The Security Zone Has No Permissions
This section deals with permissions problems on portal components’ security zone definitions. It is applicable when you are working with the portal and trying to run various portal components.
The problem occurs when a portal component fails to run, because the user does not have permissions for the security zone that the component is assigned to.

For example, you want to run a portal component that has the following security zone: com.sap.portal/low_safety, but you have no end-user-read permission on that security zone.
The problem can arise at any time when you are trying to run a portal component, such as a wizard or an editor (through an iView or a direct URL).
The portal issues an error message on screen, indicating a Portal Runtime Error has occurred, and referring to the portal logs. The message also displays the iView name and/or the component name that caused the problem.

iView: pcd:portal_content/com.sap.pct/admin.templates/iviews/editors/com.sap.portal.roleeditor
Component Name: com.sap.portal.pcd.admintools.roleeditor.default
In most cases, the browser message indicates that the problem is related to the security zone. The console log and/or the relevant log also record a message that indicates that the problem is related to the security zone.
Scenario Type: Error analysis
NetWeaver Component: Enterprise Portal (EP) design/runtime environment
1. Activate the pcd log file.
You have two options:
a. Go to System Administration → Monitoring.
In the Detailed Navigation pane, browse to Logging Console. Select pcd_logger, and the number of rows to display. Select Configuration Mode, check your configuration values, and verify that for Logger Activated the value is set to true, and select ALL for Level. Select Apply and then View Mode. Now, on the view mode, make sure that you select all the checkboxes for Select Logger Levels for Display, and select Display. The logs should be displayed.
b. Open the file: ~saploc/j2ee/cluster/server0/apps/sap.com/irj/servlet_jsp/irj/root/WEB-INF/portal/system/xml/logger.xml.
Find the string “pcd_logger”.
In the Logger node change the attribute isActive to true, and in LoggerClass nodes change the attribute level to ALL. Save the changes, and restart the J2EE server.
The log is located in ~saploc/j2ee/cluster/server0/apps/sap.com/irj/servlet_jsp/irj/root/WEB-INF/portal/logs/pcd.log. Note that ~saploc is the parent folder of the portal installation such as c:\usr\sap\K11\JC00.
In the log, check if the following error appears:
Permission check failed - Object <security zone folder full path> Permissions: Pcd.Use Principal: Not available.
Open the console error log, located in ~saploc/j2ee/cluster/server0/log/console_logs/error.log.
The console log traces the following exception:
com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: com.sap.portal.runtime.system.console.Go - user: Guest
[Stack Trace]
Caused by:
javax.naming.NamingException: Access is denied: com.sap.portal.system/applications/com.sap.portal.runtime.system.console/components/Go - security zone:com.sap.portal/high_safety
[Stack Trace]
Caused by:
com.sapportals.portal.application.applicationrepository.ParObjectFactory$AccessDeniedException: Access is denied: com.sap.portal.system/applications/com.sap.portal.runtime.system.console/components/Go – security zone:com.sap.portal/high_safety
[Stack Trace]
Caused by:
com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): com.sap.portal.system/security/com.sap.portal/high_safety)
[Stack Trace]
These messages indicate that there is a permission problem on the requested component regarding its security zone. It means that the portal component that was supposed to run is assigned to a security zone for which the user does not have end-user-read permission.
2. Go to System Administration → Permissions, browse to Security Zones/<specified path>, right-click → Edit Permissions. Look at the assigned permissions; if the problem is permissions, then the relevant user does not have end-user-read permission.
● Before solving the problem, you can perform an additional check on the problem:
Go to System Administration → Support. Under the Area column select Portal Runtime. Scroll down to the JNDI Browsers section, and select Security Zones Browser. Drill down to the location of the security zone that is noted in the log. For example, if the security zone indicated by the logs is com.sap.portal.system/security/com.sap.portal/high_safety, select com.sap.portal, and then select high_safety. Now you get a list of the components that are assigned to that security zone. Look for the relevant component name.
● Go to System Administration → Permissions, browse to Security Zones/<specified path>, right-click → Edit Permissions. Add end-user-read permission to the relevant user (or one of the groups or roles the user is assigned to).
● Ask the relevant user to refresh the browser.
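The log check in step 1, as an added example (not SAP code): a Python parser that pulls the user, the denied component and the security zone out of console error.log text, so you know which zone to open under Permissions. The function name, record fields and sample log are constructed for illustration; the message formats are those of the trace shown above.

```python
import re

# Constructed sample modelled on the console error.log trace on this page;
# line wraps and both dash styles are included to exercise the parser.
SAMPLE_LOG = """\
com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: com.sap.portal.runtime.system.console.Go - user: Guest
Caused by:
javax.naming.NamingException: Access is denied:
com.sap.portal.system/applications/com.sap.portal.runtime.system.console/components/Go
\u2013
security zone:com.sap.portal/high_safety
Caused by:
com.sapportals.portal.pcd.gl.PermissionControlException: Access denied
(Object(s):
com.sap.portal.system/security/com.sap.portal/high_safety)
"""

DASH = r"\s*[-\u2013]\s*"
DENIED_USER = re.compile(r"Access is denied:\s*(\S+)" + DASH + r"user:\s*(\S+)")
DENIED_ZONE = re.compile(r"Access is denied:\s*(\S+)" + DASH + r"security zone:\s*(\S+)")
ZONE_OBJECT = re.compile(r"Access denied\s*\(Object\(s\):\s*([^)\s]+)\s*\)")

def find_zone_denials(log_text):
    """Return one record per denied request found in console error.log text."""
    flat = " ".join(log_text.split())          # undo line wrapping
    heads = list(DENIED_USER.finditer(flat))   # each "... - user: X" opens a record
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        chunk = flat[head.start():end]         # this request's "Caused by" chain
        zone = DENIED_ZONE.search(chunk)
        obj = ZONE_OBJECT.search(chunk)
        pcd_object = obj.group(1) if obj else None
        # Nodes to drill into in the Security Zones Browser: the part of the
        # PCD object path after "/security/", as in the page's own example.
        drill = pcd_object.split("/security/", 1)[1].split("/") \
            if pcd_object and "/security/" in pcd_object else []
        records.append({
            "user": head.group(2),
            "component": zone.group(1) if zone else head.group(1),
            "zone": zone.group(2) if zone else None,
            "pcd_object": pcd_object,
            "drill_down": drill,
        })
    return records

if __name__ == "__main__":
    for rec in find_zone_denials(SAMPLE_LOG):
        print(rec)
```

A record whose user is Guest usually means the request was not authenticated, which is worth ruling out before granting end-user-read permission on the zone.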