WLS: more fine granularity for User, Groups, Roles

Hi All,
In order to organize different users and groups in WLS, I need to use/define more conditions/attributes than the standard WLS users and groups.
The Oracle WLS concept and OPSS are clear to me and I need some samples or practical cases.
- Oracle Fusion Middleware, Security Guides http://docs.oracle.com/cd/E21764_01/security.htm
- Oracle® Fusion Middleware Understanding Security for Oracle WebLogic Server 11g Release 1 (10.3.5) http://docs.oracle.com/cd/E21764_01/web.1111/e13710/toc.htm
- Oracle® Fusion Middleware Securing Oracle WebLogic Server http://docs.oracle.com/cd/E21764_01/web.1111/e13707/toc.htm
- Oracle Platform Security Services 11gR1 (White Paper)
Any idea?

Hello Suman,
Try to avoid denial-based security rights assignment; instead you can leave the rights unspecified. As Greg said:
Denied + Granted = Denied
Denied + Not Specified = Denied
Granted + Not Specified = Granted.
You should not deny rights for the HR End User user group; instead make them unspecified. If you do so, then whenever the user is part of both groups, your security rights aggregation would be
Granted + Not Specified = Granted.
Make sure you follow the approach above. You can refer to the blog below for how to structure the folder, report and user group hierarchy and for effective maintenance of security:
BusinessObjects Administration - Content Management Plan
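
Added example, not part of the original reply: the aggregation rules quoted above, folded across every group a user belongs to, with an audit helper that lists where an explicit deny in one group cancels a grant from another. The "HR Managers" group, the right names and the sample rights tables are constructed for illustration; only "HR End User" comes from the thread.

```python
from enum import Enum

class Right(Enum):
    NOT_SPECIFIED = "Not Specified"
    GRANTED = "Granted"
    DENIED = "Denied"

def combine(a, b):
    """Pairwise rule from the reply: any Denied wins, then any Granted."""
    if Right.DENIED in (a, b):
        return Right.DENIED
    if Right.GRANTED in (a, b):
        return Right.GRANTED
    return Right.NOT_SPECIFIED

def effective_rights(user_groups, group_rights):
    """Fold each right across every group the user is a member of."""
    result = {}
    for group in user_groups:
        for right, state in group_rights.get(group, {}).items():
            result[right] = combine(result.get(right, Right.NOT_SPECIFIED), state)
    return result

def overridden_grants(user_groups, group_rights):
    """Audit: (right, granting group, denying group) where a deny cancels a grant."""
    findings = []
    rights = sorted({r for g in user_groups for r in group_rights.get(g, {})})
    for right in rights:
        states = {g: group_rights.get(g, {}).get(right, Right.NOT_SPECIFIED)
                  for g in user_groups}
        granting = [g for g, s in states.items() if s is Right.GRANTED]
        denying = [g for g, s in states.items() if s is Right.DENIED]
        findings += [(right, g, d) for g in granting for d in denying]
    return findings

# Constructed sample: one user who is in both groups (hypothetical names/rights).
MEMBERSHIP = ["HR Managers", "HR End User"]
WITH_DENY = {
    "HR Managers": {"View report": Right.GRANTED, "Schedule": Right.GRANTED},
    "HR End User": {"View report": Right.DENIED, "Schedule": Right.NOT_SPECIFIED},
}
WITH_UNSPECIFIED = {
    "HR Managers": {"View report": Right.GRANTED, "Schedule": Right.GRANTED},
    "HR End User": {"View report": Right.NOT_SPECIFIED, "Schedule": Right.NOT_SPECIFIED},
}

if __name__ == "__main__":
    for label, table in (("deny", WITH_DENY), ("unspecified", WITH_UNSPECIFIED)):
        print(label, effective_rights(MEMBERSHIP, table), overridden_grants(MEMBERSHIP, table))
```

Running `overridden_grants` over exported group memberships shows exactly which deny entries would need to become "Not Specified" for the grant to take effect.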

Similar Messages

  • Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2

    Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2? The General rules in Design Console are no longer used for auto group membership and the rules that can be configured in the Role properties cannot be nested as far as I can see.
    Any info is appreciated.

    My mistake... this is possible in the web ui.

  • Query for user group

    Dear Team,
    When I am creating a query for a user group via T-code SQ01:
    Query     ZDEMO1    then Create
    This message is coming:
    System setting does not allow changes to be made to
    object AQQU /ISDFPS/OM  ZDEMO1
    Why is this message coming?

    Dear Manu,
    Please check in SE06 >> change system options >> if the system and the relevant object are in modifiable status.

  • CP7 - Show 4 (or more) decimal points for User Variable?

    Is there a way to show 4 or more decimal points for user variables?
    For some reason, I'm only showing two decimal points for user variables in Captivate 7.

    Yeah, I was afraid of that.
    Right now, I am dividing the values of two separate text box entry fields.  I have to calculate the values to determine if they are getting a promotion, lateral transfer or lower pay range.
    I'll figure out a workaround or just use java.

  • Planner provisioning for user groups lost in Shared services

    Hi All,
    Everything was fine. All of a sudden, no users were able to login in to planning.
    On investigation it was found that all the planner/planning provision to the groups is lost in the shared services.
    Dug into the logs for a while and couldn't find any issues.
    What could be the reason we lost user group security provisioning only to planning?
    Could anyone please help on this?

    I used to have the same experience every time a migration happened from dev to UAT or prod etc.
    After migration, registering with shared services will be successful. When I try to sync or migrate user identities (provisionusers.cmd) from shared services, all user group info vanishes in planning (Add/Edit access page), i.e. the hsp_access_control table is truncated or all rows are dropped.
    Then I have to set it up correctly. I guess this happens because user groups have different IDs between different environments. When syncing planning at the target, it will not be able to recognize the wrong user group ID of the source system.
    My assumption:
    When provisionusers.cmd is run, planning fetches the user group provisioning information from shared services into the hsp_access_control planning repository table. Could someone confirm the same?
    Is there any other way to overcome this issue recurring every time a migration happens?
    But the problem today was different: the provisioning is lost in the shared services itself, which I haven't witnessed so far. We didn't migrate recently; everything was fine till 8 AM, but screwed around 8.10 AM. Everything was up and running.

  • Active Directory Authentication and permissions for user group in APEX 4.0

    I am new to Oracle APEX and I have searched the forum for Active Directory authentication for a user group and I am really confused about all the different threads. Can anyone please provide me the steps to follow in order to implement AD authentication for a user group in Oracle APEX 4.0?
    These are the threads which I was looking at to get an idea of how AD authentication works, but it's really confusing for me.
    Help with Authentication (APEX_LDAP.AUTHENTICATE)
    Re: LDAP Authentication Via Groups

    You need to give it more than 30 minutes before bumping your own post. This is not an official support channel, so you need to be patient and wait for people to read, think and respond.

  • How many ways we can create authorization for user groups in sap query reports

    Hi Gurus, I am getting a problem when I am assigning users to a user group in an SAP query report. Users other than those created in the user groups are also able to add and change the users. So please suggest how to restrict users outside of the user group.
    Please send me any suggestions and useful threads you have.
    Thank You,
    Suneel Kumar.

    I don't think it can be done. According to the link below 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
    Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
    Use AUTHORITY-CHECK to restrict access to the database based on user.
    Press F1 on AUTHORITY-CHECK to find out how to use it in the code

  • How to hide/show dashboards for user/groups

    Please help on how to hide/show dashboard menu/sub menu to users/groups based on their profile settings.
    thanks in advance.

    Hi Jinu,
    1) Do some or all of those subreports span multiple pages?
    2) Do each of the Subreports start on a new page?
    If yes, for both, then here's what you need to do:
    1) Create a formula (@True) with this code:
    shared booleanvar SetStatus:= True
    2) Create another formula (@False) with this code:
    shared booleanvar SetStatus:= False
    Drag and drop the @True formula on the details sections for which you want the Page Footer to be suppressed.
    Similarly, drop the @False formula on the details sections for which you want the Page Footer to show up.
    Then, go to the Section Expert > Select Page Footer c > Click the formula button beside Suppress and use this code:
    shared booleanvar SetStatus;

  • Report for user with roles

    Dear all
    Please let me know how to get a report for the users created with the roles. I want the users created , roles assigned and the time stamp
    I tried a lot but couldn't get the solution for this.
    thanks and regards

    Found the solution finally. Custom report with "attribute changed contains role"
    and action = create, bulkcreate, provision
    Thanks and regards

  • Dynamic User Group Role for ASA 8 ACS 4 External Windows DB

    1. I've successfully got a Win2003 AD user to authenticate to the ASA via an ACS but the default group settings the dynamic user becomes part of don't get transferred to the user. How do I get the user to adopt the group settings?
    2. ASDM recommends enabling authentication for admin console sessions so you don't ssh into a box then have to login as the enable password which isn't logged. When I check the box for this feature I can ssh to the ASA but my password is denied ASA. How do I keep the user credentials all the way to the privilege exec mode?
    3. Back in the day I could configure the ACS shell, privilege 15, custom attributes cisco-av-pair "priv-lvl-15" to get a user to jump directly to privilege exec mode. This doesn't work now. Is there a different way to do this on ACS v 4?
    Thanks in advance,

    Try this:
    aaa authentication enable console
    aaa authorization command
    On ACS go to the user or group that the user is in and go to enable options and click on "Max Privilege for any AAA client" and set it to "15". Then go to the "tacacs+" section and click on "Shell(exec)" and click on "Privilege level" and enter 15. Then go to the "Shell command authorization set" and set the default to permit any commands not listed. This will get the user into privilege mode. In ASA/Pix it requires command authorization and authentication for enable console. On IOS it requires that you use aaa authentication exec and then the aaa authorization exec/command. This will allow the user to go straight into privilege mode instead of user mode.

  • Propagating users/Groups/Roles into partner application

    I am a complete newbie to portal development. I have the following need.
    I want to use the Single Sign-On feature of Portal. Once the user has logged in to the portal via SSO, there may be several applications (within the portal) to which s/he may have access. Based on who s/he is, s/he may have a different level of authorization for what s/he can do in different applications within the portal. How can I take the user entered for Single Sign-On and propagate it to the application level inside the portal?
    My understanding so far with the portal is that you can develop a portal which has web clipping portlets, external/internal applications, items etc. When we create the users and groups and assign roles to the users, it is limited to the portal front page that we publish to the public.
    My problem is further down, in the different applications which I expose with the help of a portlet or by any other means, and having control in that particular (individual) application over which portion of the application users should be able to see or take any action on.
    Your help is highly appreciated.

    Does anyone have a clue?

  • Bypass password login for user group on windows 7 machines via windows server 2003?

    My management dislikes always having to log in to a computer via passwords. To them, it's considered an inconvenience and one more thing to remember alongside business. Therefore, they've asked if I can set the systems up to have whichever users selected log in without a password on their accounts. I'm not an expert in the Windows 2003 server admin role, so I would like some help with this.
        Note - Is there a way I can access the server through a user computer logged in as admin without going to the physical server itself? It's a bit of an inconvenience since it's in the storage area. (second level)
    Our system is also on a domain, and there are over 10 machines running Windows 7.
    Thank you!!

    For security reasons you can use security cards. This is suitable in an Active Directory environment.
    If managers insist on autologon, then read (for example)
    PS: Lowering security by autologon is a very bad habit. I would try to avoid this, unless using security cards.

  • Reseeding cache for users with role based security

    I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

    I have created an ibot with the following:
    General - Normal Priority, Personalized (recipient's data visibility)
    Conditional Request - example_report
    Schedule - some schedule
    Recipients - Me(administrator) and User1
    Destinations - Oracle BI Server cache
    when the ibot runs 2 cache entries are created (for the 2 recipients).
    I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
    After the ibot runs:
    When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
    On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
    The User1 has a data level security.
    Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
    Thanks for your inputs.

  • Payment Block Validation for User group

    Dear SAP Validation Expert,
    We would like to allow only selected FI users to change Payment Block to ' ' (Free for Payment) in tcode: FB02, FB03 and FBL1N.
    Currently we have managed to block other unselected users from changing the Payment Block to Free for Payment.
    But our issue is that other fields also cannot be changed/maintained. For example in FB02, the user is NOT able to change Payment Block (BSEG-ZLSPR) from 'B' to ' ' (Free for Payment), which is expected, but the user is also NOT able to maintain other fields such as Payment term (BSEG-ZTERM), Baseline date (BSEG-ZFBDT), Assignment (BSEG-ZUONR) and Text Field (BSEG-SGTXT).
    Below is our Validation; please advise how to improve it so that other fields can be changed too. Your swift reply is very much appreciated.
    ( ( SYST-TCODE = 'FB02' ) OR
    ( SYST-TCODE = 'FBL1N' ) OR
    ( SYST-TCODE = 'FB03' ) AND
    ( BSEG-ZLSPR = ' ' ) AND
    SYST-UNAME <> 'HIS20083'
    BSEG-ZLSPR <> ' '
    Message: E: You have no authorization.

    In your Validation a small change has to be done.
    ( SYST-TCODE = 'FB02' ) OR ( SYST-TCODE = 'FBL1N' ) OR ( SYST-TCODE = 'FB03' )
    Message: E: You have no authorization.
    Try the above procedure.

  • How to Create User ,Group ,Role in Jsf and Give  differ authentication to e

    Hi, I am working in JavaServer Faces.
    I am trying to create roles and users with different abilities.
    Like one is a normal user, one an admin; they have different abilities.
    I need those abilities on the basis of module, form, field, like Drupal-like CMSs provide.
    So how do I do that in JSF? Please help.

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].
