If RA Administrator profile belongs to a certain Namespace, when it tries to create a new role in > RA > Role Management > Roles > Create New Role, the new role is not added.
Also there is no option in the role creation to choose the Namespace. Same test with an Administrator Role that has no Namespace is successful.
Error in the server.log:
2018-02-21 12:33:59,343 WARNING [javax.enterprise.resource.webcontainer.jsf.lifecycle] (default task-11) #
: org.cesecore.authorization.AuthorizationDeniedException: Current AuthenticationToken is not authorized to the namespace ''.
To reproduce this error:
- Create a Administrator Role that belongs to a Namespace with for example the access rules in the picture attached to this ticket.
- Create end entity, generate a certificate for it.
- Add the certificate serial number to the Administrator role created in step 1.
- Login with the new certificate to /ejbca/ra
- Go to Role Management > Roles > Create New Role
- Fill the parameters and click Add