Assigning roles dynamically through an application

We have an application being written in PowerBuilder 7.0.3 which accesses an Oracle 8.0.5 database running on OpenVMS. Is there a way to dynamically assign roles through the application to ensure that no modifications are made outside of the application?
Thanks

The use of dynamic roles for security is a very bad idea! Even if you set a password on the role, determining the name and the password for the role is trivial. Just open the binary using notepad, and search for "set role" and the password is right there.
The only way to securely design your application is to place the controls in the database where they cannot be manipulated. Use stored procedures, functions, and views!
HTH,
Aaron C. Newman
AppProtect, Inc.
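
The advice in the reply above (keep the controls in the database, behind stored procedures and views) sketched as an added example; it is not part of the original reply. The schema `app_owner`, account `app_user`, role `app_dml`, and the `orders` table with its columns are all hypothetical.

```sql
-- Added example: every schema, account, role, table and column name here
-- is hypothetical and chosen only for illustration.

-- Weak pattern described in the reply: the client enables a password-protected
-- role at run time. The statement and its password are stored in the client
-- binary, and once the role is enabled it allows arbitrary DML from any SQL tool.
--   CREATE ROLE app_dml IDENTIFIED BY <role-password-placeholder>;
--   GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO app_dml;
--   SET ROLE app_dml IDENTIFIED BY <role-password-placeholder>;  -- sent by the client

-- Hardened pattern: end users hold no privileges on the base table at all.
-- Dropping the role also removes the object grants made to it.
DROP ROLE app_dml;

-- Reads go through a view that exposes only the caller's own rows.
-- USER evaluates to the session user, not to the view owner.
CREATE OR REPLACE VIEW app_owner.my_orders AS
  SELECT order_id, item_code, quantity, status
    FROM app_owner.orders
   WHERE created_by = USER;

-- Writes go through a procedure that runs with the owner's privileges
-- (definer's rights) and enforces the business rule inside the database,
-- so the same check applies whichever client connects.
CREATE OR REPLACE PROCEDURE app_owner.cancel_order (p_order_id IN NUMBER) AS
BEGIN
  UPDATE app_owner.orders
     SET status = 'CANCELLED'
   WHERE order_id   = p_order_id
     AND created_by = USER        -- only the caller's own order
     AND status     = 'OPEN';     -- only orders that are still open

  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Order not found, not yours, or not open');
  END IF;
END cancel_order;
/

-- The application account gets the view and the procedure, nothing else.
GRANT SELECT  ON app_owner.my_orders    TO app_user;
GRANT EXECUTE ON app_owner.cancel_order TO app_user;
```

With this layout a user who connects with another SQL client has the same limited view and the same single procedure as the application, so there is no role name or password worth extracting from the binary.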

Similar Messages

  • Assign role request through code not going to Operational level

    Hi All
    We are trying to assign roles through code using the OIM APIs as suggested in the documentation
    "http://docs.oracle.com/cd/E27559_01/doc.1112/e28183/oim_up.htm#autoId40".
    We have 2 approval policies: one is at Request level (i.e. Auto Approval) and the other is at Operational level (Scope=ALL Scope) with a workflow. Once the request is raised successfully with the code, it is getting completed. The expected behavior is that it should go to the approval workflow attached at Operational level.
    When we tried to attach a workflow at the request level, the request is going through Approval workflow attached at request level and once we approve at request level it is getting completed and not going to operational level.
    But we will have Request level as auto approved and Operational level with two level of Workflow.
    Thanks in Advance

    Check whether you have configured Request Type in your approval policy properly for operational level approval. In the Rule Components section check whether you have configured everything correctly. Also, don't raise the request from the system admin login, as it will be treated as a direct provisioning request and your approval policies will not be invoked. Log in as an end user and test it.

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make that assignments through BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • Assign Roles through Custom Reconciliation

    Hi Experts,
    I am looking for a way to assign roles to a user through custom reconciliation. This requirement is part of the reconciliation process which also includes updating the application instance account status for the linked user(which I have done successfully). Please suggest some ways to implement this with the help of api methods. There are no child forms involved.
    Thanks,
    Subin

    For API's,
    You can use this in your recon code and call it when needed,
    You can first find the role key for role details from RoleManager's methods.
    Then, use method grantResource of RoleManager to assign the role to the user.
    Finally you can check the status of addition from RoleManagerResult API.
    Please use the following API references to code,
    http://docs.oracle.com/cd/E23549_01/apirefs.1111/e17334/oracle/iam/identity/rolemgmt/api/RoleManager.html
    http://docs.oracle.com/cd/E23549_01/apirefs.1111/e17334/oracle/iam/identity/rolemgmt/vo/Role.html
    http://docs.oracle.com/cd/E23549_01/apirefs.1111/e17334/oracle/iam/identity/rolemgmt/vo/RoleManagerResult.html
    Edited by: Shashi kiran on Apr 19, 2013 3:15 PM

  • Assigning a ROLE dynamically in PAPI

    Hi, I've got a need to create an instance of a process and assign the ROLE to the instance dynamically through PAPI.
    I know how to create the instance, but not to assign a ROLE to it dynamically.
    Does anyone know how to do this?

    Hi,
    The right way to implement this use case, is to use parametric roles. Instead of creating a regular role, you can place an activity (let's say an interactive activity) in a parametric role. Parametric roles have the particularity that they need to be linked to a process instance variable of type String. This String value can be set dynamically and at runtime even with a value coming as an input argument to the process through the process instance creation.
    So your process pattern could look something like this:
    Begin -> Automatic -> Interactive (in a parametric role referencing the String instance variable called paramRoleValue) -> ...
    The Automatic activity method implementation could have something like:
    paramRoleValue = "part1"
    // We assume the participant that will have visibility is also identified somehow in a process instance variable (at least its userid)
    // Use logic to use the Fuego.Fdi.DirOrganizationalRole + Fuego.Fdi.RoleAssignment to dynamically assign the parametric role with the value "part1" to the target participant(s).
    HTH,
    eduardoc.

  • When Role is assigned to User through membership rule then it's membership is not added to OID ?

    Hi All,
    I have OIM 11gR2 installed with LDAPSync enabled.
    When I tried to assign a Role to a User through a membership rule, the Role was successfully assigned to the User in OIM, but it was not added in OID.
    Role membership is added in OID when the User requests the Role through Catalog search. Also, Role membership is added in OID after running the job 'LDAPSync Post Enable Provision Role Memberships to LDAP'.
    How can I add Role membership in OID as soon as a Role is assigned to a User through a membership rule in OIM?

    Hi
    It sounds like you have not selected anything on the Presentation & Data tab of the Workspace Startpoint/User Service.
    You need to specify:
    Your Asset (the form you want to present to the user)
    An associated Action Profile (tells the server how you want the form rendered...typically it is set to Default which uses the Render PDF Form process)
    The variable to hold your data(typically an xml variable)
    Make sure these are set.
    Diana

  • Assigning a BEx role to BSP - BSP application is missing in PFCG

    Hi everybody,
    at first I will describe our problem.
    We constructed a mixed environment web application, consisting of a BSP application and WAD web templates. Unfortunately the URLs of the web templates and the BSP application differ - meaning the server is the same, but the port is different. That's why it is not easy to link the applications to each other, because for transportation reasons we would like to have relative URL paths.
    After searching the SDN and reading several help files I drew the conclusion that I have to put my BSP application into a BEx role. Correct? If anybody has a better approach, please raise your hand now!
    So, I tried to create a role for my BSP application in the transaction PFCG. To specify the target I chose entry type OTHER and BSP application. But in the appearing list of all BSP applications, my application was missing.
    I really wondered about it, because similar BSPs from other authors within the sap/bc/bsp - folder appeared in the list.
    Question: What are the prerequisites that a BSP application is available in the PFCG transaction?
    Thanks for any comments and helps
    Best regards,
    Sebastian

    Hi Raja,
    thank you for your quick reply.
    you are looking at constructing the BW WAD url and call it from BSP, however the host address (port) differs and coz of that you cannot use relative urls.
    Almost. I'm actually searching for the other way round. I want to call the BSP in an inlineframe of a WAD web template. But its exactly that port change issue, that causes the problem.
    My BSP application is located in a subfolder of default_host/sap/bc/bsp/ ?
    There are other BSPs in that folder which already appear in the PFCG transaction under OTHER.
    Best regards,
    Sebastian

  • Reg:Assigning users to roles dynamically

    Hi all,
    I have different sets of users to whom I can assign roles based on their functionality. I can create them and add delta links in the portal, but I don't want to do this manually. Please also let me know about UME in detail.
    Can we assign roles to users based on some logic or conditions? If yes, please direct me how to do it.
    Reply awaited....
    Regards,
    sitara
    Edited by: sitara kola on Mar 8, 2008 2:47 PM

    I do not know if this works for you but you can use virtual groups to automatically assign users to groups. Say you want to group users by department. Create virtual groups for the department attribute. Then assign the roles you want to assign to the marketing virtual group and the sales virtual group. When you create a new user and assign them to the marketing department, the user is automatically assigned to the marketing group and receives the required roles.
    See the documentation: http://help.sap.com/saphelp_nw04s/helpdata/en/43/fcfa2942ed7067e10000000a1553f6/frameset.htm
    -Michael

  • How can I dynamically change the Application Date Format?

    Hi everyone...
    In my application (v 3.2) I let the user set the application date format dynamically through a "preference" value they can change on the go.
    I then take the format they pick and assign their value (ie: DD-MON-YYYY) and pad 'HH:MI' to it and use this as the PICK_DATE_FORMAT_MASK which works great for most date pickers.
    The problem I have is that some date picker I use in the application don't require the HH:MI, they simply need the DD-MON-YYYY part. Could I use the NLS_DATE_FORMAT for this? Would I then be able to use date pickers with the "use application date format"? It doesn't seem to work for me.
    In other words, I basically need 2 date formats for my application date pickers; 1 for simply the dates and 1 for dates including time. And these 2 formats are chosen by the user by setting an application preference dynamically at run time.
    Not sure if I make sense here....any idea?
    Thanks!
    Francois

    "use application date format" is the choice you want.
    Denes Kubicek
    http://deneskubicek.blogspot.com/
    http://www.opal-consulting.de/training
    http://apex.oracle.com/pls/otn/f?p=31517:1
    http://www.amazon.de/Oracle-APEX-XE-Praxis/dp/3826655494

  • Problems, when creating roles dynamically

    Hi,
    I have an application in which roles and users are created programmatically.
    Now I have an EJB, that wants to call isCallerInRole() for every existing role.
    As I create the roles dynamically, I cannot specify all roles in the deployment-descriptor of the EJB.
    As a result I get a <010013> <EJB "MyBean" referenced an undeclared security role "myRole".> - warning,
    and isCallerInRole() always returns false.
    What do I have to write into the deployment-descriptor, to make the ejb aware of the dynamically created roles?
    Thanks in advance
    Christian Wulff

    What you can do, is create an authorization profile (transaction pfcg) with these objects, and assign them to the user you are using for the trusted connection.
    Kind regards,
    Mark

  • Assign role, group to Human Task when initiated

    Hi all,
    Currently, when a user logs in to BPM and creates a new task instance, I can get the roles and groups of that user programmatically. I want to assign the roles of the user to that task instance dynamically when the user clicks the SUBMIT button (because I want to restrict which users are able to do this task by role; each user belonging to a role and group can do it).
    Somebody help?
    Thanks.

    Hi Ming
    1. If you want to intercept any Actions from a Task like Save, Submit, Approve, Reject etc, you can create your own class like MyAppTaskValidationCallback that implements oracle.bpel.services.workflow.task.ITaskValidationCallback and in this overwrite one method named validateTaskOperation(bunch of parameters). See APIs for this.
    In this method, you can get the action performed on the task. Also you can get the complete Payload of the Task including your custom payload and the standard Task Payload stuff like History, Attachments, Comments etc. You can write some simple XML Parser utility methods to get and set attributes in the Payload xsd schema. So in your case, in this method, get Roles, Groups of the logged in user. Check the action performed. If he is not allowed to do that operation, throw the error from this method. Else continue with your logic. To begin with create java class like above, add this code snippet and just explore the data.
    Now, just curious. If your requirement is really to control the actions based on User Role/Groups, did you try to use the out of box functionality and avoid this custom logic. Say for BPM Applications, we have Swimlanes / Roles. Only users belonging to that Role, can work on that Tasks. Try to use out of box stuff as much as possible, unless you really need custom assignment logic.
    Thanks
    Ravi Jegga
    Just giving the code snippet to get an idea. But do refer the online APIs for more information.
    public void validateTaskOperation(ITaskValidationCallback.TaskAction taskAction, IWorkflowContext iWorkflowContext, Task task, Map<String, Object> parameters, Locale locale, List<String> errors) {
    try {
      Element taskPayload = task.getPayloadAsElement();
      String taskTitle;
      String taskOutcome;
      SystemAttributesType taskSystemAttributes = task.getSystemAttributes();         
      taskTitle = task.getTitle();
      System.out.println("MyAppTaskValidationCallback::validateTaskOperation() Begin For TaskTitle: " + taskTitle + " -> TaskAction: " + taskAction + " -> Parameters:\n" + parameters);
      if(taskAction == TaskAction.ACQUIRE) {
          System.out.println("Inside ACQUIRE");
          //parameters.put("AcquiredBy", iWorkflowContext.getUser());
      } else if(taskAction == TaskAction.OUTCOME_UPDATE) {
        System.out.println("Inside OUTCOME_UPDATE");
      }
    } catch (Exception anException) {
      anException.printStackTrace();
    }
    }

  • How to assign roles to users using WL api?

    Hi,
    We have a requirement to allow creation of new users through application screens and assign groups and roles to those users.
    My users will exist in an external LDAP server while my groups and roles will exist in the embedded LDAP server. Using WL APIs I am able to create users and add them to groups using the code pieces given below:
    ========================================
              userProviderControl.createUserSimple(form.userID, form.password);
              groupProviderControl.addUserToGroup(ocnGroup, form.userID);
    ========================================
    How do I assign roles to this new user programmatically?
    If I add a role from the console (Home > Realm Roles > Summary of Security Realms > myrealm > Realm Roles -> Global Roles) and edit the role condition to add this newly created user, then it works fine. I want to achieve the same, i.e. edit the role condition programmatically.
    Any help will be greatly appreciated.
    Thanks,

    Problem Solved !!!
    The data-type conversion needs to be performed in the SPML2 Person Form. Add a Field called waveset.roles and map it to the SPML2 attribute name being used in your client. It's best done through a rule.....
    If anybody is facing similar problem and need more details....please email me @ [email protected]

  • Assign roles to SSO integrated users

    Hello everyone,
    I'm trying to assign roles to SSO users but I can't. I achieved it with local and LDAP users, but not for SSO users (I want to use my AD users but without LDAP config)
    My platform is vCenter 5.5 U1 for SSO, vCAC appliance + IaaS server, and vCAD appliance. When you register your vCAD with vCAC you can use SSO integrated authentication of vCAC. But, how can I assign roles to SSO users?
    I can access to vCAD with AD users through SSO integrated authentication but all options are read-only.
    Best regards,
    Jose Luis Gomez

    Hello everyone,
    Auto-response.
    When you've registered your vCAD with vCAC, new roles appear in vCAC. These roles are:
    Application Architect
    Application Catalog Administrator
    Application Cloud Administrator
    Application Publisher And Deployer
    Application System Administrator
    You can apply these roles to users or groups but always from vCAC --> Administration --> Groups/Users
    Best regards,
    Jose Luis Gomez

  • How to assign a dynamic value to the value property of a button ?

    Hi Folks,
    I have a need, can i know how to assign a dynamic value to the value property of a button. Scenario is like follows...
    This is a struts based web application
    1. I have a file which consists of login user details (user name and his privileges) for a web application.
    2. I got those user details, into a List.
    3. When a user logged into the web app, in the home page there are few buttons. The type and number of buttons shown depends on the type of user/ user. (Buttons have different combination and the number of buttons available are not constant, they will vary from user to user).
    4. for each button, there will be a different action. I can pass the value of a button to an action class, but here button must have a dynamic value.
    Here is my test code:
    <%
    if (List != null) {
    for (int i = 0; i < List.length; i++) {
    %>
    <html:submit property="rduname" value="<%=List[i]%>" onclick="return submitRdu('<%=List[i] %>');"/>
    <%
    }
    }
    %>
    But my problem is how to assign a dynamic value to the value property of the button (I know 'value= "<%=List[i]%>" ' will not work, just wanted to show you guys).
    Thanks in advance,
    UV
    Edited by: UV_Dev on Oct 9, 2008 2:15 PM

    Let me try. I know I am not good at JSP, but do we need double quotes here?
    value= <%=List%>
    I think JSTL should help you with the dynamic thing.

  • Assigning roles to users programmatically

    Hi,
    I want to programmatically create roles, assign roles to users etc.
    I saw at this thread
    ADF Security Policy Store
    the following scriptlet by Frank Nimphius
    try {
      IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
      try {
        UserManager userManager = idstore.getUserManager();
        RoleManager roleManager = idstore.getRoleManager();
        Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION,"admin");
        // create user
        //TODO check for empty username and password
        User newUser = userManager.createUser(this.username,this.password.toCharArray());
        roleManager.grantRole(adminRole,newUser.getPrincipal());
      } catch (IMException e) {
        // TODO
      }
    } catch (JpsException e) {
      // TODO
    }
    return null;
    this is a TP3 scriptlet, is it still working on the 11g production?
    I try it and i get a JpsException
    oracle.security.jps.JpsException
         at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
    do I have to replace "idstore.xml.provider" with something else depending on my configuration?
    thanks
    Tilemahos

    Hi Frank thanks for the answer,
    I checked this functionality with the WLS embedded LDAP and I saw your "How-to configure OID for authentication in WebLogic Server" post.
    I managed to add users and assign them roles that I created in my application.
    But what if I want to have a super user that can create new roles and assign them member roles?
    eg.
    Developer created roles (policy store):
    accessPage1 (granted all the necessary principals to access page1)
    accessPage2 (granted all the necessary principals to access page2)
    Super user created roles
    Role1 member roles :accessPage1,accessPage2
    If I want my application to have that functionality I must create roles programmatically, won't I?
    Is there another way?
    By the way I followed the advices at the following useful links
    Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
    Frank Nimphius's How-to configure OID for authentication in WebLogic Server
    Edwin Biemond's Using OpenLDAP as security provider in WebLogic
    Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
    And I managed to add users of the Microsoft LDAP to the WLS
    but I couldn't make them group members of my application groups (roles)
    is this possible?
    Thanks
