Global Roles

Similar Messages

• How to retrieve Global Roles in a the current security realm?

  Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
  I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
  Thanks all...
  Message was edited by:
  raymondng

  You can refer to the api
  http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
  -Ramkumar

• Configure global roles in weblogic express

  Weblogic Express 8.1 sp2 does not allow you to configure global roles using the
  Admin console.
  I know this is the expected functionality. How do you configure these global
  roles without the use of the Admin Console.

  As far as i know you could never create roles via WLST offline, only via WLST online.
  Thanks,
  -satya
  BEA Blog: http://dev2dev.bea.com/blog/sghattu/

• Creating a Global Role using weblogic.Admin command

  Hi,
  Does anyone have an example of creating a global role using the weblogic.Admin commands? I think I have to use the INVOKE command with the DefaultRoleMapper and createRole method, but I'm not quite sure what the rest of the syntax is.
  Thanks,
  Gabriel

  Gabriel,
  The following works for me:
  weblogic.Admin -url t3://localhost:80 -username weblogic -password weblogic INVOKE -mbean "Security:Name=myrealmDefaultRoleMapper" -method createRole "" "MyGlobalRole" "Grp(Administrators)" ""
  The null first parameter identifies this role as a global role.
  The second param is the name of the role.
  The third parameter is the policy expression. Here, I've mapped the role to the Administrators group. You can also map it to users or a combo of the two. For example, to map it to the "weblogic" user, use "Usr(weblogic)" as the policy expression. If you leave this parameter empty, the role will be created but will not be mapped to anything.
  I'm not sure what the fourth parameter is for. It's not defined in the RoleEditorMBean docs but not including it causes an error. I suspect it's a description field because WLS does not seem to care what you put there.
  HTH,
  Mike

• Migrate 8.1 Global roles include Role Conditions

  Hi all,
  have one question. I want migrate Global Role conditions from one WebLogic 8.1 server to another. When I export DefaultRoleMapper provider, I can see in exported file list of Global Roles only. I cannot see any mapping item in this file. Please, know someone how migrate Global Roles including mapping ?
  TY very much,
  Lada

  Hi,
  I export DefaultRoleMapper through Security-Realms-myrealm-Providers-Role Mapping-DefaultRoleMapper/Migration-Export in WL console.
  In exported file I can see only list of defined Global Roles, for example:
  dn: cn=::AbortTaskRole,ou=ERole,ou=@realm@,dc=@domain@
  objectclass: top
  objectclass: ERole
  cn: ::AbortTaskRole
  createTimestamp: 201000261052Z
  creatorsName: cn=admin
  EExpr:: fALDp01DQWRtaW5Hcm91cArDp01DU3BBZG1pbkdyb3VwCg==
  wlsCreatorInfo: mbean
  modifyTimeStamp: 201000261147Z
  modifiersName: cn=admin
  dn: cn=::CancelTaskRole,ou=ERole,ou=@realm@,dc=@domain@
  objectclass: top
  objectclass: ERole
  cn: ::CancelTaskRole
  createTimestamp: 201000261053Z
  creatorsName: cn=admin
  EExpr:: fALDp01DQWRtaW5Hcm91cArDp01DU3BBZG1pbkdyb3VwCg==
  wlsCreatorInfo: mbean
  modifyTimeStamp: 201000261148Z
  modifiersName: cn=admin
  But in this file I dont see any conditions which are bound to these Roles (myrealm-Global Roles-<concrete role>-Conditions). I cannot find these conditions in any other files generated through export wholes security realm.
  TY for your help,
  Lada

• Creating Global Roles in 9.1 using WLST

  Hi,
  Did anyone try creating Global Roles in Weblogic 9.1 ?
  Since in Weblogic 9.1, the Authorizer and Role Mapper providers are XACML based, I am not sure if we can use WLST offline to create global roles.
  Can someone please shed some light on this.
  Thanks -agreddy

  As far as i know you could never create roles via WLST offline, only via WLST online.
  Thanks,
  -satya
  BEA Blog: http://dev2dev.bea.com/blog/sghattu/

• Set global roles

  Hi,
  Is there a way to set global roles through weblogic ant tasks or command line utilities ?
  I am using weblogic 8.1SP5
  Thanks,
  Manish
  Edited by manish25 at 02/02/2007 1:24 PM

  Hi,
  There certain things you need to check
  1. Did you do user comparsion?
  2. Did you check the SCUL log?
  SCUL  ->choose (error,unconfirmed & warning)  user / roles / profiles execute -> you will get list of users
  Priority of resolving would be the same order   1. Error (red) 2. Unconfirmed (Gray) and 3. Warnings.(Yellow).
  based on the error you can re distrubute the idoc.
  Procedure :
  Select the user which you would like to re-distribute for a particular system -> it will display user  / roles / profile ->
  Let stay roles  are Grayed -> highlight on the role -> click on F7 button or  cross mark(Distrbution)  . You will receive new window with selection of IDOC type. Select appropriate IDOC type -> choose roles -> continue.
  3. Text comparsion
  To get a newly created role to a system quickly avoiding  Text Comparison to all systems i.e from CUA. Instead you can do text comparsion from child systems.
  Finallly your SCUM settings are correct.
  Thanks,
  Sri

• Granting Global Roles

  I'm trying to assign global roles to enterprise users via the ESM but it doesn't seem to work. I'm able to connect to the database and I can see that I'm correctly authenticated using sys_context('userenv','external_name'),sys_context('userenv','session_user'), but I don't get any global roles associated with the enterprise role I'm assigned to.
  Ideas? Anyone has an idea how can I debug this or set a trace to see if I'm even really associated with the Enterprise Role?
  Edited by: [email protected] on Dec 9, 2008 10:53 PM

  You can't unless you use a DDL event trigger
  http://www.psoug.org/reference/ddl_trigger.html
  or write a stored procedure that allows the user to grant privileges presented as input parameters and contains a hard coded list of those privs that can be granted.
  Personally I find the idea of giving anyone, other than a DBA or trusted security officer, the ability to grant privs a violation of governance and security practices and would discourage you from doing so except within the context of a procedure as described above.

• WLST 92 - How to Create Global Role and Role Condition?

  I'm currently using WLS 9.2 and trying to use WLST to create a global role and defining a role condition. Anyone know how to do so using WLST for WLS 9.2?
  Trying to:
  - create Global Role, testRole
  - create condition where 'username = testuser'
  thanks!

  Did you find out a solution for this?

• Setting global roles via command line

  I have lots of global roles defined. today I use the admin console to create them
  leaving room for typo errors, missing one or more roles. Is there a way to use
  a command line tool to accomplish this just like I can set the autheticator provider
  parameters ?
  please help
  premS

  "Satya Ghattu" <[email protected]> wrote in message
  news:[email protected]..
  Cross posting to security newsgroup.
  premS wrote:
  I have lots of global roles defined. today I use the admin console to
  create them
  leaving room for typo errors, missing one or more roles. Is there a wayto use
  a command line tool to accomplish this just like I can set theautheticator provider
  parameters ?
  Unfortunately, the expression language is not public so that makes it
  difficult. There have
  been a fair amount of requests for this functionality. We will probably look
  to do something
  with XACML in the long term.

• Adding employees to Global roles

  Are there any additional setups required to be able to add an employee to Global roles?
  We are trying to add an employee in Canada but the employee name does not show up on the Global roles screen. Another employee from another country is already in one of the global roles. I checked the records of that employee and didn't see anything setup differently.

  The person must be an application user inorder to appear in global roles from. Create a user for the person that you have created and he/she will show up in the list.
  Hope this helps..
  -Jay

• Global/Role wise Portal Favourites

  Hi,
  Is it possible to set up the Portal favourites in such a way that the administrator can set some favourites which should appear in the Portal Favourites iview of all the users?
  Also is it possible to configure it in such a way that only users assigned to a particular role gets to see particular global favourites in their portal favourites?
  Thanks in advance
  Regards
  Ranjith

  Hi Vineeth,
  Thanks a lot for the idea.
  But if I implement it, the end users will not be able to add any personal favorites. I am looking for something which provides both these (global and personal favourites) functionalities. I guess I will have custom develop some component to achieve this.
  Thanks again
  Regards
  Ranjith

• How to create a global role with WLST in WL 10

  Hi All:
  The approach in the protect_resources.py found in dev2dev, doesn't work. I've managed to convert the user and group creation to work with WL 10, but I can't for the life of me figure out how to create the role. There doesn't seem to be a createRole() on what I would think are the appropriate MBeans in poking around.
  Anyone know how to do this, or will I have to come up with a screen scraping solution that does this via the weblogic console, where it's so easy to do so?
  TIA
  Forrest

  Not having X's programing background I think of an action reference as something that tells Photoshop what to do. And yes it is like a little action that you write instead of record. For example the code that I and X posted could also be written like this
  var ref = new ActionReference();
  ref.putProperty( charIDToTypeID( "Prpr" ), stringIDToTypeID('tool') );// what key to get
  ref.putEnumerated( charIDToTypeID("capp"), charIDToTypeID("Ordn"), charIDToTypeID("Trgt") );// where to get it from
  var cTool = executeActionGet(ref);// in this case returns a one key descriptor
  var cToolTypeID =  cTool.getEnumerationType( stringIDToTypeID('tool') );// get the value of that key
  alert( typeIDToStringID( cToolTypeID ) );// make that value readable
  Most of the ordinals you will see will be target as Photoshop likes whatever you are working on to be active. You sometimes see next or previous. I can't recall seeing a 'normal ordinal' like first or second.
  There is not much in the way of documentation. Most of what I know comes from looking at the scriptlistner log, xtools and X himself, and a little bit of code I put together for exploring action descriptors and action list. It's not as nice as X's getterdemo but works more the way I think. It sends it's output to the ESTK console window
  var ref = new ActionReference();
  ref.putEnumerated( charIDToTypeID("Lyr "), charIDToTypeID("Ordn"), charIDToTypeID("Trgt") );
  var desc = executeActionGet(ref)
  var c = desc.count ;
  //for(var i=0;i<c;i++){ // to enumerate list
  //  $.writeln('Key '+i+' = '+desc.getType(i))
  for(var i=0;i<c;i++){ //enumerate descriptor's keys
    $.writeln('Key '+i+' = '+typeIDToStringID(desc.getKey(i))+': '+desc.getType(desc.getKey(i)))

• SAP CRM Service - Global role out

  Hi Yaa,
  We have implemented SAP CRM Service currently and the client want me to assist in roll out of SAP CRM service into other country.
  Could some one tell me what are the neccessary steps that needs to be taken into consideration .
  What is the methodology that needs to follow, does SAP provides and solution to this kind of implementation.
  I would appreciate your valuable inputs.
  Points will be rewarded for the gur's who replied me promply, this is very urgent please please advise.
  Thanks in advance
  Regards
  Vani

  Hi Vani,
  You must consider below points for new roll out in different countries.
  Initial phase is - information gathering about Master data.
  1. Setting Org model - Get the info on number of org units, positions and it's attributes. This will help you to design Org determination profile.
  2. Business Partners - Various types / Roles. Here you have to define different number range/ BP roles etc., You must also consider downloading of BPs from ECC if your landscape has it. You have to plan data migration as well.
  3. Products - Needs to be downloaded from ECC
  Transactions:
  Copy master transactions and configure them to suite business needs.
  This is in brief about new roll out.
  Remember that the success lies in information gathering.
  Rgds
  Hari

• SSO and how to Managing User Roles/Privileges with Forms using Oracle db

  We are in the process of implementing Oracle Application Server SSO with our custom Forms application using Oracle database -- all 10.2.0.1.0 version.
  In our Forms Applications, we have about a dozen roles we have assigned to various users. We need to identify each user using our Forms because we are using the GLOBAL USER throughout the application.
  Questions:
  -- Do we have to create users/passwords in both OID and application database?
  -- Is there a way to easily manage the user and passwords between SSO and Forms App/database in one place? For example, how does a user change their password once, but actually change it in both the database and SSO?
  Any advice and/or direction would be greatly appreciated.
  Thank you,
  Mika
  Edited by: user11846198 on Sep 1, 2009 1:41 PM
  Edited by: user11846198 on Sep 1, 2009 1:53 PM

  Yes, you can have global roles in the DB and assign this roles to specific OID users, and the will heritage the privilages, you can do this using Oracle Identity Management Web Tool http://hostname:7777/oiddas is not complicated.
  Greetings.