ACCESS CONTROLS - UME ROLES (RAR)

Hello Experts!
I was wondering if you could help me. Is there a way to create/modify a role with the activity to assign Custom User Groups in RAR?
I checked the actions that exist for VIRSA.CC and didn't find any relevant actions.
I don't want to give authorization for all the actions in the Configuration tab but only for creating Custom User groups.
Thanks in advance!
david

Hello Frank,
I want to give the authorization to our service desk to create Custom User Groups over RAR > Configuration > Custom User Groups.
But I searched the actions over the UME and I couldn't find anything about custom groups.
I didn't want to give the authorization for the configuration tab.
Thanks
david

Similar Messages

  • GRC Access Controls v5.3 RAR Batch Job Risk Analysis Incr Analysis

    Hi All!
    re: GRC Access Controls v5.3 RAR Batch Job Risk Analysis Incr Analysis
    Can anyone list or direct me to a help link that has the progress list of processes that are contained in this batch job?
    Thanks!

    Hi All,
    I have answered my own question. The processes are:
    User Permission Analysis
    Profile Action Analysis
    Role Action Analysis
    User Action Analysis
    Role Permission Analysis
    -john

  • Access Control 5.3 RAR - BW Reporting 0GCC_UPV

    Hi experts,
    I have activated the SAP GRC Access Control content and everything works fine so far. However, I can't report risks by users properly, as mitigated controls are not taken into account in cube 0GCC_UPV. Mitigated users are stored in 0GCC_MTUS.
    Has anyone experience with this ? Of course we want to report on users which are not mitigated and still have risks.
    The query select * from virsa_cc_prmvl on the Java Stack says that MITREFNO is always empty. However, there is the possibility on the Java stack to report on users and select/deselect mitigation. I don't believe they join two tables during runtime!
    Any help is appreciated!
    Thanks,
    Max


  • Access Control 5.3 - RAR

    Hi Experts,
    Help needed. I am a newbie with GRC.
    I have executed the background jobs for RAR:
    - roles/profiles/users sync
    - batch risk analysis
    - mgt rpt
    all full sync and with * values
    Once completed, the info was updated in the Informer tab under mgt view.
    Question 1: What is puzzling me is, though I have set up the rule architect with critical roles and profiles (SAP* roles & S profiles) and under the config tab set ignore critical roles and profiles to YES, why is the mgt view->risk violations still showing me IDs assigned with SAP_ALL? This is definitely not a good place for top mgt to view the report since it is not reflecting the "accurate" situation of the system. Right?
    Is risk analysis->user analysis, role analysis the "right" place for top mgt to view the reports then? Please advise.
    Question 2:
    When I change the background job parameters for Batch Risk Analysis with a specific user group and specific role range, why doesn't it reflect in the mgt view->risk violations? It still shows me all the users in the system and not the range of users that I specified.
    Thanks.

    Hi Annie,
    For your first question check this thread -
    GRC 5.3 Zero Violations & unable to exclude critical profiles
    Question 2:
    When I change the background job parameters for Batch Risk Analysis with a specific user group and specific role range, why doesn't it reflect in the mgt view->risk violations? It still shows me all the users in the system and not the range of users that I specified.
    As per my understanding, mgt-risk violation will show you the results based upon the selected criteria in the view and not based upon the background job you selected. Once Full Batch Risk Analysis is done, the data is there in the GRC database. After that it keeps syncing each time you run a new batch risk analysis and adds any new changes.
    Showing in mgmt report is based upon what you select to see.
    Regards,
    Sabita

  • GRC Access Control 5.3 - RAR Risk Analysis in offline mode

    Hi expert,
    I'm trying to do RAR Risk Analysis in offline mode following this guide (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/20a06e3f-24b6-2a10-dba0-e8174339c47c). But to generate the User Action file, the ABAP has a problem when it tries to get the COMPOSITE ROLE field for a Role that is associated with many Composite roles, as the unique record consists of the fields IDUSER, ROLE and ACTIONFROM. Does someone know how we can solve this conflict?
    Best Regards!

    I'm sorry, I think I haven't made myself clear enough. The thing is that the User Action File has a "Composite Role" field and we don't know how to fill it when the Single Role belongs to multiple Composite Roles. This is because of the primary key: we can't make multiple records for each userid/role combination, each one with a different Composite Role, such as in the following example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE2
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLEN
    Should we instead do only one record with all the composite roles? What character should we use to separate the composite role names? A ",", a ";"? For example:
    USERIDX/ROLEX/ACTIONX/ACTIONX/PROFILEX/COMPOSITEROLE1_,_ COMPOSITEROLE2_,_ COMPOSITEROLE3
    Hope I explained myself. Thanks for your help.

  • To run OHS at port 80 using solaris role based access control

    Hi.
    I already know and have done setuid root on ohs/bin/.apachectl to allow OHS to listen on port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work, as I can run a home-built apache2 httpd on port 80 without suid root.
    On Solaris 10, I enabled the oracle uid to run processes below port 1024 using RBAC:
    /etc/user_attr:
    oracle::::type=normal;defaultpriv=basic,net_privaddr
    Change OHS httpd.conf Listen from port 8888 to port 80.
    However, opmnctl startproc process-type=OHS
    failed as below with nothing showing in the diag logs:
    opmnctl startproc: starting opmn managed processes...
    ================================================================================
    opmn id=truffle:6701
    0 of 1 processes started.
    ias-instance id=asinst_1
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ias-component/process-type/process-set:
    ohs1/OHS/OHS/
    Error
    --> Process (index=1,uid=187636255,pid=25563)
    failed to start a managed process after the maximum retry limit
    Thx,
    Ken

    Just to add my two cents here.
    The command used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
    # usermod -K defaultpriv=basic,net_privaddr <your_user_name>
    Restart the opmnctl daemon.
    After that OHS/Apache user can bind to lower TCP ports.
    Regards.
    Edited by: Tuelho on Oct 9, 2012 6:05 AM
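    Before changing Listen to port 80 and restarting OPMN it is worth confirming that the account OHS runs under actually has net_privaddr in its default privilege set. The following is an added example (not code from the posts above, nor from Oracle or Solaris): it parses user_attr(4) lines in the format shown in the thread (user:qualifier:res1:res2:attr) and evaluates the defaultpriv set string with the priv_str_to_set(3C) rules (all, none, basic, a bare name adds, a "!" or "-" prefix removes). The user_attr content is a constructed sample; on a real host read /etc/user_attr. Assumptions: only defaultpriv is consulted (limitpriv and PRIV_DEFAULT in /etc/security/policy.conf are not), and the basic set is the Solaris 10 one; net_privaddr is in no release's basic set, which is the point that matters here.

```python
"""Check whether a Solaris account's defaultpriv grants net_privaddr,
the privilege needed to bind TCP/UDP ports below 1024 without setuid root.
Added example; the user_attr text below is constructed, not a real host.
"""

# Constructed sample in user_attr(4) format: user:qualifier:res1:res2:attr
SAMPLE_USER_ATTR = """\
# comments and blank lines are ignored
root::::auths=solaris.*;profiles=All;lock_after_retries=no
oracle::::type=normal;defaultpriv=basic,net_privaddr
webuser::::type=normal;defaultpriv=all,!net_privaddr
appuser::::type=normal;profiles=Basic Solaris User
"""

# Solaris 10 basic set (assumption: later releases add privileges to it,
# but net_privaddr is never part of basic on any release).
BASIC_PRIVS = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}


def parse_user_attr(text):
    """Return {username: {attr_key: attr_value}} from user_attr(4) content."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed line, skip it
        attrs = {}
        # attr field is a semicolon-separated list of key=value pairs
        for item in ":".join(fields[4:]).split(";"):
            if "=" in item:
                key, value = item.split("=", 1)
                attrs[key.strip()] = value.strip()
        entries[fields[0]] = attrs
    return entries


def privset_contains(privset, priv):
    """Evaluate a privilege set string left to right, priv_str_to_set(3C) style.

    'all' grants everything, 'none' clears the set, 'basic' adds the basic
    set, a bare name adds that privilege, '!name' or '-name' removes it.
    Later tokens override earlier ones.
    """
    everything, added, removed = False, set(), set()
    for token in (t.strip() for t in privset.split(",")):
        if not token:
            continue
        negate = token[0] in "!-"
        name = token.lstrip("!-")
        if name == "all":
            everything, added, removed = (not negate), set(), set()
            continue
        if name == "none":
            everything, added, removed = False, set(), set()
            continue
        for n in (BASIC_PRIVS if name == "basic" else {name}):
            if negate:
                added.discard(n)
                removed.add(n)
            else:
                removed.discard(n)
                added.add(n)
    return priv in added or (everything and priv not in removed)


def can_bind_low_ports(user_attr_text, user):
    """True if the user's defaultpriv grants net_privaddr.

    An account with no entry, or an entry without defaultpriv, falls back
    to the system default, which is the basic set (assumption: policy.conf
    has not changed PRIV_DEFAULT).
    """
    attrs = parse_user_attr(user_attr_text).get(user, {})
    return privset_contains(attrs.get("defaultpriv", "basic"), "net_privaddr")


def remediation(user):
    """The usermod command from the thread, for an account that lacks the privilege."""
    return "usermod -K defaultpriv=basic,net_privaddr %s" % user


if __name__ == "__main__":
    for account in ("oracle", "webuser", "appuser"):
        if can_bind_low_ports(SAMPLE_USER_ATTR, account):
            print(account, "may bind ports below 1024")
        else:
            print(account, "cannot bind ports below 1024; run:", remediation(account))
```

    Note that "all,!net_privaddr" (the webuser line) is reported as not allowed even though the set starts with "all": the negation wins because it comes later, which is how the real privilege set parser behaves too.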

  • Role Based Access Control in Java

    Hi,
    we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
    I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl package and I am wondering how that package will work together with the RBAC pattern (or is the pattern already implemented in some package)?
    Does anyone have any comments on this? Thanks
    Dave

    Hi David,
    Permissions based on GUI components is a simple and neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of responsibilities of objects. Also, your Roles and Access components then become coupled with Views!
    My suggestion regarding the Management Beans only has to do with the dynamic modification towards which our discussion was going.
    If we go back to our fundamental objective of implementing role based access control, let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are to be changed dynamically while the container is running. You would scrutinize the changes to Roles and access before granting permission in the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist? When the container is restarted, don't you want the changes to stay?
    If the answer to the above is YES (yes, I want to persist changes), how about doing a write operation (update role/access) of the XML file and continuing your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO (no, I don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!
    One hurdle could be how to let all neighbouring servers know about the changes in roles and access. An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • ADF UIX Role Based Access Control Implementation

    Hi,
    Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
    The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
    Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
    Thanks a lot.
    Sathya

    Brenden,
    I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
    If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web-based console in Oracle Application Server. To configure security this way, you would have two options:
    1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain them by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
    The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
    2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
    The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
    Options 1 and 2 have the benefit that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
    Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
    Two links that you might be interested in to read are:
    http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
    http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer Pages. You may not be able to use all of it, but it's a good source of information.
    Frank
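    Two of the threads above describe the same mechanics from different angles: Rajesh's reply (roles loaded from a static XML file at container start, changed at run time and written back so they survive a restart) and Frank's two options (a declarative URL-to-role constraint as in web.xml, versus a fine-grained JAAS-style permission check). The block below is an added example that shows both in one small policy object. It is not code from the posts, from jGuard or from Oracle's ADF material, and it is Python rather than Java because the point is the model, not the container API. The policy document is constructed for illustration and its element names (role, permission, constraint) are an assumption, not jazn-data.xml or web.xml syntax. ElementTree is fine for a trusted policy file; for untrusted XML use defusedxml.

```python
"""Role-based access control with an XML policy that can be changed at
run time and serialised back, plus two enforcement styles: a servlet-style
URL constraint and a permission check. Added example; the policy XML is
constructed and its schema is an assumption.
"""
import xml.etree.ElementTree as ET

POLICY_XML = """\
<policy>
  <role name="admin">
    <permission>product.read</permission>
    <permission>product.price.write</permission>
  </role>
  <role name="clerk">
    <permission>product.read</permission>
  </role>
  <constraint url="/admin/*" roles="admin"/>
  <constraint url="/shop/*" roles="admin,clerk"/>
  <constraint url="*.do" roles="admin,clerk"/>
</policy>
"""


def url_matches(pattern, path):
    """Servlet url-pattern semantics: exact match, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


class RbacPolicy:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)  # trusted config only; see lead-in
        self.roles = {
            r.get("name"): {(p.text or "").strip() for p in r.findall("permission")}
            for r in root.findall("role")
        }
        self.constraints = [
            (c.get("url"), set(c.get("roles", "").split(",")))
            for c in root.findall("constraint")
        ]

    def to_xml(self):
        """Serialise the live policy so dynamic changes survive a restart."""
        root = ET.Element("policy")
        for name, perms in sorted(self.roles.items()):
            r = ET.SubElement(root, "role", name=name)
            for p in sorted(perms):
                ET.SubElement(r, "permission").text = p
        for url, roles in self.constraints:
            ET.SubElement(root, "constraint", url=url, roles=",".join(sorted(roles)))
        return ET.tostring(root, encoding="unicode")

    def add_role(self, name, permissions):
        """Dynamic role creation; the call an approver should gate."""
        if name in self.roles:
            raise ValueError("role already exists: " + name)
        self.roles[name] = set(permissions)

    def has_permission(self, user_roles, permission):
        """JAAS-style check: does any of the user's roles carry the permission?"""
        return any(permission in self.roles.get(r, ()) for r in user_roles)

    def is_url_allowed(self, user_roles, path):
        """web.xml-style check. Of several matching patterns the longest
        (most specific) wins. A path that no constraint matches is open to
        everyone, exactly as in a servlet container; audit with unconstrained()."""
        matches = [(u, r) for u, r in self.constraints if url_matches(u, path)]
        if not matches:
            return True
        _, roles = max(matches, key=lambda m: len(m[0]))
        return bool(roles & set(user_roles))

    def unconstrained(self, paths):
        """Paths no constraint covers: these are effectively public."""
        return [p for p in paths
                if not any(url_matches(u, p) for u, _ in self.constraints)]


if __name__ == "__main__":
    policy = RbacPolicy(POLICY_XML)
    print(policy.is_url_allowed(["clerk"], "/admin/prices"))       # False
    print(policy.has_permission(["admin"], "product.price.write"))  # True
    policy.add_role("auditor", ["product.read"])
    print(policy.to_xml())  # what you would write back to the policy file
```

    The unconstrained() helper exists because the declarative model's failure mode is silent: a new .do action that nobody added to web.xml is reachable by everyone, which is also why Frank warns that option 1 cannot express roles created at run time without a redeploy.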

  • Access Control View All Role

    Hello Experts,
    We are currently implementing GRC Compliant User Provisioning for the client. Apart from the configuration team with role AEAdmin, we have a few client experts looking into the sandbox system to understand whether the configuration we made is as per the requirement.
    In doing so, they tend to modify some configuration or other at times, knowingly or unknowingly, which leads us to longer debugging time.
    Is there a way I can create a UME role with only View Configuration Action to avoid such circumstances.
    Thanks
    Rashmi

    Hi Rashmi,
    1- Assign following actions to Role:-
    ViewReject
    ViewHold
    ViewCopyRequest
    ViewCreateRequest
    ViewSearchRequestAll
    ViewRequstAuditTrail
    ViewForwardRequest
    ViewReRoute
    ViewAccessEnforcer
    ViewSelectPDProfiles
    ViewMitigation
    ViewRiskAnalysis
    ViewSelectRoles
    ViewReaffirms
    ViewApprove
    ViewApproverDelegation
    Using these actions you can see the following tabs in Access Enforcer:
    1- Access Enforcer
            -Requests For Approval
            -Create Request
            - Search Requests
            -Requests On Hold
            -Approver Delegation
            -Copy Request
            -Search Request Audit Trail 
            -Role Reaffirms
    2-Informer Tab
            -Services Level For Requests
            -Conflicts And Mitigations
            -Request By Roles And Role Owners
            -List Roles And Owners
            -Requests By PD/Structural Profiles
    3-Configuration Tab
            -Monitoring
                      -System Log
                      -Application log
           - Upgrade
    The rest of the tabs in Configuration go along with the Modify action in AE 5.2.
    2- Some new actions were added by the SAP GRC R&D team in Compliant User Provisioning 5.3 (Access Enforcer 5.3) for only viewing the Initiators, Stages, Path, Connectors, Provisioning, HR Trigger, User defaults etc.
    In AE 5.3 independent View and Modify actions are available for each tab, like for Initiators, Connectors etc., but this type of provision is not available in AE 5.2.
    Regards,
    Jagat

  • Any best practice to apply role based access control?

    Hi,
    I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
    Can you please share the best practices or any built-in feature in JSF to achieve my goal?
    Regards,
    Faysi

    Hi,
    The macro pattern is my work. I've received a lot of help from forums as this one and from the Java developers community in general and I am very happy to help others and share my work.
    Regarding the architect's responsibility of defining the pages according to the roles that have access to them: there is the enterprise.software infrastructure.facade java package.
    Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access per page.
    This is according to the Java EE 6 tutorial, section VII Security, page 471.
    A group, role or user is created with an Identity Management application or by a custom application.
    Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
    For this you can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
    I've been in situations where end users were very strict about the functionality of the application.
    If you try to abstract web development, you can think of writing to the database, reading from the database and modifying the database as actions.
    Each of these actions should have a suggester, an approver and an implementor.
    Thus you can't call the createActiveGroup method, for example, without calling first the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
    After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
    Furthermore, if the application is very strict, that is if every action which involves writing to the database must be recorded, this concept of suggester, approver and implementor is available through the recordActiveGroupAction method.
    For example, there is a web shop; its managers can change the prices of the products, but the boss will want to know who dared to lower prices.
    This action of lowering prices is an action of modifying the information in the database, and you can save in the database who suggested it, who approved it and who implemented it.
    Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be complete when I add the web pages for the architect to use for defining access control and for the end users to view who is doing what with their application.

  • Role Based Access Control and FIM

    Hi,
    Would these statements about RBAC and FIM (not BHOLD) be true:
    RBAC in FIM Sync is essentially governed by the built-in FIM Groups (e.g. FIMSyncAdmins, etc)
    RBAC in FIM Portal is essentially governed by FIM Portal Sets & MPRs
    Thanks,
    SK
    PS. not looking at BHOLD above, just FIM

    This can be true in a narrow sense, if we are just thinking of access to FIM and not of the managed organizational resources.
    FIM Sync:
    Through the FIM Sync groups, we are just controlling access to the FIM Sync service. We are not separating access based on roles (say an organizational role).
    For the FIM Portal, again it can be true if we are thinking of access to the FIM Portal only and not the managed organizational resources.
    Thanks,
    Mann

  • 401 Unauthorized Error when accessing a task from REST API which contains Role or Privilege in Access Control definition

    Hi Team,
    As of IDM 7.2 SP8 patch 2, when we use an Enterprise role or Privilege in the access control definition of a task, accessing this task from UI5, i.e. the REST API, gives an unauthorized error even though the user already has the required role or privilege.
    But the task works fine if we use a fixed user ID or keep a blank value in the allowed users field.
    I attached the current access control definition of the task we configured and the error message info for reference.
    Regards,
    Venkata Bavirisetty

    Hi Ralitsa,
    Thanks for your response and sorry for late reply.
    The XXXX in role is not used as a wild card. the name itself is in that format. I have searched the role and then selected from search list.
    Let me know if you need any clarifications?
    Regards,
    Venkata Bavirisetty

  • Using Roles with Access Control Pages

    Hi,
    I was curious if someone might be able to shed some light for me on an issue. I have a matrix of users
    who can read or write on different pages. So there are various roles created
    Admin can write all pages
    Reader can read all pages
    Medium Users can read some pages and write some pages
    Power User can Write most pages and read some pages
    I am thinking of using access control pages but I don't want to have to enter every single user for each page.
    I am wondering if I can create some sort of Roles that I can apply to access control lists, and set the role at login time and based on that decide what data they can edit or just view?
    Thanks in advance!

    Hi,
    Have you checked or tried using Authorization Schemes?
    http://download.oracle.com/docs/cd/E14373_01/appdev.32/e11838/sec.htm#sthref1943
    Br, Jari

  • Importing a pkg with rely on server storage and roles for access control

    Hi, we run Std 2008 R2. I'm reading documentation on protection levels during package import to the catalog at https://msdn.microsoft.com/en-us/library/ms141747(v=sql.105).aspx but unfortunately the definition of the protection level "rely on server storage and roles for access control" isn't clear. They used the protection level name to define it, which didn't help me.
    This option looks appealing but it isn't clear why I need to enter a password when choosing this option. Will my peers need to know that password when they export? Will the SQL Agent job need to present that password when running? If I just keep the current protection level "encrypt with user", will the Agent job be able to run it? I'm sure it (Agent) isn't running with my creds now. Also, how can I tell what protection level it was deployed with last? I right-clicked on the package in the catalog and don't see anything obvious about that. I already understand that on export the protection level is changed to encrypt with user.
    I'm going to look at the SQL Agent job right now to see what creds it runs with.

    First thing to understand is that the protection level is used for determining how the package (dtsx) file has to be protected. Once the package is deployed to the server and executed from Agent, the conventional way is to use configurations, or parameters if 2012, to get the required connection etc. values and execute using them. It never uses the values that were set during design time. So it doesn't matter what the protection level was, so far as it's based on config.
    However, if you're planning to export the existing package to your system and do modifications, that's where the protection level comes into play. If it's set to any of the EncryptSensitive... type values then you'll have to provide the value (either a password or your user key, which it takes automatically from the login info) to see the sensitive info (connection info, passwords etc.). The package will still open, and as long as you manually type in the missing values you will be able to execute the package. If the protection level is set to one of EncryptAll... then you will have no way to open the package itself unless you provide the password / have the correct user key.
    The rely on server storage option uses the SQL Server security context itself, i.e. it doesn't do any encryption within the package by itself but will assume values based on SQL Server security. This is used when you store the package in SQL Server itself (MSDB).
    Visakh

  • SCCM 2012 R2 Role Based Access Control Weird Issue

    Thank you in advance. I have 3 security groups added for the remote control operators role. Users within all three groups are available and imported into the SCCM users collection and verified. Users in 1 group work fine without any issue. But users in the other 2 groups are having trouble: when they try to connect to the SCCM console from their computers, it fails. I even tried adding the user directly, assigning the full administrator role. But it still fails.
    It is weird because it kind of loads the SCCM console administration tab and suddenly shows the error message. The error is a generic error saying to verify the things below. Any advice would be appreciated.

    To clarify, you have three Active Directory groups, all of which are assigned the remote control operators role in ConfigMgr?
    If they are only remote control operators, what are they using in the administration workspace?
    What does the SmsAdminUI.log show on one of the PCs? Based on what you describe, it is unclear whether this is an RBAC issue or not.
    Jeff
