When a User Is Assigned Roles

Roles are assigned at authentication, so this type of trace is found in the Identity Server catalina.out file. The following is a trace of a user who does not meet the conditions required to be assigned the Manager role (for a definition of this Role policy, see Figure 34-9).

<amLogEntry> 2009-06-11T15:38:38Z INFO NIDS Application: AM#500199050: AMDEVICEID#9921459858EAAC29: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc= : IDP RolesPep.evaluate(), policy trace:
   ~~RL~0~~~~Rule Count: 1~~Success(67)
   ~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67)
   ~~CS~1~~ANDs~~1~~False(68)
   ~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~False(68)
</amLogEntry>

This trace describes the following about the policy.

  1. RL trace: Indicates that the policy has one rule and that the policy evaluated without error.

  2. RU trace: Indicates that the rule (RuleID_1181251958207) has one condition and one action and that the rule evaluated without error.

  3. CS trace: Indicates that the condition set evaluated to False (the user logging in does not match the conditions of the set).

  4. CO trace: Indicates that the individual condition evaluated to False (the user logging in does not match the condition; here, the ldap-group-is-member-of check against the selected LDAP group).

When you troubleshoot why a user is not granted access to a resource that uses a role in its authentication policy, first look at the Identity Server catalina.out file and determine whether the user was assigned the role. In this trace, you can see that the user was not assigned the role. To fix this problem, you can either change the conditions of the Role policy to match the user or change the user’s information (for example, the LDAP group membership) so that the user matches the existing condition in the role policy.
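As an added example (not part of the product or this documentation), the following Python script parses the RolesPep trace format described in the list above and produces the troubleshooting answer from the paragraph: which rule and role were evaluated, whether evaluation ran without error, whether the role was assigned, and which condition failed. The field layout and the DNF interpretation are inferred only from the sample trace on this page.

```python
"""Parse a RolesPep policy trace from catalina.out and summarise it.
Added example; field positions are inferred from the sample trace on
this page, not taken from product documentation."""
import re

# Constructed sample: the trace from this page, embedded verbatim.
SAMPLE_TRACE = """\
<amLogEntry> 2009-06-11T15:38:38Z INFO NIDS Application: AM#500199050: AMDEVICEID#9921459858EAAC29: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc= : IDP RolesPep.evaluate(), policy trace:
   ~~RL~0~~~~Rule Count: 1~~Success(67)
   ~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67)
   ~~CS~1~~ANDs~~1~~False(68)
   ~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~False(68)
</amLogEntry>
"""

# Every trace line ends in a result token such as Success(67) or False(68).
RESULT_RE = re.compile(r"^(\w+)\((\d+)\)$")

def parse_trace(text):
    """One dict per ~~-prefixed line: kind (RL/RU/CS/CO), the ~-separated
    fields between kind and result, the result word and its numeric code."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("~~"):
            continue  # <amLogEntry> header and footer are not trace lines
        fields = line[2:].split("~")
        m = RESULT_RE.match(fields[-1])
        if m is None:
            raise ValueError("trace line without a result token: %r" % line)
        entries.append({"kind": fields[0], "fields": fields[1:-1],
                        "result": m.group(1), "code": int(m.group(2))})
    return entries

def summarize(text):
    """Troubleshooting view: rule, role, error-free evaluation, assignment,
    and the operators of every CO line that evaluated False."""
    entries = parse_trace(text)
    rule = next(e for e in entries if e["kind"] == "RU")
    # Assumption: a DNF rule ORs its ANDed condition sets, so the role is
    # assigned when at least one CS line did not evaluate to False.
    sets = [e for e in entries if e["kind"] == "CS"]
    failed = [e["fields"][2] for e in entries
              if e["kind"] == "CO" and e["result"] == "False"]
    return {"rule_id": rule["fields"][0],
            "role": rule["fields"][1],
            "evaluated_ok": all(e["result"] == "Success" for e in entries
                                if e["kind"] in ("RL", "RU")),
            "assigned": any(s["result"] != "False" for s in sets),
            "failed_conditions": failed}
```

Running `summarize(SAMPLE_TRACE)` on the page's trace reports the Manager role as not assigned because the ldap-group-is-member-of condition evaluated False.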