CTGIMS009E You do not have the authority to perform this operation.

In some projects you end up working against IBM middleware components running on WebSphere Application Server, for example for user access control. One such product is IBM Tivoli Identity Manager (TIM), IBM's identity lifecycle management tool.

In one project TIM was a downstream system: we had to connect to TIM and push data into it so that the data was integrated and consistent. There are two ways to do custom development against TIM:
1. Develop against TIM's Java API (the jar files)
2. Call TIM's web services

Either way involves TIM data operations.

I hit the following exception:
com.ibm.itim.apps.exception.AppProcessingException: CTGIMS009E You do not have the authority to perform this operation.

After two days of troubleshooting I finally found the cause:
when modifying a TIM Person object, the update also touched a timestamp attribute, and the value of that attribute was in the wrong format.

Troubleshooting steps:
1. Locate the trace log of the downstream TIM server, for example with:
find / -name "trace.log"

Look at the entry:

```
<Trace Level="MIN">
 <Server Format="IP">ITIMDev2</Server>
 <ProductId>CTGIM</ProductId>
 <Component>com.ibm.itim.apps.ejb.organization</Component>
 <ProductInstance>server1</ProductInstance>
 <Thread>WebContainer : 15</Thread>
 <LogText><![CDATA[com.ibm.itim.apps.exception.AppProcessingException: CTGIMS009E You do not have the authority to perform this operation.
	at com.ibm.itim.apps.ejb.organization.PersonManagerBean.checkAttributeWriteAccess(PersonManagerBean.java:767)
	at com.ibm.itim.apps.ejb.organization.PersonManagerBean.modifyPerson(PersonManagerBean.java:1345)
	at com.ibm.itim.apps.ejb.organization.EJSRemoteStatelessenroleejb_PersonManagerHome_98299293.modifyPerson(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
	at java.lang.reflect.Method.invoke(Method.java:611)
	at com.ibm.CORBA.iiop.ClientDelegate$3.run(ClientDelegate.java:1165)
	at java.security.AccessController.doPrivileged(AccessController.java:417)
	at com.ibm.CORBA.iiop.ClientDelegate.invoke0(ClientDelegate.java:1162)
	at com.ibm.CORBA.iiop.ClientDelegate$ClientDelegate0.invoke(ClientDelegate.java:1399)
	at com.sun.proxy.$Proxy121.modifyPerson(Unknown Source)
	at com.ibm.itim.apps.ejb.organization._PersonManager_Stub.modifyPerson(_PersonManager_Stub.java:1068)
	at com.ibm.itim.apps.identity.PersonMO$5.run(PersonMO.java:612)
	at com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextImpl.doAs(WebSpherePlatformContextImpl.java:97)
	at com.ibm.itim.apps.identity.PersonMO.update(PersonMO.java:602)
	at com.ibm.itim.apps.identity.PersonMO.update(PersonMO.java:505)
	at com.ibm.itim.apps.identity.PersonMO.update(PersonMO.java:468)
	at com.bamboocloud.itim_web.service.TestService.save(TestService.java:111)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
	at java.lang.reflect.Method.invoke(Method.java:611)
	at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
	at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
	at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
	at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
	at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
	at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
	at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
	at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
	at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
	at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1232)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:781)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:480)
	at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1114)
	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3926)
	at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1007)
	at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
	at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
	at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
	at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
	at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
	at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
	at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
	at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
	at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
]]></LogText>
</Trace>
```

There is nothing very useful in here; Trace Level="MIN" shows that logging is at its lowest level. The one hint the stack trace does give is the failing frame: the exception is thrown from PersonManagerBean.checkAttributeWriteAccess, called by modifyPerson, so this is an attribute-level write-permission check failing, not a login or role problem.

2. I wondered whether the account used to log in to TIM simply lacked administrator rights and so could not create, delete or modify anything. I logged in to the TIM console with that same account and changed a test account at will; that worked, so this cause was ruled out.

3. Could it be that a particular attribute has no write permission? And how would you check that? A Google search turned up an IBM note saying that you can see the attribute permissions by raising the log level: http://www-01.ibm.com/support/docview.wss?uid=swg21384050

It also says the exception can occur when a date field is included in the provisioning policy entitlement parameters and the date shown on the form differs from the date retrieved from the provisioning policy parameters: ftp://129.35.224.19/ecc/sar/CMA/TIA/00v3l/0/5.0.0.9-TIV-TIM-FP0009.README

Symptom: The exception "CTGIMS009E: You do not have the authority to perform this operation" may occur when end users request accounts for themselves via the SSUI. This exception occurs when a date field is included in Provisioning Policy entitlement parameters and if the date displayed on the form differs from the date retrieved from the provisioning policy parameters.

4. Turn on TIM's highest log level:
Find the enRoleLogging.properties file on the TIM server and add:

```
logger.trace.com.ibm.itim.authorization.level=DEBUG_MAX
logger.trace.com.ibm.itim.apps.ejb.account.level=DEBUG_MAX
logger.trace.com.ibm.itim.apps.ejb.organization.level=DEBUG_MAX
```

The configuration is re-read roughly every ten minutes; alternatively restart TIM (I recommend waiting the few minutes instead, since TIM is not our own product).

Now the permissions of every attribute are visible:

```
<Trace Level="MAX">
 <Time Millis="1533720361496"> 2018.08.08 17:26:01.496+08:00</Time>
 <Server Format="IP">ITIMDev2</Server>
 <ProductId>CTGIM</ProductId>
 <Component>com.ibm.itim.authorization</Component>
 <ProductInstance>server1</ProductInstance>
 <LogText><![CDATA[Permissions granted {octsobid=rw, street=rw, erlastoperation=rw, octorgorder=rw, persontype=rw, octiamid=rw, departmentnumber=rw, octentrytime=rw, teletexterminalidentifier=rw, userid=rw, erroles=rw, registeredaddress=rw, photo=rw, postalcode=rw, octcomid=rw, x121address=rw, octgmlevel=rw, erlocale=rw, homepostaladdress=rw, displayname=rw, telephonenumber=rw, octorgname=rw, uid=rw, physicaldeliveryofficename=rw, title=rw, sn=rw, octpersonpinyin=rw, st=rw, octpid=rw, octpopertime=rw, cn=rw, l=rw, o=rw, employeenumber=rw, octinputtime=rw, octjobid=rw, facsimiletelephonenumber=rw, ersharedsecret=rw, givenname=rw, internationalisdnnumber=rw, octstafforder=rw, octapp001=rw, octapp002=rw, octapp003=rw, octapp004=rw, octapp005=rw, octplurid=rw, octapp006=rw, preferreddeliverymethod=rw, octapp007=rw, octapp008=rw, octapp009=rw, octbirthday=rw, eruri=rw, mobile=rw, ercustomdisplay=rw, octjobname=rw, manager=rw, octapp010=rw, initials=rw, octapp011=rw, octapp012=rw, eraliases=rw, octapp013=rw, octstaffstatus=rw, octapp014=rw, octapp015=rw, octmainid=rw, octapp016=rw, octapp017=rw, octapp018=rw, mail=rw, x500uniqueidentifier=rw, octapp019=rw, secretary=rw, businesscategory=rw, destinationindicator=rw, octorgshortname=rw, pager=rw, erroleassignments=rw, issync=rw, octstaffnum=rw, postaladdress=rw, jpegphoto=rw, octapp020=rw, octapp021=rw, octapp022=rw, octapp023=rw, octapp024=rw, octapp025=rw, octapp026=rw, octapp027=rw, ersupervisor=rw, audio=rw, telexnumber=rw, preferredlanguage=rw, erimageuri=rw, octorgid=rw, octgender=rw, roomnumber=rw, octleavetime=rw, octplurorgid=rw, ou=rw, employeetype=rw, carlicense=rw, postofficebox=rw, homephone=rw, labeleduri=rw, octstafftype=rw, appid=rw, description=rw, octorgsoborgid=rw}]]></LogText>
 <Source FileName="com.ibm.itim.authorization.DefaultAccessAuthorityStrategy" Method="getOperationsAllowedForAttributes"/>
 <Thread>WebContainer : 0</Thread>
</Trace>
```

With this printed out you can tell which attributes are read-only (r = read, w = write).
Note that the attributes listed here are all custom ones; the system default attributes are not in the list.

And now the log entry I was looking for appears:

```
<Trace Level="MAX">
 <Time Millis="1533719878324"> 2018.08.08 17:17:58.324+08:00</Time>
 <Server Format="IP">ITIMDev2</Server>
 <ProductId>CTGIM</ProductId>
 <Component>com.ibm.itim.apps.ejb.organization</Component>
 <ProductInstance>server1</ProductInstance>
 <LogText><![CDATA[The following attributes is not writable according to ACIs. Details- entity: com.ibm.itim.dataservices.model.domain.BusinessUnitEntity: erglobalid=0_0_1,ou=orgChart,erglobalid=000000000,ou=CHIXXX,dc=CHIXXX,dc=COM, targetClass: OCTemployee, attributes: {erpersonstatus=
	attribute name: erpersonstatus
		attribute values: 
			0, ercreatedate=
	attribute name: ercreatedate
		attribute values: 
			201808081717, ersynchpassword=
	attribute name: ersynchpassword
		attribute values: 
			*6*}]]></LogText>
 <Source FileName="com.ibm.itim.apps.ejb.organization.PersonManagerBean" Method="checkAttributeWriteAccess"/>
 <Thread>WebContainer : 17</Thread>
</Trace>
```

The LogText element carries the detailed error: The following attributes is not writable according to ACIs. Details - entity: ...
(something like that; I forgot to save the log)

So my cause was found: the update carried values for the erpersonstatus / ercreatedate / ersynchpassword attributes. Removing them from the update fixed the problem. These are system default attributes that the account has no right to change; TIM maintains them itself and updates them whenever the data changes. I hope this helps anyone who runs into the same problem.
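As an added example (not code from the original post or from IBM), here is a small Python helper that turns the two trace.log entries above into a pre-flight check for the integration: it builds the per-attribute permission map from the `Permissions granted {...}` line written by DefaultAccessAuthorityStrategy, collects the attribute names that PersonManagerBean.checkAttributeWriteAccess rejected as "not writable according to ACIs", and strips both kinds of attribute from an update payload before it is sent to TIM, reporting why each one was dropped. The trace text embedded in the script is a constructed, abbreviated copy of the entries shown above, with `departmentnumber` changed from `rw` to `r` so that the read-only branch is exercised; the payload and the function names are assumptions.

```python
"""Added example: derive, from ITIM trace.log output, which Person attributes an
update must not send, and strip them from the payload before calling TIM.
Not code from the original post or from IBM; names and sample data are assumed."""
import re
from typing import Dict, Set, Tuple

# Constructed sample: abbreviated from the two trace entries quoted above.
# departmentnumber is deliberately changed from rw to r to exercise the read-only branch.
SAMPLE_TRACE = """<Trace Level="MAX">
 <Component>com.ibm.itim.authorization</Component>
 <LogText><![CDATA[Permissions granted {street=rw, erlastoperation=rw, persontype=rw, departmentnumber=r, uid=rw, sn=rw, cn=rw, mail=rw, employeenumber=rw, description=rw}]]></LogText>
 <Source FileName="com.ibm.itim.authorization.DefaultAccessAuthorityStrategy" Method="getOperationsAllowedForAttributes"/>
</Trace>
<Trace Level="MAX">
 <Component>com.ibm.itim.apps.ejb.organization</Component>
 <LogText><![CDATA[The following attributes is not writable according to ACIs. Details- entity: com.ibm.itim.dataservices.model.domain.BusinessUnitEntity: erglobalid=0_0_1,ou=orgChart,erglobalid=000000000,ou=CHIXXX,dc=CHIXXX,dc=COM, targetClass: OCTemployee, attributes: {erpersonstatus=
    attribute name: erpersonstatus
        attribute values: 
            0, ercreatedate=
    attribute name: ercreatedate
        attribute values: 
            201808081717, ersynchpassword=
    attribute name: ersynchpassword
        attribute values: 
            *6*}]]></LogText>
 <Source FileName="com.ibm.itim.apps.ejb.organization.PersonManagerBean" Method="checkAttributeWriteAccess"/>
</Trace>
"""

# Constructed update payload: what the integration tried to push to TIM,
# including the three system-managed attributes that triggered CTGIMS009E.
SAMPLE_PAYLOAD = {
    "cn": "test user",
    "mail": "test.user@example.com",
    "departmentnumber": "D100",
    "erpersonstatus": "0",
    "ercreatedate": "201808081717",
    "ersynchpassword": "*6*",
}

GRANTED_RE = re.compile(r"Permissions granted \{([^}]*)\}")
ACI_BLOCK_RE = re.compile(
    r"not writable according to ACIs\..*?attributes: \{(.*?)\}\]\]>", re.DOTALL
)
ATTR_NAME_RE = re.compile(r"attribute name: (\S+)")


def parse_granted(trace: str) -> Dict[str, str]:
    """Attribute -> permission string ('rw', 'r', ...) taken from every
    getOperationsAllowedForAttributes entry in the trace text."""
    granted: Dict[str, str] = {}
    for match in GRANTED_RE.finditer(trace):
        for item in match.group(1).split(","):
            if "=" not in item:
                continue
            name, perm = item.split("=", 1)
            granted[name.strip().lower()] = perm.strip()
    return granted


def parse_aci_blocked(trace: str) -> Set[str]:
    """Attribute names that checkAttributeWriteAccess reported as
    not writable according to ACIs."""
    blocked: Set[str] = set()
    for match in ACI_BLOCK_RE.finditer(trace):
        blocked.update(n.lower() for n in ATTR_NAME_RE.findall(match.group(1)))
    return blocked


def split_update(payload: Dict[str, str], granted: Dict[str, str],
                 blocked: Set[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (attributes safe to send, attributes dropped with the reason).
    An attribute with no permission entry at all is treated as not writable:
    the system-managed er* attributes never appear in the granted map."""
    allowed: Dict[str, str] = {}
    dropped: Dict[str, str] = {}
    for name, value in payload.items():
        key = name.lower()
        if key in blocked:
            dropped[name] = "rejected by ACI check"
        elif key not in granted:
            dropped[name] = "no permission entry (system-managed attribute)"
        elif "w" not in granted[key]:
            dropped[name] = "read-only (%s)" % granted[key]
        else:
            allowed[name] = value
    return allowed, dropped


if __name__ == "__main__":
    granted = parse_granted(SAMPLE_TRACE)
    blocked = parse_aci_blocked(SAMPLE_TRACE)
    safe, dropped = split_update(SAMPLE_PAYLOAD, granted, blocked)
    print("send   :", safe)
    print("dropped:", dropped)
```

Run against a real trace.log, the same three functions give you the list of attributes to remove from the integration's update before PersonMO.update is called, which is exactly the fix described above; treating "absent from the granted map" as not writable is what catches erpersonstatus, ercreatedate and ersynchpassword even before the ACI rejection shows up in the log.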
