Technical Blog Post
Finding _DENY permissions in IBM Sterling B2B Integrator
One thing that can be a bit confusing in IBM Sterling B2B Integrator is _DENY permissions. The _DENY permissions don’t exist by default, so you have to add them to your system. The problem is that you need to know the correct name of the permission for it to work. Here is a process I use to find the correct permission names.
This won't give you a full list of _DENY permissions, but it will help you find the ones that are used in the part of the UI you are trying to restrict.
1) Create a test account.
Give the test account permission to get to whichever part of the dashboard you are working on. Don’t give the test account admin privileges. If the account has admin privileges, the _DENY permissions don’t affect it.
For example: I want to find the _DENY permissions for the envelope screens. So I created a test user and added the group permission ENVELOPES.
2) Turn on the User Authentication log.
Go to Operations > System > Logs
Beside User Authentication click on the paper and pencil icon.
Select On and click Save
3) Go into the logs directory and open the most recent Authentication.log.
I generally do this on Unix and run tail -f on the log so I can watch messages as they are added.
4) Log on as the new user and navigate to the section that you want to see the deny permissions for.
Watch in the Authentication.log. You will see the _DENY permissions being checked as you go to screens or make changes in the UI.
In my example I went to the envelopes window and created a new envelope.
I saw this message in Authentication.log:
[2017-10-02 14:42:25.13] DEBUG [ResourceAccessRequest] Verifying permission for MyTestAccount to updateenvelope on permission (_DENY_updateenvelope)
The permission name is listed at the end of the message _DENY_updateenvelope Create this permission, add it to the user and then test.
5) Turn off the User Authentication log when done.
Leaving this on will create a lot of unneeded logging.