Propagating users/Groups/Roles into partner application

I am very new to portal development. I have the following need.
I want to use the Single Sign-On feature of Portal. Once the user has logged in to the portal via SSO, there may be several applications (within the portal) to which he/she may have access. Based on who he/she is, he/she may have different levels of authorization for what he/she can do in the different applications within the portal. How can I take the user entered for Single Sign-On and propagate it to the application level inside the portal?
My understanding so far of the portal is that you can develop a portal which has web clipping portlets, external/internal applications, items etc. When we create the users and groups and assign roles to the users, it is limited to the portal front page that we publish to the public.
My problem is further down, in the different applications which I expose with the help of a portlet or by any other means, and having control in that particular (individual) application over which portion of the application users should be able to see or take any action on.
Your help is highly appreciated.

Anyone have a clue?

Similar Messages

  • WLS: more fine granularity for User, Groups, Roles

    Hi All,
    in order to organize different users and groups in WLS, I need to use/define more conditions/attributes than the standard WLS users and groups.
    The Oracle WLS concept and OPSS are clear to me and I need some samples or practical cases.
    - Oracle Fusion Middleware 11.1.1.5, Security Guides http://docs.oracle.com/cd/E21764_01/security.htm
    - Oracle® Fusion Middleware Understanding Security for Oracle WebLogic Server 11g Release 1 (10.3.5) http://docs.oracle.com/cd/E21764_01/web.1111/e13710/toc.htm
    - Oracle® Fusion Middleware Securing Oracle WebLogic Server http://docs.oracle.com/cd/E21764_01/web.1111/e13707/toc.htm
    - Oracle Platform Security Services 11gR1 (White Paper)
    http://www.oracle.com/technetwork/middleware/id-mgmt/opss-tech-wp-131775.pdf
    Any idea?
    Regards,
    Moh

    Hello Suman,
    Try to avoid denial-based security rights assignment; instead you can leave the right unspecified. As Greg said:
    Denied + Granted = Denied
    Denied + Not Specified = Denied
    Granted + Not Specified = Granted.
    You should not deny rights for the HR End User user group; instead make them unspecified. If you do so, then whenever the user is part of both groups, your security rights aggregation would be
    Granted + Not Specified = Granted.
    Make sure you follow the approach above. You can refer to the blog below for how to structure the folder, report and user group hierarchy and effective maintenance of security:
    BusinessObjects Administration - Content Management Plan
    Regards
    Mani
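The aggregation rules quoted above, worked through in a small added Python model (not BusinessObjects code and not from the thread); the group names and the rights settings below are constructed for illustration:

```python
# Added example (not from the thread): aggregating one right (say, View on a
# folder) across the user groups a principal belongs to, using the three rules
# quoted in the reply.
from enum import Enum
from typing import Dict, Iterable, List, Mapping


class Right(Enum):
    DENIED = "Denied"
    GRANTED = "Granted"
    NOT_SPECIFIED = "Not Specified"


def combine(a: Right, b: Right) -> Right:
    """Denied + Granted = Denied; Denied + Not Specified = Denied;
    Granted + Not Specified = Granted; anything else stays Not Specified."""
    if Right.DENIED in (a, b):
        return Right.DENIED
    if Right.GRANTED in (a, b):
        return Right.GRANTED
    return Right.NOT_SPECIFIED


def effective_right(user_groups: Iterable[str], group_rights: Mapping[str, Right]) -> Right:
    """Fold the per-group settings over every group the user is a member of.
    A group with no entry counts as Not Specified, which BusinessObjects
    treats as no access at enforcement time."""
    result = Right.NOT_SPECIFIED
    for group in user_groups:
        result = combine(result, group_rights.get(group, Right.NOT_SPECIFIED))
    return result


def explicit_denies(group_rights: Mapping[str, Right]) -> List[str]:
    """Groups carrying an explicit Denied. Each one overrides every Granted the
    user collects elsewhere, which is why the reply says to use Not Specified."""
    return sorted(g for g, r in group_rights.items() if r is Right.DENIED)


# Constructed settings for one right on one folder, for the two approaches.
DENY_BASED: Dict[str, Right] = {
    "HR End User": Right.DENIED,           # explicit deny: wins over any grant
    "HR Manager": Right.GRANTED,
}
UNSPECIFIED_BASED: Dict[str, Right] = {
    "HR End User": Right.NOT_SPECIFIED,    # left unspecified, as recommended
    "HR Manager": Right.GRANTED,
}

BOTH_GROUPS = ["HR End User", "HR Manager"]   # a user who is in both groups


if __name__ == "__main__":
    print("deny-based       :", effective_right(BOTH_GROUPS, DENY_BASED).value)
    print("unspecified-based:", effective_right(BOTH_GROUPS, UNSPECIFIED_BASED).value)
    print("explicit denies  :", explicit_denies(DENY_BASED))
```

Running `explicit_denies` over a real rights export is the quickest way to find the denials that will silently override grants for users in several groups.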

  • Dynamic User Group Role for ASA 8 ACS 4 External Windows DB

    1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS, but the default group settings the dynamic user becomes part of don't get transferred to the user. How do I get the user to adopt the group settings?
    2. ASDM recommends enabling authentication for admin console sessions so you don't ssh into a box and then have to login with the enable password, which isn't logged. When I check the box for this feature I can ssh to the ASA but my password is denied by the ASA. How do I keep the user credentials all the way to privileged exec mode?
    3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privileged exec mode. This doesn't work now. Is there a different way to do this on ACS v4?
    Thanks in advance,
    Matt

    Try this:
    aaa authentication enable console
    aaa authorization command
    On ACS go to the user or group that the user is in, go to enable options, click on "Max Privilege for any AAA client" and set it to "15". Then go to the "tacacs+" section, click on "Shell(exec)", click on "Privilege level" and enter 15. Then go to the "Shell command authorization set" and set the default to permit any commands not listed. This will get the user into privilege mode. On ASA/PIX it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then the aaa authorization exec/command. This will allow the user to go straight into privilege mode instead of user mode.

  • How to Create User ,Group ,Role in Jsf and Give  differ authentication to e

    Hi, I am working in Java Server Faces.
    I am trying to create roles and users with different abilities.
    Like one is a normal user and one an admin; they have different abilities.
    I need those abilities on the basis of module, form and field, like Drupal-like CMSs provide.
    So how do I do that in JSF? Please help.

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • AD Not all users groups brought into BO

    Post Author: ChrisNorris
    CA Forum: Authentication
    Hi,
    We have an issue that shows itself on a few sites. User A belongs to AD groups X, Y, Z. All of those groups already exist in BOXI R2.
    What we find is that often with new users, A will be imported BUT not for all of the groups; it may only bring in X, Y in the Users tab for Group Membership. Sadly though, when looking at the members of group Z, User A belongs to it.
    This has the effect that User A does not get the permissions of group Z because, from a user perspective, they are not associated.
    Has anyone seen this problem, or know why / a fix?
    I logged this with Support ages ago, with no success, and it has appeared in a number of different installations.
    Cheers

    Post Author: TAZ
    CA Forum: Authentication
    Well, the LDAP plugin has undergone some changes for the reason of scalability. As of the latest XIR2 patch it should be possible to run tens of thousands of groups and hundreds of thousands of users. If we removed our graph the problems would likely shift, as the CMS (which doesn't authenticate, just authorizes) would get slammed without the graph.
    As far as removing groups goes, the product was patched, both AD and LDAP, in XIR2 SP2 and further patched in FP 2.4. Removing groups from AD/LDAP will no longer bring down the plugins; instead we passively handle the error and keep the plugin running until the bad groups have been removed.
    I actually remember a case or two of yours maybe 1.5 - 2 years back. I was pretty new back then and couldn't provide much help. I think we were working on a multi-forest issue in CE10; I think that was you, could just be another Lester.
    The only way to usually capture the problem is to run a constant CMS trace and packet scan of LDAP traffic. The tracing must be running before the problem(s), during and after. Then it's incredibly hard to find the queries between the CMS and IP scans, but that's how we escalated the last synch issue that was fixed for the LDAP plugin in FP 3.7.
    I'm not sure it's feasible for you, but if you use trusted auth in XIR2 or import users via script you can remove the AD/LDAP graph dependency, something to consider.
    regards,
    Tim

  • How to prepare permission matrix of users/groups for SharePoint web Application ?

    Hello,
    I am using SP groups/users to assign to SharePoint objects.
    A few SP groups contain AD groups.
    Is there any possibility/way to see/prepare user visibility in an SP group when an AD group is associated with the SP group?
    Thanks and Regards,
    Dipti Chhatrapati

    Hi Dipti,
    So you want to find members of AD group in SharePoint 2010. Here are the links for your reference:
    Display members of AD groups web part ---
    http://sp2010adgroupmembers.codeplex.com/
    Getting members of an AD domain group using Sharepoint API ---http://stackoverflow.com/questions/4314767/getting-members-of-an-ad-domain-group-using-sharepoint-api
    Get a list of all SharePoint group’s users including active directory group ---
    http://christopherclementen.wordpress.com/2012/07/16/get-a-list-of-all-sharepoint-groups-users-including-active-directory-group/
    Regards,
    Rebecca Tu
    TechNet Community Support

  • User= Group= SubGroup= Role: Now working when this link is used

    Hai,
    We are using EP 5.0 with LDAP 7.6. When a user id is created it is attached to a group and the group is attached to a role. I introduced a nested group in this link, so that the user id is attached to a group, the group is attached to a sub group and the sub group is attached to a role. When I did this and logged in to the portal system, the roles are not seen in the portal.
    Below are the things which I did.
    When a user id (Ex: MYTEST1) is created it is attached to a group (Ex: ESS_GE) by the code below.
       // lc (an open LDAPConnection), userid, groupsRoot and peopleRoot are set up earlier in the class
       String group = "ESS_GE";
       String groupdn = "cn=" + group.toUpperCase() + "," + groupsRoot;
       String userdn = "cn=" + userid.toUpperCase() + "," + peopleRoot;
       // modifications for group and user
       LDAPModification[] modGroup = new LDAPModification[2];
       LDAPModification[] modUser  = new LDAPModification[2];
       // Add modifications to modUser: the user-side links to the group
       LDAPAttribute membership = new LDAPAttribute("groupMembership", groupdn);
       modUser[0] = new LDAPModification(LDAPModification.ADD, membership);
       LDAPAttribute security = new LDAPAttribute("securityEquals", groupdn);
       modUser[1] = new LDAPModification(LDAPModification.ADD, security);
       // Add modifications to modGroup: the group-side links to the user
       LDAPAttribute member = new LDAPAttribute("uniqueMember", userdn);
       modGroup[0] = new LDAPModification(LDAPModification.ADD, member);
       LDAPAttribute equivalent = new LDAPAttribute("equivalentToMe", userdn);
       modGroup[1] = new LDAPModification(LDAPModification.ADD, equivalent);
       // Modify the user's attributes
       lc.modify(userdn, modUser);
       // Modify the group's attributes
       lc.modify(groupdn, modGroup);
    The group is attached to a role (EP_GE_USER_ROLE). So the link is User => Group => Role, which is MYTEST1 => ESS_GE => EP_GE_USER_ROLE. This link is working perfectly.
    I introduced a nested group and changed the link to User => Group => Sub_Group => Role, which is MYTEST1 => ESS_GE => ESS_GE_ONLINE => EP_GE_USER_ROLE.
    After this, when I login with the user id MYTEST1 the roles which are attached to ESS_GE_ONLINE are not shown. Any idea why the roles which are attached to group ESS_GE_ONLINE are not transferred to the ESS_GE group? Do I have to add any other LDAP attributes apart from the ones which are coded below?
      String group1 = "ESS_GE";
      String group2 = "ESS_GE_ONLINE";
      String groupdn1 = "cn=" + group1.toUpperCase() + "," + groupsRoot;
      String groupdn2 = "cn=" + group2.toUpperCase() + "," + groupsRoot;
      // one modification set per group entry
      LDAPModification[] modGroup1 = new LDAPModification[2];
      LDAPModification[] modGroup2 = new LDAPModification[2];
      // Add ESS_GE_ONLINE group to ESS_GE group
      LDAPAttribute membership1 = new LDAPAttribute("uniqueMember", groupdn2);
      modGroup1[0] = new LDAPModification(LDAPModification.ADD, membership1);
      LDAPAttribute security1 = new LDAPAttribute("equivalentToMe", groupdn2);
      modGroup1[1] = new LDAPModification(LDAPModification.ADD, security1);
      // Add ESS_GE group to ESS_GE_ONLINE group
      LDAPAttribute membership2 = new LDAPAttribute("uniqueMember", groupdn1);
      modGroup2[0] = new LDAPModification(LDAPModification.ADD, membership2);
      LDAPAttribute security2 = new LDAPAttribute("equivalentToMe", groupdn1);
      modGroup2[1] = new LDAPModification(LDAPModification.ADD, security2);
      // Write both group entries
      lc.modify(groupdn1, modGroup1);
      lc.modify(groupdn2, modGroup2);
    Thanks & Regards,
    H.K.Hayath Basha.
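An added Python model of the nested membership described in the post (not the poster's Java and not the EP 5.0 resolver): it builds the uniqueMember links the code above creates, resolves the user's roles once with direct membership only and once transitively, and flags the mutual ESS_GE / ESS_GE_ONLINE membership the second snippet produces. The groupsRoot and peopleRoot values are assumptions.

```python
# Added example, not the poster's code: how a consumer's choice between direct
# and transitive group resolution changes the roles MYTEST1 ends up with.
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

GROUPS_ROOT = "ou=groups,o=example"   # assumed value for groupsRoot
PEOPLE_ROOT = "ou=people,o=example"   # assumed value for peopleRoot


def dn(cn: str, root: str) -> str:
    return f"cn={cn.upper()},{root}"


USER = dn("MYTEST1", PEOPLE_ROOT)
ESS_GE = dn("ESS_GE", GROUPS_ROOT)
ESS_GE_ONLINE = dn("ESS_GE_ONLINE", GROUPS_ROOT)

# Constructed group entries: group DN -> its uniqueMember values, i.e. the
# link User -> ESS_GE -> ESS_GE_ONLINE from the post.
DIRECTORY: Dict[str, List[str]] = {
    ESS_GE: [USER],
    ESS_GE_ONLINE: [ESS_GE],
}
# Roles attached to groups: role name -> group DNs it is assigned to.
ROLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "EP_GE_USER_ROLE": [ESS_GE_ONLINE],
}


def direct_groups(member: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Groups whose uniqueMember attribute names this entry directly."""
    return {g for g, members in directory.items() if member in members}


def all_groups(member: str, directory: Dict[str, List[str]],
               max_depth: Optional[int] = None) -> Set[str]:
    """Breadth-first walk over uniqueMember links. max_depth=1 models a
    consumer that only looks at direct membership; None follows nesting to any
    depth. The seen-set keeps mutual memberships from looping forever."""
    seen: Set[str] = set()
    queue = deque([(member, 0)])
    while queue:
        entry, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        for g in direct_groups(entry, directory):
            if g not in seen:
                seen.add(g)
                queue.append((g, depth + 1))
    return seen


def effective_roles(user: str, directory: Dict[str, List[str]],
                    roles: Dict[str, List[str]],
                    max_depth: Optional[int] = None) -> Set[str]:
    groups = all_groups(user, directory, max_depth)
    return {role for role, gs in roles.items() if groups.intersection(gs)}


def mutual_memberships(directory: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Pairs of groups that list each other as uniqueMember. The post's second
    snippet adds ESS_GE_ONLINE to ESS_GE and ESS_GE to ESS_GE_ONLINE, which is
    exactly such a cycle; a resolver without a seen-set never terminates on it."""
    found = []
    for a, members in directory.items():
        for b in members:
            if b in directory and a in directory[b] and a < b:
                found.append((a, b))
    return found


if __name__ == "__main__":
    print("direct only:", effective_roles(USER, DIRECTORY, ROLE_ASSIGNMENTS, max_depth=1))
    print("transitive :", effective_roles(USER, DIRECTORY, ROLE_ASSIGNMENTS))
```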

    change that to the following and retest:
    Joshua Fowler wrote:
    I think you're correct. Under the Publish settings of the document, that's what "Class" points to.
    Here's the first main section of the code:
    package com.anselmbradford
    {
      import flash.display.MovieClip;
      import flash.events.TimerEvent;
      import flash.utils.Timer;
      public class Main extends MovieClip
      {
        /** Create a new CountDown object, listen for updates and pass it the date to countdown to. */
        public function Main()
        {
          var cd:CountDown = new CountDown();
          cd.addEventListener( CountDownEvent.UPDATE , _updateDisplay );
          cd.init( new Date(2015,3,9,20,00) );
        }
        /** Update the display. */
        private function _updateDisplay( evt:CountDownEvent ) : void
        {
          // body not included in the post
        }
      }
    }
    Does this look correct?
    Thanks again!

  • Java and Partner Applications - EXTREMELY URGENT

    gurus,
    I'm trying to register a single sign-on servlet application as a partner application.
    I followed the steps as mentioned in the SSO SDK version 307 and when I try to run the application I get the following error -
    ******* START ERROR ********
    Error oracle.security.sso.enabler.SSOEnablerException: oracle.security.sso.enabler.SSOEnablerException: java.sql.SQLException: ORA-06510: PL/SQL: unhandled user-defined exception ORA-06512: at "DVIPARTAPP.WWSEC_SSO_ENABLER_PRIVATE", line 304 ORA-06512: at line 1
    ********* END ERROR *********
    the environment here is -
    database - 8.1.7
    portal - 3.0.8
    os - windows NT
    Has anyone faced the same problem before?
    Any help would be greatly appreciated.
    Thanks a bunch.

    Thank you very much once again for your prompt reply and suggestions. I tried the later solution using Developing Statically Protected PL/SQL (or j2ee) Applications described in Oracle® Application Server Single Sign-On Application Developer's Guide 10g (9.0.4).
    Protect the servlet(or jsp) by entering the following lines in the mod_osso.conf file:
    <Location /servlet>
    require valid-user
    authType Basic
    </Location>
    When this particular application is added inside the portal (trying to web clip it, it redirects to the SSO login page). In this case users have to login twice: once to the default portal page, and again to this stand-alone outside application. This defeats the purpose of SSO using Portal.
    Your question "is it an app that you want to be able to invoke from a link within Portal?" hits the nail right on the head. The difference here is, I do not want to add it as a page link; ideally I want this web application to be web clipped inside the portal.
    Now, this is an external application (and not developed as a portlet). I have not completely understood how any web application developed as a portlet can get the user information (user/groups/roles etc.) when the user logs in to the portal default page. And the authorization is implemented inside this web application. They (users) do not need to authenticate once again since that is done when they login to the portal. I hope I am making sense.
    I am not clear on the web application developed as a portlet. Can users, groups, and roles be implemented inside this application if it is developed as a portlet? The problem here is that you have to rewrite all of your existing applications as portlets (either PL/SQL or J2EE). Not all applications are developed using this technology.
    Your help is highly appreciated.
    Very Best Regards,
    -Dhiren.

  • Partner application authorization model missing

    We have written our own portal using J2EE technologies. Based upon user identity, we construct a launch pad for the applications that a user has authorization to. It has 260 different applications.
    We want to migrate to Oracle Portal. I would like to make each of these applications a partner application. They all share the same user repository.
    The problem is that Oracle does not have a user to Partner application authorization model.
    I could encapsulate all the applications as portlets, then Oracle portal would be able to manage the authorization to the portlets. To do this would be a major effort, changing thousands of JSP's and classes that render links. But this is not possible if they are just partner applications.
    I know, Oracle is going to say "Portal is just a launch pad, it does not handle menuing of individual applications. That is the individual application's responsibility."
    THIS does not apply. I thought long and hard on this issue. I am not asking Oracle Portal to take over menuing of an application, rather, I am asking it to be a launchpad to my 260 different applications, and to provide the facility that would allow the assignment of user and groups to execute partner applications.
    One thing I may have to do on the initialization of the partner application is to make a call back to the login server and check whether they are authorized to use the partner application.
    There is a big difference between authentication and authorization.
    Thanks,
    Phillip

    Did you try checking the partner application entries on the SSO-login server page?
    Please login as orcladmin or some other user with membership in, I believe, the iasadmins group. Verify that for this partner application, what you see here corresponds to the application URL. It looks like your login page call may have issues, so check the login URL too.
    Also check ORASSO.WWSSO_LS_CONFIGURATION_INFO$ for entries corresponding to the Apex application.

  • WLCS USer/Group Management

    Hi,
    I am having a problem with the WLCS3.1 UserManagement part.
    The application we are building basically consists of two pieces, Internet and extranet (a site accessible to our customers/partners by logging in).
    The internet part has a couple of forms that our prospective customers submit, and this user profile information gets stored in Oracle.
    The second piece is our extranet, which works in sync with our Customer Relationship Management application. The users' information is put into Netscape Directory Server (NDS) by our CRM application and we just use it for authentication and single sign-on into both applications.
    Since the User Management system works in conjunction with the WebLogic Server's security realm (which happens to be LDAP for us), we cannot store users/groups anymore in Oracle by using JSP tag libraries.
    My question is, can we store just the user (and password) in NDS LDAP and the GROUP and profile in WebLogic and personalize the content based on this info?
    If so, what is the best workaround for this?
    Any help is greatly appreciated.
    Thanks
    -sarath

    Hi Tracy,
    Are you trying to create property sets?
    If you are trying to create a user/group property set, then you do that with the EBCC tool. See the "Site Infrastructure" tab and
    use
    File --> New --> Site Infrastructure --> User Profile to create a new one. See "Creating a Property Set Definition" at
    http://edocs.bea.com/wlp/docs70/dev/usrgrp.htm#998997 .
    Tracy Ward wrote:
    How do you assign Property sets in the user group management - the set shows in users and groups - but not in the management window--
    Ture Hoefner
    BEA Systems, Inc.
    4001 Discovery Drive
    Suite 340
    Boulder, CO 80303
    www.bea.com

  • Auto forward specific user / group to an url

    Hello,
    is it possible to forward a user after login to a url that is specific to the user / group / role?
    Thanks, Vanessa

    Hi Vanessa,
    You can write a Desktop rule that forwards a user, group or role member to a specific desktop.  The rules are created in System Administration > Portal Display > Portal Administrators > Super Administrators > Main rules.
    Best regards,
    Duncan

  • Getting Logged on User'Information in an Oracle-Form SSO Partner Application

    Hi.
    I could run the Flight of Fancy application and capture the user's information by calling the
    "Parse_cookie" procedure (using Scenario 2 - Access the Portal and then the FOF App)
    and defined an Oracle Forms application as a partner application like FOF.
    I want to have the logged-on user's information in the "Oracle Form". But the function owa_cookie.get doesn't work correctly. Please let me know what I can do.
    Thanks in advance.

    If you're writing your own partner application, then you are correct to get the user information from the output variables
    from the parse_url_cookie procedure. You should then set the information you want to keep track of in the cookie, or combination
    of cookie and persistent storage in the database. Take care of the security implications while doing this.
    On subsequent calls to your application, the user info should be obtained from the cookie and the database, if you
    are using a combination of the cookie and database storage to keep your info.
    The owa_cookie.get routine is used to read the cookie, which is generated with owa_cookie.send.
    These routines work fine, when invoked correctly.
    If you are having trouble with them, you're probably not using the calls properly.
    The following code provides an example of how to use the owa_cookie calls...
    create or replace package testcookie
    is
        procedure show (p_name IN VARCHAR2);
        procedure send (
            p_name    IN VARCHAR2,
            p_value   IN VARCHAR2,
            p_path    IN VARCHAR2 default null,
            p_expires IN VARCHAR2 default null
        );
    end testcookie;
    /
    show errors package testcookie

    create or replace package body testcookie is
        -- Read the named cookie back from the request and print its first value
        procedure show (p_name IN VARCHAR2) is
            v_cookie owa_cookie.cookie;
        begin
            v_cookie := owa_cookie.get(upper(p_name));
            htp.htmlopen;
            htp.bodyopen;
            htp.print(v_cookie.vals(1));
            htp.bodyclose;
            htp.htmlclose;
        exception
            -- a missing cookie leaves vals empty, so vals(1) raises and lands here
            when others then
                htp.htmlopen;
                htp.bodyopen;
                htp.print('NO COOKIE FOUND.');
                htp.print(SQLERRM);
                htp.bodyclose;
                htp.htmlclose;
        end;
        -- Emit a Set-Cookie header; p_expires is MMDDYYYY, p_path = 'ALL' means the whole site
        procedure send (
            p_name    IN VARCHAR2,
            p_value   IN VARCHAR2,
            p_path    IN VARCHAR2 default null,
            p_expires IN VARCHAR2 default null
        ) is
            l_expires date;
            l_path    varchar2(100);
        begin
            if p_expires is null then
                l_expires := null;
            else
                l_expires := to_date(p_expires, 'MMDDYYYY');
            end if;
            if p_path = 'ALL' then
                l_path := '/';
            else
                l_path := null;
            end if;
            -- the cookie must be sent while the HTTP header is still open
            owa_util.mime_header('text/html', FALSE);
            owa_cookie.send(
                name    => upper(p_name),
                value   => p_value,
                expires => l_expires,
                path    => l_path
            );
            owa_util.http_header_close;
            htp.htmlopen;
            htp.headopen;
            htp.headclose;
            htp.bodyopen;
            htp.print ('Cookie set.');
            htp.bodyclose;
            htp.htmlclose;
        end;
    end testcookie;
    /
    show errors package body testcookie
    grant execute on testcookie to public;
    If you load this into a schema which a DAD can access, then you can invoke the show and send procedures to view and generate cookies.
    To generate a cookie, issue the following from your browser ...
    http://server.domain.com/pls/dad/schema.testcookie.send?p_name=test&p_value=hello
    To view the cookie:
    http://server.domain.com/pls/dad/schema.testcookie.show?p_name=test
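An added Python example of the "security implications" the reply mentions, not the reply's owa_cookie code: the user data a partner application keeps in its own cookie after parse_url_cookie gets an HMAC and an expiry, so a value edited on the client side is rejected and the user is sent back through SSO. The secret, the field names and the sample values are assumptions.

```python
# Added example (not from the thread): integrity-protected application cookie
# holding the identity the login server handed over.
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

SECRET = b"replace-with-a-server-side-secret"  # assumed; never leaves the server


def b64_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_payload(payload: Dict[str, Any]) -> str:
    # Canonical JSON so an identical payload always produces an identical MAC
    return b64_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())


def sign(body: str) -> str:
    return b64_encode(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def make_user_cookie(user: str, groups: List[str], ttl_seconds: int,
                     now: Optional[int] = None) -> str:
    """Serialise user + groups with an expiry and append a MAC, so a client
    that rewrites the groups list cannot produce a value that verifies."""
    issued = int(time.time()) if now is None else now
    body = encode_payload({"user": user, "groups": groups, "exp": issued + ttl_seconds})
    return f"{body}.{sign(body)}"


def read_user_cookie(cookie: str, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the payload only when the MAC verifies and the cookie is unexpired;
    None means the application should send the user back through SSO."""
    if "." not in cookie:
        return None
    body, tag = cookie.split(".", 1)
    if not hmac.compare_digest(tag, sign(body)):   # constant-time comparison
        return None
    try:
        payload = json.loads(b64_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= current:
        return None
    return payload


if __name__ == "__main__":
    c = make_user_cookie("MYTEST1", ["ESS_GE"], ttl_seconds=600)
    print("cookie :", c)
    print("payload:", read_user_cookie(c))
```

Storing only an opaque session id in the cookie and keeping the user and groups in the database, as the reply also suggests, avoids the MAC entirely; the MAC is for the case where the identity itself travels in the cookie.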

  • Is it possible to prevent a group of users be added into other groups?

    We have an admin group named "app admin" which has full privileges on a target OU "ou=apps,ou=services,dc=xxx,dc=com".
    And we are looking for a solution to prevent members of the admin group from putting their own account or group members into the target OU.
    I tried an aci with "deny self write", but it only prevents the admin user from putting their own DN into the target OU.
    And they still can add their group members into the target OU.
    Just wondering, is it possible to prevent a group of users from being added into the target OU while they still can add/delete/modify normal users in the target OU?
    The version of our Directory Server is 6.3.1.
    Thanks

    goog,
    For each data member, you will need a unique URL. There is not a way to bundle them into one URL.
    Randy Hoskin
    Applications Engineer
    National Instruments
    http://www.ni.com/ask

  • Developer role to the application user

    Hi All,
    We have developed an application, for which we are storing users with different roles in database table.
    What I am trying to achieve:
    If a user with the admin role logs into our application, the Apex developer toolbar should become visible to him/her for editing the page. (In other words, our application admin user should be treated as an Apex developer.)
    Can someone explain how can this be achieved?
    Thanks,
    Pooja
    Note: Our application is Oracle SSO protected.
    Application Express 3.1.1.00.09
    Database : 11g

    Pooja - The developer toolbar will appear only if a developer has already authenticated to the apex development environment in the same browser process in which the application is being accessed and then only if the authenticated username in the application matches that used to access the apex development environment and then only if the application being accessed belongs to the same workspace as the workspace to which the developer authenticated.
    So there is no way to do what you described.
    Scott

  • LDAP user and group configuration in ADF application

    Hi All,
    I have to use LDAP users and groups in my ADF application. I have configured LDAP on the WLS server successfully and can see all users/groups under the tab "Users and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of the groups, created an Application Role in jazn-data.xml and assigned the Enterprise Role to it.
    However, I have not added any user in jazn-data.xml, which I guess is not required because they will be picked up from LDAP.
    Now how do I configure JDeveloper to use those users? What changes need to be made in jazn-data.xml? Or in jps-config.xml / web.xml / weblogic-application.xml?
    Am I missing any configuration step? I have referred to "ADF Security set up - step by step tutorial - quick question" but did not find it useful.
    I am using JDeveloper 11.1.1.5.
    Thanking you all in advance.
    Mukesh.

    I have made the changes below in the files.
    1] In jps-config.xml
    -- Added an identity store and selected it from the drop down in the Security Context tab.
    2] In weblogic-application.xml
    In the Security tab --> Role assignment, mapped valid-users to the principal name.
    <security>
      <realm-name>myrealm</realm-name>
      <security-role-assignment>
        <role-name>valid-users</role-name>
        <principal-name>DERDev</principal-name>
      </security-role-assignment>
    </security>
    3] Same thing done in weblogic.xml. I do not know the difference between the weblogic-application.xml and weblogic.xml configuration and which will work.
    4] Added security role "DERDev" along with the default/automatically added role "valid-users"
    <security-role>
      <role-name>DERDev</role-name>
    </security-role>
    Still no luck... what am I missing again? I referred to many links but found not a single document mentioning all the steps.
    Mukesh
