Access Control - Class of Service

Similar Messages

• Oracle EPM 11.1.1.3 - Assign Access Control in Shared Services for filters

  We are using 11.1.3 version of EPM.
  We have configured Essbase with Shared Services.
  When I try to click Assign Access Control , it gives "loading.." thats it. Nothing else.
  I have registered the application from EAS with Shared Services
  Could you pelase suggest what I can do assign filters to users.
  cheers,

  Hi,
  Provision the user with which you are logging into shared services as an Esssbase User and try.May this will solve your issue
  Thanks.
  Edited by: user9976039 on Oct 23, 2009 12:57 PM

• "Assign Access Control" returns error for essbase apps in shared services

  Hello,
  I installed and configured Oracle EPM 11.1.2 (Foundation, Essbase, Planning, Reporting&Analysis):
  OS: Windows Server 2008 Sp2 (32bit)
  Default Installation with default ports,
  Installation of all components on the same server,
  no clustering
  EPM System Diagnostic says that everything is OK.
  Now I want to assign filter access for an essbase database in the Shared Services.
  Starting the menu item "Assign Access Control" in Shared Services returns the following error:
  Error 404--Not Found
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  +10.4.5 404 Not Found+
  The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
  +....+
  Can anybody help ???
  best regards,
  Nicole

  Hello,
  here's what I found out so far:
  I get the error if I start the shared services console via the URL "http://servername:port/interop/index.jsp" and then select the "assign access control" for an essbase database.
  If I start the shared services console via the workspace everything works fine.
  Does anybody know what to do so that it also works if I start the shared services console via URL?
  best regards,
  Nicole

• Shared Services Assign Access Control for Essbase

  Hi we have a used who has his provisioning in form of filters in essbase group. I tried assigning his filter to thim through Assign Access Control in shared services. I'm able to see the user and also the the filter I created for the user but when I try to assign it to him and save it is really not getting assigned. It still stays the user doesnot have any filters assigned to his account. Am I missing anything.
  Thank you.

  Have you given maxl a try:
  grant filter appname.dbname.filtername to user;
  Cheers
  John
  http://john-goodwin.blogspot.com/

• I have problems with the Assign Access Control in HFM

  I have problems when I want assign Access Control by Shared Services in application HFM. I login with user admin and send me this message
  Processing Error:
  Description: Invalid argument.
  Code: -2147220951
  Trace: Number:-2147220951
  Description:
  Source:General Security Error
  Page:
  Actor: General Security Error
  Anyone can't help me

  I've seen this error when the application isn't registered properly. Try re-registering via Workspace.

• SharePoint Provider Hosted App (401) Unauthorized Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable

  Hello,
  I'm attempting to get a SharePoint 2013 Provider Hosted Application working in a brand new SharePoint environment.  I've created snapshots of both my dev and the sharepoint environments along the way and have meticulously documented every step of the
  way.  I've followed these instructions (among many other resources found along this journey) :
  http://msdn.microsoft.com/en-us/library/fp179923(office.15).aspx
  http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx
  http://msdn.microsoft.com/library/office/fp179901%28v=office.15%29
  Upon package and publish of my application to SharePoint, I get a 401 Unauthorized error.  I use Fiddler to obtain the SPErrorCorrelationID to ultimately obtain the following ULS Viewer Output.  Please explain how to fix if you're able.
  Please Note:  I was under the impression that a Provider Hosted Application does not use the Azure Access Control service, so I'm confused as to why my system is attempting to make this connection?
  Also Note:  I've used a self signed and godday obtained certificate to successfully f5 debug my basic web.title (out of the visual studio 2012 box) sharepoint provider hosted application... so I know my certs are good.
  Here's my ULS output:
  03/24/2014 08:54:47.83    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    Name=Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)  
   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.83    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Authentication Authorization    agb9s    Medium    Non-OAuth request.
  IsAuthenticated=True, UserIdentityName=0#.w|cltenet\sp.apps, ClaimsCount=25    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.83    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    Site=/    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.84    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Deployment    acjjg    Medium    The current user has System.Threading.Thread.CurrentPrincipal.Identity.Name
  = 0#.w|cltenet\sp.apps, System.Security.Principal.WindowsIdentity.GetCurrent().Name = NT AUTHORITY\IUSR, System.Web.HttpContext.Current.User.Identity.Name = 0#.w|cltenet\sp.apps.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.84    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsrv    Medium    redirectLaunUrl after getting it from query
  string, web or app instance: https://hightrust31.cltenetapps.com/Pages/Default.aspx?{StandardTokens}    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    General    aib0n    High    trying to get app tokens for site: 888b71f7-51ee-40f5-8344-8de4869d37d0
  Unable to load app tokens from appInstanceId: 22d5252f-392c-4f68-b820-a3053b9d4f24    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsrw    Medium    redirectLaunUrl after getting token replacement:
  https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsry    Medium    m_oauthAppId after NormalizeAppIdentifier()
  i:0i.t|ms.sp.ext|[email protected]8df36d5d.  Now getting app principal info.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr0    Medium    decided that we need to do a POST to the
  app.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr1    Medium    m_redirectMessage: EndpointAuthorityMatches  
   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr2    Medium    realm matched attempting to get app token
  using GetAccessToken()    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    advzm    High    Error when get token for app i:0i.t|ms.sp.ext|[email protected]8df36d5d,
  exception: Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable.     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)    
  at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
  userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
  serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    ajsr3    High    App token requested from appredirect.aspx
  for site: 888b71f7-51ee-40f5-8344-8de4869d37d0 but there was an error in generating it.  This may be a case when we do not need a token or when the app principal was not properly set up.  LaunchUrl:https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http://portal.cltenet.com&SPLanguage=en-US&SPClientTag=0&SPProductNumber=15.0.4420.1017
  Exception Message:The Azure Access Control service is unavailable.  Stacktrace:    at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)    
  at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
  userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
  serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
  serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest(). 
  Since this is a nonfatal error, it will be sanitized and posted to the app as part of the app launch.    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    General    ajlz0    High    Getting Error Message for Exception Microsoft.SharePoint.SPException:
  The Azure Access Control service is unavailable.     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)     at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext
  serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint)     at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId, Uri
  applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext serviceContext,
  String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
  serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken)     at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest()  
   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    App Auth    aib0p    Medium    Doing appredirect from appredirect.aspx:
  in site: 888b71f7-51ee-40f5-8344-8de4869d37d0 with RedirectLaunchUrl: https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017  
   306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  03/24/2014 08:54:47.85    w3wp.exe (0x1448)    0x22D8    SharePoint Foundation    Monitoring    b4ly    Medium    Leaving Monitored Scope (Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)).
  Execution Time=26.5933938531294    306c809c-66a1-d0d5-d8e2-89d3631ce1bf
  Your help is very much appreciated.
  With Respect,
  Larry

  Yes, actually - I was able to resolve it.
  However I don't know how, unfortunately.  I suspect it was because I needed to have the names of the certificates, defined during the certificate registration (to sharepoint) process, different.
  I have a complete document that shows step by step instructions on the exact process I took to complete the provider hosted application creation, deployment and publishing.  It was a daunting task, but I finished it successfully.
  If there's a way to send private message on this forum, please do so and I'll respond with a way to obtain my document.
  NOTE:  I'm not all impressed with the way this forum works.  This is supposed to be a Microsoft resource and I'll be damned if I ever get a response to highly technical questions.  Completely lame.  Boooooo Microsoft.

• Change in Access Control components on the Service Marketplace

  Hello GRC community:
  We would like to inform you that as of yesterday (5/30) the Access Control components for support messages/SAP Notes have been changed (they have actually been replaced so all messages/notes logged under the old component will be moved/replaced to the new).
  The main 4 components are now:
  New: GRC-SAC-ARA     Access Risk Management
  Old: GRC-SAC-SCC          Risk Analysis & Remediation (formerly Compliance Calibrator) 
  New: GRC-SAC-ARQ     Access Request
  Old: GRC-SAC-SAE          Compliant User Provisoning (formerly  Virsa Access Enforcer) 
  New: GRC-SAC-EAM     Emergency Access Management
  Old: GRC-SAC-SFF          Superuser Privilege Management (formerly Virsa Firefighter) 
  New: GRC-SAC-BRM     Business Role Management
  Old: GRC-SAC-SRE          Enterprise Role Management (formerly Virsa Role Expert)
  There are also NEW components specific to areas of functionality. If you are not sure of what component to log your message under, please use the main components above.
  GRC-SAC-ADS          Directory Services
  GRC-SAC-BI             Access Control BW
  GRC-SAC-CONF       Configuration
  GRC-SAC-DAS          Dashboard
  GRC-SAC-REP          Repository
  GRC-SAC-RPT          Reporting
  GRC-SAC-UAR          User Access Review
  GRC-SAC-UPG          Installation & Upgrade
  GRC-SAC-WF           Workflow
  Ramelyn Paredes
  AGS Primary Support

  Hello COmmunity,
  To Summarise in Short: New features introduced to V10.0 : GRC 10.0 is ABAP based, so extraction of data from users is fast & analysis as well.
  As usual, the names for the Access control tool has been changed
  A. Access Risk Analysis (RAR)
  1. USOBT & object information will be automatically updated with GRC rather than manual upload (earlier version)
  2. Mass Users can be imported from .CSV file for risk analysis, Role analysis etc.,
  3. Variant creation / reuse for any report analysis
  4. Option of having multiple rule sets & simulating users across multiple rule sets at same time
  5. Risk analysis for CUA, Composite roles
  6. Mitigation by system, risk id, mass mitigation for users, audit trail etc.,
  7. Risk analysis for HR objects
  B. Emergency Access Management (SPM)
  1. Mass reporting for all FF users, Ids, Executions
  2. Centrally maintained for all systems rather than individual ERPs.
  C. User Access Management (CUP)
  1. Customizable Access request forms
  2. HR based role assignment for position, org unit
  3. IDM integration using GRC Web services
  D. Business Role Management (ERM)
  1. Concept of Business role mapping for Technical roles.
  2. Audit Trails & PFCG Change history.
  Finally, the look, reporting format has been changed to provide additional information for analysis.
  More important - GRC V5.3 support is till 2015 & SAP has planned to push the customers to upgrade to 10.0. Eventually SAP is also planning to release GRC 11.0 by mid next year. So we have to wait & watch the show

• "Assign access control" not appearing under Essbase in shared services

  Hi Everyone,
  Can anyone point out the reason behind this? This is leading to all sorts of problems. Configuration is as follows:
  App Server: Foundation, EAS, Planning, Reporting, Web Analysis, Workspace on Tomcat
  DB Server: Essbase and SQL Server
  Essbase is on Shared Services mode.
  This is actually very urgent. Would be grateful for any help.
  Thanks,
  Sayantan

  This has been posted in the essbase forum > "Assign access control" not appearing under Essbase in shared services
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Unable to use the Assign Access Control feature in shared services

  Hi,
  When I try to right click on the essbase applicaiton in Shared Services to assign access control( to assign a new filter) I keep getting the following error
  " Internet cannot display the webpage" message with the following
  This problem can be caused by a variety of issues, including:
  Internet connectivity has been lost.
  The website is temporarily unavailable.
  The Domain Name Server (DNS) is not reachable.
  The Domain Name Server (DNS) does not have a listing for the website's domain.
  There might be a typing error in the address.
  If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section
  All the services are running file and I can create new users/ groups and also perform appication migration.
  I'm using Hyperion 11.1.3.24 on windows 2003 r2.
  Any help is appreciated. Thanks.
  Regards

  vs wrote:
  John,
  I tried the refresh button and nothing appears. I have created a group and gave it filter access. Now I'm trying to attach that filter to the group.
  Appreciate your help.Can we replace backup .sec file for shared services?
  For example: In planning if the .sec file corrupted then we replaced with old .sec file...rite...the same way can we do it in shared services?
  I know if we replace the old sec in planning...it will take old securities only...
  Edited by: Prabhas on Feb 12, 2013 9:27 PM

• Problem with shared services,, cannot load "assign access control"

  i m using 11.1.1.3 version of EPM.
  I have configured Essbase with Shared Services.
  When I do right click on application on shared services and select "Assign Access Control" , it gives "loading.." .it remains same for hours..
  I re configured essbase ,, but problem remained same...
  Could you please suggest what I can do assign filters to users.

  Have you given maxl a try:
  grant filter appname.dbname.filtername to user;
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Certificate and Key Expiration information regarding your Access Control Service (ACS) 2.0 Namespace

  I've received an email from Windows Azure Team ([email protected]) with the above title. It suggests
  I 
  We are writing to inform you that certificates or keys related to one or more of your Namespaces are about to expire between July 8, 2012-November 8, 2012.
  Please find below the list of your Namespaces that need Certificate or Key rollover:
  fiftyeggs-cache
  These namespaces can be viewed by signing in to your Windows
  Azure portal subscription. After you have signed in you are redirected to the Management Portal page. On the lower left-hand side of this page, click Service Bus, Access Control & Caching. To see
  the registered namespaces under your subscription, under Services click Access Control/Service Bus/Caching.
  However, this is a cache-namespace which appears to be a Managed Namespace
  http://msdn.microsoft.com/en-us/library/gg185943.aspx and I don't believe there is any way of managing keys. Can anyone help or point me to the relevant article. I don't want the cache keys to expire (the site will die) but there doesn't appear to
  be any actions for me to take.

  Did you add a X509/Symmetric Key/Password based "Service Identities" (Re Carson Wa above). If not, my year
  is up on the 27th so I'll schedule for random failures! That will not keep my clients happy.
  Can you keep us informed of the progress of your ticket here please :-)
  I got an email from MS yesterday...
  We inadvertently sent an email message to you between June 12 and June 18, 2012, that
  described updating expiring certificates and keys in the Access Control Service (ACS) namespaces used by your Service Bus or Cache namespaces. The message referred to the following namespaces:
  fiftyeggs-cache
  The message was sent in error, and we sincerely apologize. No action is required.
  Did you get that?
  Andrew

• Controlling Access to Classes

  Hi,
  I know that you can use the keywords private and protected for methods and variables, but can you also use these keywords at the class level? I understand that the public modifier enables a class to be accessed outside of its package, and that if no modifier is used, then the class can be accessed by any class within the same package. But what would the private and protected keywords mean at the class level?
  Thx.

  I know that you can use the keywords private and
  protected for methods and variables, but can you also
  use these keywords at the class level? I understand
  that the public modifier enables a class to be
  accessed outside of its package, and that if no
  modifier is used, then the class can be accessed by
  any class within the same package. But what would the
  private and protected keywords mean at the class
  level?They cause a compile-time error.
  It's can be explained.
  private modifer forbid(? a don't know how to translate :) ) access to class, why you must need class that you can't access?
  protected modifer used when you inheritr something/ but tou newer inherite class. You inherit it'as member.
  It was simple question :)

• How to control class file access

  Hi
  I am developing an application in java. I am keeping only one class where the user has to enter valid password. different classes are called later as soon as the user run the application. I guss, any one can access other class even those has not main class by way of writing a new class having main method and calling all other class from that class. Will any one suggest how do I protect it?
  Thanks in advance

  package mypackage;
  public class myEntryClass { // public as this class is the only one that is to be used by others
  private boolean isLoggedIn; // no one can change this value except myEntryClass
  public myEntryClass() {
  public final void login(String user, String password) { //anyone can attempt to login - the mehod may not be overridden however by subclasses as it is final
  if ( /* check if username and password is ok */ ) {
  this.isLoggedIn = true;
  public void callAMethod() {  // anyone logged in may do so
  if (this.isLoggedIn) {
  AnotherClass.aMethod();
  package myPackage;
  class AnotherClass {  // package/default visibility
  static void aMethod() {    // package/default visibility
  // do something
  Hope that helps
  rh

• ADF UIX Role Based Access Control Implementation

  Hi,
  Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
  The application users can be dymanically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
  Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
  Thanks a lot.
  Sathya

  Brenden,
  I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
  If you modelled your security infrastructure in OID than the database, an administrator would be able to use the Delegated Administration Service (DAS), as web based console in Oracle Application Server. To configure security this way, you would have two options:
  1. Use J2EE declarative security and configure all you .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working dirctly with it because Struts actions have a roles attribute.
  The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
  2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
  The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
  1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
  Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
  Two links that you might be interested in to read are:
  http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
  http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but its a good source of information.
  Frank

• ISG does not send Access-Request to download service definition

  Hi guys, 
  I got these configs on my ISG and when I see the packets between AAA and ISG router, there's no access-request for downloading the service definition! 
  policy-map type control PPPoE_MAIN_POLICY
   class type control always event session-start
    10 authenticate aaa list PPPoE_AUTHE 
    15 authorize aaa list PPPoE_AUTHO password cisco identifier source-ip-address
    20 service local
   class type control always event service-start
    5 collect identifier source-ip-address
    10 service permit
    20 service-policy type service identifier service-name
    30 log-session-state 
   class type control always event account-logon
   service-policy type control PPPoE_MAIN_POLICY
  And here's the picture of Access-Accept with bunch of specified not-cached services 
  Any idea I appreciate it in advance. 

  Hi,
  Could you share your full config? It would be good to check your AAA config since that will influence how service profiles are downloaded.
  Also, could you briefly explain the goal of your config? Do you simply want to apply services "SRV_INTERNET_PRIMARY" and "SR_INTERNET_128K_5G" via autosevice?
  Regards