProvider.java:339)
at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider.getUserGroups(AdminProvider.java:106)

This exception is raised if a user, who has no administrator rights in Websphere, is accessing Cognos metrics.

The following steps had solved the problem here:

On Deployment Manager:

cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin 
./wsadmin.sh -lang jacl -username <wasadmin> -password <wasadmin password>

On WSADMIN prompt:

$AdminTask mapIdMgrGroupToRole {-roleName IdMgrReader -groupId ALLAUTHENTICATED} 
$AdminConfig save 
exit

Full Sync of all nodes

Stop and restart Cognos Server

For testing:

Login to eteaming as a normal user (not part of the Metrics Admin Group)

Open Metrics link in a Community

Check SystemOut.log of Cognos server and verify that the error message no longer appears.

Tagged with:  

One Response to Cognos (IBM Connections ): security.authz.AccessException

  1. Cheers Michael. Saved me scratching around for a solution.

Leave a Reply

© 2000-2015 Michael Urspringer