Roles are assigned at authentication, so this type of trace is found in the catalina.out file of Identity Server. This is a trace of a user who does not match the requirements to be assigned the Manager Role (for a definition of this Role policy, see Figure 33-9).
<amLogEntry> 2009-06-11T15:38:38Z INFO NIDS Application: AM#500199050: AMDEVICEID#9921459858EAAC29: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc= : IDP RolesPep.evaluate(), policy trace: ~~RL~0~~~~Rule Count: 1~~Success(67) ~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67) ~~CS~1~~ANDs~~1~~False(68) ~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~False(68) </amLogEntry>
This trace describes the following about the policy.
The RL trace indicates that the policy has one rule and that the policy evaluated without error.
The RU trace indicates that the rule (RuleID_1181251958207) has one condition and one action and that the rule evaluated without error.
The CS trace indicates that the condition set evaluated to False (the user logging in does not match the conditions of the set).
The CO trace indicates that the condition evaluated to False (the user logging in does not match the condition).
When you are troubleshooting why a user is not granted access to a resource that uses a role in its Authentication policy, the first step should be to look at Identity Server file and determine whether the user was assigned the role. In this trace, you can see that the user was not assigned the role. To fix this problem, you can either change the conditions of the Role policy to match the user or change the user’s information so that the user matches the existing condition in the Role policy.