When accessing the Metrics application first time after login, an com.ibm.websphere.wim.security.authz.AccessException is thrown for each user in SystemOut.log of the Cognos server. The exception is thrown when accessing “Global Metrics” (using an authorized user) as well as “Community Metrics” (using any community owner). The functionality of Metrics application seems to be not affected negatively.
Exception trace looks like:
[codesyntax lang="text"]
[05/10/15 14:35:03:273 UTC] 00000210 exception E com.ibm.websphere.wim.security.authz.AccessException CWWIM2008E The principal 'cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx' is not authorized to perform the operation 'GET PersonAccount' on 'cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx' [05/10/15 14:35:03:274 UTC] 00000210 exception E com.ibm.websphere.wim.security.authz.AccessException com.ibm.websphere.wim.security.authz.AccessException: CWWIM2008E The principal cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx' is not authorized to perform the operation 'GET PersonAccount' on 'cn=xxx,ou=xxx,ou=xxx,ou=xxx,o=xxx' at com.ibm.ws.wim.env.was.JACCAuthorizationService.checkAccessResult(JACCAuthorizationService.java:1320) at com.ibm.ws.wim.env.was.JACCAuthorizationService.checkPermission_GET(JACCAuthorizationService.java:578) at com.ibm.ws.wim.security.authz.ProfileSecurityManager.checkPermission_GET(ProfileSecurityManager.java:188) at com.ibm.ws.wim.ProfileManager.getImpl(ProfileManager.java:1860) at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:365) at com.ibm.ws.wim.ProfileManager.get(ProfileManager.java:418) at com.ibm.websphere.wim.ServiceProvider.get(ServiceProvider.java:410) at com.ibm.websphere.wim.client.LocalServiceProvider.get(LocalServiceProvider.java:364) at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider$2.run(AdminProvider.java:343) at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider$2.run(AdminProvider.java:339) at java.security.AccessController.doPrivileged(AccessController.java:373) at javax.security.auth.Subject.doAs(Subject.java:573) at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:195) at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:152) at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider.get(AdminProvider.java:339) at com.ibm.tivoli.reporting.advanced.cognos.auth.service.AdminProvider.getUserGroups(AdminProvider.java:106)
[/codesyntax]
This exception is raised if a user, who has no administrator rights in Websphere, is accessing Cognos metrics.
The following steps had solved the problem here:
On Deployment Manager:
[codesyntax lang=”bash”]
cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin ./wsadmin.sh -lang jacl -username <wasadmin> -password <wasadmin password>
[/codesyntax]
On WSADMIN prompt:
[codesyntax lang=”python”]
$AdminTask mapIdMgrGroupToRole {-roleName IdMgrReader -groupId ALLAUTHENTICATED}
$AdminConfig save
exit [/codesyntax]
Full Sync of all nodes
Stop and restart Cognos Server
For testing:
Login to eteaming as a normal user (not part of the Metrics Admin Group)
Open Metrics link in a Community
Check SystemOut.log of Cognos server and verify that the error message no longer appears.