Troubleshooting: Policy group subscription

A policy that you expect to grant access appears in the trace, however it is not being applied.

Problem: A policy that you expect to grant access appears in the trace, however it is not being applied.

Indication: An error similar to the following example is logged to the trace.log file.

PolicyManagerImpl.isAllowed isAllowed? User=510; 
Action=Execute; 
Protectable=
com.ibm.commerce.catalog.commands.ProductDisplayCmdImpl;

Owner=2002; Resource Ancestor Orgs=2002,-2001; Resource Applicable
Orgs=2002

PolicyManagerImpl.isAllowed Found PolicyName: 

AllUsersExecuteResellerUserCmdResourceGroup
;
PolicyType: 3; PolicyOwner: -2001

PolicyManagerImpl.getPolicyApplicableOrgs 
No organizations subscribe to a policy group with this
policy

PolicyManagerImpl.isAllowed Policy does not apply to the resource's
applicable organizations
...

PolicyManagerImpl.isAllowed 
PASSED? =false 

Solution:

  1. Ensure that the resource owner is subscribing to the correct policy groups. For example, the file:

    WC_installdir\xml\policies\xml\defaultAccessControlPolicies.xml

    shows that the AllUsersExecuteResellerUserCmdResourceGroup belongs to the B2CPolicyGroup:
    
    <PolicyGroup Name="B2CPolicyGroup"
    OwnerID="RootOrganization">
            <PolicyGroupPolicy
    Name="AllUsersExecuteResellerUserCmdResourceGroup" 
            PolicyOwnerID="RootOrganization" />
            <PolicyGroupPolicy
    Name="AllUsersExecuteResellerUserViews" 
                    PolicyOwnerID="RootOrganization"/>
    </PolicyGroup>
    
  2. Query the ACPLGPSUBS database table to determine whether there is a correct association between the necessary access control policy groups and the organizational entities. For example, ensure that the current store's organization is associated with B2CPolicyGroup
    orgentity_id acpolgrp_id
    2002 10001(ManagementAndAdministrationPolicyGroup)
    2002 10003 (CommonShoppingPolicyGroup)
  3. Subscribe the organization to the policy group. (In this example, the organization should subscribe to the B2CPolicyGroup).