Cannot Evaluate Policy on the basis of Group membership

This topic contains 1 reply, has 2 voices, and was last updated by william.hepler 1 month, 1 week ago.

  • #25043
     rasarkar 
    Participant

    Hi Team,

    I am using ForgeRock AM 6.5. For user store I am using ForgeRock DS 6.5. I have users and groups in ForgeRock DS and the membership seems fine.

    However, after authenticating I cannot authorize a member on the basis of group memberships. I have tried the following in Authorization policies:
    1. Users and Groups under the Subjects tab
    2. LDAP Query with isMemberOf under the Environments tab
    3. Identity membership under the Environments tab

    Nothing works. Can anybody help me with this? I am using J2EE policy agent 5.5.1 for Tomcat.

    #25074
     william.hepler 
    Participant

    https://backstage.forgerock.com/knowledge/kb/article/a26924504

    There’s an example of restricting based on group membership here:

    Group membership

    https://backstage.forgerock.com/docs/am/6.5/authorization-guide/#configure-authz-apps

    Is the User Store you're using in the same realm as the policy you're using?

    Is your Agent set to use SSO only?
    com.sun.identity.agents.config.sso.only

    Are you testing the Policy from a curl?
    From: https://backstage.forgerock.com/knowledge/kb/article/a10205600
    Testing a policy
    You should test your policy during creation (as discussed in the Creating a complex policy section) and after creation. We recommend you test your policy using the REST API as this calls the XACMLRequestProcessor class directly.

    You would use a curl command similar to this; the URL changes depending on which version you are using. For example:

    AM 5 and later:
    $ curl -X POST -H "iPlanetDirectoryPro: AQIC5…DU3*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0" -d '{
      "resources": [
        "http://www.example.com/index.html",
        "http://www.example.com/do?action=run"
      ],
      "application": "iPlanetAMWebAgentService"
    }' https://host1.example.com:8443/openam/json/realms/root/policies?_action=evaluate

    With Message level debug you could review Entitlement and Policy to track why this is failing further.
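As an added example (not code from the thread or from ForgeRock), a small Python helper that builds the same evaluate request the curl above sends and summarises the decision list AM returns, separating an explicit deny from "no policy matched at all", which is what a group-membership condition that never fires looks like. The sample response is constructed; `base_url` and `sso_token` are assumed inputs.

```python
import json
import urllib.request

# Constructed sample of what .../policies?_action=evaluate returns for two resources.
# The shape follows the AM JSON policy-evaluation response; the values are made up.
SAMPLE_RESPONSE = json.dumps([
    {"resource": "http://www.example.com/index.html",
     "actions": {"GET": True, "POST": False},
     "attributes": {}, "advices": {}, "ttl": 9223372036854775807},
    {"resource": "http://www.example.com/do?action=run",
     "actions": {},  # empty: no policy applied to this subject/resource
     "attributes": {}, "advices": {}, "ttl": 9223372036854775807},
])


def build_evaluate_request(resources, application="iPlanetAMWebAgentService"):
    """Request body for POST .../json/realms/root/policies?_action=evaluate."""
    return {"resources": list(resources), "application": application}


def evaluate_policy(base_url, sso_token, resources, application="iPlanetAMWebAgentService"):
    """Network call to AM (assumed inputs; not exercised offline).
    base_url is e.g. https://host1.example.com:8443/openam, sso_token the iPlanetDirectoryPro value."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/json/realms/root/policies?_action=evaluate",
        data=json.dumps(build_evaluate_request(resources, application)).encode(),
        headers={"iPlanetDirectoryPro": sso_token,
                 "Content-Type": "application/json",
                 "Accept-API-Version": "resource=2.0"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def summarize_decisions(response_text):
    """Map each resource to allowed/denied actions, advices, and a no_match flag.
    An empty "actions" map means no policy matched (subject or condition failed),
    which is a different problem from a policy that explicitly denies."""
    summary = {}
    for decision in json.loads(response_text):
        actions = decision.get("actions", {})
        summary[decision["resource"]] = {
            "allowed": sorted(a for a, ok in actions.items() if ok),
            "denied": sorted(a for a, ok in actions.items() if not ok),
            "no_match": not actions,
            "advices": decision.get("advices", {}),
        }
    return summary
```

If every resource comes back with no_match while the same user is clearly in the group in DS, the subject condition itself is not matching (wrong realm or identity store is the usual cause), and Message-level debug on Entitlement will show which condition rejected the subject.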

©2019 ForgeRock