Following is a troubleshooting guide for SAP NetWeaver Portal administrators who suspect an issue with permissions, or encounter an “Access Denied” error (displayed in the default trace as: “PermissionControlException: Access denied“).
Follow the steps according to the chart, to decide which actions to perform:
Section A – Check that permissions are configured correctly:
Check that permissions are configured according to the how-to guide. Connect to the portal with the super admin user in order to perform this check:
Section B – Permission issues after performing a fresh installation of NW 7.0X or lower, or an upgrade from NW640 to a NW7.0X release:
Check if the initial permission XML file was executed successfully. This is done by checking where the system was installed in the file system under:
/usr/sap/<Java EE instance name>/JC<instance_number>/j2ee/cluster/server0/apps/sap.com/irj/servlet_jsp/irj/root
Check whether the suffix of the InitialPermissions.xml is .bak.
If it isn’t, then the permissions weren’t configured correctly in the portal you need to run it again. This can be done by making sure that the name of the file is InitialPermissions.xml with no additional suffix (for example .template), and restarting the system.
After the restart make sure that the .bak suffix was added.
Section C – Permission issues after performing a fresh installation or upgrading to NW 7.1X, NW 7.2X or 7.3X releases:
Starting from 7.1X a new service, called InitialPermissionService is responsible for running the InitialPermissions.xml file.
This service is located in SAP NetWeaver Administrator (NWA) under the following path:
· NW7.1X & NW7.2X: Configuration Management -> Infrastructure -> Application Modules.
· NW7.3X: Configuration -> Infrastructure -> Application Modules.
Search for the com.sap.portal.initialPermission module.
This service has a property, called run, which turns from “true” to “false” once the Initial Permission Service runs successfully.
In the case of an initial permissions problem, this property stays “true” after restart.
In such cases:
1. Change the severity of the traces under the location com.sap.portal.initialPermission to all.
2. Restart the system.
3. Check whether the service ran successfully after restart, and now the property is “false”.
4. Don’t forget to change the severity of the trace back to “error”.
If you installed NetWeaver 7.3 version, refer to SAP notes 1650913 and 1619731 for more information.
Section D – Check user permissions:
If there is an exception in the trace with Access Denied – check the user displayed in the exception, and the path of the content with the problem.
The path is either to a PCD object (for example: pcd:portal_content/…) or to a security zone (for example: com.sap.portal.system/security/sap.com/NetWeaver.Portal/no_safety …).
a. Login with the super administrator, and browse to System Administration -> permissions.
b. In the Portal Catalog, go to the location of the path displayed in the exception.
c. Open the permission editor for the specific object and check that the user from the exception has the required permissions. The permissions can be assigned implicitly if the user belongs to a group or assigned to a role. You can check this via the Identity Management tool, located in the User Administration role).
For more information about portal permissions, see http://help.sap.com/saphelp_nw70/helpdata/en/f6/2604f005fd11d7b84200047582c9f7/frameset.htm. (This documentation is for NW7.0. Similar documentation exists for other versions).
d. If the user is missing the required permissions, assign the permissions according to the use case.
Section E – Open a support message:
When opening a message the following information should be provided:
· Does this happen to all users?
· Does the Super Admin user has the same issue?
· Is this a fresh installation, or an upgrade? Did the problem start suddenly?
· If only a few users are experiencing the issue, provide their user ID.
· Provide all the steps performed prior to the problem, as well as the steps taken to try to solve the problem .
· Provide the last default trace, which includes the exception ID of the Access Denied error.
· Provide steps for to reproducing the problem.
There are a number of tools available in the permissions area that can help you manage your portal permissions correctly:
1. List permissions:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/5ff84165c907dce10000000a42189d/frameset.htm– shows the permissions in the portal. This might be helpful if the Super administrator is experiencing problems navigating to the permissions in the Portal Catalog.
It also includes instructions for fixing any missing inner ACLs (for more details: SAP Note 1002832).
2. Initial permissions creator:
Creates an XML with the configured permissions – this is another way to see the permissions on the portal. This is also a way to transfer permissions between systems (http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/4c5752dd3658d8e10000000a421937/frameset.htm).
3. Security Zones checker:
Checks for and clears unused security zone paths in the security zones area (they are created when security zones were changed for an application – the old one is not deleted although it is no longer relevant.). The tool can be launched by a Super Administrator via the following URL: http://<host>:<port>/irj/servlet/prt/portal/prtroot/com.sap.portal.runtime.system.console.SecurityZonesChecker