Symantec Access Management

  • 1.  No applicable policy found(not authorized)

    Posted Sep 25, 2018 08:40 AM

    Hi All,

     

    We have a SailPoint application integrated with CA SSO 12.7. However, it is not able to fetch the correct policy and hence is getting unauthorized. We have validated several times and there does not seem to be any issue with the policy. All the users have been added as part of authorization. The user store is AD. We are able to successfully connect to AD and search users. There are no LDAP connectivity errors in smps. We have just added one rule for web agent actions (get, post, put). Please assist.

     

     

     

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:1453][CSmAz::IsOk][][][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:1856][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:2303][CSmAz::IsOkGlobal][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOkGlobal]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:2325][CSmAz::IsOkGlobal][][][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][][Evaluating OnAccessReject global policies in the realm.]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:1414][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsOk]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:1453][CSmAz::IsOk][][][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:1856][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][SmAuthorization.cpp:2339][CSmAz::IsOkGlobal][][][][][][][][][][][][][0][][][][][][][][Leave function CSmAz::IsOkGlobal]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:409][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::SendReply]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][[.(y][Send response attribute 153, data size is 4]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][[.(y][Send response attribute 154, data size is 4]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][[.(y][Send response attribute 155, data size is 4]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][....][Send response attribute 225, data size is 4]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][... ][Send response attribute 226, data size is 4]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][GVDByIgP5UQVWW2mKo0y0a8aps0=][Send response attribute 205, data size is 28]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][][Send response attribute 146, data size is 0]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][][Send response attribute 147, data size is 0]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s1497/r11][devinternal_ag][][testE044672][][DEVSPRealm][DEVSailPointDomain][][][][][][][][][][][][][][** Status: Not Authorized. ]

    [09/25/2018][20:22:17.571][20:22:17][1652][2788][Sm_Az_Message.cpp:602][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Az_Message::SendReply]

     

    Regards,

    Aishwarya



  • 2.  Re: No applicable policy found(not authorized)

    Posted Sep 25, 2018 09:00 AM

    Hi,

     

    First, in earlier lines of the Policy Server traces (earlier than the ones you shared) you should see which policies are being considered, and the result, and these lines should give you the information needed to solve the issue. You can collect a new set of traces, enabling all components and data fields in Profiler settings, if needed.

     

    You can check if the existing policies really include the users (at least the user you are testing with), as sometimes the rule is not matched by a policy, and it is therefore not found. It could happen that the policy is created, but not bound to a rule. Also, you can try to set a policy that allows all users (using the "Add All" option in the Users tab).

     

    Also, check in the Realm definition that you have enabled both Process Authentication Events and Process Authorization Events.

     

    I hope it helps!
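Added example, not part of the original thread or of any vendor tooling: a small Python parser for trace lines in the bracketed layout quoted above. For each reply it reports how many policy-analysis passes ran and whether any trace line appeared between "Start of user policy analysis" and the "No applicable Policy found" verdict. The field positions for agent, user, realm and domain are assumptions read off the lines in this thread (the Profiler layout is configurable), and the sample input is constructed with placeholder names.

```python
# Constructed sample in the layout of the thread's trace lines; trailing empty
# fields are trimmed and user/realm/domain/agent names are placeholders.
_P = "[09/25/2018][20:22:17.571][20:22:17][1652][2788]"
_CTX = "[][][][user1][][RealmA][DomainA][]"
_NONE = "[SmAuthorization.cpp:1854][CSmAz::IsOk][][][][][][][][No applicable Policy found. ][IsOk? No.]"
SAMPLE = "\n".join(_P + s for s in [
    "[SmAuthorization.cpp:1453][CSmAz::IsOk]" + _CTX + "[Start of user policy analysis for realm.]",
    _NONE,
    "[SmAuthorization.cpp:2325][CSmAz::IsOkGlobal]" + _CTX + "[Evaluating OnAccessReject global policies in the realm.]",
    "[SmAuthorization.cpp:1453][CSmAz::IsOk]" + _CTX + "[Start of user policy analysis for realm.]",
    _NONE,
    "[Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s1/r1][agent1][][user1][][RealmA][DomainA][][** Status: Not Authorized. ]",
])

def parse_line(line):
    """Split one trace line into its bracketed fields, or return None."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    # Assumes no field value contains the literal sequence "][".
    return line[1:-1].split("][")

def summarize(text):
    """Return one record per SendReply status line, tracked per (pid, tid)."""
    pending, out = {}, []
    for raw in text.splitlines():
        f = parse_line(raw)
        if f is None or len(f) < 15:
            continue
        key = (f[3], f[4])                      # process id, thread id
        st = pending.setdefault(key, {"passes": 0, "no_policy": 0, "between": 0, "open": False})
        msg = f[-1].strip()
        if msg.startswith("Start of user policy analysis"):
            st["passes"] += 1
            st["open"] = True
        elif any(x.strip() == "No applicable Policy found." for x in f[7:]):
            st["no_policy"] += 1
            st["open"] = False
        elif st["open"]:
            st["between"] += 1                  # lines logged while policies were analysed
        if f[6].endswith("SendReply") and msg.startswith("** Status:"):
            st = pending.pop(key)
            out.append({"agent": f[8], "user": f[10], "realm": f[12], "domain": f[13],
                        "status": msg[len("** Status:"):].strip().rstrip("."),
                        "passes": st["passes"], "no_policy": st["no_policy"],
                        "between": st["between"]})
    return out

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```

A `between` count of 0 together with a non-zero `no_policy` means the excerpt contains no lines for the analysis pass itself, so the earlier part of the trace (or a fuller Profiler capture) is where to look next.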



  • 3.  Re: No applicable policy found(not authorized)

    Posted Sep 25, 2018 10:55 AM

    Hi Albert,

     

    I have already verified all the above details. I also tested by adding all the users, and the single test user alone, but nothing worked, which is actually weird.



  • 4.  Re: No applicable policy found(not authorized)

    Posted Sep 26, 2018 12:05 PM

    Hi Aishwarya,

     

    Maybe you should collect full traces and open a Support case so the policy verification journey can be analyzed to find why it is happening.

     

    Also, you could try to uncheck the nested security option (under Global Tools in AdminUI) just as a test to see whether it works correctly that way, so we can suspect another policy taking precedence or a problem with subdomains, etc.

     

    I hope it helps



  • 5.  Re: No applicable policy found(not authorized)

    Broadcom Employee
    Posted Oct 02, 2018 05:55 PM

    Hi Aishwarya,

    Were you able to open a Support ticket or find any additional details that may help with troubleshooting?

     

    For this type of issue, as Albert noted, it is best to get a set of logs to Support for review.

     

    Thanks!