--- title: Error cases description: The following topic discusses troubleshooting possible error cases and solutions. component: pingdirectory version: 11.0 page_id: pingdirectory:consent_solution_guide:pd_cs_error_cases canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/consent_solution_guide/pd_cs_error_cases.html revdate: September 13, 2023 section_ids: consent-service-is-unavailable: Consent Service is unavailable requester-lacks-sufficient-rights-to-perform-operation: Requester lacks sufficient rights to perform operation subject-and-actor-do-not-match: Subject and actor do not match unindexed-search: Unindexed search search-size-limit-exceeded: Search size limit exceeded --- # Error cases The following topic discusses troubleshooting possible error cases and solutions. ## Consent Service is unavailable If the Consent Service is unavailable, check the following: * Ensure that the service is enabled and that communication with the service is available. * Confirm that the service account for the Consent Service has been properly provisioned. * If the Consent Service resides on a PingDirectoryProxy server, make sure that the service account exists on the PingDirectoryProxy server and all PingDirectory servers behind the PingDirectoryProxy server. ## Requester lacks sufficient rights to perform operation A request might be rejected with a 403 for the following reasons: * The bearer token does not contain a required scope. Check the `privileged-consent-scope` and `unprivileged-consent-scope` properties of the Consent Service configuration. * The bearer token does not contain a required `audience` claim. Check the `audience` property of the Consent Service configuration. * Authentication was successful, but the requester is `unprivileged` and attempted to perform an operation that only a `privileged` requester can perform. For example, the requester attempted to act upon a consent record that it does not own, or it attempted to delete a consent record. When using basic authentication, the requester must be listed in the Consent Service configuration `service-account-dn` property to be considered `privileged`. ## Subject and actor do not match Only a `privileged` requester can `create` or `modify` a consent record whose `subject` and `actor` values do not match. ## Unindexed search The Consent Service doesn't allow a client to make an unindexed search. In most cases, a client should be able to fix this by refining the search. For example, if a search by `subject` is unindexed, perform a search by `subject` and `definition` ID. ## Search size limit exceeded The Consent Service caps the maximum number of records that can be returned in a search result using its `search-size-limit` configuration property. This limit can be increased, or the client might be able to refine the search to produce fewer results.