Resolve "Service Access ID Not Granted Entitlement" in the API Gateway

Some API Gateway policies correlate to an application in a JVM. In the API Gateway, use the Route via HTTP assertion to determine whether the policy correlates to a particular JVM. If it does, check the application logs. If “Service Access ID Not Granted Entitlement” appears in the application log, the cause of Assertion Falsified 600 is that the user does not have access to the operation being requested. In this example, the user with ID JohnDoe does not have access to the operation being requested.

JohnDoe  394725  /  WebContainer : 5  ERROR  - Exception Occurred - Service Access ID Not Granted Entitlement


The API Gateway audit log identifies the operation being requested, such as myOperation. The user requesting the operation needs to have the entitlement, such as “cn=svc_application_myOperation,ou=entitlements,o=Acme”. The Associated Logs tab can be used to determine the entitlements the user has been granted. After the Query LDAP event, there should be a record that returns the entitlements that the user has been granted. If the user does not have the entitlement, they will need to submit a request for the entitlement.

If the user has the appropriate entitlement, Assertion Falsified 600 may still be displayed depending on the type of token being used, such as an OnBehalfOf or ActAs token. For example, the user may have entitlement to the operation with an OnBehalfOf token, but may not have entitlement with an ActAs token. The Request tab in the audit log should show whether OnBehalfOf or ActAs is being used.
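
The triage steps above can be scripted once the application log and the entitlements from the Query LDAP record have been exported. The following is an added example, not code from the API Gateway or the application. The log layout is inferred from the single sample line above, and DN_TEMPLATE, the function names and the sample data are assumptions made for illustration.

```python
import re

ERROR_TEXT = "Service Access ID Not Granted Entitlement"
# Layout inferred from the one sample line on the page (assumption):
# <user id> <number> / <thread> ERROR - <message>
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+\d+\s+/\s+(?P<thread>.+?)\s+ERROR\s+-\s+(?P<msg>.*)$")
# Hypothetical naming scheme modelled on the page's example DN.
DN_TEMPLATE = "cn=svc_application_{op},ou=entitlements,o=Acme"

def denied_users(log_lines):
    """User IDs, in first-seen order, whose requests hit the entitlement error."""
    users = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if m and ERROR_TEXT in m.group("msg") and m.group("user") not in users:
            users.append(m.group("user"))
    return users

def normalize_dn(dn):
    """Lower-case a DN and trim spaces around '=' and ',' (assumes
    case-insensitive attributes; escaped commas are not handled)."""
    rdns = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in rdns)

def triage(log_lines, operation, granted_by_user):
    """Map each denied user to the next troubleshooting step."""
    wanted = DN_TEMPLATE.format(op=operation)
    report = {}
    for user in denied_users(log_lines):
        granted = {normalize_dn(d) for d in granted_by_user.get(user, [])}
        if normalize_dn(wanted) in granted:
            report[user] = "entitlement present: check token type (OnBehalfOf vs ActAs)"
        else:
            report[user] = "missing entitlement: request " + wanted
    return report

# Constructed sample data (not real logs or directory contents).
SAMPLE_LOG = [
    "JohnDoe  394725  /  WebContainer : 5  ERROR  - Exception Occurred - Service Access ID Not Granted Entitlement",
    "JaneRoe  394801  /  WebContainer : 2  ERROR  - Exception Occurred - Service Access ID Not Granted Entitlement",
    "JohnDoe  394900  /  WebContainer : 5  INFO  - Request completed",
]
SAMPLE_GRANTS = {
    "JohnDoe": ["cn=svc_application_otherOperation,ou=entitlements,o=Acme"],
    "JaneRoe": ["CN=svc_application_myOperation, OU=entitlements, O=Acme"],
}

if __name__ == "__main__":
    for user, step in triage(SAMPLE_LOG, "myOperation", SAMPLE_GRANTS).items():
        print(user, "->", step)
```

A user reported as "entitlement present" corresponds to the OnBehalfOf versus ActAs case described above, which has to be confirmed in the Request tab of the audit log.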
