IBM Support

Authorization failed, Not granted any of the required roles

Troubleshooting


Problem

Getting an error "Authorization failed, Not granted any of the required roles" when accessing one of the JRules/ODM modules.

Symptom

For example, the following error is displayed in the server logs when you are testing the Decision Validation Services (DVS) availability on WebSphere Application Server (WAS):

Authorization failed for user admin:defaultWIMFileBasedRealm while invoking GET on testJRL:testing/success.jsp, Authorization failed, Not granted any of the required roles: resAdministrators resDeployers

Such message may also show in the server logs when calling DVS from a Test Suite or Simulation ran from Rule Team Server (RTS)/Decision Center. In that case, the message Connection failed on server '<your server>'. HTTP error when contacting "/testing/sspService", HTTP status 403: Forbidden shows on the RTS side.

When connecting to RTS or the Rule Execution Server console, you may see the message "This user does not have the correct role." in the login page while an error similar to the first one above is seen in the logs.

Cause

This error indicates that security is enabled on the server and that the required roles have not been defined for the application.

Indeed, when security is enabled, DVS require all groups or users who are allowed to access it to be mapped to one of the two mandatory roles: resAdministrators or resDeployers.

For Rule Execution Server, those roles are: resAdministrators, resDeployers, and resMonitors.

For RTS/Decision Center: rtsAdministrator, rtsConfigManager, rtsInstaller, and rtsUser.

Environment

Java EE application server with security enabled.

Diagnosing The Problem

Refer to the error in the server logs and verify the security settings of the application at the application server level.

Messages in RTS/Decision Center or the Rule Execution Servcer console such as "Invalid username/password" and "Your username and password were not recognized" indicate that either the user does not exist, or that the password is incorrect. But in any case, refer to the server to confirm what the cause of the issue is.

Resolving The Problem

You must map all the groups or users who are granted access to the module to one of the required roles, as indicated in installation guide for the corresponding module.

For example, the documentation to install DVS on WAS, at WebSphere ILOG JRules BRMS V7.1: Java EE add-ons > Installing on WebSphere Application Server > Installing Decision Validation Services > Deploying the Decision Validation Services archive (see point '8.' of that page), indicates how to proceed for 'step 9', Map security roles to users or groups, of the WAS admin console deployment wizard.

If you omit this step when you deploy the corresponding module, the error described above might be displayed.

For other modules or other application servers, refer to the corresponding section of the documentation at "WebSphere ILOG JRules BRMS V7.1: Java EE add-ons > Installing on <your application server> > Installing <module> > Deploying ..."

[{"Product":{"code":"SS6MTS","label":"WebSphere ILOG JRules"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Installation","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1;7.0;6.7;6.6","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSQP76","label":"IBM Operational Decision Manager"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Installation","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5;8.0;7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 June 2018

UID

swg21578192

Page Feedback