Application role

I create application roles and assign them to an enterprise role in jazn-data.xml in JDeveloper.
However, after deployment I cannot find these application roles. But I can find the enterprise role.

Thanks for your reply. I can see application roles in EM.
I have 2 adf applications. Application A has application role A and B. Application B has application role C and D.
How do I set the security in JDeveloper, the WebLogic admin console or EM so that:
users in application role A and B can only login to Application A.
users in application role C and D can only login to Application B.
I deploy the sample application of 048. XML Menu Model site menus protected with ADF Security and JAAS of Oracle ADF Code Corner. However, in the EM, I cannot see application roles.

Similar Messages

  • Error assigning users to application Role in Obiee 11.1.1.7.0

    Hello
    I installed Obiee 11.1.1.7.0 both on Windows and Linux platform and after that, I successfully set Active Directory integration. I have a problem assigning users to Application Role in EM. When I'm trying to search a user on Display name, the Principal userName returned is blank and the error is : Java Null Pointer Exception
    After that I installed a fresh copy of 11.1.6.0. After AD integration, I was able to assign users to Application Role. I made the 11.1.1.7.0 upgrade and the same error occurred. I think this is a bug because the same AD settings on 11.1.1.6.0 work.
    The error:
    java.lang.NullPointerException
    #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException
    javax.faces.FacesException: #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118) at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:103) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:1086) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:434) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at 
oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.model.targetauth.EMLangPrefFilter.doFilter(EMLangPrefFilter.java:158) at 
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:542) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119) at java.security.AccessController.doPrivileged(Native Method) at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324) at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460) at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103) at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171) at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at 
weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) Caused by: javax.faces.el.EvaluationException: java.lang.NullPointerException at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:51) at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) ... 67 more Caused by: java.lang.NullPointerException at oracle.sysman.emas.model.security.DialogAdminBean$1.compare(DialogAdminBean.java:567) at java.util.Arrays.mergeSort(Arrays.java:1270) at java.util.Arrays.mergeSort(Arrays.java:1281) at java.util.Arrays.sort(Arrays.java:1210) at java.util.Collections.sort(Collections.java:157) at oracle.sysman.emas.model.security.DialogAdminBean.fetchPrincipals(DialogAdminBean.java:563) at oracle.sysman.emas.pagemodel.security.identity.EditAppRolePageModel.searchPrincipal(EditAppRolePageModel.java:496) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(Unknown Source) at com.sun.el.MethodExpressionImpl.invoke(Unknown Source) at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46) ... 68 more
    Any suggestion?
    Thx
    Gabriel
    Edited by: Gabbriel on Apr 23, 2013 10:46 PM

    We received from Oracle a work-around of this problem.
    It seems to be related to the virtualize flag set to true. If you set it to false the problem disappears (it works for me).
    (ref. http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/privileges.htm#BABDCJBH)
    There's an open BUG on this problem: Bug 16808088 - 11G JAVA.LANG.NULLPOINTEREXCEPTION ADDING USER TO ROLE AFTER UPGRADE TO 11.1.1.7.
    Hope this works.
    S.

  • Is Distributed Transaction Coordinator services of the application role are required by SQL Server 2012 for clustering and support of SharePoint 2013.

    All I want to know is if Distributed Transaction Coordinator services of the application role are required by SQL Server 2012 for clustering and support of SharePoint 2013.
    I have been planning and deploying my company's first Windows Server 2012/SQL Server 2012 Always On cluster and Always On Availability Groups Multi-Subnet cluster and instances for SharePoint 2013, and I will be brutally honest, the documentation on either
    the MSDN and TechNet leave a lot to be desired. Continually finding links in the documentation will take me from a Windows 2012 reference to a page talking about Windows Server 2008 or R2, The differences of which there are so many when it comes to configurations,
    settings, roles, services when working with SQL Server 2012. I have been confused, frustrated, screaming mad, with all the misdirection in this documentation.  The documentation takes me windows 2008 R2 which is different than 2012!
    Tired and trying to pick myself up off the floor!
    Greg
    Gman

    In general, DTC is not required for SQL 2012.  But, since you are asking specifically about SharePoint, it would be better to ask in a SharePoint forum.  They would be more likely to know those situations where FTC might be needed by SharePoint. 
    .:|:.:|:. tim

  • OBIEE 11g issue - same user assigned to the multiple application role

    Hi All,
    We are facing an issue when assigning a user to the multiple application role and applying the data level filter on the different column of the same table.
    For example, we have a table Department with three columns Department No, Department name, Department location.
    Application Role A1 and A2 are created.
    Data Level security Applied on the application role A1: Department Name='Finance'
    Data Level Security Applied on the application role A2: Department location='US'
    The user "User1" is created in LDAP and is assigned to both the Application roles A1 and A2.
    When logged in with "User1", none of the filters of Role A1 or A2 is applied in the report. If this user is assigned to only one role, either A1 or A2, then the filter is applied. It seems the filter will not be applied if a user belongs to multiple roles with data filter applied on the same table across these roles.
    Please reply if anyone has faced similar issue.

    Hi All,
    Regarding the above issue to update the analysis we came up that the user if assigned to the multiple group with the data filter applied on the same column of the table is getting an *"OR"* join.
    We had a requirement to get an "AND" in the query condition. Please let us know if any one faced the issue and the resolution of the same.
    Regards,
    Jyotshna

  • Qualifications not shown in all e-rec application / role

    Hi,
    we have created qualifications and they are shown/ accessible in some e-rec application roles, but not all.
    So, I don't think the problem is to activate any feature.
    The roles where qualifications are not shown are: Employee (Internal) and Internal Recruiter.
    Does anyone have experience with the same type of issue, or have any documentation available?
    Thank you!
    Kind regards,
    Hilde Bakkemyr

    The button "New entry" is also missing from Qualifications, but not from "work experience", "education" etc. Can this be a web service issue, if so, does anyone know what transaction and settings must be made?
    regards,
    hilde

  • LDAP user to application role mapping

    Hi All,
    OBIEE 11.1.1.5
    I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
    Can some one guide me, how to make sure that when user login to OBIEE automatically by table the role will be fetched and mapped with application role created?
    Or, In simple words,
    How can I assign an external ldap user to be mapped to application role? One by one?? or Via table as mentioned above?
    Anyone can help? All documents are not giving this simple picture to me.
    It was easy in 10g. In 11g is it rocket science, so that my company can lose the hope to go ahead with 11g?

    Hi,
    1. Create block to initialize USER variable with user name from LDAP
    2. Create block to initialize GROUP variable with role name from external table
    3. In initialization block for GROUP variable add precedence with User init block to make sure that USER variable have value
    4. If one user can have few roles you should check row-wise-initialization option
    Hope it's helpful

  • Can't create Application Role in Obiee 11g Enterprise Manager

    Hi All,
    I was working on obiee11g enterprise manager. I created some of the groups in weblogic console. Now I wanted to create application roles in enterprise manager for those groups. I am surprised that the "*Create*" button is inactive on the application role page of enterprise manager. I could only see the active ones "*Create Like*", "*Edit*" and "*Delete*".
    Please assist, should I need any additional configuration for the same. Urgent!!
    Thank you in advance,
    BK.

    Click on Create Like button
    Then click cancel on the Create Like dialog box
    Go back to the Create button, it now works
    But if you log out and log back in, the Create button is disabled again
    so may repeat the above process of accessing the 'Create Like' button first to enable the Create button
    < Bug:13983399> CREATE BUTTON IS DISABLED IN FUSION MIDDLEWARE CONTROL IN OBIEE 11.1.1.6.0 ENV
    Please mark helpful or correct if answered.
    Thanks,
    - A.Y

  • Assign Application Roles

    Hi All,
    I am new to SOA and I want to know how to assign application roles (Not global roles) through EM Console. As, I am unable to assign the roles through  BPM workspace. I can go to the administrator tab and assign the roles to me. But in the task list I am unable to get the task.
    Thanks and Regards,
    Ram

    Hi Ram,
    Refer this doc:
    http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#CJADDBGA
    HTH
    Mani

  • Applications Roles in FMW (Enterprise Manager) OBIEE11g

    Hi,
    Please specify, how to migrate new created Application roles in production from Test @Enterprise Manager (FMW).
    Regards
    Rahul

    Good question. In the documentation it's with the hand.
    See: http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10540/lifecycle.htm
    Application Role (Policy Store) Migration
    There are several options for migrating application roles between development, test, and production systems.
    For simplicity, this document assumes you will re-key a small number of application role names by hand.
    Links to additional content on migrating application roles for larger-scale batch cases are provided later in this appendix.
    And of course, no appendix ...
    Cheers
    Nico

  • Migrate Application Role from uat to prod in 11.1.1.6.10

    Hi All,
    We have to migrate the UAT Application Roles to Prod instance. I followed Rittman Mead policy store migration. servers  in LINUX
    http://www.rittmanmead.com/2011/04/oracle-bi-ee-11g-migrating-security-policy-store-part-2/
    But at MigrateSecurityStore step, I am facing an issue with the wlst script which is throwing below error.
    I am getting below error
    wls:/offline> migrateSecurityStore(type="appPolicies",srcApp="obi",configFile="/usr/app/MW/SecurityMigration/jps-config-policy.xml",src="sourceFileStore",dst="targetFileStore",overWrite="false")
    Oct 17, 2013 11:41:27 AM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
    SEVERE: org.xml.sax.SAXParseException: The XML declaration must end with "?>".
    Command FAILED, Reason: The XML declaration must end with "?>".
    Traceback (innermost last):
      File "<console>", line 1, in ?
      File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 955, in migrateSecurityStore
      File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 927, in migrateSecurityStoreImpl
            at oracle.security.jps.internal.tools.utility.source.JpsInitializerSource.getSources(JpsInitializerSource.java:155)
            at oracle.security.jps.internal.tools.utility.JpsUtility.<init>(JpsUtilty.java:62)
            at oracle.security.jps.internal.tools.utility.JpsUtilMigrationPolicyImpl.migrateAppPolicyData(JpsUtilMigrationPolicyImpl.java:151)
            at oracle.security.jps.tools.utility.JpsUtilMigrationTool.executeCommand(JpsUtilMigrationTool.java:231)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
    oracle.security.jps.JpsException: oracle.security.jps.JpsException: The XML declaration must end with "?>".
    This is config.xml file
    <?xml version='1.0' encoding='utf-8'? standalone='yes'?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
       <property name="oracle.security.jps.jaas.mode" value="Off"/>
       <propertySets>
    <propertySet name="sam1.trusted.issuers.1">
    <property name="name" value="www.oracle.com" />
    </propertySet>
    </propertySets>
       <serviceProviders>
          <serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
             <description>XML-based PolicyStore Provider</description>
          </serviceProvider>
       </serviceProviders>
       <serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/uat/system-jazn-data.xml">           
      <description>File Based Policy Store Service Instance</description>       
      </serviceInstance>
      <serviceInstance name="policystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/prod/system-jazn-data.xml">           
    <description>File Based Policy Store Service Instance</description>       
    </serviceInstance>
       </serviceInstances>
        <jpsContexts default="default">       
    <!-- This is the default JPS context. All the mendatory services and Login Modules must be configured in this default context -->       
    <jpsContext name="sourceFileStore">           
    <serviceInstanceRef ref="srcpolicystore.xml"/>       
    </jpsContext> <jpsContext name="targetFileStore">           
    <serviceInstanceRef ref="policystore.xml"/>     
    </jpsContext>   
    </jpsContexts>
    </jpsConfig>
    Please let me know if I need to provide further inputs. Appreciate your help.

    make sure you are running the wlst.sh from this path /MWHOME/Oracle_BI1/common/bin/wlst.sh
    you can take a look at this too Migrating Security Policies from Development to Standalone WLS 11g
    http://ssssupport.blogspot.com/2013/02/obiee-11g-application-role-migration.html
    Obiee11g: Migrating application role from DEV to Prod server in obiee11g
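The error in the thread above is consistent with the first line of the posted file, where a stray `?` follows `encoding='utf-8'`; the posted file also closes `</serviceInstances>` without ever opening it. The following is an added example (not from the thread, the linked posts or Oracle) that checks a jps-config file for both defects and confirms that the `src` and `dst` context names passed to `migrateSecurityStore` resolve to distinct policy store files. The sample configurations are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"jps": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}

# Constructed sample, not a verified production config: element names, context
# names and paths follow the post; the attribute layout is simplified.
GOOD_CONFIG = """<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider"
        class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider"
        location="/usr/app/MW/SecurityMigration/uat/system-jazn-data.xml"/>
    <serviceInstance name="policystore.xml" provider="policystore.xml.provider"
        location="/usr/app/MW/SecurityMigration/prod/system-jazn-data.xml"/>
  </serviceInstances>
  <jpsContexts default="sourceFileStore">
    <jpsContext name="sourceFileStore"><serviceInstanceRef ref="srcpolicystore.xml"/></jpsContext>
    <jpsContext name="targetFileStore"><serviceInstanceRef ref="policystore.xml"/></jpsContext>
  </jpsContexts>
</jpsConfig>
"""

# The two defects visible in the posted file, applied to the constructed sample.
BAD_DECLARATION = GOOD_CONFIG.replace("'utf-8' standalone", "'utf-8'? standalone")
MISSING_OPEN_TAG = GOOD_CONFIG.replace("  <serviceInstances>\n", "")


def check_declaration(text):
    """Return a message if the XML declaration contains a stray '?', else None."""
    match = re.match(r"\s*<\?xml(.*?)\?>", text, re.S)
    if match is None:
        return None  # a document without a declaration is still legal XML
    if "?" in match.group(1):
        return "XML declaration contains a stray '?' before the closing '?>'"
    return None


def validate_jps_config(text, src, dst):
    """Return a list of problems found for the given src/dst context names."""
    problems = []
    decl_problem = check_declaration(text)
    if decl_problem:
        problems.append(decl_problem)
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        line, column = exc.position
        problems.append("not well-formed at line %d, column %d: %s" % (line, column, exc))
        return problems

    # serviceInstance name -> policy store file it points at
    locations = {
        inst.get("name"): inst.get("location")
        for inst in root.findall(".//jps:serviceInstance", NS)
    }
    # jpsContext name -> names of the service instances it references
    contexts = {
        ctx.get("name"): [ref.get("ref") for ref in ctx.findall("jps:serviceInstanceRef", NS)]
        for ctx in root.findall(".//jps:jpsContext", NS)
    }

    resolved = {}
    for role, name in (("src", src), ("dst", dst)):
        if name not in contexts:
            problems.append("%s context '%s' is not defined" % (role, name))
            continue
        for ref in contexts[name]:
            if ref not in locations:
                problems.append("context '%s' references unknown serviceInstance '%s'" % (name, ref))
            elif not locations[ref]:
                problems.append("serviceInstance '%s' has no location" % ref)
            else:
                resolved[role] = locations[ref]
    if len(resolved) == 2 and resolved["src"] == resolved["dst"]:
        problems.append("src and dst resolve to the same file: %s" % resolved["src"])
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad declaration", BAD_DECLARATION),
                        ("missing <serviceInstances>", MISSING_OPEN_TAG)):
        print(label, "->", validate_jps_config(text, "sourceFileStore", "targetFileStore") or "OK")
```
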

  • Webcenter Application Roles not getting imported in UCM on Migration

    Hi All,
    I migrated the webcenter resources (Service Data, Customizations and security policies) and UCM content (Using configuration utility, Archiver and Folder Archive components). After migration I am able to see the application roles in the destination webcenter spaces instance by navigating to Webcenter Spaces -> Security -> Application Roles, but I am not able to see the corresponding accounts created in the UCM for that particular user.
    For Ex: I have an application role: s1a472022_f8bb_48e1_a519_15841780df72#-#Moderator in Webcenter Spaces for user ABC
    In UCM I am not able to see the account AUTHEN/s1a472022f8bb48e1a51915841780df72 for the user ABC.
    I verified in the source UCM instance and I am able to see the accounts in that instance.
    Please help me out. Let me know if extra details required.
    Thanks,
    Sachin

    Hi Srinath,
    Yes, I have migrated data from UCM1 to UCM2 using insert script. But, I think there should be some other way also. There may be some options to check while creating export archive. We can migrate UCM schema tables also while migrating the content but I was not able to find USEREXTENDEDATTRIBUTES table. There are some other options like export additional user config, I need to check those options also.
    Thanks,
    Sachin

  • OBIEE 11g Custom Application Roles

    Hello Experts,
    I would need to create our Custom BI Consumer, Author Application Roles. I have followed the steps are
    1) Created an Application Role "Revenue Data Access Role" for Data Level Security and added the users into it
    2) Selected the existing BI Consumer Role & Created Like "Revenue Dashboard Consumer Access Role" and added "Revenue Data Access Role" into it.
    3) Selected the existing BI Consumer Application Policies & Created like "Revenue Dashboard Consumer Access Role"
    After Restarting OBIEE, I could see that Data level security is working fine but the users don't have Consumer Level access at dashboard level. Am I missing anything here? Please advise.

    John,
    We can do it at the repository level, right? Manage - Security - Application Role... double-click the application role; there you can set it, right? Correct me if I am wrong.
    Thanks,
    SN.
    Edited by: 926238 on Sep 1, 2012 5:57 PM

  • Best practices on enterprise and application roles in OIM and OAM 11g?

    Hi, all,
    I wonder if any of you can give me some advice on role design for OIM and OAM 11g. I'd like to have both enterprise roles, such as Accountant II, and application roles, such as App1_User, App1_Admin, etc. Ideally, the enterprise role would automatically give the user the appropriate application roles, but I can't figure out how to do that. We tried using OIM 11g's inheritance, but when the application role is inherited, OAM doesn't see it in OID/OVD and therefore doesn't think the user has the correct authorization to access the application. I thought about using role membership rules, but those seem to only allow you to use user attributes to control membership, which doesn't help at all in my situation.
    How is this situation best handled? Any advice much appreciated!
    Ariel Anderson
    Senior Business Analyst
    Zirous, Inc.

    Hi,
    I am assuming in clustered environment you are having two instances running.
    It must be an issue with a single server, because the problem is intermittent.
    To see which server is causing the problem, just perform the following steps:
    1) Stop server1 and keep server2 running, and fire a new registration request.
    2) Stop server2 and keep server1 running, and fire a new registration request.
    Using the above, at least you can see which server is causing the problem.
    Regards,
    J
    Edited by: J_IDM on Mar 21, 2011 10:52 PM

  • Assign application roles after authentication

    Hi,
    It's been some time now I'm struggling with this issue...
    I have a client application (not a web one) trying to access an EJB resource.
    The EJB is first looked up through jndi and then asked to invoke a method, say test().
    In ejb-jar.xml I have the following:
    <security-role >
    <role-name>AN_APP_ROLE</role-name>
    </security-role>
    <method-permission >
    <role-name>AN_APP_ROLE</role-name>
    <method >
    <ejb-name>EJB NAME</ejb-name>
    <method-intf>Remote</method-intf>
    <method-name>test</method-name>
    <method-params>
    </method-params>
    </method>
    </method-permission>
    I manage to have OID perform the authentication, so that I can perform the EJB lookup and call non protected methods. Issues arise when trying to get the roles working.
    I know that I can <security-role-mapping> AN_APP_ROLE to an oid group; what I am trying to accomplish is to have oid do the authentication and be able to fetch the application roles from a database.
    As a starting point what I've done is a client LoginModule that first authenticates against the OID (by looking up an EJB resource) and then, in the commit(), do the following:
    this.subject.getPrincipals ().add (new RoleExtended("AN_APP_ROLE"));
    Nevertheless access is denied when the client tries to access the protected test() method.
    It seems that somehow even if the Subject has the role within its principals, the container doesn't treat it as such.
    I am pretty stuck, and starting to wonder if this is the right approach... Nevertheless I don't think putting the application roles in oid is a good idea, since application roles should remain an application property, not an enterprise directory one.
    Any hint?!
    cheers,
    Francesco
    p.s: in jazn.xml I have
    <property name="role.mapping.dynamic" value="true"/>

  • Approver for the application role not working out

    Hi,
    I have created a role with type application and Approver A, then created a business role with the Approver B and included application role into the business role.
    When I assign this business role to a user, the only request for approval goes to Approver B, and after approval both the application and business roles are assigned. Strangely it seems to skip Approver A. I did even remove the approver in business role, leaving only approver in application role, still same result - it skips Approver A.
    I'm using IDM 8.0.0.1, any ideas why it would skip the approver in the included role?
    Thanks!

    Thanks for the quick reply. I've tried optional with approval and here is what I found.
    It seems I need a combination of the two. My end goal is to have a second level approval, one group would be responsible for approving the business role and the system owners would be responsible for approving the nested application roles. When a user requests the business role, they must have approvals for the business role and all of the nested application roles for their request to be completed.
    If the app. roles are required, the workflow automatically incorporate the nested appl. roles in the request but does not require approval for them. If they are conditional with approval, the user would have to submit a second request to get all of the nested application roles. It looks like I need a combination of the two, required with approval.
    I need it to behave like it does when you have a role with approver that includes resources with an approver. The role and resources must all be approved before the request can be completed successfully.
    I'm trying to see if this is possible through the GUI before I customize the workflow.

  • How to map Application Roles to Enterprise Roles

    Hello,
    I am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if I do not have it??
    Can I map the roles in WebLogic Server itself? I have searched for such ability and did not find it. Also have not seen any tutorial on the internet. Someone help me pls.
    The version i am using is 12.1.2.0.0.

    Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
    Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
    Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
    Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
    2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
    You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
    See : Managing Security Across Portals for more info :
    http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
    3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
    First, You can grant privileges to a specified group (say sales group) of users by granting Enterprise Roles in Enterprise LDAP.
    Next, Create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc) and assign the appropriate permissions as explained above.
    Then, You can assign one or more Application Roles to a specified group (say sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> users & Groups
    I hope it helps.
