Roles and Rules for workflow.

Similar Messages

• Implementing roles and rules based authorisation with Azure AD

  Hi all,
  I would greatly appreciate some input on feasibility and patterns I should look at for a complex technical requirement that I am currently tasked with designing.
  We have a system that comprises a web and mobile app. In the past we have implemented session based authentication through ADAM and authorisation through custom business rules contained within the applications. The authentication mechanism is in the process
  of being migrated to Azure AD and authorisation is planned to be moved to Azure AD for our next release.
  Existing authorisation within our web application is already complex. We have users that belong to different groups with a range of permissions such as read, write or admin. Additionally each user is granted access to N customers and also N locations within
  each customer. We have a requirement that any number of combinations of customers and locations be supported. Users also need to have different permissions for each entity, i.e. read access to customer 1 location 2, write access to customer 4 and administer
  customer 7. Currently these privileges are maintained within a relational database and enforced as part of each PageLoad(). Essentially this is a combination of roles and rules based authorisation.
  We are struggling to represent this complex matrix structure within Azure AD and efficiently implement the authorisation decision in Azure AD. The driver for this technical requirement is to provide re-usability of the authorisation component to other (as
  yet unidentified) applications.
  Currently the best option we have come up with is implementing custom attributes for each class of permissions and storing within this 2048 bit field a bitmask that represents whether this permission is granted for a given location (which has a many to one
  relationship with customer).
  Any help or comment would be gratefully received,
  Phil

  Hi
  When "Advance routing" is used for Task assignment; the task service asserts the folllowing fact types : Task, PreviousOutcome and TaskAction to the rules engine. These facts gives all the reqd info about the task (like outcome of the participant, task stage .. etc)
  Now in the defined ruleset; we can have rules as per our requirement that can extract info from the asserted fact types and assign task to the required/next participant.
  Also note that we write the advance rules for exception cases only.
  For example; let's say all participants have 2 possible Outcomes [COMPLETE, RECHECK]. We have defined the ideal task routing flow as :
  Participant A -> Participant B -> Participant C. This is the flow when all participant selects "COMPLETE"
  Now suppose B selects outcome as "RECHECK" then the task shld move back to A. So for this case only we need to write a advance rule.
  Pls refer to the code sample at : http://download.oracle.com/technology/sample_code/hwf/workflow-106-IterativeDesign.zip
  Also dev guide : refer to section 28.3.7.2 http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10224/bp_hwfmodel.htm#BABBFEJJ
  Thanks
  Edited by: Kania on May 19, 2010 2:41 AM

• Difference between roles and rules

  Hi,
      I like to know the difference between the roles and rules from basic..
  Pls do  the needful.

  Rules tells the object identification of the standard task.Many workflow systems allow for escalation rules to be built into the process, ie when a manager does not action a task it gets escalated via the workflow to another manager. If the escalation time frame is set to 5 days, you need to ensure your tests take this into account and the result might be longer test cycles.
  Tasks can be assigned to an organizational unit but the strength of the workflow system is to enable business rules which select users <b>according to the data being processed</b>. For example, you might have one group of users associated with one quality notification type. The workflow can be configured to query the QM module directly to determine the users. You can define fallbacks using the default role associated with a task and allow agents to be specified on the fly by a supervisor.
  Using workflow, one can manage various tasks or steps to be executed by different users (based on users or roles).An action can be assigned to user or to a role.The routing mechanism for work items uses roles and organizational assignments to determine who receives which work item.roles can be assigned to users while creating organization structure in ppoce.
  hope this information helps
  Neerja

• How to create the roles and rule

  i buddies,
  here i have small requirement, but i am confusing to do that as i am new to OIM. my requirement is
  1) i have to create 2 roles named a and b.
  2)then i have to create one rule which states that these two roles can'be the same in that organization.
  3)after that i have to create one user and i have to assign the first role i.e a.
  4)if i assign the second role ie b to the same user , it should not allow me.
  to accomplish this task what is the work flow i have to create ? please tell me the steps...
  Thanks
  Balu

  First create 2 user groups called Group A and Group B.
  Create the group membership rules for A and B which will instruct oim to evaluate group membership rules when a user is created in OIM.
  for example: If user's cost center (on the user form) is "AAA" then he should be assigned to Group A. this will be your group membership rule for group A
  Then for constrcuting the group membership rule for Group B you can say,
  if user's cost center !="AAA". This will ensure that any single user in the system will not be a part of both groups at any given time, depending upon this attribute called cost center.
  you can then define access poclicies on the groups/roles which is used to auto-provision resources for any member of that role/group.

• Absence management/substition rules for workflows in UI5

  Hi,
  we would like to set the substition rules for the workflows in UI5 because some users don't use the SAPGUI but UI5 and need to maintain the substitution in case of planned absences (and maybe also in general) in case of an unplanned absence.
  Therefore we are searching for the possibility to set the substition rule for the workflows within an UI5 application. Does ist already exist (maybe as Fiori app) or are there any NW GW services like WFService that support this as a good starting point for our development?
  Regards, Vanessa

  Hi,
  Set substitution app is included in My Inbox (Wave 7), for more details please check
  Solving the workflow inbox clutter - Manage all your workflow tasks in SAP Fiori

• WebDynpro for Java and GuideProcedure for workflow.

  Hi All,
  I need inputs on how to create Webdynpro java screns for GP and create a workflow using them .
  I will be thankfull if someone could help to know how to send an email notification also in this workflow scenario.
  Thanks and Regards,
  Sai

  Hello,
  WebDynpro Java will be 'exposed' as callable objects - these callable objects are assigned to particular actions in a business process designed. First off, read through Guided Procedures and how processes are designed.
  As for the e-mail, there's a template to send e-mails via Guided Procedures -- you can define that e-mail via a template available with a particular callable object.
  For more details on implementing the scenario, look through the context menu of this tutorial:
  [http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/019742ad14c46ae10000000a155106/frameset.htm]
  Goodluck.
  Regards,
  Jan

• SAP Roles and Access for SAP Implementation team members

  Hi,
  Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
  If not, what is the correct practice?
  Kindly let me know

  Madhu,
  It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
  You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
  Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
  But I know just how demanding they can be....
  Best of luck
  Tony

• Role and Privileges for OLAP metadata

  Hi,
  Is there any document which specifies what all roles and privileges are required for creating any OLAP meta data ( Dimension, Cube, Measure and Catalog etc)?
  I think these are impt roles:-
  SELECT_CATALOG_ROLE
  EXECUTE_CATALOG_ROLE
  DELETE_CATALOG_ROLE
  RECOVERY_CATALOG_OWNER
  OLAP_DBA
  OLAP_USER
  Through system/manager I created one user TEST_BI_OLAP and granted CONNECT.
  After login as TEST_BI_OLAP I am able to create dimension. Why it is possible whereas doc says user should have OLAP_USER or OLAP_DBA role associated with it.
  OR only CONNECT is sufficient for creating OLAP metadata!!!!!
  regds
  P

  The difference is in what the end user sees. Say you want to deploy an analytical workspace based off of a ROLAP dimensional cube. Here is how I've been approaching the problem:
  1. Create a new user with the OLAP_USER role to hold the AW (say "AW_USER")
  2. Now log in with a userid that has OLAP_DBA role, and create the AW utilizing the ROLAP cube - but direct the AW to be stored in the AW_USER schema. Note that because it is in a separate schema from the ROLAP cube, you will not need to append characters to the dimension or measure names.
  3. Have end users log in using the AW_USER name. Then they will see the AW information, but they will not have access to the ROLAP cube data.
  Hope this helps,
  Scott

• Standred Roles and profiles for OSS Connection User

  Dears,
  We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
  Is there any standred roles or profile for this user in QAS and PRD that we can give to maintain our servers confidentiality.
  Please suggest.
  Shivam

  Not really. A note related to your question popped up in a previous discussion:Re: Exclude T-code from SAP all
  > If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...

• Defining roles and access for OWB Designer

  Hi,
  Can i Define roles and access rights to different on 1 OWB Designer repository?
  I want to send my mappings for code review but i dont want them to log into the OWB designer with write access.
  How can i achieve this in the same OWB designer repository as the one i am using?
  I am using OWB 10.1.
  I found some table - WMP_USER_ROLES,WMP_GROUP_ROLES,WMP_GROUP_REPOSITORIES
  when i logged into the designer schema through sqlplus
  Thanks
  Sagar

  Hi Sagar,
  Yes you can do that. Basically you can create a db user, and then register the user with a repository. By default that user has all privileges, however it now is audited per user as to what he/she did. How to do this look at the doc (find SecurityHelper)
  To enable you to protect metadata there are a couple of strategies (implemented via a simple PL/SQL API). For an example (this one works with policies on the module level) take a look here (http://www.oracle.com/technology/sample_code/products/warehouse/files/Dev_Status_Policy.SQL)
  This would work as follows:
  - Create user REVIEW
  - Register user REVIEW to repos QA
  - For a module you want review for, set the status to QA
  Now the REVIEW user logs in and he can look at QA but cannot touch.
  Hope this helps,
  Jean-Pierre
  In your situation

• AE - Can we setup a system to only approve some roles and not for others ?

  I would like to setup a test system with no approval of roles access except for some of them ?  Will that be possible and how ?
  Any suggestion ?
  I would appreciate any feedback.
  Thanks.

  Hello Frank,
  Thanks for the information and nice suggestion. This infact is a limitation. We can use this only in case our request has other roles, which have Role owners.
  Dear Patrick,
  Now you may use any of the options mentioned as per what kind of access requests comes in your organization but better to use the one which Frank suggested as this would hold true in all teh cases.
  Regards,
  Hersh.

• Filters and rules for Data Synchronizer

  Unfortunately or luckily our datasync server is positioned in the internal
  network. The main reason is the archiving solution for groupwise mail which
  uses a special connector on the datasync server to capture all email for
  specific mailboxes. So the entire mailflow can remain in our internal
  network and is not transferd out in the DMZ.
  But for few devices (like iPhone, iPad or smartphones with Android) with active
  sync protocol I want to sync the groupwise email, appointment and contacts
  to that devices.
  My problem, however is that the mobile devices want to use a secure connection on port 443 to get over 2 Bordermanager 3.9 SP2 servers.
  I did́ t find any examples on filters and rules in the documentation to
  do this.
  My idea is to use a nated public ip adress on the outer BM-server and
  acceleration on the inner BM-server.
  Maybe I am wrong and there are or is a better solutions.
  It would be great, if there is anyone who can help me with this problem
  Best regards

  jeep,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Roles and Privileges for 10g AWR and ASH reports

  Are there specific roles and privileges are required for one to run AWR and ASH reports for users who don't have DBA roles? If so, I would like to know about them.

  I think sysdba privilege need to run AWR report.
  Also check, how privilege is granted to PERFSTAT user in $ORACLE_HOME/rdbms/admin/spcuser.sql, you might get some clue!!!
  Cheer,
  Virag

• ABAP User Roles and Query for accessing particular T- codes and Reports

  dear Gurus
  I have one problem, i want to know about ABAP User Query ,i have one requirement my user wants to Lock all the HR Std versus Customized reports in T- code SQ01,other department peoples also see the Payslips and Hr personal reports which is harmfull to the dept so i want to Lock all the reports in Std T- code in SQ01 and i have created one Customized User Roles or Query in which the T-codes and Reports are assigned only those particular user can access the T-codes and Std reports .how can it be possible i dont have any idea about user roles and Queries .
  kindly help me out or send me some documents related to user roles and queries
  regards ritesh sharma

  Hi Ritesh,
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
  Regards,
  Flavya

• Extraction list roles and users for entreprise portal.

  Hi Everyone,
  I work on Enterprise Portal only java.
  I want to extract the list of all these users with their roles
  How do I proceed?
  Thanks for the help!
  Regards Giglio

  Giglio,
  Its possible to access the list of user and their roles from portal in several ways:-
  Approach 1:
  User Admin -> Import/Export -> User Data Export -> Press Export Button -> Copy the user content and store in a seperate file -> Done.
  Approach 2:-
  You can write a custom progrram in Java using UME API to get the portal user information. You can use webdynpro for java or JSP Dynpage/abtract portal component to use UME API.
  Ram