Wednesday, July 27, 2011

Permission to perform the edit operation denied


In one of the OpenSSO projects I'm currently in, we have customized attributes defined in Sun DSEE 7. These attributes extend from inetorgperson.

In the Post Authentication Processing module, we would want to update one of the attributes if a certain condition is met. 

So I have the following code segment:

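```java
import com.sun.identity.idm.AMIdentity;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

AMIdentity amIdentity = new AMIdentity(ssoToken);
// ...
// Attribute name -> set of values to write
Map<String, Set<String>> attrs = new HashMap<String, Set<String>>();
Set<String> values = new HashSet<String>(1);
values.add(valueToSet);
attrs.put(SUNLDAPUser.ATTRIBUTE_MUSTCHGPWD, values);
amIdentity.setAttributes(attrs);
amIdentity.store(); // write the change to the data store
```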

Looks good! But when we ran it, we encountered the following error:
"Permission to perform the edit operation denied ..."



Strange! Why?

After much investigation, I then realized we need to loosen the policy in the embedded OpenDS store.

There is an xmlpolicy attribute in ou=SelfWriteAttributes,ou=Policies,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMPolicyService,ou=services,o=sunamhiddenrealmdelegationservicepermissions,ou=services,....


So, the trick is to add the attribute that we want to modify into the UserSelfCheckCondition.


Restart OpenSSO. Test. Done.
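
A check that can be run against an exported xmlpolicy value after this change, as an added example that is not from the original post: it reports whether the needed attribute is listed in the UserSelfCheckCondition and whether anything outside an approved set has become self-writable. The XML layout, the attribute name mustChangePassword and the approved list are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an xmlpolicy value; the element layout is an assumption
# and "mustChangePassword" is a made-up custom attribute name.
SAMPLE_XMLPOLICY = """\
<Policy name="SelfWriteAttributes">
  <Conditions name="condition">
    <Condition name="condition" type="UserSelfCheckCondition">
      <AttributeValuePair>
        <Attribute name="attributes"/>
        <Value>givenname</Value>
        <Value>sn</Value>
        <Value>userpassword</Value>
        <Value>mustChangePassword</Value>
        <Value>inetuserstatus</Value>
      </AttributeValuePair>
    </Condition>
  </Conditions>
</Policy>
"""

def self_writable_attributes(xmlpolicy):
    """Return the lower-cased attribute names listed in UserSelfCheckCondition."""
    root = ET.fromstring(xmlpolicy)
    names = set()
    for cond in root.iter("Condition"):
        if cond.get("type") != "UserSelfCheckCondition":
            continue
        for pair in cond.iter("AttributeValuePair"):
            attr = pair.find("Attribute")
            if attr is not None and attr.get("name") == "attributes":
                names.update(v.text.strip().lower() for v in pair.iter("Value") if v.text)
    return names

def audit(xmlpolicy, required, approved):
    """Compare the self-writable list with what the deployment expects."""
    current = self_writable_attributes(xmlpolicy)
    required = {a.lower() for a in required}
    approved = {a.lower() for a in approved} | required
    return {
        "missing": sorted(required - current),     # needed attribute not yet listed
        "unexpected": sorted(current - approved),  # loosened further than intended
    }

if __name__ == "__main__":
    print(audit(SAMPLE_XMLPOLICY, ["mustChangePassword"],
                ["givenname", "sn", "userpassword"]))
```

An empty "missing" list means the attribute from the post is covered; anything under "unexpected" is an attribute users can edit on their own entry that was not part of the intended change.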



1 comment:

  1. Nice find, must have taken a while to get to the bottom of this one!
