Access User Roles

Similar Messages

• Access weblogic roles from external application

  Hi all. In my scenario, the user and roles are stored in the WebLogic server. Then, there is an external application (not deployed on this WebLogic server) which needs to access these users/roles. Can someone tell me if there is an API provided by WebLogic through which the external application can access them? A sample code/documentation link for this would be icing on the cake.
  Thanks for reading this post.
  Vishal Singh.

  The embedded LDAP server that comes with WLS is not intended to be used by other applications and scale up to a large amount of users. Oracle recommends using an enterprise class identity management solution for use cases like that such as Oracle Internet Directory or Oracle Directory Server Enterprise Edition.
  However, if you want to see how to embedded LDAP, this link shows you how to use a standard LDAP browser:
  http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/ldap.htm#i1102166
  So by using a Java LDAP api with the settings as described in the docs, your external app may be able to access users/roles.
  I think you can find WLST examples for that somewhere too.

• How to implement Oracle user/role security with Access front end?

  Hi,
  We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
  In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
  We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By during so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, ect. rights to the database.
  I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
  I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
  Can someone give me some assistance or point me in the right direction?
  Thanks in advance,
  Larry

  We had one of our programmers here come up with a VB code solution for re-linking table within Access. However the relinking takes 3-4 minutes for 100+ tables.
  In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
  We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
  We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. Its easy to understand, we have a significant investment in the front end(Obviously, the plan is to migrate the front end also at some future date).
  In order to utilized the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
  The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to object(tables, queries, ect) by their userid and or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once, logged into Access, users have rights to Access objects based on their rights granted to their userid and groups they belong. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
  The dilema is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles(which are similar to Access groups), and again this is independent of Access security.
  Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
  For example, a user BOB logs into Access via the workgroup file, using VB code, Access then establishes a Oracle connection logining into Oracle using the same unique userid BOB into Oracle.
  After connecting and validating user BOB into Oracle, then the Access tables are relinked to Oracle using the user BOB userid and table rights.
  This Oracle userid has been granted table rights specific for this userid.This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
  The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
  Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
  I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
  Larry

• Customised Oracle application and access to roles and users...please advise

  Hi Gurus!
  We are developing a customised Oracle application where we have users and roles...user - role mapping is done in the system administration module of the application.
  Now, we are also developing Oracle discoverer reports based on this. Using 10g (10.1.2.0.2) for that.
  When I am creating an EUL, I select 'New EUL for Oracle Applications users only' option, but, I do not have any 'FND schema' to specify. That's where I'm stuck up!
  I want to give access to the 'roles' in tha same manner as I would give to the 'responsibilities' in Oracle Apps. But, I don't know how to do it here.
  Can someone guide me on this?
  Thanks and regards,
  Aparna

  Hi Aparna
  It would appear that you posted the same question on the Discoverer forum. Here is the answer that I posted there:
  If your application is not E-Business Suite you cannot install Discoverer into Apps mode. This mode is reserved for applications which are E-Business Suite, which basically tells Discoverer to use authenticate users using the FND tables owned by the APPLSYS user.
  In your case, even though you appear to be using Oracle applications, because you want to take advantage of your roles you will have to install Discoverer into standard mode. As you are creating your EUL you need to uncheck the box which says grant access to PUBLIC and make this a private EUL. Then you will not have the headache of worrying about setting up new users. You simply manage what a role can do (Tools | Privileges) and what a role has access to (Tools | Security).
  Now, when any any user connects to Discoverer their role will be evaluated and access will be restricted.
  You can do the same thing using a PUBLIC EUL, except you need to reduce what that user can do (Tools | Privileges) to an absolute minimum, and then take control of this using roles. For example, you could have a set of functional roles, one each for say AP, AR, GL and so on, but you could further break this down by privilege, thus you could have roles called AP Viewer, AP User, AR Viewer, AR User and so on. The User roles would have full access while the Viewer roles would have a much reduced set of privileges.
  You are basically setting up the Library approach that I discuss in my Discoverer 10g Handbook and in my white paper which you will find on my downloads page here: http://learndiscoverer.com/downloads/downloads.htm.
  I hope this helps
  Best wishes
  Michael Armstrong-Smith
  URL: http://learndiscoverer.com
  Blog: http://learndiscoverer.blogspot.com

• ABAP User Roles and Query for accessing particular T- codes and Reports

  dear Gurus
  I have one problem, i want to know about ABAP User Query ,i have one requirement my user wants to Lock all the HR Std versus Customized reports in T- code SQ01,other department peoples also see the Payslips and Hr personal reports which is harmfull to the dept so i want to Lock all the reports in Std T- code in SQ01 and i have created one Customized User Roles or Query in which the T-codes and Reports are assigned only those particular user can access the T-codes and Std reports .how can it be possible i dont have any idea about user roles and Queries .
  kindly help me out or send me some documents related to user roles and queries
  regards ritesh sharma

  Hi Ritesh,
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
  Regards,
  Flavya

• User role to access configuration management in NWA

  Hi,
  What USER role is required to create the destination information in configuration management in NWA. When I access NWA, I only have access to SOA management which has only Monitoring tools with role SOA technical ADmin.
  I need this to convert IDOC XML to flat file.
  thanks
  Prashanth

  Hi Prasanth,
  I am not sure about the exact role but, the ABAP role "SAP_NWA_FULL" & Java role "NWA_SUPERADMIN" will certainly help. This is the role that i had when i was trying a similar scenario.
  Please take a look at the following link which might be helpful:
  http://help.sap.com/saphelp_nwpi71/helpdata/en/45/c7ca8e89e45592e10000000a1553f7/content.htm
  You can infact ask your Basis team to help you out with this.
  I hope this helps.
  Regards, Gaurav.
  Edited by: Kumar Gaurav on Nov 9, 2010 5:57 AM

• BPM user role access

  Hi Experts,
  Who all can access the BPM process? Is it possible to set the userrole access to the BPM process?
  Scenario :
  Through webservice, I have to call BPM process..But the BPM process should be accessed by particular user.
  For example, Manager related BPM process should not be accessable to the Developers.
  How to set/give the BPM user role access?
  Regards
  Sara

  It is not possible, if sender application has an athorization to send the message to XI the process will be instantiated using Receive step.
  Thanks
  Farooq.

• How do I see the users/roles which have quota access to a Tablespace?

  How do I see the users/roles which have quota access to a Tablespace?
  Thanks

  Thank you very much.
  select username from dba_ts_quotas where tablespace_name='&tablespacename';
  did the job!
  regards

• Query user roles and access

  hi,
  How can query user roles and access in whole database? I want to list username, status, rights, and role
  thanks
  P

  Hi,
  The data dictionary view dba_users has one row per user.
  The data dictionary view dab_role_privs has one row for every distinct combination of user and role that actually occurs ion your database,
  Are you interested in system privileges? See dba_sys_privs.
  Are you interested in individual grants, like the privilege to UPDATE a given table, or the privilege to execute a given stored procedure? See dba_tab_privs. (Don't be fooled by the name; it's not just for tables.)
  I hope this answers your question.
  If not, post some CREATE statements, that create tables, roles, and whatever else you want, and some GRANT statmeents that grant privileges on those objects. Pos the results that you would want to get from those objects and grants.

• Assign Access Manager roles to end users?

  Hello,
  I am looking for information on how to assign an AM role to an end-user that is provisioned from IDM 7 to AM 7.1 using the AM resource adapter.
  We are modeling our IDM to AM provisioning based on this BigAdmin guide:
  http://www.sun.com/bigadmin/features/articles/id_access_integration.pdf
  However, in that document, it appears that the end user role is manually assigned to the user after provisioning to AM. We wish to do this role assignment in IDM, and have IDM push the assignment to AM (and by extension, the LDAP directory).
  Is this possible when using the AM resource adapter?
  Regards,
  Dillon

  Certainly.
  My role definitions look like this in the RoleAttributes section (you can configure this through the GUI in Roles > [rolename] > Set Attribute Values)
  <RoleAttribute name='RoleName:#ID#SunAccessManagerResource:roleMemberships'>
  <AttributeName>roleMemberships</AttributeName>
  <AttributeValueString>
  <List>
  <String>AMRoleName</String>
  </List>
  </AttributeValueString>
  <Requirement>Authoritative merge with value, clear existing</Requirement>
  <ResourceRef>
  <ObjectRef type='Resource' id='#ID#SunAccessManagerResource' name='SunAccessManagerRealm'/>
  </ResourceRef>
  </RoleAttribute>
  What this will do is set the nsRoleDN attribute (renamed as 'roleMemberships' by the adapter) in the assigned resource account for the user; the requirement field I've set to auth-merge-with-value, but you may want to play about with other settings.

• How can I add a user Role member that is from a different domain

  We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers.  As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company
  wide domain (Domain B) so that we can monitor other departments devices as the leverage this system.
  Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers.  One of the next steps we are working on before rolling it out is giving specific users access
  to view only their own devices, dashboards, and groups.  So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account.  I'm seeing Event ID 26319 with Error Code 1332.
  How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console?  Is this possible?
  Here is the Error I'm seeing.
  Log Name:      Operations Manager
  Source:        OpsMgr SDK Service
  Date:          2/4/2015 1:11:59 PM
  Event ID:      26319
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      xxxxx.xxxx.xxxxxxxx.xxx
  Description:
  An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
   Exception message: The creator of this fault did not specify a Reason.
   Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
  Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="OpsMgr SDK Service" />
      <EventID Qualifiers="49152">26319</EventID>
      <Level>2</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
      <EventRecordID>172748</EventRecordID>
      <Channel>Operations Manager</Channel>
      <Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
      <Security />
    </System>
    <EventData>
      <Data>UpsertUserRolesV2</Data>
      <Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
      <Data>The creator of this fault did not specify a Reason.</Data>
      <Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
  Unable to resolve the user [email protected]  associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
    </EventData>
  </Event>
  Thanks for any help I can get in resolving this issue.
  Jake

  The SCOM Management Server is in Domain A.  I've tried it already and it has failed.  
  So just to clarify the method I used was to go to Administration>Security>User Roles.  Then New User Role>Read-Only Operator.  In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members.
   Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine.  On
  the next page which is Group Scope I checked the one group I want this account to have access to and then click next.  This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are
  approved" and chose the folder of dashboards I want this account to access and then click next.  This brings me to the Summary and I click "Create".  At this point it thinks for a moment then closes out the wizard but the new Read-Only
  Operator does not appear.  I then look in Event Viewer and see the Event I pasted above.
  Am I doing something wrong here?  Any guidance on how to get around this issue would be much appreciated.
  Thanks,
  Jake

• Custom plugin based on user role membership

  Hi all,
  I would like to develope a custom plugin that generates account userid (on process form) with different syntax against role membership.
  With "syntax" I mean name.surname.random_number for employee users and surname.company.random_number for example.
  I'll try to explain the scenario more in details:
  1. I create a user identity through a request
  2. After user identity has created successfully, I assign a role to the user. Since roles are associated with access policies, role assignment triggers provisioning on target system.
  3. The custom plugin that I would like to develope shuold be able to generate proper userid against role membership. For example if I assigned the role "Project Manager" the custom plugin should generate the account userid with name.surname.random_number format; viceversa if I assigned the role "External Reseller" the custom plugin should generate the account userid with surname.company.random_number format.
  Looking for custom plugin based on role membership in forum, I found a couple of threads about this subject:
  - Email notifications after role grant
  - Re: OIM 11g Role Membership Event Handlers.
  I tried to implement what explained in the threads, but I would be sure about what I've done.
  Here what I've done:
  1. created plugin.xml file
  2. created EventHandler.xml metadata file
  3. developed a java calss for testing pourpose
  4. copied the custom plugin class to OIM server for example in $MIDDLEWARE_HOME/OIMPlugins/lib
  NOTE: during this operation I have exactly mantained the same directory structure of custom java package.
  For example custom plugin class is under my.custom.plugin java package and I have copied custom java class under $MIDDLEWARE_HOME/OIMPlugins/lib/my/custom/plugin folder
  5. created a zip file containing custom plugin class (always with its directory structure) and plugin.xml file
  6. copied the zip file to $OIM_HOME/server/plugins
  7. edited ant.properties file (under $OIM_HOME/server/plugin_utility) setting wls.home and oim.home variables
  8. built the wlfullclient.jar (only the first time)
  9. registered the custom plugin
  10. created the custom plugin dataset file
  11. imported it in OIM database using "weblogicImportMetadata" utility
  12. purged cache using "PurgeCache" utility
  NOTE: all the steps above was executed using the system user running OIM process
  test java class
  package com.zeropiu.sky.custom.eventhandlers;
  import java.io.Serializable;
  import java.util.HashMap;
  import com.thortech.util.logging.Logger;
  import oracle.iam.platform.kernel.spi.ConditionalEventHandler;
  import oracle.iam.platform.kernel.spi.PostProcessHandler;
  import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
  import oracle.iam.platform.kernel.vo.BulkEventResult;
  import oracle.iam.platform.kernel.vo.BulkOrchestration;
  import oracle.iam.platform.kernel.vo.EventResult;
  import oracle.iam.platform.kernel.vo.Orchestration;
  import oracle.iam.platform.context.ContextManager;
  import java.util.Set;
  public class TestUserAnonimi implements PostProcessHandler, ConditionalEventHandler {
       private static final Logger logger = Logger.getLogger("com.zeropiu.sky.custom.eventhandlers");
  private static final String className = "TestUserAnonimi";
       @Override
       public void initialize(HashMap<String, String> arg0) {
            // TODO Auto-generated method stub
            String methodName = "initialize";
            System.out.println("###### " + className + " - " + methodName);
       @Override
       public boolean isApplicable(AbstractGenericOrchestration abstractGenericOrchestration) {
            // TODO Auto-generated method stub
            String methodName = "isApplicable";
  System.out.println("###### " + className + " - " + methodName + " - STARTED");
  System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextType(): " + ContextManager.getContextType());
  System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextSubType(): " + ContextManager.getContextSubType());
  System.out.println("###### " + className + " - " + methodName + " - abstractGenericOrchestration.getOperation(): " + abstractGenericOrchestration.getOperation());
  System.out.println("###### " + className + " - " + methodName + " - Printing ContextManager parameters");
  HashMap allContextManagerPairs = ContextManager.getAllValuesFromCurrentContext();
  Set<String> allContextManagerParams = allContextManagerPairs.keySet();
  String[] parameters = allContextManagerParams.toArray(new String[allContextManagerParams.size()]);
  for (int i = 0; i < parameters.length; i++) {
            System.out.println("###### " + className + " - " + methodName + " - Context parameter " + i + ": " + parameters[i] + " - Object type is: " + Utils.getObjectType(ContextManager.getValue(parameters)));
  System.out.println("###### " + className + " - " + methodName + " - ENDED");
  return true;
       @Override
       public boolean cancel(long arg0, long arg1,     AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "cancel";
            System.out.println("###### " + className + " - " + methodName);
            return false;
       @Override
       public void compensate(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "compensate";
            System.out.println("###### " + className + " - " + methodName);
       @Override
       public EventResult execute(long arg0, long arg1, Orchestration orchestration) {
            // TODO Auto-generated method stub
            String methodName = "Eventresult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
       @Override
       public BulkEventResult execute(long arg0, long arg1, BulkOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "BulkEventResult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
  plugin.xml file
  <?xml version="1.0" encoding="UTF-8"?>
  <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
  <plugin pluginclass="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" version="1.0" name="TestUserAnonimi">
  </plugin>
  </plugins>
  </oimplugins>
  EventHandler.xml metadata file
  <?xml version='1.0' encoding='UTF-8'?>
  <eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
  <action-handler class="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" entity-type="RoleUser" operation="CREATE" name="TestUserAnonimi" stage="preprocess" order="1007" sync="FALSE" />
  </eventhandlers>When I assign a role to a user through OIM web interface, I can see in OIM log file all System.out.println contained in initialize(), isApplicable() and BulkEventResult execute() methods. Is it correct? Can I implement my custom plugin logic now, or my starting point is wrong?
  ###### TestUserAnonimi - initialize
  ###### TestUserAnonimi - isApplicable - STARTED
  ###### TestUserAnonimi - isApplicable - ContextManager.getContextType(): ADMIN
  ###### TestUserAnonimi - isApplicable - ContextManager.getContextSubType():
  ###### TestUserAnonimi - isApplicable - abstractGenericOrchestration.getOperation(): CREATE
  ###### TestUserAnonimi - isApplicable - Printing ContextManager parameters
  ###### TestUserAnonimi - isApplicable - Context parameter 0: origuser - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 1: oimuser - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 2: RESOLVED_LOCALE - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 3: counter - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 4: TIME_ZONE - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 5: ipaddress - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - ENDED
  ##### TestUserAnonimi - BulkEventResult execute
  Thanks,
  Daniele
  Edited by: 886636 on Jan 24, 2012 2:53 AM
  Edited by: 886636 on Jan 24, 2012 2:53 AM

  Probably I don't explain myself clearly....sorry for that!
  Anyway you are right, the role of the user can change after the user is initially provisioned.
  I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
  1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
  2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
  Is it possible with pre-populate adapter?
  Sorry again for my not very clear explanations.
  Daniele
  Edited by: 886636 on Jan 24, 2012 4:10 AM

• Access users in a Web Dynpro application on different WAS ??????

  Hi,
  Scenario - I have a local WAS on which i have deployed a Web Dynpro Based application.
  There is another WAS on which I have portal installed. I need to access the roles assigned to a particular user in my Web Dynpro application.
  Query -
  I need to know can i access the roles assigned to a user on a different WAS in a Web Dynpro based application running on a different WAS.
  Thanks and Regards,
  Amol Ghodekar.

  Amol,
  as this questions existed twice, I've deleted one.
  As roles are in the UME, you can access them. But why do you want to do this? You could login to that user, but then the question is what you want to do....
  Regards,
  Benny

• Request Offerings not showing up for custom User role in SMPortal

  Hello All,
  I've created a custom End User role and scoped it to the domain users group.
  To this role I want to show a specific set of Request Offerings on the portal
  For that Purpose I created a new Service Offering and added these Request Offerings to it.
  I then went on to create a Catalog Group and added the Service Offering to it.
  I then created the custom user role based on the EndUser role and allowed them to see all Forms, all Queues, All CI's and on the Catalog group I select that they could only see the Catalog Group which I just created.
  I then logged in into the SMPortal and was expecting that my Service Offering would be shown to them.
  However, they don't see the service offering.
  What could cause this?
  Is there something I'm missing?
  Thanks in advance!
  Filip

  You have to add the Service Offerings and the Request Offerings in the Catalog Group. Nesting doesn't work because Service Offerings and Request Offerings are different types of objects.
  This offers the option the manage the access to Service Offerings and Request Offerings very granular if needed. For instance you can control access to a Service Offering in one Catalog Group related to one user role (A) and use two additional Catalog Groups
  with different Request Offerings related to other user roles (B) and (C). Result will lead to:
  User in Role A and B -> Can see Service Offerings A containing Request Offerings B
  User in Role A and C -> Can see Service Offerings A containing Request Offerings C
  User in Role A, B and C -> Can see Service Offerings A containing Request Offerings B and C
  User in Role A only -> Don's see anything because of the missing permission on any Request Offering. So the "empty" Service Request won't show up in the portal.
  Hope his helps.
  Andreas Baumgarten | H&D International Group

• User roles in Integration Repository

  Hi everybody,
  does anybody have experience with user roles in XI 3.0? We want to limit access to various namespaces in the Integration Repository with use of these roles that can be created in the IR. That way, various XI developers working on the same XI-Repository should not be able to work in the namespaces of other developers.
  We created the role in the IR and assigned it to a user in the J2EE Engine. But so far, it doesn't seem to work.
  Am I missing something??
  Thanks a lot,
  Francis Wolf

  Hi,
  it looks like the integration to the "abap" backend (=IS-Server) is missing.
  J2EE-R3 integration regards user management maps R3 roles onto J2EE user groups. Thus, if the term "role" is used in R3 context, it has to be translated to "user group" in J2EE.
  Next steps:
  1. Create user in "R3", with transaction SU01.
  2. In "R3", create a role with transaction PFCG
  3. UME Admin WebApp: assign role to user group
  4. XI Exchange Profile WebApp: activate data-dependent authorization checks. Put: com.sap.aii.util.server.auth.activation" in section "IntegrationBuilder.Repository" to true
  Please check the documentation on Netweaver security and Integration of UME Roles with SAP Roles
  Hope that gives an idea!
  Good luck
  Holger