Assigning Roles to Groups

Similar Messages

• Automatically assign a BP Grouping for a BP Role

  Hi, everyone!
  I would like to automatically assign an specific Grouping range for a BP when creating it in an specific Role.  Now, the user has to select each them separately and sometimes makes mistakes because he selects a wrong Grouping for the Role he is selecting.
  Can this be done?  I will appreciate a lot your help.
  Thanks in advance.
  Adolfo Garay

  Thank you very much, Javier! I will try to explore this.  By any chance, do you have any example that could help me to do this?
  Anyone else have some examples that can be useful for this case?
  Regards,
  Adolfo

• Assign role, group to Human Task when initiated

  Hi all,
  Currently, when user login to BPM and create new task instance, i can get roles and groups of that user by programming. I want to assign roles of user to that task instance dynamically when user click SUBMIT button (Because i want to restrict users belong role are able to do this task, each user belong to a role and group can do it).
  Somebody help?
  Thanks.

  Hi Ming
  1. If you want to intercept any Actions from a Task like Save, Submit, Approve, Reject etc, you can create your own class like MyAppTaskValidationCallback that implements oracle.bpel.services.workflow.task.ITaskValidationCallback and in this overwrite one method named validateTaskOperation(bunch of parameters). See APIs for this.
  In this method, you can get the action performed on the task. Also you can get the complete Payload of the Task including your custom payload and the standard Task Payload stuff like History, Attachments, Comments etc. You can write some simple XML Parser utility methods to get and set attributes in the Payload xsd schema. So in your case, in this method, get Roles, Groups of the logged in user. Check the action performed. If he is not allowed to do that operation, throw the error from this method. Else continue with your logic. To begin with create java class like above, add this code snippet and just explore the data.
  Now, just curious. If your requirement is really to control the actions based on User Role/Groups, did you try to use the out of box functionality and avoid this custom logic. Say for BPM Applications, we have Swimlanes / Roles. Only users belonging to that Role, can work on that Tasks. Try to use out of box stuff as much as possible, unless you really need custom assignment logic.
  Thanks
  Ravi Jegga
  Just giving the code snippet to get an idea. But do refer the online APIs for more information.
  public void validateTaskOperation(ITaskValidationCallback.TaskAction taskAction, IWorkflowContext iWorkflowContext, Task task, Map<String, Object> parameters, Locale locale, List<String> errors) {
  try {
    Element taskPayload = task.getPayloadAsElement();
    String taskTitle;
    String taskOutcome;
    SystemAttributesType taskSystemAttributes = task.getSystemAttributes();         
    taskTitle = task.getTitle();
    System.out.println("MyAppTaskValidationCallback::validateTaskOperation() Begin For TaskTitle: " + taskTitle + " -> TaskAction: " + taskAction + " -> Parameters:\n" + parameters);
    if(taskAction == TaskAction.ACQUIRE) {
        System.out.println("Inside ACQUIRE");
        //parameters.put("AcquiredBy", iWorkflowContext.getUser());
    } else if(taskAction == TaskAction.OUTCOME_UPDATE) {
      System.out.println("Inside OUTCOME_UPDATE");
  } catch (Exception anException) {
    anException.printStackTrace();
  }

• Assigned Role in user Group

  Dear All
    Please help me assigned Role in user Group  . I create user Group  (  SURG ) . But i can't assigned Role ?
  Regards , Thanks
    Lannguyen

  Hello,
  You cannot assign user groups directly to Roles, however you can do the following.
  Use PFCG transaction
  1. Select the role and switch to change mode.
  2. Switch to user tab.
  3. Put the cursor in the blank line and hit F4
  4. You should get a popup window which asks you to provide search criteria for the user.
  5. Switch to 2nd tab Users by Logon criteria, here you should be able to find the selection field User group.
  6. Select the group you created and hit the green tick.
  7. All the users in that group will be listed in the User list tab on the main screen.
  8. Now to complete the user assignment hit the User comparisor button ( it should turn green once done).
  Regards,
  Siddhesh

• Assigning roles to LDAP users through BIP API

  Hi.
  My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
  One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
  I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
  We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
  Is it possible to make that assignments through BIP API?
  If not, any other ideas? New ideas or different approaches are welcome.
  Thanks in advance.

  In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
  During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
  I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
  There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
  Let me know if that helps.

• Assigning roles to users programmatically

  Hi,
  I want to programmatically create roles, assign roles to users etc.
  I saw at this thread
  ADF Security Policy Store
  the folowing scriptlet by Frank Nimphius
  try {
  IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
  try {
  UserManager userManager = idstore.getUserManager();
  RoleManager roleManager = idstore.getRoleManager();
  Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION,"admin");
  // create user
  //TODO check for empty username and password
  User newUser = userManager.createUser(this.username,this.password.toCharArray());
  roleManager.grantRole(adminRole,newUser.getPrincipal());
  } catch (IMException e) {
  // TODO
  } catch (JpsException e) {
  // TODO
  return null;
  this is a TP3 scriptlet, is it still working on the 11g production?
  I try it and i get a JpsException
  oracle.security.jps.JpsException
       at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
  do I have to replace "idstore.xml.provider" with something else depending on my configuration?
  thanks
  Tilemahos

  Hi Frank thanks for the answer,
  I check this functionality at WLS embeded LDAP and I shaw your "How-to configure OID for authentication in WebLogic Server" post.
  I manage to add users and assign them roles that i created at my application.
  But what if I want to have a super user that can create new roles and assign them member roles?
  eg.
  Developer created roles (policy store):
  accessPage1 ( granted all the necesery principals to access page1 )
  accessPage2 ( granted all the necesery principals to access page2 )
  Super user created roles
  Role1 member roles :accessPage1,accessPage2
  If i want my application to have that functionallity i must create roles programmatically wont I?
  If there another way?
  By the way I followed the advices at the following useful links
  Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
  Frank Nimphius's How-to configure OID for authentication in WebLogic Server
  Edwin Biemond's Using OpenLDAP as security provider in WebLogic
  Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
  And I manage to add users of the Microsoft LDAP at the WLS
  but I could't mekae them group members of my application groups (roles)
  is this possible?
  Thanks

• Delivery Assignment to Device group in standalone deployment?

  Hi,
  I am using the standalone deployment of SAP AII 2.1. I have the following two queries regarding assignment of deliveries to device groups.
  1. I am able to assign the same delivery to multiple device groups with same business roles as well as different business roles at the same time.
  For example, I am assigning the delivery to a device group that handles tag commissioning and I also assign the same delivery to a device group that handles the loading at the same time. Is this the correct behavior?
  Or is it that once a delivery is assigned to a device group, it should be first processed by that device group or unassigned before the same delivery can be assigned to a different device group?
  If this is the case, then is there any configuration setting in AII that can control the delivery assignment to device groups?
  2. Logically I believe that only one delivery can be assigned to a device group.
  I assign a delivery to a device group. Then I immediately assign another delivery to the same device group. I believe that the first delivery gets unassigned from the device group, but there is no message to this effect
  Again is there any configuration setting for handling this situation?
  Regards,
  Dhananjay

  What you are deploying is a Client Settings policy, not the client itself. This is akin to a Group Policy Object being linked to an OU. The machines in the collection which already have the ConfigMgr client will process those policies, but additional non-client
  machines added to the collection will not automatically install the client.
  As Torsten indicated, you can deploy the client to these machines using the manual client push method.  Simply right click on the clients themselves (or the collection) and select Install Client.  If doing it at the collection level, I recommend
  against selecting "Always install the client software" in the wizard as it will force an unnecessary repair of the existing ConfigMgr clients. I would recommend testing this on one machine in the collection in question before attempting to do them in bulk.
  Note that this requires that a Client Push Installation account be configured (Administration > Site Configuration > Sites > Client Installation Settings >  Client Push Installation > Accounts tab) which has admin rights on the clients.
  You *DO NOT need to enabled site-wide client push installation* to be able to use the Install Client method in the console. Enabling this will force the client to attempt installation on ALL systems that ConfigMgr sees.

• Error in User Management and Assigning Role

  Hi,
  I have configured LDAP authentication on LiveCycle Server. I get the userlist with LDAP in my admin console under User Management - User & Groups. But as soon I click on any of the LDAP username I am getting error to contact administrator. Same also happens when I check the checbox infront of the username and tries to assing role.
  My Livecycle server is on WAS6.1, I also have server setup on my local where the same LDAP i have configured and I am able to access users and assign role. Is there any problem with WAS6.1 ?
  I checked the logs and i got following exception in server logs.
  [10/24/08 10:57:58:467 EDT] 00000039 IDPLoggedExce W com.adobe.idp.common.errors.Logger$LogConsumer run UserM:GENERIC_WARNING: [Thread Hashcode: 1028668752] | [com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean] errorCode:8193 errorCodeHEX:0x2001 message:getPrincipal public chainedException:java.lang.NullPointerExceptionchainedExceptionMessage:null chainedException trace:java.lang.NullPointerException
  at com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean.getCacheKey s(DirectoryServicesManagerBean.java:1583)
  at com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean.findPrincip al(DirectoryServicesManagerBean.java:1608)
  at com.adobe.idp.um.businesslogic.directoryservices.EJSLocalStatelessDirectoryServicesManage rBean_0dbf3d20.findPrincipal(Unknown Source)
  at com.adobe.idp.um.api.impl.DirectoryManagerImpl.findPrincipal(DirectoryManagerImpl.java:13 8)
  at com.adobe.idp.um.ui.user.CreateNewUserAction.doExecute(CreateNewUserAction.java:139)
  at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
  at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
  at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
  at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
  at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1075)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1016)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
  at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:1 73)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:771)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:679)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:546)
  at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
  at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.jav a:90)
  at com.ibm.ws.web

  Hello Do anyone get anything about above exception, or is there any other information needed, please let me know ?
  I still cannot found the solution for above problem, and it stops me to configuring users on Adobe LiveCycle ES, we have purchased Livecycle ES version 8.0

• ABAP Query : user is not assigned to user group

  Hello All,
  i have created user group using sq03 and assigned user name for change authorization in 'assign users and infosets'.
  But when user tries to run query using sq01 system is giving message 'User XXX is not assigned to any user group'.
  I tried every thing but facing same problem.
  Could anyone please help me out .
  Thanks

  I actually assigned the user group to a role in SQ10.  The user is assigned to the role.  I also created a new post under Security which has more detail:
  http://scn.sap.com/thread/3198604

• Role and groups ?

  What is the difference between roles and groups in Identity Server

  The main difference between roles and groups in Identity Server 5.1 is that you cannot assign policy to groups, only to roles.
  Roles in Identity Server are used to define management permission via ACIs and to allow attribute inheritance via CoS and roles.

• Table for Role & Authorization group

  Hi Gurus,
  I am looking for a table or FM to get all roles for Authorization group.
  I tried in SUIM tcode but could not able to find exact DB table for these.
  Giri
  P.S.: To Moderator:
         My earlier thread was locked for the same question, I was searching in SDN and google from last 3 days and could not able to find enough information on it. AGR_USERS, TBRG, TACT are the tables i found. But still there is a link missed between Role & Authorization Group.

  Thomas,
  My report have selection screen with Auth group and user.
  If user provides Auth. Group then need to find all roles linked to auth group and users assigned to that role.
  In my investigation, there is link between Auth. Group <--> Auth. object.
  Also Auth. Object <--> Role.
  but still there is a fine link missing between Auth Group <--> Role.
  For Eg: Auth Object S_TABU_DIS will be associated to all Auth. Groups but assigned to only limited roles.
  I tried to debug the SUIM transaction multiple times but couldn't find the tables to find the link and not able to find the FM's.
  if anybody have any idea to find that link between Auth. Group & Role then it will be helpful....
  Giri

• How to assign users to group during upload ?

  Hi all,
  we have to upload a lot of users into our EP6.
  according to the documentation it is possible to assign those users to roles during the upload, but we want to use Group-Assignments instead of directly assigning roles to users.
  Is there any possibility to assign groups instead of roles during a user-upload ?
  The doc shows in the Standard-File-Format" the parameters <namespace>:<name> , may those be used for this purpose, when yes, then how ?
  Thanx for any hints...
  Stefan

  Hi,
  do you mean uploading role-group assignments or user-group assignments?
  User-group assignments can be uploaded using the following format (extraxt from UME documentation - section: Standard Format):
  [Group]
  gid=HappyBuyers
  gdesc=This is a group of all satisfied buyers
  user=MarcPeters;JackSmith;Alan_Fox
  Make sure that you upload the groups in a second step after you have already uploaded the users. The userIds you name in the property "user" must exist.
  For uploading role-group assignments I don't know a way but usually you so not have that many ...
  Best regards,
  Oliver

• Role to Group Assignments

  Dear Portal Gurus,
  We are on EP 6.0 SP12.
  We have ADS against which we authenticate EP users.
  There is a group in ADS called (say) GRP_ESS
  We have assigned all ESS users to that group inside ADS.
  Now I want to assign the EP role (say)  "ESS" to that group and store the group to role assignment itself in ADS.
  Pls let me know how to accomplish this.
  FYI :
  We currently had assigned the EP ROle ESS to the group GRP_ESS in EP.Whenever AD is down,we lose all the role to group assignments.We have only read access to ADS from EP due to company policies.
  Pls suggest any better way of accomplishing this.
  Thx.
  Josh

  Hi Josh,
  User (or Group) to Role assignments are stored as UM information on the Portal database, not in the LDAP. To my knowledge there's also no way to store these assignments in LDAP instead (it also doesn't really make sense IMHO). Are you sure you lost all the assignments in the case the LDAP (ADS) is not available? The assignments itself can not be lost due to the above fact.
  Cheers!
  Frodo
  p.s. Feel free to award any points if you find this answer helpful.

• Role & authorization group

  Hi guys,
  is there any table or FM which gives the link between Role & Authorization group?
  Thanks
  Giri
  Moderator message: please try finding this yourself before asking others.
  Edited by: Thomas Zloch on Nov 9, 2010 9:48 PM

  Thanks Soumyaprakash,
  I am developing a report on this to know for which users have the roles and authorization groups assigned to it.
  i need a DB table name or FM to get the link between Role and Authorizaion group.
  Giri

• SAP CRM Error: A number range is not assigned to account group

  Hi Experts,
  We have a stuck BDOC for a BP with "ZEmployee" (custom) role in CRM with error as "Fill in Required fields". We knew this is b'cos one of the mandatory field in not maintained in CRM. After maintaining the mandatory field in CRM; we are re-processing the stuck BDOC and again it is getting into the error message with error "A number range is not assigned to account group Sold-to party".
  We have checked the number range and grouping configuration both in ECC and CRM. But still not able to identify the gaps. Is there a detailed step-by-step approach which can be taken up to resolve the issue.
  Request you quick response.
  Thanks,
  Chaudh.

  HI Chaudh,
  I am facing similiar issue. When i am creating BP in CRM WebUI, I am getting an error message: "Error in Transporting Number Range".
  Could you please share your findings, how you solved your issue?
  Dave