Assign role to LDAP group

Hello,
I've assigned a role to an LDAP group in the portal. But when accessing it, it displays: 'No portal roles are assigned for this user'.
The user is included in the LDAP group, but I don't know why it doesn't display anything.
Please, do you know what it could be?
Thanks in advance

Hi Isabel,
this really IS strange. Can you assign this user to a group defined in the database and try to assign a role to this group? Is it working then?
If this is working, then we probably have to increase the log levels and check from there.
You could also try to remove the role from the group and reassign it again.
If it's not working: remove it again and this time search for the role and assign the group to it.
Please come back if it is not working. Then we will try to dig deeper.
Regards,
Holger.

Similar Messages

  • Assigned Role in user Group

    Dear All
  Please help me assign a Role to a user Group. I created a user Group (SURG), but I can't assign a Role?
    Regards , Thanks
      Lannguyen

    Hello,
    You cannot assign user groups directly to Roles, however you can do the following.
    Use PFCG transaction
    1. Select the role and switch to change mode.
    2. Switch to user tab.
    3. Put the cursor in the blank line and hit F4
    4. You should get a popup window which asks you to provide search criteria for the user.
    5. Switch to the 2nd tab, Users by Logon criteria; here you should be able to find the selection field User group.
    6. Select the group you created and hit the green tick.
    7. All the users in that group will be listed in the User list tab on the main screen.
    8. Now, to complete the user assignment, hit the User comparison button (it should turn green once done).
    Regards,
    Siddhesh

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make those assignments through the BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • Associating roles with LDAP Groups

    I see in a number of places where I can define roles using a "principal-name".
    Can I use a realm group here as well as a single user? What I'm looking for is
    a method where I can set up my roles in my web apps and ejbs and then on the
    fly grant users rights by adding them to a group. Certainly seems possible but
    I must be missing something.
    Consider the following example (from the weblogic documentation) and let me know
    if I can use realm groups for the section attributed to the weblogic.xml file.
    (I marked it with ***).
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecureOrdersEast</web-resource-name>
        <description>Security constraint for resources in the orders/east directory</description>
        <url-pattern>/orders/east/*</url-pattern>
        <http-method>POST</http-method> <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>constraint for east coast sales</description>
        <role-name>east</role-name> <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-role><description>east coast sales</description> <role-name>east</role-name></security-role>
    <security-role><description>managers</description> <role-name>manager</role-name></security-role>
    weblogic.xml entries *** Can these come from the realm????????***
    <security-role-assignment>
      <role-name>east</role-name>
      <principal-name>tom</principal-name> <principal-name>jane</principal-name>
      <principal-name>javier</principal-name> <principal-name>maria</principal-name>
    </security-role-assignment>
    <security-role-assignment>
      <role-name>manager</role-name>
      <principal-name>peter</principal-name> <principal-name>georgia</principal-name>
    </security-role-assignment>

    See my answer to your question:
    Simple (dumb) role/group question
    Yong

  • Assigning Roles to Groups

    Hi there,
    i am a newbie to SAP and have some questions about user management in Web AS ABAP.
    Is it, like in Web AS Java, possible to assign roles to groups?
    And could one user be in several groups?
    Or is it possible to assign groups to groups?
    I want to assign a group to each role and then not change the assignment of user to role but instead change the assignment of user to groups.
    Thanks for your answers,
    stefan

    Hi Stefan,
    Ques 1) Is it, like in Web AS Java, possible to assign roles to groups?
    Ans: You cannot assign roles to a group.
    Ques 2) And could one user be in several groups?
    Ans: Yes, you can assign a user to multiple groups.
    User Management -> Group -> Assign User to a group.
    Ques 3) Or is it possible to assign groups to groups?
    Ans: Yes, this is also possible. Just go to User Administration on the portal and then Groups. There you will find an icon to assign a group to another group.
    User Management -> Group -> Assign group to a group.
    I think this will help to solve your problem.
    Regards
    Pravesh
    Sorry!! I really misunderstood the problem. So I am editing the wrong part of my answer.
    Message was edited by: Pravesh Verma

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    i am trying to build up a synchronous user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administrate the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and reach a synchronous user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    The question is: is it possible to map LDAP groups, with the LDAP connector of the Web AS ABAP, to roles in an ABAP system?
    Or is there another way to administrate users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case u have to use the concept of central user administration. use the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps u to get fair bit of idea
    don't forget to give points
    With regards
    subrato kundu

  • Portal Roles added to the LDAP group is not showing up for users

    Hello expert,
    I have implemented SSO for Enterprise Portal and MS LDAP. It is working fine, but when I assigned roles to the LDAP group instead of the UME group, they are not taking effect when I refresh the browser. My service account that I set up in the keytab file is a read-only account for the LDAP. Is there some permission issue that I have to fix to be able to add Portal roles or groups to LDAP groups?

    Hi,
    By default the LDAP integration configuration file is read-only.
    In this case, it is not possible to modify data in LDAP.
    You must connect in read-write mode; and I think that, furthermore, you need to configure SSL between Portal and LDAP in order to use read-write mode.
    regards,

  • Novell LDAP Group - Role

    Hi,
    I have created a Novell LDAP Group. In my realm I have now two authentication
    providers: default and novell, both optional. If I authenticate my user which
    is stored in the novell ldap the user is correctly authenticated (request.getRemoteUser()
    != null), although the log says user denied (no matter if the user is in the embedded
    ldap or the novell, but maybe the other one always complains). (novell user gets
    rejected if password is wrong)
    For a novell group i create a role with the condition: caller is a member of the
    group "novell group". this seems not to work: with request.isUserInRole("novell
    group") i get "false"!!
    any ideas??
    regards
    tobias

    found my mistake. i created a role in the weblogic console which i also have defined
    in the web.xml. then i also need to assign this role to the principal (my group)
    in the weblogic.xml.
    if i have a role not defined in the web.xml the request.isUserInRole(<RoleName>)
    works fine, but not in the above described case without assignment in the weblogic.xml.
    "Tobias Voigt" <[email protected]> wrote:
    > Actually groups are also configured correctly as it seems for me. On the group
    > page, the ldap group is also listed (in the provider column it says NovellAuthenticator).
    > Also if i look at the output of weblogic.security.Security.getCurrentSubject()
    > the LDAP group is also listed as a Principal.
    > weblogic.security.SubjectUtils.isUserInGroup(<Subject>,<LDAPGroup>) says true.
    > but request.isUserInRole(<Role for Members in LDAPGroup>) says false.
    > (Btw: Weblogic 8.1 sp1)
    > "tm" <no-reply> wrote:
    >> Hi Tobias,
    >> It sounds like you can successfully use users in your Novell LDAP server but you
    >> cannot successfully use groups from the LDAP server (i.e. when you login, it's
    >> finding the user, but it isn't finding the user's groups, thus the role isn't working).
    >> I'm assuming that you have configured a NovellAuthenticator.
    >> You must configure the NovellAuthenticator to tell how groups are stored in your
    >> Novell LDAP server (i.e. tell it about the group schema). If this is not correctly
    >> configured, then groups won't work.
    >> See http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008
    >> for more information on configuring group schemas for LDAP authentication providers.
    >> -tm
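    The fix Tobias describes above, and the question Ilango asks in the earlier thread (can a `principal-name` be a realm group rather than a user?), both come down to the same two descriptor entries. The fragments below are an added illustration, not code from either post: the role is declared in web.xml and then, in weblogic.xml, mapped to a group principal instead of to individual users. The group name `east-coast-sales` is a constructed placeholder; the URL pattern and role name reuse those from Ilango's example.

    ```xml
    <!-- web.xml: declare the role and protect the resource with it -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecureOrdersEast</web-resource-name>
        <url-pattern>/orders/east/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>east</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>east</role-name>
    </security-role>

    <!-- weblogic.xml: map the role to a realm group, not to named users.
         "east-coast-sales" is a constructed placeholder; it must match the group name
         exactly as the authentication provider (here an LDAP authenticator) reports it. -->
    <security-role-assignment>
      <role-name>east</role-name>
      <principal-name>east-coast-sales</principal-name>
    </security-role-assignment>
    ```

    With this pair in place, `request.isUserInRole("east")` is true for any authenticated caller whose Subject carries the `east-coast-sales` group principal, and membership is then managed entirely in the directory. Two things still have to hold, both visible in the thread above: the authenticator must be configured with the directory's group schema so that the group actually appears among the Subject's principals (tm's point), and a role that is declared in web.xml needs an explicit `security-role-assignment`, otherwise it is not mapped to the group (Tobias's finding).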

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where can the mapping be defined between LDAP groups and WebLogic Roles? I have
    2 groups in iPlanet: contractors and employees, and I have 2 security roles in weblogic:
    contractors and employees. How do I map the LDAP group contractors to the weblogic security
    Role contractors? Similarly for employees?
    2. I have not defined contractors and employees under the People container in iPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of weblogic (the WebLogic Security Realm
    under People) OR do I have to write my own custom code?
    3. I am planning to use Roles instead of groups to manage the logical grouping in
    iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration
    parameters)?
    This is very urgent ... so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. You don't have to
    download any additional driver. Use it as you normally would; the only thing to
    remember is that if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the instructions that came with
    it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • Assigning the role to the group using MAXL

    Hi,
    We are using Essbase 11.1.1.3 and Hyperion Financial Reports 11.1.13.
    I have created a role called "Standard_user_HFR" in Shared Services and assigned Explorer and Viewer to the role, and I need to assign the role to the groups; I have around 1600 groups to which I have to assign the role. Is there any MaxL script to assign the role to the groups? As of now I am manually adding the role to the group.
    Regards,
    VJ

    Also look into Aggregated Roles to possibly reduce the number of Groups.
    Oracle states:
    Aggregated roles, also known as custom roles, aggregate multiple predefined application roles. An aggregated role can contain other aggregated roles. For example, a Shared Services Administrator or Provisioning Manager can create an aggregated role that combines the Planner and View User roles of a Oracle Hyperion Planning, Fusion Edition, application. Aggregating roles can simplify the administration of applications that have several granular roles. Global Shared Services roles can be included in aggregated roles. You cannot create an aggregated role that spans applications or products.
    Thank you,
    Todd Rebner

  • Managing LDAP groups and roles through SUN IDM

    Hi Guys,
    We have a requirement to build the following functionality in our Sun IDM tool.
    1. Ability to create/manage static LDAP groups.
    2. Ability to create/manage filtered LDAP groups.
    3. Ability to create/manage static LDAP roles.
    4. Ability to create/manage filtered LDAP roles.
    Can anyone give us any pointers as to how to accomplish this, or any ideas for the path to follow?
    Any reply will be appreciated.

    http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html

  • Assign role, group to Human Task when initiated

    Hi all,
    Currently, when a user logs in to BPM and creates a new task instance, I can get the roles and groups of that user programmatically. I want to assign the user's roles to that task instance dynamically when the user clicks the SUBMIT button (because I want to restrict which users are able to do this task: each user belongs to a role and group that can do it).
    Somebody help?
    Thanks.

    Hi Ming
    1. If you want to intercept any Actions from a Task like Save, Submit, Approve, Reject etc, you can create your own class like MyAppTaskValidationCallback that implements oracle.bpel.services.workflow.task.ITaskValidationCallback and in this override one method named validateTaskOperation(bunch of parameters). See the APIs for this.
    In this method, you can get the action performed on the task. Also you can get the complete Payload of the Task including your custom payload and the standard Task Payload stuff like History, Attachments, Comments etc. You can write some simple XML Parser utility methods to get and set attributes in the Payload xsd schema. So in your case, in this method, get Roles, Groups of the logged in user. Check the action performed. If he is not allowed to do that operation, throw the error from this method. Else continue with your logic. To begin with create java class like above, add this code snippet and just explore the data.
    Now, just curious. If your requirement is really to control the actions based on User Role/Groups, did you try to use the out of box functionality and avoid this custom logic. Say for BPM Applications, we have Swimlanes / Roles. Only users belonging to that Role, can work on that Tasks. Try to use out of box stuff as much as possible, unless you really need custom assignment logic.
    Thanks
    Ravi Jegga
    Just giving the code snippet to get an idea. But do refer the online APIs for more information.
    import java.util.List;
    import java.util.Locale;
    import java.util.Map;
    import org.w3c.dom.Element;
    import oracle.bpel.services.workflow.task.ITaskValidationCallback;
    import oracle.bpel.services.workflow.task.model.SystemAttributesType;
    import oracle.bpel.services.workflow.task.model.Task;
    import oracle.bpel.services.workflow.verification.IWorkflowContext;

    public class MyAppTaskValidationCallback implements ITaskValidationCallback {
      public void validateTaskOperation(ITaskValidationCallback.TaskAction taskAction, IWorkflowContext iWorkflowContext, Task task, Map<String, Object> parameters, Locale locale, List<String> errors) {
        try {
          // Custom payload and standard system attributes are available for inspection here
          Element taskPayload = task.getPayloadAsElement();
          SystemAttributesType taskSystemAttributes = task.getSystemAttributes();
          String taskTitle = task.getTitle();
          System.out.println("MyAppTaskValidationCallback::validateTaskOperation() Begin For TaskTitle: " + taskTitle + " -> TaskAction: " + taskAction + " -> Parameters:\n" + parameters);
          if (taskAction == TaskAction.ACQUIRE) {
            System.out.println("Inside ACQUIRE");
            //parameters.put("AcquiredBy", iWorkflowContext.getUser());
          } else if (taskAction == TaskAction.OUTCOME_UPDATE) {
            System.out.println("Inside OUTCOME_UPDATE");
            // Check the logged-in user's roles/groups here; add a message to 'errors' to reject the operation
          }
        } catch (Exception anException) {
          anException.printStackTrace();
        }
      }
    }

  • Assign user role to network group people

    Hi everyone,
    What user role should I assign to network people if they want to be able to discover (add) and manage their network devices by themselves? I have tried the Advanced Operator and Operator roles, but none of them came up with the Discovery Wizard option. I really don't
    want to assign them to the Operations Manager Administrators group because I'm pretty sure they will mess up SCOM within a couple of minutes!!!!!

    Hi,
    We can create runas account for discovery with the network discovery wizard, the runas account type is community string only.
    Network devices that use SNMP v1 or v2 require a Run As account that specifies a community string, which acts like a password to provide read-only access to the device.
    Regards, Yan Li
    Hi Yan Li,
    After reading your post a couple of times, I'm confused now. I did have two run as accounts created, for community string and snmpv3 authentication. When I ran the Discovery Wizard for network devices, I could select either one of them to run without problem
    and discover network devices. My account is under the Operations Manager Administrators role, so I have full permissions to do anything I want.
    My question is how to configure or create User Roles for network group people, so they can also run the Discovery Wizard and manage their network devices without putting them into the Operations Manager Administrators group. Ex: there is no Administration
    tab for them, they only see the Network Monitoring folder under Monitoring, because I don't want them to mess up those options under Administration.
    Is it just like the previous post said that there are only two options? Thank you.
    1) grant them SCOM administrator rights
    2) a SCOM administrator helps them to do network discovery

  • LDAP groups to pool assignation problem

    Hi All,
    I have created two pools "Vista" and "Ubuntu" with two LDAP groups associated ("Vista" and "Ubuntu"). I have a user "XX" which is in both LDAP groups (Vista and Ubuntu).
    When I display information about user XX in the Web interface, I get the information that the user is in 2 pools. But when I try to connect, I don't get any chooser and a desktop is started (generally the last used).
    Both pools contain enough free desktops (about 10).
    I have tried to use the "vda" command to see the configuration from the command line. Unfortunately, I don't succeed. The command "vda user-search" gives me the answer "XX uid=XX,ou=People", and when I try to pass the command "vda user-show XX" I get the answer "user not found, try command vda user-search".
    I use VDI3 software with the latest patches.
    Any help or idea would be greatly appreciated.
    Thanks
    rhino64

    Hello,
    you can look for more information about the failing commands in the cacao log file
    /var/cacao/instances/default/logs/cacao.0
    after increasing the log level as explained in:
    http://wikis.sun.com/pages/viewpage.action?pageId=139002331
    rhino64 wrote:
    > root@zzz:/ # vda user-show test1
    > User test1 not found. Use the user-search subcommand to search for existing
    > users or groups.
    > root@zzz:/ # vda user-show 10009
    > User 10009 not found. Use the user-search subcommand to search for existing
    > users or groups.
    In the two commands above, you seem to be trying to use the userid of the user. VDI uses the list of attributes defined in the global setting ldap.userid.attributes to search for users from their userid. So what is the value of the ldap.userid.attributes setting?
    #/opt/SUNWvda/sbin/vda settings-getprops -p ldap.userid.attributes
    And then what is the value of the corresponding attribute for your user? You should use this value as userid for your user.
    It is up to you to decide which attribute of the directory is the userid of your user, and then edit ldap.userid.attributes accordingly.
    See http://wikis.sun.com/display/VDI3/Customizing+the+LDAP+Filters+and+Attributes for more details.
    > root@zzz:/ # vda user-show 'cn=test1,ou=People'
    > User cn=test1,ou=People not found. Use the user-search subcommand to search for
    > existing users or groups.
    This command would not work because, as listed in the user-search command, the dn for your user is not cn=test1...
    > root@zzz:/ # vda user-show 'uid=test1,ou=People'
    > User uid=test1,ou=People not found. Use the user-search subcommand to search for
    > existing users or groups.
    This command should work fine and I can't really explain why it doesn't. The only difference I can see with the result of user-search is the capitalized 'People', so maybe try:
    # vda user-show 'uid=test1,ou=people'
    Katell

  • Assigning roles to users programmatically

    Hi,
    I want to programmatically create roles, assign roles to users etc.
    I saw in this thread
    ADF Security Policy Store
    the following scriptlet by Frank Nimphius
    import oracle.security.idm.IMException;
    import oracle.security.idm.IdentityStore;
    import oracle.security.idm.Role;
    import oracle.security.idm.RoleManager;
    import oracle.security.idm.User;
    import oracle.security.idm.UserManager;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.internal.common.util.JpsCommonUtil;

    // Action method of a backing bean; 'username' and 'password' are fields of that bean
    public String createUser() {
      try {
        IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
        try {
          UserManager userManager = idstore.getUserManager();
          RoleManager roleManager = idstore.getRoleManager();
          Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION, "admin");
          // create user
          //TODO check for empty username and password
          User newUser = userManager.createUser(this.username, this.password.toCharArray());
          roleManager.grantRole(adminRole, newUser.getPrincipal());
        } catch (IMException e) {
          // TODO
        }
      } catch (JpsException e) {
        // TODO
      }
      return null;
    }
    this is a TP3 scriptlet; is it still working on the 11g production release?
    I tried it and I get a JpsException
    oracle.security.jps.JpsException
         at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
    do I have to replace "idstore.xml.provider" with something else depending on my configuration?
    thanks
    Tilemahos

    Hi Frank thanks for the answer,
    I checked this functionality with the WLS embedded LDAP and I saw your "How-to configure OID for authentication in WebLogic Server" post.
    I managed to add users and assign them roles that I created in my application.
    But what if I want to have a super user that can create new roles and assign them member roles?
    eg.
    Developer created roles (policy store):
    accessPage1 (granted all the necessary principals to access page1)
    accessPage2 (granted all the necessary principals to access page2)
    Super user created roles
    Role1 member roles :accessPage1,accessPage2
    If I want my application to have that functionality I must create roles programmatically, won't I?
    Is there another way?
    By the way, I followed the advice in the following useful links:
    Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
    Frank Nimphius's How-to configure OID for authentication in WebLogic Server
    Edwin Biemond's Using OpenLDAP as security provider in WebLogic
    Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
    And I managed to add users of the Microsoft LDAP to the WLS,
    but I couldn't make them group members of my application groups (roles).
    Is this possible?
    Thanks
