Issue:
When creating or duplicating an HCO through FSS UI, the following error is logged in Policy Server log:
[11/08/2017][11:58:30][1434][LogMessage:ERROR: Insufficient rights. (fetch, CA.SM::HostConfig@21-6a3ca23d-408d-5510-a3c1-73ad23b5e9cc(My_HCO_Name))]
Then, if an Agent is being registered to get that HCO, the same error appears and the registration fails.
Environment:
FSS UI in Policy Server R12.52 SP1
Cause:
In FSS UI, an Administrator with the "Manage System and Domain Objects" permissions under 'Tasks' in the Administrator Dialog was used to create all system objects. This included create/modify/delete a Host Configuration Object (HCO).
A separate permission 'Register Trusted Hosts' was used to register trusted host (for example, using smreghost tool).
Since Siteminder R12.0, a new design model was implemented - eXtensible Policy Store (or XPS). In this model, there are definitions in Security Categories for Administrators, to better manage administrator rights with more fine grained permissions (as well as other features such as workspaces, etc).
Administrators created using FSS UI are considered 'Legacy Administrators' to support old administrator accounts while transitioning to the new model, and the object stored as per legacy model. When an administrator is created using the FSS UI (or a Legacy Administrator in AdminUI), a corresponding administrator object is also created in XPS with the Permissions translated to the new Security Categories.
In the XPS model, there are different Security Categories: https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/accessibility-mode-for-the-administrative-ui
and one of them is "Host Administration" which is now used to create/modify/delete both Trusted hosts and Host Configuration Objects.
When using the FSS UI to create or modify an HCO, the FSS UI uses the older Admin Session API to create or modify the object in the Policy Store. Then the Policy Server is using the older, legacy code to save the modified object in the Policy Store.
After the object is saved in the Policy Store, the Policy Server Object Cache needs to be updated to reflect the changes. Policy Server uses the XPS model to refresh the cache, and in this model the newer Security Categories are checked for the administrator to verify that the administrator has the rights to perform the 'Fetch' of the new or modified HCO from the Policy Store.
If this legacy administrator does not have the 'Register Trusted Hosts' legacy permission (which corresponds to the new 'Host Administration' Security Category, then you will see the error in the Policy Server log file. The object was still created or modified correctly, but fetching the object into the Policy Server cache failed since the fetching (for all objects) is done using the newer XPS model.
Resolution:
Note that FSS UI is a deprecated tool which is still being provided for backwards compatibility with old legacy Federation setups, however since R12.0 we are providing AdminUI which is the tool recommended, and uses the new XPS model. Note that FSS UI is not provided anymore since R12.7 version.
If you would still want to use the FSS UI, then you need to add the 'Register Trusted Hosts' Permission for the administrator to avoid the error, as this will make the legacy administrator object representation in the XPS store to have the 'Host Administration' Security Category.
Additional Information:
KD : kb000008485