Error handling
Operation failures are indicated by SOAP faults. There are two types of SOAP faults:
- BusinessFault: The operation could not be completed successfully because of a logical error (e.g., a malformed query or a password policy violation). A BusinessException will be thrown. The elements of BusinessException are described in the table below.
- TechnicalFault: The operation could not be completed due to a technical failure (e.g., a database query timeout). A TechnicalException will be thrown. The elements of TechnicalException are described in the table below.
Type | Elements | Description |
---|---|---|
BusinessException | message | A specific textual message describing the business error that occurred. |
BusinessException | reason | A reason code according to the table, which can be evaluated and handled automatically by the client. |
BusinessException | elementIndex | This element is returned for bulk operations only, e.g., deleteCredentials(). It denotes the index of the erroneous entry. Note: first entry has index 0. |
TechnicalException | message | A textual message describing the technical error that occurred. |
Reason codes
The table lists the existing reason codes. Reason codes give a rather general idea of the problem. Detailed information is usually printed along with the reason code. All reason codes start with the prefix "error.". In the table below, this prefix has been suppressed for the sake of simplicity.
Reason code (without prefix "error.") | Description |
---|---|
addIdmToApplDataroom | It is not possible to add the nevisIDM to a data room. |
applDataroomDenied | Permission denied due to application data room restriction. |
archiveCredentialDenied | Permission denied because the credential cannot be archived. |
assignDisabledUnit | Permission denied because of an attempt to assign a disabled unit to a profile or another unit (as subunit). |
assignProfilelessUnit | Permission denied because of an attempt to assign a profileless unit to a profile. |
assignSubunitAsParent | It is impossible to assign a parent unit as subunit to one of its subunits (cyclic relation). |
attrAccessForbidden | Permission to attribute (or to modify the attribute) denied. |
certificateExists | The same certificate has been registered for another user. The certificate can only be assigned to a single user. |
certificatePolicyViolated | The certificate policy has been violated. |
clientDataroomDenied | Permission denied due to client data room restriction. |
combinedDataroomDenied | Permission denied due to data room restrictions: The user does not have the combined data room authorization. |
credentialNotActive | A credential is not active, not valid anymore or not yet valid. |
CredTypeClientPolicyViolated | A credential type that is not allowed according to the corresponding client policy has been selected. |
CredTypeUnitPolicyViolated | A credential type that is not allowed according to the corresponding unit policy has been selected. |
deleteDefaultEntity | It was not possible to delete an entity because it was the default entity. Define another entity as default first, then execute the removal again. |
dimensionNotMatch | The OpenOffice template and the card dimension of an OTP credential do not match. |
duplicateEmail | Uniqueness constraint of e-mail address has been violated. |
duplicateMobile | Uniqueness constraint of mobile number has been violated. |
duplicateName | Uniqueness constraint of a name attribute has been violated. |
duplicateValue | The uniqueness constraint of some attribute has been violated. |
enterpriseRolesDisabled | The enterprise role feature is not enabled. |
eRoleDataroomDenied | Permission denied due to enterprise role data room restriction. |
filesystemIO | IO fault related to file system operations, e.g., read or write permission missing. |
history.norecord | No history record found for the object. |
identifierPolicyViolated | The identifier (ID) violated the policy (certain characters are prohibited in identifier strings). |
inconsistentClientAssignment | An inconsistency between a client and an assigned object (authorization, application, etc.) has been discovered. |
inconsistentData | Generic reason for inconsistent data in nevisIDM database. |
insufficientFineGrainedRights | Permission denied because the user does not have sufficient fine-grained permissions. |
insufficientRightsFunction | Permission denied because the user does not have sufficient permissions. |
invalidConfig | The configuration is not valid. |
invalidData | Generic reason for invalid data in nevisIDM. |
invalidDate | The date does not have a valid format. |
invalidDateInterval | The date interval is not valid. |
invalidParameter | The input parameter is not valid, e.g., the format was not correct. |
kerberosExists | The user already has a Kerberos credential (only one per user is allowed). |
loginIdGeneratorFailed | The login ID generator was unable to generate a new login ID. |
mailModule | Generic failure occurred in the e-mail module. |
missingMandatoryPlaceholder | One or more mandatory placeholders in the template could not be resolved. |
missingReferenceData | Reference data required by nevisIDM was not found in the nevisIDM database. |
mobileCannotBeDeleted | If a user has an mTAN credential, but one tries to remove the user's mobile number, this reason code is used. |
mobileCannotBeDeleted | Occurs if the mobile number of a user who has an mTAN credential is deleted. |
mobileMissing | The SMS sending failed because the user's mobile number is not set. |
mobileSignatureExists | The user already has a mobile signature credential (only one per user is allowed). |
modifyArchivedCredential | Permission denied because archived credentials cannot be modified anymore. |
modifyArchivedProfile | Permission denied because archived profiles cannot be modified anymore. |
modifyArchivedUser | Permission denied because archived users cannot be modified anymore. |
modifyExtId | Permission denied because external IDs cannot be modified. |
modifyLoginId | Permission denied because the user's login ID cannot be modified. |
modifyReadonlyData | Attempted to modify read-only data. |
msisdnFormat | Format of MSISDN is not valid. |
msspIdentifierMissing | The MSSP identifier is missing in the mobile signature credential and no default value is set in the policy configuration. |
mTanExists | The user already has an mTAN credential (only one per user is allowed). |
nocertcred | If a certificate upload should be performed, the user needs an empty certificate credential first. |
noClientFound | The client was not found because it was not specified or was specified incorrectly. |
noDefaultUnitInClient | Default unit of the client could not be found or was not defined. |
nomobile | The user has no mobile, or the number is not a valid mobile number. |
norecord | No record was found and at least one was expected. |
noSmtpConnection | The SMTP server configured in the credential policies or in the configuration is not available. |
noTemplate | No template was found. |
nullParameter | The input parameter is not valid, e.g., it was "null" but should have a value. |
oathSecretIsShared | The secret sharing for the OATH credential failed because the secret had been shared already. |
passwordChangeDeadlineExceeded | Password change deadline exceeded. |
passwordExists | The user already has a password credential (only one password credential per user is allowed). |
pcyconf.invalidParamValue | The defined parameter value in the policy configuration is not valid. |
pcyconf.missingParam | A mandatory parameter in the policy configuration is missing. |
pcyconf.missingProfilePolicy | Profile policy is missing. |
pcyconf.multipleClientPolicy | More than one client policy for the same client exists. |
pessimisticLockingFailure | Pessimistic locking was not enough to handle the concurrency. |
policyViolation | The policy configuration is violated. |
potentialPrivilegeEscalation | Permission denied due to privilege escalation constraints. |
profilelessFlagCannotBeSet | Permission denied because of an attempt to set the profileless flag on a unit with profiles. |
property.regexinv | The property's regular expression is not valid. |
property.stringregex | The property value did not match the property's regular expression. |
propertyUniquenessViolated | Property value violated uniqueness constraints (depends on the property definition). |
propety.stringmaxlen | Property value length exceeds the maximum length defined for the property. |
PUKexists | The user already has a PUK credential (only one per user is allowed). |
pwdPolicyViolated | One or more password policy constraints have been violated. |
qrCodeGenerationFailed | The QR code generation for the OATH credential failed due to a technical problem. |
recordDeleted | The record has already (concurrently) been deleted. |
referenceDataChangeDenied | Permission denied because read-only reference data cannot be modified. |
safewordExists | The user already has a safeword credential (only one per user is allowed). |
samlAttributeFormat | Format of a SAML federation attribute is not valid. The value of the SAML federation attributes must match the regular expression set in the SAML federation policy. |
securidExists | The user already has a SecurID credential (only one per user is allowed). |
securityQuestionsExists | The user already has a security question credential (only one per user is allowed). |
securityQuestionsMaxReached | The security question reached the maximum reveal, success or failure number. Therefore, it cannot be used for authentication anymore. |
tableTypeMismatch | The OTP card challenge format does not match the provided template. |
techUser.oneProfile | Technical users can only have one profile. |
tempStrongPasswordExists | The user already has a temporary strong password credential (only one per user is allowed). |
ticketExists | The user already has a ticket credential (only one per user is allowed). |
tooManyOTPCards | The user has too many OTP credentials. The user may have at most two (during the OTP renewal process). |
tooManySearchResults | The query returned too many search results. This may occur to protect nevisIDM against performance intensive actions, or because a defined limitation for queries has been exceeded. |
undeletedDependencies | Deleting a certain object is not possible because there are still subobjects/dependencies that have to be deleted first. |
unitDataroomDenied | Permission denied due to unit data room restriction. |
urlTicket.invalidFormat | Unable to decode URLTicket string. |
URLTicketExists | The user already has a URL ticket credential (only one per user is allowed). |
urlTicketMissingURLPrefix | The URL prefix is not set for the URL ticket. Without it, the URL ticket cannot be created. |
userEmailFormat | The user's e-mail address is not valid. |
userEmailNull | The user's e-mail address is mandatory but was "null". |
userFirstNameNull | The user's first name is mandatory but was "null". |
userMobileNull | The user's mobile number is mandatory but was "null". |
userNameNull | The user's name is mandatory but was "null". |
userPhoneFormat | Format of user's phone, fax or mobile number is not valid. |
vascoExists | The user already has a Vasco Digipass token credential (only one per user is allowed). |
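The following is an added example, not code from nevisIDM or its documentation: a client-side parser that evaluates a fault automatically, strips the "error." prefix from the reason code, reads elementIndex for bulk operations, and flags permission denials for security logging. The SOAP 1.1 envelope layout, the placement of the exception element inside the fault detail, the placeholder namespace, and the AUTHZ_DENIALS grouping are assumptions; the sample fault is constructed.

```python
import xml.etree.ElementTree as ET

# Prefix-stripped reason codes the table describes as permission denials
# (subset picked for this example; worth forwarding to security monitoring).
AUTHZ_DENIALS = {
    "applDataroomDenied", "clientDataroomDenied", "combinedDataroomDenied",
    "eRoleDataroomDenied", "unitDataroomDenied", "attrAccessForbidden",
    "insufficientFineGrainedRights", "insufficientRightsFunction",
    "potentialPrivilegeEscalation",
}

# Constructed sample; the "urn:example:constructed" namespace is a placeholder.
SAMPLE_FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body><soap:Fault>
  <faultcode>soap:Server</faultcode><faultstring>constructed</faultstring>
  <detail><ns:BusinessException xmlns:ns="urn:example:constructed">
   <message>Constructed sample message</message>
   <reason>error.unitDataroomDenied</reason>
   <elementIndex>2</elementIndex>
  </ns:BusinessException></detail>
 </soap:Fault></soap:Body>
</soap:Envelope>"""

def _local(tag):
    """Drop the XML namespace so matching does not depend on the real one."""
    return tag.rsplit("}", 1)[-1]

def parse_fault(xml_text):
    """Return the fault as a dict, or None when the response carries no fault."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in SOAP response rejected")  # no entity tricks
    for el in ET.fromstring(xml_text).iter():
        kind = _local(el.tag)
        if kind not in ("BusinessException", "TechnicalException"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        reason = fields.get("reason", "")
        code = reason[len("error."):] if reason.startswith("error.") else reason
        idx = fields.get("elementIndex", "")
        return {
            "type": kind,
            "message": fields.get("message", ""),
            "reason": code or None,
            "elementIndex": int(idx) if idx.isdecimal() else None,  # 0-based
            "authz_denial": code in AUTHZ_DENIALS,
        }
    return None
```

Log the reason code and elementIndex rather than only the free-text message, so that repeated permission denials from one caller can be counted and alerted on.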