CUA and role assignment
Hi forum,
I have a CUA configured where I want the profile and the role assignment to be distributed global from the central system. I can create new roles with PFCG assign, users there, but I dont see these new roles in the user details in SU01.
What am I doing wrong?
Thank you!
Hi Chris,
Seems pretty simple to me. Since it is a new role you need to do a text comparision.
In the central system of CUA execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in SE38 transaction.
In receiving systems give all the systems that are part of CUA including the central system (in this particular case only central system can be input since the new role is present in central system) Now execute it and then do the role assignment wither through SU01 or PFCG once again. Check once more.
After every new role creation this report needs to be executed. This is what is known as Text comparison of roles which can also be done in SU01. Check for the pushbutton for text comparision under tabsrtip Roles within SU01.
Regards.
Ruchit.
Similar Messages
-
Background job fails for BDC profile creation and role assignment
Hi Experts,
I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. the problem is that when i run this program in foreground it executes succesfully, but if i schedule it in background it fails throwing error in job log 'Role 'Z...' does not contain any active authorizations'. But i have created one more program to create authorization objects which runs before this zprogram.I have also checked the authorization object in 'RSECADMIN', it reflects active. I dont understand whats happening exactly when it runs background.
Below is the process of job
1. ZMIS_AUTH_OBJECT_CREATE
Variant : auth-create
2. ZMIS_AUTH_ASSIGN_TO_ROLE
Variant : auth-assign
The problem is in second program, runs in foreground but fails in background.
Code which i have written in my second program
***BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
***Generation of Profile created
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14 .
Experts please help me out its very urgent. your help is appreciated and rewarded. Thanking you in advance.
Regards,
ChetanHi Praveen,
Yeah definately, my requirement is that I have to access of some BI reports to certain users, so contract data will be downlaoded from ECC on application server, need to read that file from application server and for the each contract i ahould create a authorization object, role creation and assigning of role to the user and profile generation and activation.
To achieve this i have written two programs
1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
"" Creation of Authorization Object
CALL FUNCTION 'ZAUTHOBJ'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
g_authname_001 = 'ZDUMMY_MIS'
g_targetauth_002 = wa_tab-auth
g_authtxt_003 = wa_tab-short_desc
g_authtxtmd_004 = wa_tab-med_desc
marked_04_005 = 'X'
g_authtxt_006 = wa_tab-short_desc
g_authtxtmd_007 = wa_tab-med_desc
tctiobjnm_04_008 = 'ZBUS_UNIT'
g_authtxt_009 = wa_tab-short_desc
g_authtxtmd_010 = wa_tab-med_desc
marked_05_011 = ''
opt_01_012 = 'EQ'
low_01_013 = wa_tab-bu
g_authtxt_014 = wa_tab-short_desc
g_authtxtmd_015 = wa_tab-med_desc
marked_04_016 = 'X'
g_authtxt_017 = wa_tab-short_desc
g_authtxtmd_018 = wa_tab-med_desc
tctiobjnm_04_019 = 'ZCONTRCT'
g_authtxt_020 = wa_tab-short_desc
g_authtxtmd_021 = wa_tab-med_desc
marked_05_022 = ''
opt_01_023 = 'EQ'
low_01_024 = lv_contract
g_authtxt_025 = wa_tab-short_desc
g_authtxtmd_026 = wa_tab-med_desc
g_authtxt_027 = wa_tab-short_desc
g_authtxtmd_028 = wa_tab-med_desc
g_authname_029 = wa_tab-auth
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
"" Creation of role
LOOP AT it_role INTO wa_role.
CLEAR wa_text.
wa_text-text = wa_role-desc.
wa_text-langu = 'E'.
APPEND wa_text TO it_text.
wa_jobrole-agr_name = wa_role-role_name.
wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
wa_method-usmethod = 'CHANGE'.
CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
EXPORTING
jobrole = wa_jobrole
parent = wa_parentrole
method = wa_method
TABLES
* RETURN =
shorttext = it_text
* LONGTEXT =
* MENU_NODES =
* MENU_TEXTS =.
ENDLOOP.
2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
""*BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message .
COMMIT WORK AND WAIT.
""*Generation of Profile created
LOOP AT it_role INTO wa_role.
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
ENDLOOP.
For creating authorization objects, role & profile i have created one dummy auth, dummy role & dummy profile respectively.
i have created dummy objects to copy the roles from dummy object and assign the same to new Auth obj, role & profile.
Let me know what needs to be done. because these both the programs run perfectly in foreground, but fails in background.
Regards,
Chetan -
Report to see user type and roles assigned to users in EP?
Hi,
a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
b) If the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.By default Portal UME comes along with the installation of portal.
Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories. But you can also create users in the portal UME. The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
You can check them in user administration->identity management and search for the users.
THere you can see some users will be from UME and some from LDAP.
User Admin tool is nothing but User Administration only.
Raghu -
Making users available for OpenSSO realm group and role assignment?? Help.
Here is the situation. We have 3 Open SSO realms set up. One we have called OpenSSO-Admin, a second called OpenSSO-Provider and a third OpenSSO-Internal. We are having issues provisioning and managing the OpenSSO-Internal OpenSSO-Provider realms, but OpenSSO-Admin seems to be fine.
Here is the behavior that is manifest.
In the 2 'broken' realms, when we create users and assign them to the appropriate Open SSO realm, they appear to be provisioned correctly in IDM as well as the realm (We have validated user creation in LDAP and everything about the user appears to be fine). When we view the groups and roles in the specific resources, we are presented with a list of users that are in Brackets and appear to be provisioned. The brackets indicate that the users are not found as available users. The bracketed users can not be unassigned, nor can any others. note, our bracketed users in the list of assigned users are created from a workflow which assigns them directly to the appropriate group and role based on their business role.
The third realm, OpenSSO-Admin works fine and we can add, and manage users in the groups and roles within the realm.
We have ruled out the workflow as a source as the problem persists when we use the tool to manage users. We can create a user from scratch and add them to the realms. In the 'Broken' relms, the users do not appear in thelist of available users to be assigned to the groups or roles. Yet in the 'good realm, everything appears fine. We can move users from one realm to another and the problem persists in the broken realms, but when a user is added to the 'good' realm, everything is fine.
I have tried reconciling and get no different results.
Question is, We have isolated that the issue seems to be in the generation / management of the left hand "Available Users" list. How and where is this generated from and how can we check/fix or regenerate this list?
Thanks.
JoeI should clarify. We are using Sun IDM 8.1
-
List of Users and Roles Assigned in Portal (producer & consumer)
Hi
We are running federated portal EP 7.0 EHP1 SPS07, we need to pull the list of users and their roles assigned from tables or thru report in our federated portal, so that we can have a consolidated list of users and their roles in both producer and consumer portal
Thanks
SenthilHi Senthil,
Use report RSUSR002 to get list of roles for the users.
Regards,
Marasa. -
Custom Auth. Object with Profile and role assignment not working
Hi,
I have created custom Authorization Object with field ACTVT with allowed values - 01,02, 03. Now test it with custom program using AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ' it is working fine and returning sy-subrc 12. At this point i have not created any role using this Auth Object.
Now I have created custom role ZPM_**** and assigned above Auth object to it with value ACTVT 03. Assigned this role to user.
When I try to test the above custom program with any ACTVT value it is giving sy-subrc as 0. Used below custom code in program.
AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ'
ID 'ACTVT' FIELD '01'.
Am I missing anything? The profiles are generated correctly.
Best Regards,
NileshBelow are the screen shots for PFCG:
-
Hi,
one question regarding layouts. When you create a new layout you have to assign it to the roles, for which the new layout should be visible. And I have seen for parametric roles you have to/can choose the parametric value as well. But I would like to assign it to a complete parametric role, not just some values of it. Is there an easier way than just assign it to all values? Especially since the values for my parametric role will change quite frequently, it would be a little bit annoying.
Regards
MatthiasHi,
one question regarding layouts. When you create a new layout you have to assign it to the roles, for which the new layout should be visible. And I have seen for parametric roles you have to/can choose the parametric value as well. But I would like to assign it to a complete parametric role, not just some values of it. Is there an easier way than just assign it to all values? Especially since the values for my parametric role will change quite frequently, it would be a little bit annoying.
Regards
Matthias -
Indirect Role Assignment Within CUA
Hi Experts,
Weu2019re implementing indirect role assignment in SAP HR and exploring the feasibility to include this client as part of CUA. Has anyone implemented this before? Appreciate if you could share.
I understand that CUA able to distribute DIRECT role assignment made from central client to the child client(s), but not so sure if it is possible for INDIRECT role assignment approach. My previous project exclude client with indirect role assignment from the CUA distribution landscape and I wonder why.
Appreciate your input in this matter and looking forward for further discussion.
Best regards and million thanks in advance.Hi,
So I worked on a CUA managed landscape that had systems that featured indirect org assignment hooked in. The association between the User ID and the HR org based position was still maintained locally as the local system contained the HR Org structure, but direct access was still blocked by CUA The roles assigned indirectly were visible from CUA in a different colour. You can still maintain users directly from CUA on top of this. This may be an alternative to consider.
If the local system does not contain the HR Org structure you are probably going to have to export the structure, so if that is the case you might as well import it to CUA if all org relevant users are maintained there and manage it centrally via the advised link anyway.
Cheers
Steve -
Role assignment to user in child system
Hi,
We have a CUA with role assignment in SCUM defined as global. There is any way of assigning roles to users in child system when CUA system is not available? There is any way to allow roles assignement in both Parent and child systems?
Many thanks for your help!!
RaquelOne way would be to temporarily delete the CUA assignment in the child and then maintain locally, but you will need to attach it again... and decide whether you want the CUA master to know about what you have done.
Plan B on older Support Packs is to take a look at the correction instructions of [SAP Note 1504495|https://service.sap.com/sap/support/notes/1504495] but for this you need full access () to the S_USER objects, in which case you could detatch the CUA anyway.
However as a temporary workaround in Test systems it could have been usefull.
Plan C: Allow reference user assignments locally and authorize the role indirectly. Via the available authorizations of and access to the reference users you can then contain the scenario. Works fine for me if the concept of reference users is understood.
However in most cases you should do it via the CUA and will end up doing this anyway via the CUA - that is what you have a CUA for. So... logon to your CUA in the morning, give the SAPGui scheme a nice bright colour and administrate the users and role assignments there. This is a small price to pay compared to not having a CUA or IdM...
Cheers,
Julius -
Whats the functional difference between CUA and UME?
Hi All,
A small query regarding UME (User Management Engine) and CUA ( Central User Administration). Whats the functional difference between these two. I read in help documents that UME will be used for SAP WebAS Java server. But I read that it can be used for ABAP engine as well. Then why do we need to use CUA when we have user friendly interface tool like UME. According to my knowledge from help documentation, UME comes pre installed. so we dont need to install it as we have to do for CUA.
Can any help me in understanding the difference between these two. Thanks in advance. Good day.
Regards,
Farooq.Hi,
Indeed good question.
It depends on installation type you selected. But are responsible for user administration in terms of creating, deleting, updating and role assignment tasks to users and groups.
--CUA is meant for ABAP Installation. CUA is responsible for entire landscape user administration works with RFC connection talking to all ABAP systems
--UME is meant for Java installations, plus UME is responsible for handling communication between ABAP users and java users.
UME
For more details see below links all advantages and disadvantages of both systems and comparisons deliberately.
http://help.sap.com/saphelp_nw2004s/helpdata/en/d2/3e3842b23d690de10000000a155106/frameset.htm
Thanks,
Amit Lal
P.S Please don't forget to reward pts. -
Hello,
I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
1. Connected CUABOX to GRCBOX like a plug-in system.
2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
After reading few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
Any help in this regard is very helpful.
Thank you,
PawanHi Alessandro,
I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
2. Approvals provided to assign the ECC role.
3. I see the following in GRFNMW_DBGMONITOR_WD.
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
T-CUA_CHILD User does not exist in target system CUA
GRC created an account without role assignment in ECC but also throwed me an error that the user does not exist in CUA.
However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
So I am wondering if there is way to provide CUA access to users by default for new account requests types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
Thank you for your help!
Pawan -
CUA sync with child client issue for indirect role assignment.
Hello Security experts,
we have a indirect role assignment set up in our ECC environment. there is a syncronization issue from the parent CUA to the chlild client. The role assignments have been made to role although they are not always reaching target system without having to sync up either the role or the IDu2019s position # manually. This has been an ongoing issue CUA has on any role or user from time to time. any hint on fixing this issue. please help..Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
CUA has its own pros -
Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
Rakesh -
Role Assignment does not get distributed from CUA
Hi all.
I create user and role in CUA client.
There is no error in role generation.
When I try to find my role in SU01 by pressing F4 of my role (Y*), system give me message role not found. But that's not my biggest problem.
I can assign my role by typing manually.
My biggest problem is only SAP ID get distributed into target system, not the role assignment.
So in the target system I can see my user id without role assign to it.
I checked my user id from SCUL. User and profile does not contain any error message in target client.
I tried with transaction RSCCUSND, still my user id does not contain role.
I checked my SCUM transaction, profiles and roles has Global settings.
Does someone can give me a clue why this happens and how to solve this issue.
Many thanksLets try to simplify the thing in layman language.
CUA is to manage user ids of different SAP systems (client level) centrally from one system without logging into each of those child systems. To do so, the Central system stores the information of the Roles (and their Text and Generated Profile Name ONLY) and Profiles (standard or non-generated profiles) in few of it's tables like: USLA04, USRSYSACT, USRSYSACTT, USRSYSPRF, USRSYSPRFT etc.
It doesn't mean that the Roles for the corresponding child system is present in the central system and no need of creating (or making available) such roles in the Child systems. The physical existence of the Role for each system doesn't get transferred in the Central system when you do the Text comparison rather the identity only against the corresponding system.
So the Roles has to be there in the corresponding Child systems and the Assignment (not physical assignment - only linking the name for that child system) of them to the user ids can be done from Central system.
Also you have got the idea of Text comparison and requirement of keeping or creating roles in each system based on it's nature from the other posts.
Let us know any more questions you have.
regards,
Dipanjan -
Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services
To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields. When following that kind of link for folders, I either get:
<d:ListItemAllFields
m:null="true"
/>
or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
to a list!).
If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
/_api/Web/Lists/GetByTitle('Development')
If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
gives me:
<d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
So, in summary:
1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
path I should use to get the data I described above.Upon further research, I'll answer my own question for the benefit of some other potential future newbie. The answer to question number 1 above is "Not exactly.". The server relative URLs I was using corresponded to lists (which are
returned as a collection through /_api/web/lists). I was treating them mentally like regular folders. That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists. That was the other problem with thinking of these lists as regular folders. So, ListItemAllFields works on
all files and folders in a list. However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above. For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments. -
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.comBelow are the screen shots for PFCG:
Maybe you are looking for
-
Cannot "systemctl enable root-suspend"
I have recently installed arch and want to run custom scripts on when using systemctl suspend. I have been following the wiki but when i try "systemctl enable root-suspend" for root/system actions or "systemctl enable suspend@marno && systemctl enabl
-
Best practices for coding in Exits
Does anyone have any documents on the Dos and Don'ts in BADIs, Exits and SD routines from the angle of System performance and how to minimise the load. Iam not talking about the generic Optimisation documents but something specific to SD routines and
-
Why 2 Desktop Windows IN Finder after RESTART?
After EVERY restart (whether internal or external drive) Two IDENTICAL windows appear in front Each window lists two item: 1-icon and name of the internal HD (and external drive if any) AND 2- the NETWORK icon similar too what we see in the System Pr
-
Try to reset to factory settings/missing file"windows\system32\winload.efi
I have Toshiba Serial #XXXXXXXXX, model P75-A7200 Bought it brandnew at best buy almost a year ago. I did not make any recovery disc's or flash drive. It is getting slow and someother minor issues while on internet, so I want to do a Full Reset to f
-
15% off Lightroom at Adobe online store
For anyone who's been waiting till last minute like me! This is just an FYI, but if you paste the following into the promotion code field in Adobe's online store's shopping cart Macworld07 it will take an extra 15% off the price of Lightroom ($169 in