Assign user role to network group people

Similar Messages

• Assigning the role to the group using MAXL

  Hi,
  We are using Essbase 11.1.1.3 and Hyperion Financial Reports 11.1.13.
  I have created a role called "Standard_user_HFR" in shared Services and assgined Explorer and viewer to the role and i need to assign the role to the groups and i have around 1600 groups to which i have assign the role. Is there any Maxl Script to assign the role to the groups. As of now i am manually adding the role to the group.
  Regards,
  VJ

  Also look into Aggregated Roles to possibly reduce the number of Groups.
  Oracle states:
  Aggregated roles, also known as custom roles, aggregate multiple predefined application roles. An aggregated role can contain other aggregated roles. For example, a Shared Services Administrator or Provisioning Manager can create an aggregated role that combines the Planner and View User roles of a Oracle Hyperion Planning, Fusion Edition, application. Aggregating roles can simplify the administration of applications that have several granular roles. Global Shared Services roles can be included in aggregated roles. You cannot create an aggregated role that spans applications or products.
  Thank you,
  Todd Rebner

• Assigning user roles in my application in a programatic way

  Hi,
  How can I assign user roles in a programatic way when I am using the Sun One 7 server? Is that possible?
  Thanks,
  Wanderley.

  Sorry, but I need to know HOW can I assign roles( RolesPrincipals) to the container Subject (using JAAS)?
  When I am using, for instance Tomcat, I assign the roles to the container's Subject defining the Roles Principals in server.xml. Like this:
  <Realm className="org.apache.catalina.realm.JAASRealm"
               userClassNames="br.com.caf.security.auth.LoginPrincipal"
               roleClassNames="br.com.caf.security.auth.RolesPrincipal"/>Doing that, Tomcat will know which Principal to return when I call "request.getUserPrincipal()".
  In JBoss I implement a LoginModule (org.jboss.security.auth.spi.AbstractServerLoginModule) that defines who is my User (LoginPrincipal) and his Roles (RolesPrincipal).
  How can I assign user and his roles to the container's subject in Sun One?
  Thanks,
  Wanderley.

• Assign User ids to Recipient Group

  Hi All
  Could any one please tell us how to assign users into a recipient group.
  Recipient group can be found from SPRO IMG
  Training and event management --> Day to day Activities --> Correspondance --> Notification Abbreviations
  Regards
  Pritam

  Dear Pritam,
  With the Definition of the recepient groups you can specify for which recipient group which function module should be linked / should be used.
  In the function module it is decided whom the correppondece will be sent.
  F.e.:
  Recipient group Prebooked  -> RH_GET_ADDR_PREB (function module)
  If you prebook a course with one of your Objects (Person, User, Candidate, Org. Unit, etc..) than the object automatically belongs to the Prebooked group.
  For the "prebooked" group you can specify different notification types they call the function module.
  I hope i could clearify the question.
  Kind regards,
  Zsolt

• Assigned User Role Mirgation from EP 6.0 SP2 to SAP NW2004s (EP 7.00 SP7)

  Our users are stored in LDAP and their role assignment is driven by the roles assigned to the groups. For example...
        Manager Group : MSS and other role assigned
        Employee Group : ESS and other role assigned
  but some users are assigned additional roles not driven through groups, for example, some manager may have business specific reporting role assigned to them. In this case, the assigned role did not move to EP 7.0 because the role assignment information is stored in the portal database (Oracle)  for EP 6.0 SP2 and the new EP 7.0 portal database (Oracle) does not have that information since we did not use migration tools for the upgrade.
  Is there any way I can extract the roll assignment information from EP 6.0 SP2 and upload them to EP 7.0 database since both environments have identical roles and we are using the same LDAP for both environments ??

  Our users are stored in LDAP and their role assignment is driven by the roles assigned to the groups. For example...
        Manager Group : MSS and other role assigned
        Employee Group : ESS and other role assigned
  but some users are assigned additional roles not driven through groups, for example, some manager may have business specific reporting role assigned to them. In this case, the assigned role did not move to EP 7.0 because the role assignment information is stored in the portal database (Oracle)  for EP 6.0 SP2 and the new EP 7.0 portal database (Oracle) does not have that information since we did not use migration tools for the upgrade.
  Is there any way I can extract the roll assignment information from EP 6.0 SP2 and upload them to EP 7.0 database since both environments have identical roles and we are using the same LDAP for both environments ??

• Shared Services 11.1.2 Unable to remove assigned user from a security group

  In Shared Services 11.1.2 - trying to remove a user from the assigned users list of a security group. Initially, I am able to remove the user and the assigned users total decreases by one - but when I relaunch the group properties - this user is still in there? The change does not hold. Any suggestions would be appreciated - thanks,
  Paul

  Hello Paul,
  Not sure if this is related to yours, but it might be worth having a look at the following articles on Oracle support --
  External users in EPM Shared Services (e.g. MSAD users) cannot be removed from Native groups if they have multiple IDs in the external user directory. [ID 1526569.1]
  Users from External User Directories Cannot be Removed from Native Groups [ID 1272309.1]
  Thanks,
  hyperionEPM
  Please mark answers as correct or helpful for others to find them easily.

• Cisco Security Manager Local RBAC Authentication Radius assign user role

  Is it possible to use Cisco Security Manager with local RBAC, authenticate the user to Radius and retrieve it's role from Radius. Getting the authentication to work isn't the problem, but is it also possible to return the role the user has (i.e. Super Admin) via Radius, without having to create all the users one-by-one in the local CSM database with the correct role.
  Can i use a certain Cisco-AV-Pair attribute to return the user role via Radius?

  I just got asked to look at the same situation by one of our security people.
  We have exactly the same problem but it reports a username of "*****" and we are running CSM 4.7 (upgraded last week)

• Assign user external dir to group using MaxL

  Hi
  I have my essbase security sync with Shared services.
  Now i want to assign user to groups using Maxl
  Groups exist as Essbase native Groups
  Users exist as corporate directory and are NOT native users
  Now when i try to execute the following statement i get error saying 'user does not exist'
  Alter user 'username@corporatedir' add to group 'nativegroup';
  Is it not possible to assign users from external directory to native groups using Maxl?

  Not specifed your version.
  For 9.3.1 refer to page 103 for details. http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/hyp_security_guide.pdf
  The file looks like
  #group_children          
  id,user_id,user_provider
  myNativeGroup,User1,myProvider
  myNativeGroup,USer2,myProvider
  myNativeGroup,nativeUser3,Native Directory
  For better understanding, add one external user to a native group manually in shared services and then export using the utility.
  Then the exported file format can be used for your import.
  Hope it helps.

• Automatically assign user roles on user creation

  Hi,
  I have a scenario where i am creating database users in Oracle database and we need that no matter from where the database users are created they have a couple of roles automatically assigned to them.
  How can this be done?
  Quick response will be very helpful.
  UZ

  post and wait for a valid answer more than 20 minutes, search by yourself at oracle documentation less than 5 minutes. worth it?
  http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_8003.htm
  a trick --> group of roles = profile
  another trick --> profile can be add in the user creation
  Edited by: Fran on 26-feb-2013 2:17

• Assign role to LDAP group

  Hello,
  I've assigned a role to a LDAP group in portal. But when accesing it displays: 'No portal roles are assigned for this user'.
  The user is included in the LDAP group but I dont't know why it doesn't display nothing.
  Please, do you know what could it be?
  Thanks in advance

  Hi Isabel,
  this really IS strange. Can you assign this user to a group defined in the database and try to assign a role to this group? Is it working then?
  If this is working, then we probably have to increase the log levels and check from there.
  You could also try to remove the role from the group and reassign it again.
  If it's not working: remove it again and this time search for the role and assign the group to it.
  Please come back if it is not working. Then we will try to dig deeper.
  Regards,
  Holger.

• Customize portal "Help" link based on user roles

  Is there a chance to customize the Help link URL in Masthead iView based on user roles? The use case we have is that the "Help" should be different for users of the purchasing company from those of the supplying company.
  Thanks.

  Hello Jay.
  This is a multi step process.
  Step 1 : Create 2 desktops with everything as same but different mastheads.
  - Copy your existing desktop and paste it in your working folder in PCD (Not select Delta link)
  - Now download masthead par file.
  - Modify your masthead par file where you will disable help link. Rename you masthead file (newMasthead.par) and export it from NWDS. Now import it in portal.
  - open your framework page in desktop2. Just add your new masthead in it. Enable the new one and disable the existing one.
  Step 2 : Create 2 groups of users. (First one belong to users who wish to see help link . i.e existing desktop) (Second of thoese users who do not have to see help link i.e. newDesktop)
  - Assign users to appropriate groups.
  - Assign same roles to both groups.
  Step 3 : Modify main rule section in PCD.
  - If group = HelpLinkUsers Then Desktop1
  If group = NoHelpLinkUsers Then Desktop2.
  You may find above process bit tedious and lengthy.
  But if you wish to further customize your portal then this will be needed one day.
  If you find problems in implementing any step then please search in google or SDN.
  Please revert back on any specific question on above approach you may face while implementing.
  Thanks

• SAPJSF user role - does it have to be SAP delivered name ?

  Hi Folks,
  Security question - We are upgrading to EP 7.0 . The SAPJSF user ( in ABAP system) has the role SAP_BC_JSF_COMMUNICATION_RO.
  Does the Portal need this exact named role ? If so ..can it be changed in the
  Portal end ?
  Our policy with roles is not to use the SAP delivered - so we copy and change
  to our standard . Will the portal recognize a different role on the SAPJSF user.
  This note got me thinking on this  908911 
  Thanks for input !   Dan

  Ah, yes. It does read the role. It displays this role in the UME user interfaces as a group to which users are assigned. You can then assign portal roles to this "group."
  See the picture in this document:
  http://help.sap.com/saphelp_nw04s/helpdata/en/ed/18cc38e6df4741a264bddcd4f98ae2/frameset.htm
  -Michael

• Query Result Filtered using User Roles SCSM 2012 R2 RU2

  Hi,
  I have a Query Result setup in a Request Offering that shows the list of Printers using the Printer CI. We have different sites with printers that start with the site location like MTL. There are no filters in the Query Result. What i did is create a Group
  for each site that has the rule "start with" MTL (other groups have other 3 letter prefix). Then i created a user role for each group and only selected the Printer group for the site and i associated the User Role with our AD Site group called MTL-User.
  i did this for each site. Now when i checked the Request Offering at first, with a user that is part of MTL-User group, it showed only the list of printers that started with MTL. Now today i came to check again and the same user is seeing all the printers
  and not just the ones that start with MTL.
  The User Role i made was based on the Read-Only Operator. I just dont know what the problem is

  Thanks for that link. I had thought of something like that but i found it came to the same thing as just using the filter field that is already available when using a Query Result. I retried using User Roles and figured out that the problem is that my test
  user is only part of the MTL-USER group so when i logged in with him into the portal (cireson Portal btw) i would see the proper result. If i logged in with a actual user that is also part of other groups besides MTL-Users, they see all the printers no matter
  which AD group i define in the User Role. 
  So what i figured was that my group is not getting applied as the filter to the query Result and that the Member section in the User role is only to say who can see the Query result list. But then i have my test user for which this setup works...so im confused
  on what exactly is overriding the results.

• Portal Runtime error in assigning a role to a user by UME

  Hi ALL,
  I am assigning a role to a user through UME using this piece of code:
  String uids = userFactory.getUserByUniqueName("Shilpa").getUniqueID();
  String roleid = roleFact.getRoleByUniqueName("pcd:portal_content/administrator/content_admin/content_admin_role").getUniqueID();
  roleFact.addUserToRole(uids,roleid);
  The userid and role is beinf fetched successfully but at the assignment of the role to the user , I am gettign Portal runtime error.
  The error log is following.
  <b> java.lang.NoClassDefFoundError: com/sap/abc/network/util/InfEPLog
       at UserListeners.userAssigned(UserListeners.java:27)</b>
       at com.sap.security.core.imp.RoleFactory.assignUserPerformed(RoleFactory.java:1466)
       at com.sap.security.core.persistence.imp.DistributedTransaction.doCacheUpdateAndNotificationForMembers(DistributedTransaction.java:565)
       at com.sap.security.core.persistence.imp.DistributedTransaction.doCacheUpdateAndNotificationForMembers(DistributedTransaction.java:815)
       at com.sap.security.core.persistence.imp.DistributedTransaction.doCacheUpdateAndNotification(DistributedTransaction.java:465)
       at com.sap.security.core.persistence.imp.DistributedTransaction.afterCompletion(DistributedTransaction.java:252)
       at com.sap.engine.services.ts.jta.impl.TransactionImpl.commit(TransactionImpl.java:414)
       at com.sap.engine.services.ts.jta.impl.TransactionManagerImpl.commit(TransactionManagerImpl.java:316)
       at com.sap.engine.services.ts.transaction.TxManager.commitLevel(TxManager.java:581)
       at com.sap.engine.services.ts.transaction.TxManagerImpl.commitLevel(TxManagerImpl.java:63)
       at com.sap.transaction.TxManager.commitLevel(TxManager.java:237)
       at com.sap.security.core.persistence.imp.DistributedTransaction.commit(DistributedTransaction.java:2742)
       at com.sap.security.core.imp.Role.commit(Role.java:337)
       at com.sap.security.core.imp.RoleFactory.addUserToRole(RoleFactory.java:1338)
       at com.sap.user.UserAdded.doContent(UserAdded.java:63)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.doPreview(AbstractPortalComponent.java:240)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.serviceDeprecated(AbstractPortalComponent.java:168)
       at com.sapportals.portal.prt.component.AbstractPortalComponent.service(AbstractPortalComponent.java:114)
       at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
       at com.sapportals.portal.prt.component.PortalComponentResponse.include(PortalComponentResponse.java:215)
       at com.sapportals.portal.prt.pom.PortalNode.service(PortalNode.java:645)
       at com.sapportals.portal.prt.core.PortalRequestManager.callPortalComponent(PortalRequestManager.java:328)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:136)
       at com.sapportals.portal.prt.core.PortalRequestManager.dispatchRequest(PortalRequestManager.java:189)
       at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:753)
       at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
       at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Please tell me where I am wrong.
  Regards,
  Shilpa.

  Hi Shilpa,
  The error "java.lang.NoClassDefFoundError" means that your classpath is not set correctly. This is likely due to a missing reference. The class file may be in the jar, but at runtime the component (your component) needs to have access to the jar file which contains the class.
  Try adding the servlet.jar, activation.jar file in your project and also through your ADd external libraries at 'java build path'. also please ensure tht WAS and NWDS at the same SP level.
  Hope this might help you.
  Regards,
  Shaila

• Active Directory users not made member of Local Network group

  Hi all,
  I've just done a clean install from 10.6 Server to 10.8.4.
  The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
  The Setup:
  In Groups in Server.app under Local Network Group I have created a group call "AccessServer"
  Members in that group are:
       - AD-Domain User Group (so should be all users in the domain)
       - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
       - AD User 1
       - AD User 2
       - AD User 3
  The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
  The Behaviour:
  AD User 1 can access AFP and other services as expected.
  AD User 2 and 3 cannot.
  Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
  Yet other users within AD-Domain User Group or netaccounts cannot
  Furthermore: 
  If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group.  I can still login with that account!
  Diagnosis:
  I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
  >dseditgroup -o checkmember -m ADUser1 accessserver
  yes ADUser1 is a member of accessserver
  >dseditgroup -o checkmember -m ADUser2 accessserver
  no ADUser2 is NOT member of accessserver
  >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
  yes ADDomainUser/netacc is a member of accessserver
  >dseditgroup -o checkmember -m n accessserver
  no ADUser2 is NOT member of accessserver
  When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
  2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
  I get the same results even after removing the user from the Groups screen!
  Failed Solutions
  - As we are a large AD I've tried specifying specific Active Direcotry servers that might better be able to find the users in question and authenticate.
  - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
  - I've deleted and recreated the groups.

  Upon further investigation we have discovered:
  a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
  b)  This is NOT limited only to MacOS X Server 10.8.  The same behaviour is occuring on a long-running 10.6 server as well.
  c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
  d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
            1 - those that are successfully becoming members every time.
            2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
            3 - those that are never successfully admitted as a member.
  So the problem is both Apple's and Windows in that:
  Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
  Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
  Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course being using for many years.  So this is a major setback.