Some API Gateway policies correlate to an application in a JVM. In the API Gateway, use the Route via HTTP assertion to determine if the policy correlates to a particular JVM. If so, check the application logs. If “Service Access ID Not Granted Entitlement” is found in the application log, this means the cause of Assertion Falsified 600 is that the user does not have access to the operation being requested. In this example, the user with ID JohnDoe does not have access to the operation being requested.

JohnDoe  394725  /  WebContainer : 5  ERROR  - Exception Occurred - javax.xml.ws.soap.SOAPFaultException: Service Access ID Not Granted Entitlement

The Gateway Audit Events log will identify the operation being requested, such as myOperation. The user requesting the operation needs to have the entitlement, such as “cn=svc_application_myOperation,ou=entitlements,o=Acme”. The Associated Logs tab can be used to determine the entitlements the user has been granted.  After the Query LDAP event should be a record that returns the entitlements that the user has been granted. If the user does not have the entitlement, they will need to submit a request for the entitlement.

If the user has the appropriate entitlement, Assertion Falsified 600 may still be displayed based on the type of token being used, such as an OnBehalfOf or ActAs token. For example, the user may have entitlement to the operation with an OnBehalfOf token, but may not have entitlement with an ActAs token. You should be able to see in the Request tab in the audit log if OnBehalfOf or ActAs is being used.