How to Set Access Rights for a Namespace
Start Sun WBEM User Manager.
In the Namespace Access portion of the dialog box, click Add.
A dialog box opens. The dialog box lists the available namespaces.
Select the namespace for which you want to set access rights:
Note - By default, users have read-only access to a namespace.
To allow no access to the namespace, make sure that the Read and Write check boxes are not selected.
To allow write access, click the Write check box.
To allow read access, click the Read check box.
To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.
How to Remove Access Rights for a Namespace
Start Sun WBEM User Manager.
In the Namespace Access portion of the dialog box, select the namespace for which you want to remove access control, and then click Delete.
Access control is removed from the namespace, and the namespace is removed from the list of namespaces on the Sun WBEM User Manager dialog box.
To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.
Troubleshooting Problems With WBEM Security
This section describes what to do when:
A client (user) cannot be authenticated by the CIM Object Manager on the WBEM server
A role cannot be assumed
An ACCESS_DENIED error occurs
If a Client (User) Cannot Be Authenticated by the CIM Object Manager on the WBEM Server
If a client cannot be successfully authenticated by the CIM Object Manager on the WBEM server, the WBEM server returns a CIM security exception when it attempts to establish the CIM client handle in the client application. The exception contains an error code that indicates why the authentication attempt failed.
Error | Probable Cause | Solution |
|---|---|---|
NO_SUCH_PRINCIPAL | Specified user identity was not valid in the Solaris operating environment on the WBEM server, or the user account for that user identity either has no password or is locked. | Check that the user has a valid user identity, that is, the user can log in to the Solaris operating environment on the WBEM server machine. The Solaris system that is set up as the WBEM server might be using user identities from a name service configured on the server, so you might need to check the name service tables. |
INVALID_CREDENTIAL | Password for the specified user (or role, if assuming a role identity) is not valid for that user in the Solaris operating environment on the WBEM server. | Check that the user's password is correct. |
NO_SUCH_ROLE | Role identity that is assumed in the authentication to the WBEM server is not a valid RBAC role in the Solaris operating environment on the WBEM server. | The role identity might be a valid entry in the passwd table on the server, but you will not be able to log in to the server under that identity (Solaris does not allow you to log in directly to role identities). So, you must check the passwd table for the role identity, and check the user_attr table to ensure that the role is defined as a role type of user. Role identities in the user_attr table each contain an attribute in the syntax type=role. You can also check for a valid user or valid role identity by using the Solaris Management Console User tool. You can use User Management to check for a user, and you can use Role Management to check for a role. However, when using the User tool, you must know the correct source of the tables on the CIM Object Manager server. In other words, if the CIM Object Manager server is using a name service such as NIS, you must access the master server for that name service. |
CANNOT_ASSUME_ROLE | Role identity is valid, but the specified user identity in the authentication exchange is not configured to assume that role. | Explicitly assign users to roles by using the Administrative Role tool in the Solaris Management Console User tool collection, which is described in "Changing Role Properties" in System Administration Guide: Security Services. |
If Other CIM Security Exception Errors Appear
The WBEM server can return other error indications in the CIM security exception. However, these indications typically identify a system failure in the authentication exchange. The WBEM client configuration might not be compatible with the WBEM server configuration for the security options in the authentication exchange.
If these error indications occur, check that the WBEM installation on the client machine contains the appropriate configuration property values for security in WbemClient.properties. This file is usually located in the vendor extension subdirectory in the WBEM installation directory /usr/sadm/lib/wbem/extension.
Also, check the client application CLASSPATH setting to ensure that sunwbem.jar and the extension directory path name are on the class path.
If an Authorization Check Fails
If a client is not authorized to access or modify the data associated with a request to the WBEM server, the WBEM server returns a CIM security exception for that request that includes the ACCESS_DENIED error.
The ACCESS_DENIED error indicates that a WBEM request could not be completed because the authenticated user or the role has not been granted the appropriate access to the data being managed by that request.
Check the security messages in the WBEM log for the failed request (viewing log data is described in "Viewing Log Data Through Log Viewer"). Authorization failure log messages specify Access denied in the Summary column. The User column lists the name of the authenticated user or the role name that was used in the check. The Source column lists the name of the provider that is making the check. Note that the name of the provider that is listed in this column is a user-friendly provider name, not the provider implementation class name.
The detailed message contains the name of the permission that was being checked, and that has not been granted to the user or role.
If the permission appears as namespace:right, the authorization check was using a namespace ACL. The authenticated user has not been granted that permission (read or write) for that namespace.
Use Sun WBEM User Manager (wbemadmin) to grant the user the appropriate permission. Sun WBEM User Manager is described in "Using Sun WBEM User Manager to Set Access Control".
If the permission appears as solaris.application.right, the authorization check was using an RBAC authorization.
Use the Administrative Role tool in the Solaris Management Console User tool collection to grant the rights that you want to the user or role. This procedure is described in "Changing Role Properties" in System Administration Guide: Security Services.