4 tiered security vs. task based security design

I have recently joined a company that has only FICO implemented. They are currently ramping up to implement all modules globally.
The current security model is 4 tiered security approach, in other words, there are 4 single roles which are roled up into a composite depending on what your position is in the hierarch. For example, an end user AP Clerk will get the basic role and probably one other. The AP clerks boss would get those 2 roles plus one other role and so on. Because the security is not very granular, they have a huge amount of mitigating controls in GRC to pass the yearly audits.
Most companies I have worked at are changing to a task based security approach to make the security more granular and therefore easier to manage and manipulate (for want of a better word) and possibly eliminate having to create and maintain a huge number of mitigating controls. Task single roles would be added to a composite per job position.
My question is, which version would be the SAP best practice approach? The 4 tiered approach is easier up front but a lot more maintenance going forward. The task based approach is a lot of work up front but less maintenance going forward.
No matter what road we take, there may also be derived roles thrown into the mix!

@Lovin_JV_941794
The welcome page is public available since it does not have appropriate PageDef file.
Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
It seems the task flow call stack to be destroyed after redirect to login page.
Edited by: user13307311 on Apr 17, 2013 12:45 AM

Similar Messages

MOAC / "Org-Based" Security

Hello,
I'm developing custom pl/sql for submitting concurrent requests/sets. For reference, here is what my initialization 'block' looks like in the pl/sql:
apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
apps.mo_global.set_policy_context('M');
apps.mo_global.init(appShortName);
(or)
apps.fnd_global.apps_initialize(user_id, resp_id, app_id);
apps.mo_global.set_policy_context('S', org_id);
apps.mo_global.init(appShortName);
(depending on whether the user chooses a 'multi-org' context or 'single-org' context)
I just have a few general questions.
1) Is the "mo_global.set_policy_context" followed by "mo_global.init" proper form?
2) I understand that if you choose multi-org (set_policy_context('M')), it reads the 'fnd_global.apps_initialize'd user's "allowed orgs" from his profile options (I forget the exact ones at this moment). Is this correct?
3) Is the sole purpose of "multi-org" security for performing multiple operations on multiple orgs without having to switch responsibility?
4) Most importantly (saved this one for last), I'm reading about the various different kinds of security (namely, http://docs.oracle.com/cd/E14223_01/bia.796/e14219/security.htm#BGBIFAIG):
Operating Unit Org-Based security
Inventory Org-Based Security
Company Org-Based Security
Business Group Org-Based Security
HR Org-based Security
Payables Org-Based Security
Receivables Org-Based Security
SetID-Based Security
Position-Based Security
Ledger-Based Security
My question is, are all of these various "securities" all managed with organizations? In other words, will my code (above) enable users to use ANY of these different kinds of security, if they so choose?

Hey so seeing as this question hasn't really been answered yet I figure I'll give it another go.
I'm going to be very specific this time:
I run PL/SQL scripts against the EBS database in order to do things like schedule requests/request-sets. The first thing I do (always) is initialize the apps context:
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
Next, depending on the situation (still unsure when/why, but whatever), we initialize the org context. This is done by performing exactly one of the following steps.
apps.mo_global.set_policy_context('M', null);
OR
apps.mo_global.set_policy_context('S', org_id);
OR
apps.mo_global.init('appname');
Now, the ORG_ID comes from this statement:
SELECT organization_id FROM apps.org_organization_definitions2 WHERE organization_name = 'blah'
Again, I don't know why/when we need to do this or apparently what any of these things do but it's kind of beyond the scope of what I do. SOMEBODY chooses one of these, depending on their mood (or whatever factors :) ). Based on my model, the following are the possibilities thus far:
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
OR
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
apps.mo_global.set_policy_context('M', null);
OR
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
apps.mo_global.set_policy_context('S', org_id);
OR
apps.fnd_global.apps_initialize(u_id, r_id, a_id);
apps.mo_global.init('appname');
After this, I use
apps.fnd_submit.submit_program('appName','progName','STAGEXYZ', args); <-- however many times I need
apps.fnd_submit.set_request_set('appname','requestSetName');
OR
apps.fnd_request.submit_request('appName','progName','description',starttime,FALSE, args);
My question is twofold:
1) Is this model generic enough? In other words, without doing anything extra, will people be able to do pretty much everything you could think of, at least in terms of running concurrent requests / sets? Will I ever - EVER - need to chain "set_policy_context" with "init"? <-- I would really love a yes/no answer because I am in no way/shape/form an EBS expert. I've read all the docs that I've been presented with thus far but I haven't found a straight answer to this yet.
2) I understand there are all different kinds of "org-based" security. Could I use my current code to initialize an inv_org, for example? If not, where could I turn for help? Are there other tables I should use for inv_orgs, hr_orgs, etc?
THANKS! YOU ARE THE BEST!

Research on the Security of NGDC Based on ASP

Research on the Security of NGDC Based on ASP
Zhang Li Gong Jianya Zhu Qing
Key Words
active server pages (ASP); national geospatial data clearinghouse (NGDC); geographic information system (GIS); Internet
Abstract
On the basis of the authors? experience of setting up an NGDC Web site, this paper attempts to present some significant aspects about the security of NGDC based on ASP. They include data storing, database maintenance, new technical support and so on. Firstly, this paper discusses how to provide the security of data which is saved in the host of NGDC. The security model of ?New works ?DB Sever-DB-DB Object? is also presented. In Windows NT Server, Internet Information Server (I IIS) is in charge of transferring message and the management of Web sites. ASP is also based on IIS. The advantages of virtual directory technique provide by IIS are emphasized.
An NGDC Web site, at the Research Center of GIS in Wuhan Technical University of Surveying and Mapping is also mentioned in this paper. Because it is only an analogue used for case study, the transmission of digital spatial products is not included in the functions in this NGDC Web site. However, the management of spatial metadata is more important and some functions of metadata query are implemented in it. It is illustrated clearly in the functional diagram of the NGDC Web site.
1 Introduction
Needless to say, it is very important for most GIS users to acquire and integrate the geospatial information from various districts. However, the current situation of geospatial information production and dissemination in the world is still unsatisfactory. On one hand, users do not know where the geospatial data files are stored and what geospatial data is useful for their applications, or have not necessary computer facilities. On the other hand, due to the lack of coordination and cooperation, the duplication of geospatial data production widely exists. Most of geospatial information is stored by different organizations including governmental organizations, commercial companies. What?s more, the lack of geospatial data exchange and sharing mechanism results in relative low benefit of geospatial data use. It is difficult for some products to get necessary information from other producers to integrate with or to update their own databases. In short, the value of geospatial information has not been shown exactly in GIS industry of China.
It is obvious that the information distribution technique based on Internet can play a great role in GIS industry. National Geospatial Data Clearinghouse users will be able to query what geospatial data is being produced, how about is quality, where it is produced, and how to get the geospatial data economically and conveniently.
2 NGDC and ASP technology
As mentioned above, NGDC is a geospatial information distributed network system which is concerned with geospatial data producers, managers and users. So the relationship among them must be harmonized. The NGDC provides the service of geospatial information through internet. In detail, it will allow various data formats to exist in this opened geospatial information service system and it supports the share and query of the geospatial data from different sources. The main mission of NGDC is to offer a means of fast, efficient, safe, economical service of geospatial data provision to users. At the same time, it will offer means for data providers to advertise their new products and collect users? demands and feedbacks in order to promote the geospatial data production.
To date, the model of NGDC is usually described as a provider-oriented model. In this model, every geospatial data provider is linked with internet as an NGDC node... user?s access NGDC nodes through internet and browses the catalogues of geospatial data stored in NGDC, and then they query the metadata about the available products for their applications. After selecting the desired data set, the user can send an order to the relevant producer on-line or by E-mail system. If users can not find the geospatial data available in this NGDC node for their applications, they will be able to access other NGDC nodes.
So the construction of NGDC is concerned with the planning and maintenance of dynamic Web sites linked with internet. Since Active Server Pages (ASP) came out with its peculiar characteristics several years ago, which is applied to the construction of more and more dynamic Web sites in the diverse fields? In comparison with common gateway interface (CGI), ASP is more effective and flexible as a server scripts environment.
With html pages, script commands and active X components, ASP can set up dynamic, interactive and efficient Web server programs. It is not important whether browsers can run those ASP codes, because all of ASP programs including scripts plugged in html, such as VBScript, JScript, are executed in servers. ASP programs will send a series of commands to the script engine, and then the script engine translates the commands into some codes which can be executed by servers. After running the executive codes, the results will be sent by servers to users? browsers in html. In this way, it is sufficient for browsers to have basic function of browse. As a result, the speed of the system increases rapidly.
NGDC Web site provides users with a catalogue of geospatial data entity, data entity and the relevant metadata. Therefore it is inevitable to access various databases in the construction of NGDC. It is convenient to connect database systems with ASP plug-in Active X components, so Web pages can be linked to all kinds of databases which provide ODBC interfaces for other programs. Active X components provide the objects whose tasks are to finish certain functions. So Active X components are of great significance in setting up Web programs.
3 Research on security of NGDC
This paper attempts to present some significant aspects about the security of NGDC base on ASP, such as data storing, database, maintenance, new technical supporting and so on.
3.1 Security of data storing
The information stored in NGDC includes geospatial data, relevant metadata and catalogues of data products. The maintenance of all the information is a very hard task. Of course, the security of data storing is included in it. From the point of system maintenance, the security of data storing in NGDC is concerned with disk error-tolerance and back-up supporting.
With the rapid development of manufacturing technique of hard disk, the life-span of hard disk has been lengthened. Disk error-tolerance decreases usually the possibility of data-losing because of errors of hard disks. It is inevitable that some errors cannot be limited in spite of any error-tolerance system. In order to maintain the security of data, the significance of data should be assessed firstly and so should the loss of data-losing. There are three kinds of dump plans for database or data files: full data dump, increment data dump and combination of them. As in NGDC the need of data back-up depends on its significance.
3.2 Security of database maintenance
As for popular large-scale database systems such as Microsoft SQL Server, Sybase, Oracle, Informix, security maintenance is implemented by four levels of ?New works ?DB Sever-DB-DB Object? security model. Every user has his network login ID and his password, with which the user ID and the password, users can login into network. Take Windows NT Server for example, Windows NT Server provides some security maintaining methods such as encoded password, minimum password length and so on.
In general, network cannot automatically permit its network users to access databases in it. The fact that a user can access databases does not mean that he can automatically access databases in it. Only those users who have their database user IDs stored in system tables in database can access database.
3.3 Security with ASP
In the environment of Windows NT Server, Internet Information Server (IIS) is in charge of distributing information and maintenance of Web sites. ASP is also based on IIS. When users access some ASP files in their browsers, the relevant ASP scripts will run in server and the results will be sent users in Web pages.
Virtual directories are different from physical directories in hosts or servers. Net work administrators may make good use of the mechanism of virtual directory in order to maintain the security. IIS supports virtual directory which plays a great role in the security maintenance of Web sites. Firstly, virtual directory conceals the information about actual directory structure. In normal browsers, users can get the path information of a certain Web site; the directory information of Web sites will be exposed to users linked with Internet. As a result, it is easy for the Web sites to be attacked by hikers. Secondly, it is convenient to transfer the WWW service from one server to another without updating the code in Web pages if there is the same virtual directory structure in two servers. Finally, when putting Web pages into virtual directories, administrators can assign different attributes to the directories. For example, in the construction of NGDC Web site, it is important to put normal html files and ASP files into different virtual directories. The attribute of directories in which normal html files are stored may be ?Read? while the attribute of directories in which ASP files are stored may be ?Execute?. On one hand, it simplifies the maintenance and management of NGDC Web sites. On the other hand, ASP source files will never be sent to user browsers. In other words, hikers cannot get the ASP source codes through their browsers. Thus it improves the security of ASP files.
4 An NGDC model Web site in WTUSM
Some other security aspects in operational model, programming, management in the plan and construction of NGDC should be concerned. As an example the construction of an NGDC model Web site is presented below in order to explain the security maintenance of NGDC in detail. On the basis of authors? research on relevant problems, this NGDC model Web site was planned and deployed in early 1999. As a model project, the purpose of construction of this Web site is to provide some useful experiences for other projects on NGDC. Therefore the process of geospatial metadata plays a great role in this Web site. In fact, there are not actual geospatial data products stored in this NGDC model Web site. The main task of this Web site is to provide relevant geospatial metadata services, so the functions of data product maintenance cannot be found. Geospatial metadata is stored into meta-database in Microsoft SQL Server. With ?New works -DB Sever-DB-DB Object? security model in Microsoft SQL Server, the relations between user and access rights are set up. In order to simplify the problem, those two tasks are assigned to two DB users. One is a user who is the owner of DB objects. (Of course, he has all rights to access, update and delete DB objects); the other is a normal user who can only access DB objects such as tables. While developing ASP programs in the integrate developing environment of Microsoft Interdev, the functions may be fulfilled by script programs running either in clients or in servers. As a result, it improves the confidentiality of ASP programs and the efficiency of NGDC service system.
In the NGDC Web site, something has been done in order to improve the security of operation: a table named providers? information table is stored in NGDC to keep some useful information about relevant geospatial data providers, such as name, ID, passwords, contact methods and son on. The information may be a long, irregular string whose length is less than 1024. It is produced and maintained by NGDC. The providers? information table is stored in the server in NGDC. In this way, data producers provide geospatial products together with their identifying information through Internet.
5 Conclusions
In short, it is very convenient and efficient to distribute geospatial data in the NGDC nodes through internet. On the other hand, with the development and construction of NGDC, there will come more and more challenges and problems about the security of NGDC. Obviously some researches and discussions in this field need to be further carried on.

Jaya
We have two ways to achieve this scenario
1.Going with PCR where we Query No of Years Completed
2. Going for Custom Function
In the above two ways we have to maintain the year of completion in Date Specification Either Manually or Thorugh Dynamic Action which shd automaticallly update....IT00041
I prefer the second one since PCR is some wht complicated

Using container managed form-based security in JSF

h1. Using container managed, form-based security in a JSF web app.
A Practical Solution
h2. {color:#993300}*But first, some background on the problem*{color}
The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principles*" that are defined to interact with your application. A security principle is basically just a user of the system that is defined by three fields:
- Username
- Group
- Password
The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
1. Start up your app server and log into the admin interface (http://localhost:4848)
2. Drill down into Configuration > Security > Realms.
3. Here you will see the default realms defined on the server. Drill down into the file realm.
4. There is no need to change any of the default settings. Click the Manage Users button.
5. Create a new user by entering username/password.
Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more usefull in a real app.
I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
h2. {color:#993300}*Step 2: Create the project*{color}
Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
1. Start by creating a new Visual Web JSF project.
2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
1. login.jsp (A Visual Web JSF file)
2. loginproxy.jspx (A plain JSPX file)
3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
Code follows for each of the files:
h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
    <navigation-rule>
<from-view-id>/login.jsp</from-view-id>
        <navigation-case>
<from-outcome>loginproxy</from-outcome>
<to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
    <f:view>
        <webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:textField binding="#{login.username}"
id="username" style="position: absolute; left: 216px; top:
96px"/>
<webuijsf:passwordField binding="#{login.password}" id="password"
style="left: 216px; top: 144px; position: absolute"/>
<webuijsf:button actionExpression="#{login.button1_action}"
id="button1" style="position: absolute; left: 216px; top:
216px" text="GO"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
        </webuijsf:page>
    </f:view>
</jsp:root>h3. *login.java -- implent the
button1_action() method in the login.java backing bean*
    public String button1_action() {
        setValue("#{requestScope.username}",
(String)username.getValue());
setValue("#{requestScope.password}", (String)password.getValue());
        return "loginproxy";
    }h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="2.0">
<jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
doctype-system="http://www.w3.org/TR/html4/loose.dtd"
doctype-public="-W3CDTD HTML 4.01 Transitional//EN"/>
<jsp:directive.page contentType="text/html"
pageEncoding="UTF-8"/>
<html>
<head> <meta
http-equiv="Content-Type" content="text/html;
charset=UTF-8"/>
<title>Logging in...</title>
</head>
<body
onload="document.forms[0].submit()">
<form
action="j_security_check" method="POST">
<input type="hidden" name="j_username"
value="${requestScope.username}" />
<input type="hidden" name="j_password"
value="${requestScope.password}" />
</form>
</body>
</html>
</jsp:root>
{code}
h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF{color}
target page, placed in the secure folder to test access*
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
<jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
<f:view>
<webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:staticText id="staticText1" style="position:
absolute; left: 168px; top: 144px" text="A Secure Page"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
</webuijsf:page>
</f:view>
</jsp:root>
{code}
h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
This type of security is called +declarative+ because it is not configured programatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already have the implementation to make everything work for you.
*web.xml will be used to define:*
- Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
- Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
- Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
*sun-web.xml will be used to define:*
- This is where you map a Role to the Users or Groups that are allowed to use it.
+I know this is confusing the first time, but basically it works like this:+
*Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
{code}
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description/>
<url-pattern>/faces/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name/>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>User</role-name>
</security-role>
{code}
h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
{code}
<security-role-mapping>
<role-name>User</role-name>
<group-name>Users</group-name>
</security-role-mapping>
{code}
h3. {color:#ff6600}*Almost done!!!*{color}
h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
h3. {color:#ff6600}*_Gotcha #1_*{color}
You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
h3. {color:#ff6600}*_Gotcha #2_*{color}
Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
*DONE!!!*
h2. {color:#993300}*_Here's how it works:_*{color}
1. The user requests the a page from your context (http://localhost/MyLogin/)
2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
5. The user enters username and password and clicks a button to submit.
6. The button's action method stores away the username and password in the request scope.
7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
9. The hidden username and password fields grab the username and password variables from the request scope.
10. The loginproxy page is automatically submitted with the magic action "j_security_check"
11. j_security_check notifies the container that authentication needs to be intercepted and handled.
12. The container authenticates the user credentials.
13. If the credentials fail, the container forwards the request to the login.jsp page.
14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
+Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
+The user is now at the secure welcome page.+
If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
Kerry Randolph

If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
This method allows you to create a custom login form and error page using JSF.
The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that that users can register for access and your program can store the username/passwrod in a database.
I'm new to programming, so none of this may be a good practice, or may not be secure at all.
I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
--Kerry

Dynamic, rules based security

My organization has an application that needs a very fine grained scurity model, that changes very often and is based upon a rules machnisem (written in PL/SQL). Is there a way to combine a rule based mechanism with the internal ACL mechanism of the iFS ?
null

Hi Harvey_SO,
According to your description, you get the security ignored when using custom dynamic role-based security. Right?
In Analysis Services, it has some role overlapping scenarios, if two roles used to secure attributes in two different dimensions, which might both apply to some users simultaneously, it can cause the user has no security applied from either role. Please
refer to workarounds in the link below:
The Additive Design of SSAS Role Security
If you have any question, please feel free to ask.
Best Regards,
Simon Hou
TechNet Community Support

RBAC / Role Based Security Set Up in R12

We are working with a 3rd party consulting organization to implement Role Based Access Control in E-Business Suite R12. We have approximately 50 users and with 35 responsibilities today and are currently in the process of designing our role based security set up. In advance of this the consulting company has provided us with effort estimates to cutover from the current responsibility structure to RBAC. We are told this must be done while all users are off the system. The dowtime impact to the business is very high, expecially considering our small user base.
With RBAC cutover downtime estimates such as these I can't understand how any company larger than ours could go live with it?
Does anyone have previous Role Based Access Control implementation experience in EBS R11i or R12 and could provide some insight on their experience and recommendations, best practice for cutover to mitigate impacts to the business as we cannot accept the 90 hours of downtime outlined by the consulting company below?
Disable users old assignments:
*12.00 hours*
Disable Responsibilities targeted for the elimination:
*12.00 hours*
Disable Responsibilities targeted for the elimination:
*16.00 hours*
Setup OUM options and profiles:
*6.00 hours*
Setup Roles and Hierarchies:
*14.00 hours*
Grant Permissions:
*12.00 hours*
Setup Functional Security and disable the obsolete responsibilities:
*12.00 hours*
Setup Data Security and disable the obsolete data accesses:
*6.00 hours*
Total *90 hours*
Note - all activities must be performed sequentially*
Any advice or experiences you could share would be extremely valuable for us. Thank you for taking the time advance to review & respond.

On Srini`s comments "Creating Roles.. will have to be done manually "... I would like to know will the same approach be followed for PRODUCTION instance also. Say if we need to create 35 responsibilities and 50 roles so should this be done manually in PRODUCTION.
I have not worked on this but I know that in my previous company this was done using scripts. Need to find more on this.

Info provider based Security

Gurus,
We build the multi provider with cube A and B, and planing to implement object based security on Infoprovider, the purpose have a one report common for 2 business and enforce security while accessing the data.
1 Created 2 Authorization Object AO1 and AO2 based on info provider A and B.
2.Addd these authorization objects to Roles R1 and R2 respectively.
3 Assigned roles R1 and R2 to 2 test user U1 and U2.
The User U1 still able to access data from the cube B and the same way Use U2 able to see data from cube B.
Any suggestion how can I enforce this design at security level..
Thanks for your inputs..
Raman.

Hi Raman,
Are you using BW7.0? In BI7 BW is doing more rigorous authorization/security checks.
If you are using BW3.X versions then you need to implement the concept:
"Unless the user has access to a resource...DO NOT ALLOW access"..
In RSSM (3.5) you can limit access by InofrArea OR InfoCube.
You need to explicitly limit access only to the relevant InfoCubes.
Additional Useful info:
http://help.sap.com/saphelp_nw04/helpdata/en/55/2bb33b90131e73e10000000a11402f/frameset.htm
Good luck, BB

New Technical Article: Securing a Cloud-Based Data Center

Securing a Cloud-Based Data Center
by Orgad Kimchi, Ron Larson, and Richard Friedman
Orgad, Ron, and Richard and explain the precautions you need to take when deploying a private cloud in a data center, and show you how to employ the security features in Oracle Solaris 11 to protect its infrastructure. Part 2 of a three-part article on cloud deployments that use the Oracle Solaris Remote Lab as a case study.
- Rick

The beautiful curve drawn by LDPC code caught my eyes, but several points hardly built up user confidence.Some details should be submitted carefully, especially comparison with BCH codes. In my opinion, X-axis is exact error bit count and Y axis is frame error rate. Then, BCH comparison is a theoretical vertical line. LDPC code will be well described in a group of points.
Moreover, can Xilinx provide more codes with different rate to support flexible design?

How can I turn off the WLS 6.1 security in order to develop my own application-based security module?

Dear Colleagues,
I am currently developing a J2EE application using WLS 6.1.
My team and I have to implement a security requirement to suit our company's needs.
The security requirements are that, users' password need to be aged (30 days maximum) and we need to provided a GUI front-end (JSP) to allow users to change their password when these expire after 30 days.
Our internal contacts in the company, have already taken the lead to find out about whether we will be able to use the WLS 6.1 platform to do this and the answer we got back, was.
Now we need to develop our own security module.
I have 2 questions:
1. How can we turn off the WLS security in order develop our own application-based security module?
2. How can we develop a security module that allows us to age users' password and provide them with facilities to change their passwords when these expire?
At the moment, we are using the default BEA WebLogic login.jsp page and there some configuration in the web.xml for this. I will be grateful if you could advise me on how to turn this default security off so that we can write our own security module.

hi,
1.You can write your own realm in 61 which can plugged for your security
calls.
2. once you write your ownrealm.. you can access it through weblogic
api/ur api..
thanks
kiran
"Richard Koudry" <[email protected]> wrote in message
news:3dd0d081$[email protected]..
Dear Colleagues,
I am currently developing a J2EE application using WLS 6.1.
My team and I have to implement a security requirement to suit ourcompany's needs.
>
The security requirements are that, users' password need to be aged (30days maximum) and we need to provided a GUI front-end (JSP) to allow users
to change their password when these expire after 30 days.
>
Our internal contacts in the company, have already taken the lead to findout about whether we will be able to use the WLS 6.1 platform to do this and
the answer we got back, was.
>
Now we need to develop our own security module.
I have 2 questions:
1. How can we turn off the WLS security in order develop our ownapplication-based security module?
>
2. How can we develop a security module that allows us to age users'password and provide them with facilities to change their passwords when
these expire?
>
At the moment, we are using the default BEA WebLogic login.jsp page andthere some configuration in the web.xml for this. I will be grateful if you
could advise me on how to turn this default security off so that we can
write our own security module.

What is the mean of using Portal with Role Based security as entry point

Hi Experts we have requirement of integration of Portal and MDM
I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from SAP 4.6c
Please give me the clarity of what is the meanin of second point
Regards
Vijay

Hi
It requires the entire land scape like EP server and MDM server both should be configured in SLD.
Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
Please go through this link
http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
The estimation involves as per your requirement clearly
Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
Regards
Kalyan

HR Business Group Based Security

Hi All,
We have implemented the EBS and OBIEE integration without any security enabled.
We have tried to implement the Business Group Org Based Security.
When we have enabled that initialization block and saved it.
SQL used in intialization block is
SELECT
DISTINCT 'BUSINESS_GROUP',
TO_CHAR(FND_PROFILE.VALUE_SPECIFIC('PER_BUSINESS_GROUP_ID', USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID))
FROM
+(SELECT+
USER_ID,
RESPONSIBILITY_ID,
RESPONSIBILITY_APPLICATION_ID
FROM
FND_USER_RESP_GROUPS
WHERE
START_DATE < SYSDATE
AND (CASE WHEN END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(END_DATE) END) >= SYSDATE
AND USER_ID = (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
THEN VALUEOF(NQ_SESSION.OLTP_EBS_USER_ID) ELSE (SELECT USER_ID FROM FND_USER WHERE USER_NAME = ':USER') END)
AND RESPONSIBILITY_ID = (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
THEN 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)' ELSE RESPONSIBILITY_ID END)
AND RESPONSIBILITY_APPLICATION_ID = (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
THEN 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)' ELSE RESPONSIBILITY_APPLICATION_ID END))
It is retuning error.
+[nQSError: 13011] Query for Initialization Block 'Business Groups' has failed.+
+[nQSError: 17001] Oracle Error code: 932, message: ORA-00932: inconsistent datatypes: expected CHAR got NUMBER+
at OCI call OCIStmtExecute.
Do any one have idea about how to reslove this issue ?
Thanks & Regards
Vishwanath

the first thing I can think of is: have you integrated eBS with OBIEE?
I know this initblock just works fine, but when I look to you error... I really don't have a clue...
But it must be the RESPONSIBILITY_ID or the RESPONSIBILITY_APPLICATION_ID.. but both are numbers already...

Error in Role Based security using weblogic 9

Hi All,
Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Success</web-resource-name>
          <url-pattern>/form.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
          <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
<transport-guarantee>INTEGRAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>myrealm</realm-name>
</login-config>
<security-role>
     <role-name>admin</role-name>
</security-role>
When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
So can any one provide me the solution for the above problem.
Thanks in advance.
By,
Sandip Pradhan

Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

Form based security in WebLogic 7.0 - back button quirk

I have an application comprised of several JSPs that are protected via Form based
security and enforce an SSL connection via the appropriate declarations in the
web.xml. This aspect of the application seems to be working with the exception
of one small quirk.
If a user presses that back button until such time as the receive the container
provided login page once again, and subsequently provide a valid user id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
error that states that the server understood the request, but is refusing to fufill
it. This only seems to happen given the above course of events involving the
use of a back button in the browser (or selection of an item from the history
list). I suspect that this has something to do with the session id being cached
or something, but I'm not sure? Can anyone offer any assistance on this one?
Also, does anyone know of a way of preventing the user from bookmarking this container
provided login page as this also seems to be causing problems for users. If they
bookmark the first protected page of the application all is fine, but if they
bookmark the login page they receive the 403 error.
Thanks in advance!

The cure for the symtops described below was to simply add a welcome-file-list
element with appropriate welcome pages to the web.xml descriptor. It makes sense
now that I have worked it out.
Todd
"Todd Gould" <[email protected]> wrote:
>
I have an application comprised of several JSPs that are protected via
Form based
security and enforce an SSL connection via the appropriate declarations
in the
web.xml. This aspect of the application seems to be working with the
exception
of one small quirk.
If a user presses that back button until such time as the receive the
container
provided login page once again, and subsequently provide a valid user
id and password,
they are NOT successfully logged in. Rather, they receive the ugly 403
Forbidden
error that states that the server understood the request, but is refusing
to fufill
it. This only seems to happen given the above course of events involving
the
use of a back button in the browser (or selection of an item from the
history
list). I suspect that this has something to do with the session id being
cached
or something, but I'm not sure? Can anyone offer any assistance on this
one?
Also, does anyone know of a way of preventing the user from bookmarking
this container
provided login page as this also seems to be causing problems for users.
If they
bookmark the first protected page of the application all is fine, but
if they
bookmark the login page they receive the 403 error.
Thanks in advance!

Form based security in WebLogic 7.0

I'm sorry for the beginner level question, but I seem to be missing a critical step
in getting Form based security to work. I have a Web application comprised of several
JSPs. I want to attache simple FORM based security contrainsts to all pages in the
app. Here are the exceprts from my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>DTSTAT</web-resource-name>
<url-pattern>/StateServlet/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Sysops</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/StateServlet/login.html</form-login-page>
<form-error-page>/StateServlet/login-error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>Sysops</role-name>
</security-role>
The app deploys correctly and I have verified that the constrinsts, etc. are recognized
by WebLogic by inspecting the content displayed from the Admin console under the
"Edit Web Apllication Deployment Descriptor" link - all looks as I had expected and
matches the XML configuration above.
I then use the "Define Resources and Roles for Web Resource Collections" link. Under
the "Define Policies" section I see the constraints as defined above. I then use
the "Define Roles" link to define the "Sysops" role for this application and add
the condition "Caller is a member of the group" and use Administrators as the Group.
From this point, I invoke one of the JSPS in the app and presented with the Login
page as expected. However, no matter what I enter for user and password, I always
get the login-error page back. I'm purposely trying to keep this simple so that
I can use the system user as a test case (who is a member of the Administartors group).
However, I have also created an additional separate user and added them to the Administartors
group as well with the same unsuccessful results.
Can anyone help me out please? I've been reading the docs and seem to be missing
a key element somewhere.
Thanks in advance,
Todd

          Try to refer to the documentation for
          Configuring Security in Web Applications at
          http://e-docs.bea.com/wls/docs70///webapp/security.html
          Does the weblogic.log file contain any error or warning
          messages corresponding to your problem ?
          If you have a test case to reproduce the problem, you
          can contact BEA support at [email protected]
          Thanks
          Developer Relations Engineer

R12: Role based security : Hiding a button in OAF page for roles

Hi All,
We have a requirement where in which, we have to hide a "Create" button in AR customer search form for some roles ... we have implemented UMX - Roles based security in our project and we cant hide it based on user or resp ...
Any ideas ... Is it feasible with this new featue of RBAC?
Thanks and Regards,
Senthil

Hi Ajay,
metalink note 2778881.1 is discussing "Page access tracking report".
but here i want to implement access restrictions to a particular page.
Regards,
Naren.

4 tiered security vs. task based security design

Similar Messages

Maybe you are looking for