RBAC / Role Based Security Set Up in R12

We are working with a 3rd party consulting organization to implement Role Based Access Control in E-Business Suite R12. We have approximately 50 users and with 35 responsibilities today and are currently in the process of designing our role based security set up. In advance of this the consulting company has provided us with effort estimates to cutover from the current responsibility structure to RBAC. We are told this must be done while all users are off the system. The dowtime impact to the business is very high, expecially considering our small user base.
With RBAC cutover downtime estimates such as these I can't understand how any company larger than ours could go live with it?
Does anyone have previous Role Based Access Control implementation experience in EBS R11i or R12 and could provide some insight on their experience and recommendations, best practice for cutover to mitigate impacts to the business as we cannot accept the 90 hours of downtime outlined by the consulting company below?
Disable users old assignments:
*12.00 hours*
Disable Responsibilities targeted for the elimination:
*12.00 hours*
Disable Responsibilities targeted for the elimination:
*16.00 hours*
Setup OUM options and profiles:
*6.00 hours*
Setup Roles and Hierarchies:
*14.00 hours*
Grant Permissions:
*12.00 hours*
Setup Functional Security and disable the obsolete responsibilities:
*12.00 hours*
Setup Data Security and disable the obsolete data accesses:
*6.00 hours*
Total *90 hours*
Note - all activities must be performed sequentially*
Any advice or experiences you could share would be extremely valuable for us. Thank you for taking the time advance to review & respond.

On Srini`s comments "Creating Roles.. will have to be done manually "... I would like to know will the same approach be followed for PRODUCTION instance also. Say if we need to create 35 responsibilities and 50 roles so should this be done manually in PRODUCTION.
I have not worked on this but I know that in my previous company this was done using scripts. Need to find more on this.

Similar Messages

  • R12: Role based security : Hiding a button in OAF page for roles

    Hi All,
    We have a requirement where in which, we have to hide a "Create" button in AR customer search form for some roles ... we have implemented UMX - Roles based security in our project and we cant hide it based on user or resp ...
    Any ideas ... Is it feasible with this new featue of RBAC?
    Thanks and Regards,
    Senthil

    Hi Ajay,
    metalink note 2778881.1 is discussing "Page access tracking report".
    but here i want to implement access restrictions to a particular page.
    Regards,
    Naren.

  • Role-Based Security In SQL Server Reporting Services

    Hi
    I have created Reports,
    Now I need to assign Role-Based Security, ie like some particular clients can access only some particular report.
    http://localhost/reports/Pages/Folder.aspx
    Here in the above link i can see the property tool bar where i need to set the user assignement roles.
    could any one please help me out how to set different login assigned to a set of report.
    Or is there any tutor links for this.
    Thanks a lot.
    Shan

    Create folders under the Home page (the link you have there).  For each folder set group athentication (AD) or harder managed, user account roles for the folders and the reports under the folder.
    If you set security at that home level you will not be able to control what reports they see or can't see.  You'll need to go all the way to the folder/report level.
    It's also not best practice to deploy reports directly to the home level.  Not best practice in it creating a very hard to manage security level.  Think of the levels in security as such to SQL Server.  Set the connect to sql level, database level and then down to the objects in them.  Same priciples apply to SSRS.
    Here is a cast going through some security settings as well http://technet.microsoft.com/en-us/sqlserver/dd391734.aspx fro creating your roles and utilizing them
    Ted Krueger Blog on lessthandot.com @onpnt on twitter

  • Reseeding cache for users with role based security

    I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

    I have created an ibot with the following:
    General - Normal Priority, Personalized (recipient's data visibility)
    Conditional Request - example_report
    Schedule - some schedule
    Recipients - Me(administrator) and User1
    Destinations - Oracle BI Server cache
    when the ibot runs 2 cache entries are created (for the 2 recipients).
    I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
    After the ibot runs:
    When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
    On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
    The User1 has a data level security.
    Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
    Thanks for your inputs.

  • What is the mean of using Portal with Role Based security as entry point

    Hi Experts we have requirement of integration of Portal and MDM
    I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
    1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
    2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from  SAP 4.6c
    Please give me the clarity of what is the meanin of second point
    Regards
    Vijay

    Hi
    It requires the entire land scape like EP server and MDM server both should be configured in SLD.
    Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
    Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
    Please go through this link
    http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
    You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
    The estimation involves as per your requirement clearly
    Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
    Regards
    Kalyan

  • Error in Role Based security using weblogic 9

    Hi All,
    Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Success</web-resource-name>
              <url-pattern>/form.jsp</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>admin</role-name>
         </auth-constraint>
         <user-data-constraint>
    <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
         <role-name>admin</role-name>
    </security-role>
    When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    So can any one provide me the solution for the above problem.
    Thanks in advance.
    By,
    Sandip Pradhan

    Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

  • JHeadStart Security problem-error page cannot be found- role based security

    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

    Thand you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and no by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
    To remind you my steps I paste the following again:
    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

  • Role based security and ACLs

    Hello,
    I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
    Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
    So:
    1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
    2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
    3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
    Your response is appreciated.

    Hello,
    I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
    Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
    So:
    1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
    2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
    3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
    Your response is appreciated.

  • RBAC (Roles Based Access Control) "Broken" in WCS

    In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever Radius server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on task list and it will give you both a TACACs and Radius output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for "SuperUser" role would be a list like below, note the real list is 48 different "tasks", I shortened it here.
    role0=SuperUsers
    task0=Users and Groups
    task46=Auto Provisioning
    task47=Voice Audit Report
    Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.
    The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way.". Seems like a silly reason for not doing things in a good way...
    Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)

    Hi,
    I believe all your questions are answered in "System Administrator's Guide - Security" manual.
    Applications Releases 11i and 12
    http://www.oracle.com/technology/documentation/applications.html
    You may also review this document.
    Note: 753979.1 - E-Business Suite Diagnostics RBAC Basics
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=753979.1
    Regards,
    Hussein

  • Role based reflection security manager?

    Hi,
    I am trying to find out whether there is a possibility to implement a role based Security Manager to control access to reflection operations (such as checkMemberAccess() for example).
    I need to implement an application where using reflection is totally forbidden, except for some very specific parts of the code. Is this possible? If yes, how should I proceed? Is there a concept of identity around the security manager? Should I use ReflectPermission? If yes how?
    I have been doing some reading, but it is still not clear to me. I am looking for a general implementation procedure.
    Thanks.

    Jrm wrote:
    Ok, fair enough regarding storing data on end user PC.
    But I see a contradiction here (or I mis-read you). I understand that SecurityManagers are used for applets to restrict some of their actions. What if people are able to bypass SecurityManagers? What is the point of having them? If a .jar application is started with a SecurityManager, can an end user strip it and replace it with its own security manager (from its own code for example)?First of all, the SecurityManager is provided by the local computer, not the applet. But, the most important point is that the SecurityManager used when running third-party applet code is not trying to protect the third-party code, it is trying to protect the local computer from unknown third-party code. the user is perfectly able to disable the SecurityManager and/or give the third-party code whatever permissions it desires if they decide to trust the code. you are trying to protect your code (+which is the third-party code with respect to the user+) from the user. that is the opposite situation, and does not work.
    I would be happy if I could deliver a .jar application with my customized and 'unremovable' SecurityManager. Is that possible or can one always fiddle the .jar to remove it?
    Because if people can always remove it, it is a permanent open door for man-in-the-middle attacks when code is delivered to end-users, correct? Is there any way to protect .jar from tampering?As i said in my previous post, there is no way to stop this. as a software developer, i'm sure you are aware that you can find "cracked" versions of any commercial software that you are interested in (if you know where to look). what makes you think that your java program is any more "secure" than those other programs?

  • Cannot implment security setting on the report level - SSRS 2012

    Hi All:
    I am having a weird problem on my SSRS 2012 reporting portal, I cannot click any of the drop down list like the example below. Is there anything from the setting?
    It is not only about the reporting level, any arrow on the reporting server, like data source, are kind of dead as well.
    Please kindly help and thanks in advance.
    Cheers
    Johnny

    Hi JohnnyKahWang,
    According to your description, you can view folders and reports on report manager, but you could not click any of the drop down list.
    Reporting Services uses role-based security to grant user access to a report server, and there are two types of roles: Item-level roles and System-level roles. Access to reports, folders, models, shared data sources, and resources is controlled through item-level
    role assignments. Each user who requires access to a report server must have at least one item-level role assignment. On a new installation, only local administrators have access to a report server. In this case, a local administrator need to create a role
    assignment which has Manage folders and Manage reports task to the account by following steps:
    Click Home at the top of the page to open the Report Manager home page.
    Click the drop-down arrow next to the folders and reports.
    Click New Role Assignment.
    In Group or user name, specify the name of a group or account.
    Select a role which can perform Manage folders and Manage reports tasks.
    Click OK to save the role assignments.
    For more information about Setting Item-Level Permissions on a Report Server, please refer to the following document:
    http://technet.microsoft.com/en-us/library/aa337471(v=sql.105).aspx
    If you have any more questions, please feel free to ask.
    Thanks,
    Wendy Fu
    Wendy Fu
    TechNet Community Support

  • Is role base security supported by WLS 5.1?

    To what extent is role based security supported by servlets under WLS 5.1?
              Declarative role based security does not seem to be supported?
              Are any of the following methods supported?
              HttpServletRequest.isUserInRole()
              HttpServletRequest.getUserPrincipal()
              If so, where are the roles declared? Where is the role/principal mapping
              done? Does getUserPrinicipal() return the principal using the WLS security
              realm?
              Thank you.
              Marko.
              

    Cool. Bonus mystery feature. I will call support.
              Thanks Winston.
              Marko.
              Winston Koh <[email protected]> wrote in message
              news:[email protected]...
              > no, i am not referring to ACL. to my knowledge, the servlet security
              > features docs do not make it into the WLS 5.1. I understand its a bit hard
              > to use the features properly without proper documentation. contact support
              > for more info
              >
              > thanx
              >
              > Winston
              > Marko Milicevic <[email protected]> wrote in message
              > news:[email protected]...
              > > The only servlet authorization mechanism I can see documented is ACL's.
              > Is
              > > this what you are referring to Winston? If so, I believe ACL are
              > different
              > > than declarative role based security. An ACL grants access to a servlet
              > for
              > > a set of principals (users and/or groups). But a role is not a
              > prinicipal.
              > > A role name is mapped to a set of principals.
              > >
              > > If you are referring to roles, can you give a URL to the documentation
              > which
              > > discusses this?
              > >
              > > Thanks Winston.
              > >
              > > Marko.
              > > .
              > >
              > > Winston Koh <[email protected]> wrote in message
              > > news:[email protected]...
              > > > both declarative and programmtic based security roles are supported by
              > WLS
              > > > 5.1.
              > > >
              > > > if you don't specify any specific security realm in the
              > > weblogic.properties
              > > > file, a default WebLogic Security realm is assumed. you could specify
              > the
              > > > group and its associated users and passwords there in the properties
              > file.
              > > > in the web.xml file associated with each web app, you could speciify
              the
              > > > security constraints for each servlet
              > > >
              > > > I would imagine when accessing a secured servlet within a web app, a
              > > client
              > > > would supply her credentials thru some sort of authentication, and
              based
              > > on
              > > > the credentials, we find out the role name from the
              weblogic.properties
              > > file
              > > > which in turn mapped to the web.xml which specify the security role
              that
              > > > could access the particular servlet. if the role matches, access to
              the
              > > > servlet is granted
              > > >
              > > > refer to WL Docs for more specific details
              > > >
              > > > thanx
              > > >
              > > > Winston
              > > > Marko Milicevic <[email protected]> wrote in message
              > > > news:[email protected]...
              > > > > To what extent is role based security supported by servlets under
              WLS
              > > 5.1?
              > > > >
              > > > > Declarative role based security does not seem to be supported?
              > > > >
              > > > > Are any of the following methods supported?
              > > > >
              > > > > HttpServletRequest.isUserInRole()
              > > > > HttpServletRequest.getUserPrincipal()
              > > > >
              > > > > If so, where are the roles declared? Where is the role/principal
              > > mapping
              > > > > done? Does getUserPrinicipal() return the principal using the WLS
              > > > security
              > > > > realm?
              > > > >
              > > > > Thank you.
              > > > >
              > > > > Marko.
              > > > > .
              > > > >
              > > > >
              > > > >
              > > >
              > > >
              > >
              > >
              >
              >
              

  • Dynamic, rules based security

    My organization has an application that needs a very fine grained scurity model, that changes very often and is based upon a rules machnisem (written in PL/SQL). Is there a way to combine a rule based mechanism with the internal ACL mechanism of the iFS ?
    null

    Hi Harvey_SO,
    According to your description, you get the security ignored when using custom dynamic role-based security. Right?
    In Analysis Services, it has some role overlapping scenarios, if two roles used to secure attributes in two different dimensions, which might both apply to some users simultaneously, it can cause the user has no security applied from either role. Please
    refer to workarounds in the link below:
    The Additive Design of SSAS Role Security
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou
    TechNet Community Support

  • Duet Enterprise 1.0 SP2 - SAP Role based authantication

    Hi All,
    We have implemented Duet Enterprise 1.0 SP2 in our landscape. Now we try to implement SAP Role based authantication.
    But don't know which role to assign for which authorisation. In my scenario i have created 2 users. For one user i want to have only read access to all lists (Contact, Employee, etc) and for another user i want to have all acess (read, write, modify, delete) on all lists available at sharepoint.
    Can someone help me to tell what roles (template) need to assign for what operation.
    Which roles i do assign to user in SAP that which ristrict users access at Sharepoint.
    Thanks & Regards
    Virender Solanki
    09818316550

    Hi Binson,
    I want to ristrict the crude operation (create, update etc) by giving roles in backend system. i am able to apply restriction at sharepoint end but i don't want that. i want SAP role based security.
    So i want, according to given roles in backend system user is able to do operations at sharepoint.
    Thanks & Regards
    Virender Solanki

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on a Upgrade project from 4.6c to ECC6.0 , In 4.6C R/3 system position based security concept is used.
    Are there any extra precautions need to be taken while upgrading in a position based security model ?
    Or
    Is it the same procedure either it is a role based security model or a postion based security model.
    iam new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    Already there are many document posted on SDN on same . Security upgrade is standard and mostly deal with role modification and can you elaborate more on Position based. Positiong related assignment also taken care with respective functional team  for ex :HR and technical team Workflow if there are any issues.
    Better you go throug the upgrade document .see post already available in forum before starting with upgrade.
    Experts correct me in case of correction.

Maybe you are looking for

  • Downloads to a computer or device not previously associated with an Apple ID?

    Apple sends me emails telling me that my Apple ID was used to download an app from the App Store to a computer or device that had not previously been associated with my Apple ID.  Apple advises me reset my password. I have reset my password about 20

  • Getting double intercompany invoice from one STO orders

    Have you already implemented the following flows and if yes how ? I would like to build an intercompany STO between company A plant 1 and company B plant but with a 3rd company C responsible of the order, That means that i would like to get 2 interco

  • Writing JAXRPC Object to XML Stream  by using LiteralObjectSerializerBase

    I am trying to write the JAX-RPC object to a file before I dispatch it to the service provider. What I currently have is : QName type = new QName("http://solms.co.za/utils/appsupport", "LicenseRequest"); XMLWriter writer = XMLWriterFactory.newInstanc

  • IMovie 08, Sony HD camcorder and a Power PC G5

    I'm considering buying an HD Sony camcorder. My husband insists on the HD. I've got a powerpc G5, 2.0 Ghz, 1Gb Ram, and iMovie 08. Which camcorder should we choose? I keep hearing negative things about the HDR-SR5 and models like it when trying to do

  • My time zone says denver, but im in phoenix?

    Question. What setting should be used for the time zone? If i leave it to set automatically it says denver, but im in phoenix? Should i just set the time zonenmanually to phoenix?