Article Number
000031057
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Prime
Issue
Logging in to the Help Desk Administration Portal (HDAP) fails with the message:
You are not authorized for the operation.
The Help Desk Administration Portal log (hdap.log), located in /opt/rsa/primekit/logs/hdap, reports the following error:
2015-08-26T11:21:05,303+1000,70953139 [http-bio-8282-exec-6] ERROR com.rsa.pso.lap.web.UtilityBean - getPermissions() =>
hdapadmin is not assigned to any administrative roles that support allow access to hdap. Contact your administrator to grant access to hdap
2015-08-26T11:21:05,303+1000,70953139 [http-bio-8282-exec-6] ERROR com.rsa.pso.lap.web.UtilityBean - Exception occurred sending status code
403/com.rsa.pso.exception.UnAuthorizeException: You are not authorized to view this page
2015-08-26T11:21:05,303+1000,70953139 [http-bio-8282-exec-6] ERROR com.rsa.pso.lap.web.UtilityBean - Exception occurred sending status code
403/java.lang.Exception
Cause
The Help Desk Admin Portal uses the RSA Authentication Manager administrative roles that are defined in the Security Console to map claims for HDAP administrative users. The role names that are defined in the <HDAP_home>/config/lapProto.xml file must match the administrative roles that are defined in the Security Console.
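To confirm which accounts are hitting this role-mapping failure before changing roles, hdap.log can be scanned for the getPermissions() error shown above. The following is an added example, not RSA code: it assumes the record layout of the excerpt, folds wrapped continuation lines into their record, and uses a constructed sample in which the account "jdoe" and the second timestamp are made up.

```python
import re
from collections import defaultdict

# Start of an hdap.log record, in the layout of the excerpt above (assumed stable).
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d),\d{3}[+-]\d{4},\d+ "
    r"\[[^\]]+\] [A-Z]+ \S+ - (?P<msg>.*)$"
)
# Role-mapping failure: the user name precedes this fixed phrase.
NO_ROLE = re.compile(
    r"getPermissions\(\) =>\s*(?P<user>\S+) is not assigned to any administrative roles"
)

def join_records(lines):
    """Yield (timestamp, message), folding lines without a timestamp into the previous record."""
    current = None
    for raw in lines:
        line = raw.strip()
        m = RECORD.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], m["msg"]]
        elif current and line:
            current[1] += " " + line
    if current:
        yield tuple(current)

def unmapped_admins(lines):
    """Return {user: [timestamps]} for logins rejected for lack of an HDAP-mapped role."""
    hits = defaultdict(list)
    for ts, msg in join_records(lines):
        m = NO_ROLE.search(msg)
        if m:
            hits[m["user"]].append(ts)
    return dict(hits)

# Constructed sample: two records from the excerpt plus a made-up single-line record for "jdoe".
SAMPLE = """\
2015-08-26T11:21:05,303+1000,70953139 [http-bio-8282-exec-6] ERROR com.rsa.pso.lap.web.UtilityBean - getPermissions() =>
hdapadmin is not assigned to any administrative roles that support allow access to hdap. Contact your administrator to grant access to hdap
2015-08-26T11:21:05,303+1000,70953139 [http-bio-8282-exec-6] ERROR com.rsa.pso.lap.web.UtilityBean - Exception occurred sending status code
403/com.rsa.pso.exception.UnAuthorizeException: You are not authorized to view this page
2015-08-26T11:25:40,112+1000,71228948 [http-bio-8282-exec-3] ERROR com.rsa.pso.lap.web.UtilityBean - getPermissions() => jdoe is not assigned to any administrative roles that support allow access to hdap.
"""

if __name__ == "__main__":
    for user, stamps in unmapped_admins(SAMPLE.splitlines()).items():
        print(f"{user}: {len(stamps)} rejected login(s), first at {stamps[0]}")
```

Each account it reports needs an administrative role in the Security Console whose name matches a role name in lapProto.xml.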
Resolution
To resolve this issue:
- Using an administrative account for the RSA Authentication Manager Security Console, add an administrative role whose name matches the role name that is used by the Help Desk Admin Portal.
An administrative role is a collection of permissions that can be assigned to an administrator. A role determines what level of control the administrator has over users, user groups, and so on. You can add administrative roles to your deployment, and assign these roles to users. If you assign multiple administrative roles to a user, the permissions are combined.
Before You Begin
To create an administrative role, you must have an administrative role that:
- Grants permission to create administrative roles
- Includes the permissions added to the new administrative role
- Allows the administrator to delegate the permissions that are granted to the role. This is set with the Permission Delegation setting for the role that is assigned to the administrator who is creating the role
Procedure
- In the Security Console, go to Administration > Administrative Roles > Add New.
- In the Administrative Role Name field, enter a name for the new administrative role.
- (Optional) If you want to allow administrators to delegate their role permissions to other administrators, select Permission Delegation.
- In the Security Domain Scope tree, select the security domains in which the new administrative role grants permissions.
- In the Identity Source Scope field, select the identity sources where you want this administrative role to grant permissions.
- Click Next.
- Assign general permissions to the administrative role.
- (Optional) To restrict attributes:
  - In the User Attribute Restriction field, select May only access specific attributes.
  - An Attributes drop-down menu appears. Select Modify, View, or None for each attribute. If you select None, the attribute is hidden.
    - The value in this field must be consistent with the value that is specified in the Entry Type field on the Add an Identity Attribute Definition page.
    - If the attribute definition is read-only, do not select Modify for the User Attribute Restriction.
    - If the attribute definition is required, do not specify View or None in the User Attribute Restriction. If you do, you cannot add the role.
- Click Next.
- Assign authentication permissions to the administrative role.
- Click Next.
- Assign self-service permissions to the administrative role.
- Click Next.
- Use the Security Domain drop-down menu to select the security domain that is associated with the administrative role.
- Review the summary of the administrative role, and click Save.
Notes