R/3 Security roles versus ESS Security Roles?

Hello Experts,
I am not a security person, but we are in the process of testing ESS and having some conflicts with a user's GUI (R/3) role versus the ESS role! For example, a user will not have access to Bank Information (Infotype 9) in the GUI, but will need access to edit this Infotype through ESS on their own record.
Our problem is how do we set the roles up under this scenario? If this cannot be done, how do other companies handle this scenario?
Any direction will be highly appreciated.
ECC 6.0
EP 7.0
ESS 1.0
Thanks for your time,
Mike

Hi Mike,
My suggestion would be to make use of P_PERNR in your ESS role only - and not P_ORGIN or P_ORGINCON.
We added all the info types that the ESS users are supposed to maintain or view in P_PERNR.
We did eventually need to add display and matchcode search for info types 0000 - 0002 so that the ESS users could make use of the Who's Who functionality in order to search for employees across the organisation.
Without info type 0009 in a P_ORGIN or P_ORGINCON auth object, the users will not be able to maintain in PA30.
Hope this helps.
Regards
Lucille

Similar Messages

  • How to get security roles in a JSF portlet

    I need to get the LDAP user-roles available in the Sun Portal Server 7 in my JSF-168 portlet.
    I've added the mapping file, updated the portlet.xml and web.xml, deployed the portlet (psconsole). But the portlet shows the "content not available" error with javax....title title.
    I've probably messed up the descriptors, but I don't see what is wrong. Here they are:
    roleMaps.properties
    cn\=VSM.Administrator,dc\=neco,dc\=cz=Administrator
    web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.4">
      <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>server</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.CONFIG_FILES</param-name>
        <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
      </context-param>
      <context-param>
        <param-name>com.sun.faces.validateXml</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>com.sun.faces.verifyObjects</param-name>
        <param-value>false</param-value>
      </context-param>
      <filter>
        <filter-name>UploadFilter</filter-name>
        <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
        <init-param>
          <description>
              The maximum allowed upload size in bytes.  If this is set
              to a negative value, there is no maximum.  The default
              value is 1000000.
            </description>
          <param-name>maxSize</param-name>
          <param-value>1000000</param-value>
        </init-param>
        <init-param>
          <description>
              The size (in bytes) of an uploaded file which, if it is
              exceeded, will cause the file to be written directly to
              disk instead of stored in memory.  Files smaller than or
              equal to this size will be stored in memory.  The default
              value is 4096.
            </description>
          <param-name>sizeThreshold</param-name>
          <param-value>4096</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>UploadFilter</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
      </filter-mapping>
      <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet>
        <servlet-name>ExceptionHandlerServlet</servlet-name>
        <servlet-class>com.sun.errorhandler.ExceptionHandler</servlet-class>
        <init-param>
          <param-name>errorHost</param-name>
          <param-value>localhost</param-value>
        </init-param>
        <init-param>
          <param-name>errorPort</param-name>
          <param-value>25444</param-value>
        </init-param>
      </servlet>
      <servlet>
        <servlet-name>ThemeServlet</servlet-name>
        <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
      </servlet>
      <servlet>
        <description>Generated By Sun Java Studio Creator</description>
        <display-name>CreatorPortlet Wrapper</display-name>
        <servlet-name>VSMPortal</servlet-name>
        <servlet-class>org.apache.pluto.core.PortletServlet</servlet-class>
        <init-param>
          <param-name>portlet-class</param-name>
          <param-value>com.sun.faces.portlet.FacesPortlet</param-value>
        </init-param>
        <init-param>
          <param-name>portlet-guid</param-name>
          <param-value>VSMPortal.VSMPortal</param-value>
        </init-param>
      </servlet>
      <servlet-mapping>
        <servlet-name>ExceptionHandlerServlet</servlet-name>
        <url-pattern>/error/ExceptionHandler</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>ThemeServlet</servlet-name>
        <url-pattern>/theme/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>VSMPortal</servlet-name>
        <url-pattern>/VSMPortal/*</url-pattern>
      </servlet-mapping>
      <welcome-file-list>
        <welcome-file>faces/null</welcome-file>
      </welcome-file-list>
      <error-page>
        <exception-type>javax.servlet.ServletException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <error-page>
        <exception-type>java.io.IOException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <error-page>
        <exception-type>javax.faces.FacesException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <error-page>
        <exception-type>com.sun.rave.web.ui.appbase.ApplicationException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <jsp-config>
        <jsp-property-group>
          <url-pattern>*.jspf</url-pattern>
          <is-xml>true</is-xml>
        </jsp-property-group>
      </jsp-config>
         <security-role>
              <role-name>Administrator</role-name>
         </security-role>          
    </web-app>
    portlet.xml
    <?xml version='1.0' encoding='UTF-8' ?>
    <portlet-app xmlns='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd                         http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' version='1.0'>
         <portlet>
              <description>Created By Java Studio Creator</description>
              <portlet-name>VSMPortal</portlet-name>
              <display-name>VSMPortal Portlet</display-name>
              <portlet-class>com.sun.faces.portlet.FacesPortlet</portlet-class>
              <init-param>
                   <name>com.sun.faces.portlet.INIT_VIEW</name>
                   <value>/Uctarna.jsp</value>
              </init-param>
              <expiration-cache>0</expiration-cache>
              <supports>
                   <mime-type>text/html</mime-type>
                   <portlet-mode>VIEW</portlet-mode>
              </supports>
              <supported-locale>en</supported-locale>
              <portlet-info>
                   <title>VSMPortal</title>
                   <short-title>VSMPortal</short-title>
                   <keywords>Creator</keywords>
              </portlet-info>
              <security-role-ref>
                   <role-name>Administrator</role-name>
                   <role-link>Administrator</role-link>
              </security-role-ref>          
         </portlet>
    </portlet-app>
    If I don't use the security-role and security-role-ref tags, the portlet works, and the isUserInRole method obviously doesn't.

    Nobody uses the LDAP roles in a portlet? Does anybody know of another thread discussing a similar issue (I can't find anything)?

  • How to implement Oracle user/role security with Access front end?

    Hi,
    We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
    In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
    We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By doing so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, etc. rights to the database.
    I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
    I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
    Can someone give me some assistance or point me in the right direction?
    Thanks in advance,
    Larry

    We had one of our programmers here come up with a VB code solution for re-linking tables within Access. However the relinking takes 3-4 minutes for 100+ tables.
    In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
    We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
    We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. It's easy to understand, we have a significant investment in the front end (obviously, the plan is to migrate the front end also at some future date).
    In order to utilize the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
    The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to objects (tables, queries, etc.) by their userid and or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once, logged into Access, users have rights to Access objects based on their rights granted to their userid and groups they belong. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
    The dilemma is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles (which are similar to Access groups), and again this is independent of Access security.
    Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
    For example, a user BOB logs into Access via the workgroup file, using VB code, Access then establishes an Oracle connection, logging into Oracle using the same unique userid BOB into Oracle.
    After connecting and validating user BOB into Oracle, then the Access tables are relinked to Oracle using the user BOB userid and table rights.
    This Oracle userid has been granted table rights specific for this userid. This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
    The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
    Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
    I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
    Larry

  • Security for Administrator Role in 11.1 and Upgrades

    Our Essbase is still on 6.5 with three applications/DB. I'd like to know:
    1. How much efforts to upgrade to 11.1. What are the most time consuming tasks in such upgrade.
    2. Can admin role be set up for ONLY one application/db, including user security, group, variables...
    Thanks for your responses.

    The amount of effort depends on your IT staff, number of users, and number of cubes. This could be anywhere from a few weeks for a small environment to a few months for a large environment.
    Major steps:
    Hardware procurement (when going from 6.5 you can expect to purchase a whole new hardware environment)
    Installation of Hardware
    Installation of Software
    Data export from 6.5
    Data import to 11.x
    Execution of scripts to calc 11.X data
    Export/Import of security (Filters, Groups,Users)
    Update of client software (Add-in)
    Financial Reports Export/Import (if you use them)
    Update of all automation scripts (this one can really take a lot of time. One of my large clients had 1600 scripts on Unix -- we wrote automation to update all the paths for this one)
    Regards,
    John A. Booth
    http://www.metavero.com

  • How to setup the security based on roles in Organization.

    Hi,
    How to setup the security based on roles in Organization.
    For example: A few users are Manager and a few users are Non Manager. Manager should have access to all work data including Non Manager, and Non Manager should have access based on role. How to set this up? How does the OBI server identify the user role?
    kindly let me know.
    Regards.,
    CHR

    Hi,
    You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
    And make a common report. A user logging in with the respective userid will have the userrole and joins assigned in the Back End. And they will be viewing the report according to their access.
    Hope this will solve your problem.
    Regards
    MuRam

  • CRM 2011: Can you control which form is used based not security roles, but on a field value?

    I see that you can control which form is used based on security roles, but can you control it based on other field values? I'd like a new record to use a different form until a given status is updated. I have a status of draft and active. So it would be nice if I could use form1 for those in draft, form2 for those that are active. But I only see where you can control that via the security roles.
    I can code all of this via JavaScript, but having the ability to use two separate forms would be nice. Is that even possible?
    Best regards,
    Jon Gregory Rothlander

    Hello,
    Recheck following article - http://gonzaloruizcrm.blogspot.com/2014/11/avoiding-form-reload-when-switching-crm.html
    Dynamics CRM MVP/ Technical Evangelist at SlickData LLC

  • How to use security roles in Weblogic server?

    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.

    You should read the security information in the Servlet 2.2 specification that WL 5.1 implements:
    http://java.sun.com/products/servlet/download.html
    Chapter 11 deals with declarative and programmatic security, and includes a section on roles:
    11.4 Roles
    A role is an abstract logical grouping of users that is defined by the Application Developer or Assembler. When the application is deployed, these roles are mapped by a Deployer to security identities, such as principals or groups, in the runtime environment.
    A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of that calling principal. For example,
    1. When a deployer has mapped a security role to a user group in the operational environment. The user group to which the calling principal belongs is retrieved from its security attributes. If the principal's user group matches the user group in the operational environment that the security role has been mapped to, the principal is in the security role.
    2. When a deployer has mapped a security role to a principal name in a security policy domain, the principal name of the calling principal is retrieved from its security attributes. If the principal is the same as the principal to which the security role was mapped, the calling principal is in the security role.
    Cameron Purdy
    http://www.tangosol.com
    "Hari" <[email protected]> wrote in message
    news:[email protected]..
    Hello Gurus,
    I am new to Weblogic server and I am trying to investigate how to make
    use of security roles in weblogic server (5.1.0). Can anyone point me
    to some documentation. Specifically, I am looking for instance level,
    and method level security and how to use it.
    Thanks for taking your time to read this e-mail.
    Thank You all in advance,
    Hari.

  • How to retrieve Global Roles in a the current security realm?

    Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
    I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
    Thanks all...
    Message was edited by:
    raymondng

    You can refer to the api
    http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
    -Ramkumar

  • How to get security roles

    Hi All,
    I want to know how to get the security roles which we configured in adfsecurity.
    Regards,
    Smaran

    Hi,
    to get all roles associated with the current user, try
    SecurityContext secCtx = ADFContext.getCurrent().getSecurityContext();
    String[] roles = secCtx.getUserRoles();
    To get access to the roles defined on the system (not user specific) then this requires OPSS access. The JavaDocs are here:
    http://download.oracle.com/docs/cd/E17904_01/apirefs.1111/e10686/toc.htm
    Off the top of my head, this is how to get access to the JPS context to query system resources.
    JpsContextFactory jpsfact = JpsContextFactory.getContextFactory();
    JpsContext jpxCtx = jpsfact.getContext();
    IdentityStoreService store = jpxCtx.getServiceInstance(IdentityStoreService.class);
    ... from here on I have no further hint without trying it myself. However, I hope I got you started
    Frank

  • Map security roles to group within LDAP using external 3rd Party LDAP

    I'm having a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory successfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to a group within Active Directory? Below are details about my configuration.
    Any help would be greatly appreciated.
    Log.xml log entry that confirms webtA is communicating successfully with AD.
    <MSG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    Error reported in the log
    <MESSAGE>
    <HEADER>
    <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
    <COMPONENT_ID>j2ee</COMPONENT_ID>
    <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
    <MSG_LEVEL>16</MSG_LEVEL>
    <HOST_ID>F2287032-W</HOST_ID>
    <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
    <MODULE_ID>security</MODULE_ID>
    <THREAD_ID>14</THREAD_ID>
    <USER_ID>wmgraham</USER_ID>
    </HEADER>
    <CORRELATION_DATA>
    <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    Web.xml Logical Role definition
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>allpages</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>WEBTA_J2EE_USER</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <role-name>WEBTA_J2EE_USER</role-name>
    </security-role>
    Orion-web.xml: This file maps the logical role defined in web.xml to a group within Active Directory.
    <security-role-mapping name="WEBTA_J2EE_USER">
    <group name="webta"/> <!-- Group defined in AD -->
    </security-role-mapping>

    What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
    When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
    In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
    Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

  • Data and Dashboard Security using ROLES Variable in OBIEE 11g

    Hi all,
    I'm currently using OBIEE 11g. I'm wondering how to implement the security for data and dashboard in the 11g.
    Below is the sample of how the security matrix requirement when I use the 10g version. In 10g, we usually use GROUP (for the data filter in RPD) and WEBGROUPS (for dashboard objects) variables in my initialization block to read from database. As we have 2 different variables, it is possible to control security separately for data and dashboard.
    GROUP | Country
    G1 | US
    G2 | FR
    G3 | UK
    WEBGROUPS | Dashboard
    WG1 | D1
    WG2 | D1
    WG3 | D1
    WG1 | D2
    WG2 | D2
    WG1 | D3
    WG3 | D3
    WG3 | D4
    Now, in 11g, the recommendation is to use ROLES variable (for application role). So, how would I apply the required security matrix above in 11g using just ROLES variable? Do I still create G1, G2, G3, WG1, WG2, and WG3 as application roles then only use G1-3 in the RPD to filter the data and only use WG1-3 in the analytics to serve as webgroups?
    Any advice on this? Thank you very much.

    "...Could you elaborate more?"
    I mean that role creation and user->role assignment will be managed outside of the obiee interface - whether that's via the database, LDAP, fmw etc.
    Webgroup creation and assignment is managed within the obiee interface and I think that has a lot of benefits - generally you have people responsible for shared folders and dashboard creation, so having them responsible for webgroups and presentation permissions is preferable for me.
    "are you saying that I use the role G1-3 only in the RPD, while using the role WG1-3"
    Yes .. I'm assuming you have something like
    G1 | US
    G2 | FR
    G3 | UK
    WG1 | Finance
    WG2 | Marketing
    WG3 | Sales
    Which becomes
    R1 | US
    R2 | FR
    R3 | UK
    R4 | Finance
    R5 | Marketing
    R6 | Sales
    And John belongs to R1 and R4, Fred belongs to R2 and R4 etc. So you would set your data filters against R1-R3 and use R4-R6 like webgroups in the presentation services.
    Regards,
    Robert

  • Invalid Security role-name error in Web Project

    Hi All,
    I have imported a J2EE application project built in JBOSS into NWDS 7.1.
    While building the project I get the following error
    CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
    This error directs me to the following code in web.xml
    <security-constraint>
              <display-name>Default JSP Security Constraints</display-name>
              <web-resource-collection>
                   <web-resource-name>Portlet Directory</web-resource-name>
                   <url-pattern>/jsp/*</url-pattern>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>PEHNTAHO_ADMIN</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    I have tried out the following things to resolve this issue:
    1) Remove the role manually (as suggested by various people in other J2EE forums), but then some other error came into the picture
    2) Then I added the following code in web.xml
    <security-role>
              <role-name>PEHNTAHO_ADMIN</role-name>
         </security-role>
    Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
    Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
         java.rmi.RemoteException:  class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
    sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
    version status: HIGHER
    deployment status: Admitted
    description:
              1. Error:
    Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
    ERRORS:
    Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
         <!-- whole web.xml-->
    </web-app>
    " is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
    WARNINGS:
    Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
    3) I had also added the following code in web-j2ee-engine.xml
    <security-role-map>
              <role-name>PEHNTAHO_ADMIN</role-name>
              <server-role-name>all</server-role-name>
         </security-role-map>
    but still I get the same deployment error.
    Please help me in resolving this problem.
    Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
    Thanks and Regards,
    Sruti

    Hi Malathy,
    Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
    Could you please let us know whether you created a role named users in WLS?
    Thanks & Regards,
    Murali.
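The build error in the question above went away once the role used in `<auth-constraint>` was also declared in `<security-role>`. The following is an added example, not code from any poster or product: a small pre-deployment check that lists role names referenced in web.xml (and optionally in a portlet.xml `security-role-ref`, as in the earlier portlet post) without a matching `<security-role>` declaration. It assumes a portlet `role-link` has to name a role declared in web.xml; the descriptor snippets are constructed from the fragments posted on this page.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Drop a '{namespace}' prefix so DTD-based and schema-based descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def walk(node, *path):
    """Return the elements reached by following child tag names from node."""
    nodes = [node]
    for name in path:
        nodes = [c for n in nodes for c in n if local(c.tag) == name]
    return nodes


def text_of(node):
    return (node.text or "").strip()


def ref_targets(root, owner):
    """Role each <security-role-ref> under <owner> points at (role-link, else role-name)."""
    targets = []
    for ref in walk(root, owner, "security-role-ref"):
        link = walk(ref, "role-link") or walk(ref, "role-name")
        if link and text_of(link[0]):
            targets.append(text_of(link[0]))
    return targets


def check_roles(web_xml, portlet_xml=None):
    """Compare referenced role names against the <security-role> declarations in web.xml."""
    web = ET.fromstring(web_xml.strip())
    declared = {text_of(n) for n in walk(web, "security-role", "role-name")}
    referenced = {}

    def note(role, where):
        referenced.setdefault(role, set()).add(where)

    for n in walk(web, "security-constraint", "auth-constraint", "role-name"):
        if text_of(n) and text_of(n) != "*":  # "*" stands for every declared role
            note(text_of(n), "web.xml auth-constraint")
    for role in ref_targets(web, "servlet"):
        note(role, "web.xml security-role-ref")
    if portlet_xml is not None:
        portlet = ET.fromstring(portlet_xml.strip())
        for role in ref_targets(portlet, "portlet"):
            note(role, "portlet.xml security-role-ref")

    undeclared = {r: sorted(w) for r, w in referenced.items() if r not in declared}
    unused = sorted(declared - set(referenced))
    return {"undeclared": undeclared, "unused": unused}


# Constructed sample: the constraint from the question, before the role was declared.
WEB_XML_BEFORE = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portlet Directory</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PEHNTAHO_ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same descriptor with the poster's <security-role> added.
WEB_XML_AFTER = WEB_XML_BEFORE.replace(
    "</web-app>",
    "<security-role><role-name>PEHNTAHO_ADMIN</role-name></security-role></web-app>",
)

# Constructed sample: a portlet.xml fragment shaped like the one in the portlet post.
PORTLET_XML = """
<portlet-app xmlns="http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd" version="1.0">
  <portlet>
    <portlet-name>VSMPortal</portlet-name>
    <security-role-ref>
      <role-name>Administrator</role-name>
      <role-link>Administrator</role-link>
    </security-role-ref>
  </portlet>
</portlet-app>
"""

if __name__ == "__main__":
    print(check_roles(WEB_XML_BEFORE))
    print(check_roles(WEB_XML_AFTER))
    print(check_roles(WEB_XML_AFTER, PORTLET_XML))
```

A non-empty `undeclared` result means a constraint or role reference names a role the application never declares; `unused` lists declared roles that no constraint or reference uses.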

  • Dimension security is not working if user have two roles in SSAS while connecting from Excel

    Hello Genius,
    I am facing an issue when a user tries to connect to the cube from Excel if the user has more than one role in the SSAS db.
    Role 1: Countryuser, I have implemented the dimension security with country
    dimension and  countrycode attribute.
    Role 2: CityUser,   I have implemented the dimension security with
    city dimension and  citycode attribute.
    If the user is mapped to any one of the above roles, dimension security is working perfectly according to the logic, but when mapped to both roles, the cube is exposing all the data; in this case dimension security is not working.
    Please give me the solution to fix this issue, or in case I am wrong kindly advise.
    Thanks
    Ganesh

    This is the expected behaviour as allowed sets in roles are unioned together.
    This is not a problem when your roles are restricting across a single attribute.
    eg.
    US_role = {[Geography].[Country].[USA] }
    France_role = {[Geography].[Country].[France] }
    as someone in both roles ends up seeing {[Geography].[Country].[USA], [Geography].[Country].[France] }
    But when you have different attributes:
    NY_role = {[Geography].[City].[New York] }
    France_role = {[Geography].[Country].[France] }
    The first role is unrestricted on countries and the second is unrestricted on cities which is effectively:
    NY_role = {[Geography].[Country].AllMembers , [Geography].[City].[New York]  }
    France_role = {[Geography].[Country].[France], [Geography].[City].AllMembers }
    And when you union those two sets together you end up with:
    {[Geography].[Country].AllMembers , [Geography].[City].AllMembers }
    Which means that someone in both roles can see everything.
    So if you want to restrict someone to City = New York and Country = France you have to create a single role where both attributes are restricted. So if you have a lot of these combinations you will either have to create a lot of "combination" roles or look at dynamic security.
    The other thing that might work is make sure that you only give some users access to certain cities and others access to certain countries. It's the mixing of the two for a single person that causes the issues.
    http://darren.gosbell.com - please mark correct answers
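
The union behaviour described in the answer above, as an added example that is not part of the original thread and is not SSAS code: a simplified Python model in which each role's allowed set is expanded with all members for any attribute it leaves unrestricted, then unioned per attribute. The member lists, role dictionaries and function names are constructed for illustration.

```python
# Constructed sample dimension: attribute -> all members (not from the thread).
GEOGRAPHY = {
    "Country": {"USA", "France", "Germany"},
    "City": {"New York", "Paris", "Berlin"},
}

# Roles restrict only the attributes they name; anything else is unrestricted.
US_ROLE = {"Country": {"USA"}}
FRANCE_ROLE = {"Country": {"France"}}
NY_ROLE = {"City": {"New York"}}
# The single "combination" role the answer recommends.
NY_FRANCE_ROLE = {"Country": {"France"}, "City": {"New York"}}


def expand(role, dimension):
    """Fill attributes the role does not restrict with all members."""
    return {attr: set(role.get(attr, members)) for attr, members in dimension.items()}


def effective_allowed(roles, dimension):
    """Union the expanded allowed sets, attribute by attribute, across roles."""
    merged = {attr: set() for attr in dimension}
    for role in roles:
        for attr, allowed in expand(role, dimension).items():
            merged[attr] |= allowed
    return merged


def over_exposed(roles, dimension):
    """True when every role restricts something but their union restricts nothing."""
    each_restricts = all(expand(r, dimension) != dimension for r in roles)
    return each_restricts and effective_allowed(roles, dimension) == dimension


if __name__ == "__main__":
    for name, roles in [
        ("US + France", [US_ROLE, FRANCE_ROLE]),
        ("NY + France", [NY_ROLE, FRANCE_ROLE]),
        ("combined role", [NY_FRANCE_ROLE]),
    ]:
        print(name, effective_allowed(roles, GEOGRAPHY), over_exposed(roles, GEOGRAPHY))
```

Running `over_exposed` over each user's actual role memberships is a quick way to find accounts whose mixed-attribute roles cancel each other out.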

  • Unable to assign all security roles to a user with a new custom security role

    Dear All,
    Happy New Year!
    I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign any desired security role to the new user.
    However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, let's say 'Support User Role'. We have provided 'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
    For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able to assign some other security roles, including 'Support User Role', to new user 'y'.
    I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but are not able to figure out which minimum rights we can provide to 'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
    Appreciate any help that you can provide on the above issue.
    Thanks in anticipation.

    Hi,
    Can you check if you have organization level Read access for Security Role and Organization level Assign access for Security role.
    Refer:-
    http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
    Hope this helps!!!
    Thanks,
    Prasad
    Make sure to "Vote as Helpful" and "Mark As Answer", if you get answer of your question

  • Interaction of BW Roles and BWA Explorer Security

    We secure all our BW users via roles. These roles have Analysis
    authorizations embedded in them which restrict access to specific
    infoproviders and values in these based on authorization relevant
    infoobjects.
    When we try to create a BWA Explorer object in RSDDTPS we are forced to
    assign a userid and an analysis authorization directly in
    the "Authorizations" tab. Our security group only wants to have to
    assign roles to users either via SU01 or CUA.
    Configuration
    BO 2008 Enterprise Server (connected to BW system)
    BW system (Netweaver 7.01 EHP1)
    BWA 7.2
    1) How can we create BWA Explorer objects on a infoprovider without
    directly assigning users in Authorization Tab and how can we make the
    system ignore whatever is on this tab and base access to a BWA explorer
    object on the roles assigned to the user via SU01/CUA.
    2) If a User has roles assigned in BW that give them access to a
    specific infoprovider will this automatically also give them access to
    a BO Server published BWA explorer object built on that infoprovider.
    Related to this do we also need import the same roles and assign to the
    user in CMS server with link to BWA Explorer Server or does the user
    automatically get access to BWA Explorer as long as BWA Explorer is
    published on BO Server.
    3) If the user in BW is assigned roles that limit values based on an
    authorization relevant object is this restriction enforced in the
    values returned in published BWA Explorer for the user. Example
    Authorization Relevant object is Profit Ctr and the user has two value
    roles one contains access to all profit center that roll up to a
    hierarchy node limited to the USA and the other contains hierarchy
    analysis authorization limiting access to all profit centers rolling up
    to hierarchy node representing Europe. When a user accesses the BWA
    Explorer object which contain profit ctr will the values be limited
    only to USA AND Europe Profit centers or will the BW value based
    security be ignored.
    Please provide advice on above questions and document resources on how
    BW role based security interacts with BWA Explorer.

    Hi Expert,
    I need a solution for same scenario, anyone can give inputs.
    Regards,
    Ganesh
