Are Visitor Entitlement Roles == Scoped Roles
I'm working on the security implementation for a WebLogic 8.1 Portal application.
I've been doing some prototyping and am trying to determine where Visitor Entitlement
roles are stored. Are these implemented as scoped roles from a WL platform viewpoint?
I created two test roles for my portal and do not see any scoped roles under
the application or the portal node in the WebLogic console.
I'm trying to determine if these portal entitlement roles are/can be treated as
weblogic platform roles and can be used in security annotations for an EJB or
Java Control, and if they can be used for IsCallerInRole. I can create a security
policy to protect the portal resource, but I'm looking for a way to apply the
corresponding security in the business layer.
Thanks in advance for any advice.
Jim
Jim,
The WLP roles are stored in the default role mapper provider. They are
scoped roles, but only attachable to WLP resources (pages, portlets, etc.)
and cannot be used to protect J2EE resources. The basic reason for this
is because WLP roles can include custom predicates (date/time/profile
attributes) that rely on layered product classes that the base application
server is unaware of and cannot edit using the WLS console.
In Service Pack 3, the WLP admin tools will allow the converse - that is,
you'll be able to reference/use WLS global roles in WLP policies.
Service Pack2 adds a new tag to the auth taglib which allows you to
do a isUserInRole check against the WLP (and WLS) roles.
-Phil
"Jim Maycott" <[email protected]> wrote in message
news:[email protected]..
> I'm working on the security implementation for a WebLogic 8.1 Portal application.
> I've been doing some prototyping and am trying to determine where Visitor Entitlement
> roles are stored. Are these implemented as scoped roles from a WL platform viewpoint?
> I created two test roles for my portal and do not see any scoped roles under
> the application or the portal node in the WebLogic console.
> I'm trying to determine if these portal entitlement roles are/can be treated as
> weblogic platform roles and can be used in security annotations for an EJB or
> Java Control, and if they can be used for IsCallerInRole. I can create a security
> policy to protect the portal resource, but I'm looking for a way to apply the
> corresponding security in the business layer.
> Thanks in advance for any advice.
> Jim
Similar Messages
-
Weblogic 10.3.2 visitor entitlements roles issue
1) I am upgrading my weblogic portal application from Weblogic 8.1SP4 to Weblogic 10.3.2 version. I found that roles created under visitor entitlements thru weblogic portal administration portal are not visible to assigned user. For example I created testRole for my application and added user testuser to this user. When I login to my portal application this user should be able to see the portal page that related to testRole. But currently this is not working.
To fix the above issue I created one new group under User and groups management and added the above user to that group and added that group to testRole. Now the user is able to see the portal pages.
My question is why the user is not able to access the roles when he is not part of any group. Because my portal application has different business users with different entitlement setups which I cannot categorize under groups.
The above functionality is working fine in Weblogic8.1SP4 production environment.
Regards,
Satya
Hi Satya
Post on the WebLogic forum....
WebLogic Server - General
Cheers
David
-
Weblogic 10.3.2 - Visitor entitlements role issue
1) I am upgrading my weblogic portal application from Weblogic 8.1SP4 to Weblogic 10.3.2 version. I found that roles created under visitor entitlements thru weblogic portal administration portal are not visible to assigned user. For example I created testRole for my application and added user testuser to this user. When I login to my portal application this user should be able to see the portal page that related to testRole. But currently this is not working.
To fix the above issue I created one new group under User and groups management and added the above user to that group and added that group to testRole. Now the user is able to see the portal pages.
My question is why the user is not able to access the roles when he is not part of any group. Because my portal application has different business users with different entitlement setups which I cannot categorize under groups.
The above functionality is working fine in Weblogic8.1SP4 production environment.
Regards,
Satya
I think the rolemappings in the application are mapped to groups.
The rolemappings are defined through deployment overrides, such as for example, weblogic.xml (which is located in the WEB-INF/lib directory of a WAR file).
An example of such a role mapping is the following:
<weblogic-web-app ...>
  <security-role-assignment>
    <role-name>EMPLOYEE</role-name>
    <principal-name>employees</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>MANAGER</role-name>
    <principal-name>managers</principal-name>
  </security-role-assignment>
</weblogic-web-app>
The role-name(s) are set in the web.xml of the application, through a security constraint. The principal names are the user or group names configured in the admin console.
When you edit the weblogic.xml to include a security role assignment and add a role-name - principal-name mapping, for example
<security-role-assignment>
  <role-name>visitor</role-name>
  <principal-name>testuser</principal-name>
</security-role-assignment>
now the testuser has visitor rights.
-
Visitor entitlements have disappeared in Web Logic Portal console
Hi all,
Please help! We have an issue whereby our users no longer have permission to access parts of our web application. Upon further investigation, when looking in the Portal console under visitor entitlements, we see the following message:
There are no visitor entitlement roles to display.
We have checked the portal database, and can see the roles are still in there, but aren't being retrieved by the application. We can also add new roles through the console, which are persisted in the database, but these too do not show in the console.
This had previously been working, and we are not sure what has changed.
Please advise what further information I can provide to help resolve this!
Kind regards,
Mike
Hi,
I was able to find a white paper which discusses this topic.
http://edocs.bea.com/wlp/docs81/whitepapers/vcr/index.html
If this isn't helpful, please post this question to the portal newsgroup at http://newsgroups.bea.com/bea/forum.jspa?forumID=2044
cheers
Raj -
Access Visitor entitlements programmatically
Hi,
I wonder if it is possible to access (create, manage, delete) Visitor Entitlements programmatically by a Beehive control/Helper ...
It is possible to do this for Delegated Admin roles with the DelegationRoleManagerControl control provided by Oracle. But I didn't find an equivalent to manage the Visitor Entitlements roles.
I'm using Weblogic Portal 10.2 (Weblogic Server 10) on a JRockit R27.6.0 1.5.0_15
Best.
Edited by: user11804594 on 19 August 2009 02:54
Hi
If you want to get the list of roles for the currently logged in user, that's possible.
If you want to get the roles for any logged in user, it's possible if you know what the entitlement definition is beforehand. If the entitlement is based on directly assigning users to the role or groups to the role, then it's fine and can be done without needing the code to know which role is which group; it can be done programmatically.
If you have more complicated and/or clauses in the role definition or do not know the entitlement definition beforehand then I don't think it is.
Which scenario applies to you? -
How to configure a form based login page with entitlement role
We need to have a login page for our portal app.
When using "form based" authentication is it possible to map the security on an
"entitlement role"?
Our need is to be able to give direct URL access to some pages of the portal (for
example by sending URLs like "http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_pageLabel=mypage"
by email to portal users) and need a simple mechanism of authentication before
redirecting to the portal page.
Inste
Olivier,
You can't reference WLP visitor roles in weblogic.xml, but you can
reference global roles (created using the WLS console):
<security-role-assignment>
  <role-name>PortalSystemAdministrator</role-name>
  <externally-defined />
</security-role-assignment>
-Phil
"Olivier" <[email protected]> wrote in message
news:[email protected]..
> We need to have a login page for our portal app.
> When using "form based" authentication is it possible to map the security on an
> "entitlement role"?
> Our need is to be able to give direct URL access to some pages of the portal (for
> example by sending URLs like "http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_pageLabel=mypage"
> by email to portal users) and need a simple mechanism of authentication before
> redirecting to the portal page.
> Inste
-
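An added example (not part of the original threads, and not BEA/Oracle code): a small Python audit of the descriptor mappings discussed in the replies above. It compares the roles that web.xml auth-constraints reference with the security-role-assignment entries in weblogic.xml, including the externally-defined form. The descriptor contents and the AUDITOR role are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors; AUDITOR is a made-up role with no mapping.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/appmanager/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>EMPLOYEE</role-name>
      <role-name>PortalSystemAdministrator</role-name>
      <role-name>AUDITOR</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>EMPLOYEE</role-name><principal-name>employees</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>PortalSystemAdministrator</role-name><externally-defined/>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>visitor</role-name><principal-name>testuser</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def _named(elem, name):
    """Children of elem with this local tag name (any XML namespace is ignored)."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _find_all(xml_text, name):
    """Every element with this local name anywhere in the document."""
    return [e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit("}", 1)[-1] == name]

def constrained_roles(web_xml):
    """Role names referenced by any <auth-constraint> in web.xml."""
    return {r.text.strip() for ac in _find_all(web_xml, "auth-constraint")
            for r in _named(ac, "role-name")}

def role_assignments(weblogic_xml):
    """Role name -> 'externally-defined' or the sorted principal names from weblogic.xml."""
    result = {}
    for sra in _find_all(weblogic_xml, "security-role-assignment"):
        role = _named(sra, "role-name")[0].text.strip()
        if _named(sra, "externally-defined"):
            result[role] = "externally-defined"
        else:
            result[role] = sorted(p.text.strip() for p in _named(sra, "principal-name"))
    return result

def audit(web_xml, weblogic_xml):
    """Compare the roles web.xml enforces with the mappings weblogic.xml supplies."""
    used, mapped = constrained_roles(web_xml), role_assignments(weblogic_xml)
    return {
        "unmapped": sorted(used - set(mapped)),
        "unused_assignments": sorted(set(mapped) - used),
        "external": sorted(r for r in used if mapped.get(r) == "externally-defined"),
        "principals": {r: mapped[r] for r in sorted(used) if isinstance(mapped.get(r), list)},
    }

if __name__ == "__main__":
    for key, value in audit(WEB_XML, WEBLOGIC_XML).items():
        print(f"{key}: {value}")
```

Roles listed under "principals" can then be reviewed to see whether each principal is a single user or a group, which is the distinction the group-membership question above turns on.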
Which are the required roles/privs for viewing all scheduler jobs in OEM?
Platform: Oracle 11.1.0.6 Enterprise Edition (64) Windows 2008 R2 Server
- I've created a new Admin user in "OEM>Setup>Administrators>Create"
- I checked the user in "OEM>Server>Users":
CREATE USER "SA_ADMIN"
PROFILE "DEFAULT"
IDENTIFIED BY "saadminsa"
DEFAULT TABLESPACE "SYSAUX"
TEMPORARY TABLESPACE "TEMP"
ACCOUNT UNLOCK;
GRANT SELECT ANY DICTIONARY TO "SA_ADMIN";
GRANT "MGMT_USER" TO "SA_ADMIN";
- "SA_ADMIN" was granted only the permissions above.
- I can log in OEM as "SA_ADMIN"
- I can see OEM backup jobs and the history
- But I cannot see any "scheduler" jobs in "OEM>Server>Jobs"
- I get a lists of the jobs in "OEM>Scheduler Central" but I cannot display any more information of "scheduler jobs"
- I logged off from OEM
- I granted SCHEDULER_ADMIN role to "SA_ADMIN"
GRANT SCHEDULER_ADMIN TO "SA_ADMIN";
- I logged back in OEM as "SA_ADMIN"
- I can now see some scheduler jobs, but not all of the jobs; I still cannot see any of the new jobs I created logged in OEM as SYS.
Which are the required roles/privs for viewing all scheduler jobs in OEM?
If you grant "SYSDBA" to the new Admin user then you can see the "scheduler" jobs.
GRANT SYSDBA TO "SA_ADMIN";
I wanted to grant "read" access in OEM for the new user.
This behaviour is strange.
Without the "SYSDBA" role the new user can see the OEM backup jobs that were created as SYS, but it cannot see the "scheduler" jobs.
-
How to get entitlement role list
How can I get the portal entitlement role list by API?
If I use
RolePolicyManager.listRolesForResource(String anEntAppName,
String aWebAppName,
String aResourceId)
How can I specify the aResourceId such that the roles of the entire portal will
be retrieved?
Or is it just a wrong approach? Thx a lot!!
Ken
I can get it by calling
String str[] = RolePolicyManager.listRolesForResource(
    ApplicationHelper.getApplicationName(),
    ApplicationHelper.getWebAppName(getRequest()),
    EntitlementConstants.P13N_ROLE_POLICY_POOL);
"Ken" <[email protected]> wrote:
> How can I get the portal entitlement role list by API?
> If I use
> RolePolicyManager.listRolesForResource(String anEntAppName,
> String aWebAppName,
> String aResourceId)
> How can I specify the aResourceId such that the roles of the entire portal will
> be retrieved?
> Or is it just a wrong approach? Thx a lot!!
> Ken
-
I am running Acrobat Pro 9 (9.5.5). Do we have to purchase the new version if we have never upgraded? Or are we entitled to an upgrade to the latest version.
I am not really clear on the intention of your question. If you are going to get the latest version you are going to purchase it. When you go to purchase it you should be able to see if there is an option to purchase it as an upgrade from the version you currently have. I cannot find the purchase page to check myself... I can only find the subscription option.
-
Visitor entitlements in a admin extension
Hi,
i want to extend my portal administration console.
Is there a way to get a list of all visitor entitlements?
Thanks!
Markus
look at RolePolicyManager
e.g.
import com.bea.p13n.management.ApplicationHelper;
import com.bea.p13n.entitlements.common.EntitlementConstants;
import com.bea.p13n.entitlements.management.RolePolicyManager;
String entAppName = ApplicationHelper.getApplicationName();
String webAppName = ApplicationHelper.getWebAppName(request);
String[] policies = RolePolicyManager.listRolesForResource(entAppName, webAppName, EntitlementConstants.P13N_ROLE_POLICY_POOL);
-
What are the consultant roles in Upgradation or migration project
Hello ,
Would anybody please help me by providing the roles & responsibilities of a consultant in an SAP upgradation or migration project. Thanks.
Regards,
Sampally
Dear Sampally,
SAP defined a roadmap for upgrade.
1) Project Preparation
Analyze the actual situation
Define the objectives
Create the project plan
Carry out organizational preparation for example identify the project team
2)Upgrade Blueprint
The system and components affected
The mapped business processes
The requirements regarding business data
3)Upgrade Realization -- In this phase the solution described in the design phase is implemented in a test environment. This creates a pilot system landscape, in which the processes and all their interfaces can be mapped individually and tested on the functional basis.
4)Final Preparation for Cutover -- Testing, Training, Minimizing upgrade risks, Detailed upgrade planning
5)Production Cutover and Support
The production solution upgrade
Startup of the solutions in the new release
Post processing activities
Solving typical problems during the initial operation phase.
SAP expects at least 2 to 3 months for Upgrade and that again depends on project scope and complexity and various other factors.
STEPS IN TECHNICAL UPGRADE
Basis Team will do the prepare activities. (UNIX, BASIS, DBA).
Developer need to run the Transaction SPDD which provides the details of SAP Standard Dictionary objects that have been modified by the client. Users need to take a decision to keep the changes or revert back to the SAP Standard Structure. More often decision is to keep the change. This is mandatory activity in upgrade and avoids data loses in new system.
After completing SPDD transaction, we need to run SPAU Transaction to get the list of Standard SAP programs that have been modified. This activity can be done in phases even after the upgrade. Generally this will be done in same go so that your testing results are consistent and have more confident in upgrade.
Run SPUMG Transaction for Unicode Conversion in non-Unicode system. SPUM4 in 4.6c.
Then we need to move Z/Y Objects. Need to do Extended programming check, SQL trace, Unit testing, Integration testing, Final testing, Regression Testing, Acceptance Testing etc.,
The main Category of Objects that needs to be Upgraded is
Includes
Function Groups / Function Modules
Programs / Reports
OSS Notes
SAP Repository Objects
SAP Data Dictionary Objects
Domains, Data Elements
Tables, Structures and Views
Module Pools, Sub Routine pools
BDC Programs
Print Programs
SAP Scripts, Screens
User Exits
Also refer to the links -
http://service.sap.com
http://solutionbrowser.erp.sap.fmpmedia.com/
http://help.sap.com/saphelp_nw2004s/helpdata/en/60/d6ba7bceda11d1953a0000e82de14a/content.htm
http://www.id.unizh.ch/dl/sw/sap/upgrade/Master_Guide_Enh_Package_2005_1.pdf
Hope this helps you. Please let me know in case of any specific queries.
Regards,
Rakesh -
We have granted everyone all roles on our TfsReports site. However, all users (except for 2 who are TFS Admins) still get the following errors when attempting to manage the reports:
The permissions granted to user Domain\UserName are insufficient for performing this operation. (rsAccessDenied)
These are the roles we've granted to all "Domain Users": Browser, Content Manager, My Reports, Publisher, Report Builder, Team Foundation Content Manager.
We can't seem to figure out what else might be missing.
Please help.
The issue was reported by one of the Application Support team stating that they have problems with accessing reports in Reporting Services from the Team Foundation Server (TFS) side. By default certain users are part of a local domain group having LOCAL ADMINISTRATOR privileges on the TFS server, which by default causes no issues for those users. Somehow there was a change in the role of certain users where ADMIN access was revoked. However the users are still part of the SYSADMIN group; they reported the error as follows:
"The permissions granted to user ''DOMAIN\UserName'' are insufficient for performing this operation. (rsAccessDenied)"
By default the text clarifies that there is no permission to access the reports, and further we have a set of roles defined on the Reporting Services, as follows:
http://servername/Reports/
Root
BUILTIN\Administrators: No access
DOMAIN\TfsAdmins: Content Manager
DOMAIN\ReportAdmins: Content Manager
More details
Ahsan Kabir
-
Users are created but Roles are not Provisioned in the Target System
Hi,
It would be great if somebody would provided solution to my problem. The problem is when I try to create the Users in Identity Managment UI then the Users are created in the Target systems but the Roles are not provisioned to the Users.
In the provisioning job SetABAPRole&ProfileForUser,
It is says In the Error putNextEntry failed storing
Exception from Modify operation:com.sap.idm.ic.ToPassException: User does not exist
MSKEY 58437
Please note the When we create the User, the user is created however the Roles is not provisioned to the user.
Regards,
Hakim
Hello Nits,
since this thread is from 2010 and the OP was logged on last in 2012 (as you can see in the profile), I don't think you'll get an answer here.
Please create a new thread to explain your problem (with version and SP numbers, logs etc). You can add a link to this thread to show, that the problem is similar.
Regards,
Steffi. -
Are Pre-defined roles available for Customizing Synchronization?
Hello Guys,
In the SAP Help for Solution Manager: <<http://help.sap.com/saphelp_sm40/helpdata/en/48/647e3ddf01910fe10000000a114084/content.htm>>
it's mentioned that certain authorizations needs to be given for the involved people (admin & customizer), in both the SOLMAN & the component systems.
Also, its said that the role Application Consultant has all authorizations which are needed to set-up the Customizing Distribution in the SAP Solution Manager system & the authorization profile S_CUS_CMP can be used in the component systems.
But the AC role "SAP_SOL_AC_COMP" & "S_CUS_CMP" profile do not have all the necessary authorizations specified.
E.g.: Role SAP_SOL_AC_COMP does not have project creation authority, whereas S_CUS_CMP has only some authorizations.
So my question is:
Along with these two, are there any other roles/profiles which complete the gaps & are readily available for usage ?
Last option would be to manually create & include the mentioned auth. objects.
Thanks & Regards
Chaitu
Hello Chait,
Regarding your two questions:
1) There are separate roles available for customizing purposes, please check note 803142 "Roles for satellite systems". The note administration list an xls with the respective roles for customizing distribution and comparison, namely
SAP_BC_CUS_ADMIN
SAP_BC_CUS_CUSTOMIZER
S_CUS_CMP
2) What I can recommend is the quick reference for setting up Customizing Distribution which is also part of the help documentation
http://help.sap.com/saphelp_sm40/helpdata/en/c4/533d4050d89523e10000000a1550b0/content.htm
Regards,
Doreen -
SRM RFC users for ERP , what are the profile/roles should be used?
Hi All,
I have integrated SRM and ERP systems using config wizard. Multiple rfc accounts were created automatically by the wizard but what i did was i skipped on the profile and role field because i don't know what to put. Now, I am battling on what profiles and roles should i put there since the wizard didn't do the automatic placing of authorizations and roles for me.
here are the users that have been created automatically by the config wizard.
ERP System:
SRM2ERP
SRM2ERPD
ERPLOCAL
SRM System:
ERP2SRM
ERP2SRMD
SRMLOCAL
Please help on what ABAP Roles and Profiles should i place to it.
Regards,
Tony
Edited by: Tony on Jun 9, 2011 12:34 PM
Hi,
The user should have profile SAP_ALL assigned automatically when you run the CTC script.
Else please assign manually.
Regards
Sam