Assigning Roles to Users and Groups

Similar Messages

• How to assign ROle to user

  Hello All,
    I need to programmatically assign roles to user and want to give some authorization at runtime..
  please suggest me which function module to use ..
  please help me asap
  thanks,
  jigs
  helpful answers wil lbe rewarded

  Hi all,
  Thanks for the reply.
    But i want to add one role to user not profile.
    i got one bapi BAPI_USER_ACTGROUPS_ASSIGN, this bapi does work...
  but actually deletes previous roles and then assign new one.
  is there any fm which will add role to user without deleting existing role.
  thanks,
  jigs

• Assigned Role in user Group

  Dear All
    Please help me assigned Role in user Group  . I create user Group  (  SURG ) . But i can't assigned Role ?
  Regards , Thanks
    Lannguyen

  Hello,
  You cannot assign user groups directly to Roles, however you can do the following.
  Use PFCG transaction
  1. Select the role and switch to change mode.
  2. Switch to user tab.
  3. Put the cursor in the blank line and hit F4
  4. You should get a popup window which asks you to provide search criteria for the user.
  5. Switch to 2nd tab Users by Logon criteria, here you should be able to find the selection field User group.
  6. Select the group you created and hit the green tick.
  7. All the users in that group will be listed in the User list tab on the main screen.
  8. Now to complete the user assignment hit the User comparisor button ( it should turn green once done).
  Regards,
  Siddhesh

• Assignment pfcg-role to user and assignment pfcg-role to business role

  Hello, Gurus!
  What is the difference between direct assignment pfcg-role to user and assignment pfcg-role to business role? What is the effect from assignment pfcg-role to business role?
  As  I see authrizations from pfcg-role assigned to business role have no effect to user...
  Best regards,
  Artuк Litvinov.

  Artur,
  The business role assignment does not give a user that PFCG role.  Instead it is just a mapping table and does nothing more. 
  Therefore that UIU_COMP auth object must exist in the PFCG roles assigned to the user in order for them to use the webclient.  In your scenario let's do the following:
  You have pfcg roles:
  RA
  RB
  You a have business role
  B1
  You have users:
  Joe
  Jack
  Business Role B1 is assigned to role RA which contains UIU_COMP.
  User Joe gets business role B1 and roles RB which does not have UIU_COMP.  This will not let him use the webclient.
  User Jack gets business role B1 and pfcg role RA.  This will work because everything is there.
  This means you need both the correct PFCG plus business role setup to make it work properly.
  Take care,
  Stephen

• SPML: search the roles assigned to a user and add others to him

  Hi,
  as in the subject i'm trying to create a method in idmClient to search the roles assigned to a user and then add some other (one or more).
  How can i implement the search/filter of the available roles assigned to a user?
  Thanks in advance,
  Gentjan

  coocooche wrote:
  Hi,
  as in the subject i'm trying to create a method in idmClient to search the roles assigned to a user and then add some other (one or more).
  How can i implement the search/filter of the available roles assigned to a user?I already find how to do it. I have to asked another question about SPML: is there any way to add new roles without searching the old ones?
  In other words i implemented a method that:
  1) search the roles assigned to a user and copy it to a List
  2) add to the List of the old roles, the new ones.
  Is it possible just to add the new roles without doing a search of the old ones? In this way the performance is better.
  Thanks in advance,
  Gentjan

• Need user and Groups assigned to each folders(KM) under service permission

  Hello Experts,
  Need you help for one requirement , in which i need to provide a list of users and groups assigned under Service permission for each KM folders. There is huge amount of folders so it is quite time consuming to get each folders open & to check the service permission and user.
  Do you have any idea on this? Any sugesstion would be appreciated in points.
  -Regards
  AK
  Edited by: AlokSBP on Oct 7, 2011 8:46 AM

  Hi,
  You'll find a lot of help on this if you search for ACL and permission in this forum.
  Here is a code sample of what to use:
  IAclService aclService = (IAclService) repServiceFactory.getRepositoryService(resource, "ServiceAclRepositoryService");
                      IResourceAclManager servAclMgr = aclService.getAclManager();
                      if(servAclMgr != null) {
                           IResourceAcl servAcl = servAclMgr.getAcl(resource);
                           if (servAcl == null) {
                                logger.debugT("no ServiceAcl found ");
                                logger.debugT("getting ServiceInheritedAcl ");
                                servAcl = servAclMgr.getInheritedAcl(resource);
                           if(servAcl == null){
                                logger.debugT("no ServiceInheritedAcl found");
                           }else{
                                // Iterating through the ACL list
                                IResourceAclEntryListIterator servAclList = null;
                                IResourceAclEntry servAclEntry = null;
                                for(servAclList = servAcl.getEntries().iterator(); servAclList.hasNext();)
                                                  //here do what you need to do. For example
  if(servAclEntry.getPermission().getName().equals(IAclPermission.ACL_PERMISSION_FULL_CONTROL))
                                          logger.debugT("This is a Full Group ");
  Regards,
  Thomas
  Edited by: Thomas Pary on Oct 10, 2011 1:59 PM

• MAJOR Open Directory issue: Can't assign Users and Groups that DO exist!

  Just noticed the following today:
  When doing Get Info -> Permsissions on files/folders located on my File Server share, Owner and Group show as (unknown).
  When I go into WGM -> Sharing, and look at files/folders on File Server share this way, the Owner and Group fields are blank.
  When I attempt to (re)assign an Owner or Group by dragging them from Users and Groups section of WGM, error tells me User or Group no longer exists. These Users and Groups clearly do exist in WGM -> Accounts.
  When I look at files on File Server share via CLI, instead of actual names for Users and Groups, I see their uid and gid's. Chowning via CLI fails as well.
  I've noticed all Users and Groups with this issue are OD.
  Server is xServe G4 DP 1.0 GNz/1 GB RAM/Mac OS X Server 10.4.7 Unlimited. This servers been running fine as an OD Master for months now. ACL's are enabled on this File Server share point. I've always had weird permissions issues, but NEVER the inability to assign OD Users and Groups to files/folders.
  I'm at a loss here, not to mention my wits end.
  Did my OD become corrupted?
  Any and all help would greatly appreciated.
  PowerMac G4 733 MHz   Mac OS X (10.4.6)   512 MB RAM

  When doing Get Info -> Permsissions on files/folders located on my File Server share, Owner and Group show as (unknown).
  This means that the Finder can't find a match in the accounts/groups database for the numeric UID assigned to those files. Either the records associated to those accounts have been deleted, or the database is corrupt. In either case, you should restore a copy of it from backup.
  (15686)

• OBIEE+ Where do I assign user and group mappings to the repository objects?

  Hi
  I'm using the Oracle BI Administration Tool and I'm creating users and groups. Where do I map my users and groups to the repository objects?.
  Regards,
  Néstor Boscán

  Hi,
  I was reading your reply for this post. Could you please tell me in which tool you set the User security. I couldn't find Repository Admin in BI Administration tool.
  Repository Admin > Manage > Security.
  Any help would be appreciated.
  Thanks in advance,
  Ravi

• Assigning roles to users programmatically

  Hi,
  I want to programmatically create roles, assign roles to users etc.
  I saw at this thread
  ADF Security Policy Store
  the folowing scriptlet by Frank Nimphius
  try {
  IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
  try {
  UserManager userManager = idstore.getUserManager();
  RoleManager roleManager = idstore.getRoleManager();
  Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION,"admin");
  // create user
  //TODO check for empty username and password
  User newUser = userManager.createUser(this.username,this.password.toCharArray());
  roleManager.grantRole(adminRole,newUser.getPrincipal());
  } catch (IMException e) {
  // TODO
  } catch (JpsException e) {
  // TODO
  return null;
  this is a TP3 scriptlet, is it still working on the 11g production?
  I try it and i get a JpsException
  oracle.security.jps.JpsException
       at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
  do I have to replace "idstore.xml.provider" with something else depending on my configuration?
  thanks
  Tilemahos

  Hi Frank thanks for the answer,
  I check this functionality at WLS embeded LDAP and I shaw your "How-to configure OID for authentication in WebLogic Server" post.
  I manage to add users and assign them roles that i created at my application.
  But what if I want to have a super user that can create new roles and assign them member roles?
  eg.
  Developer created roles (policy store):
  accessPage1 ( granted all the necesery principals to access page1 )
  accessPage2 ( granted all the necesery principals to access page2 )
  Super user created roles
  Role1 member roles :accessPage1,accessPage2
  If i want my application to have that functionallity i must create roles programmatically wont I?
  If there another way?
  By the way I followed the advices at the following useful links
  Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
  Frank Nimphius's How-to configure OID for authentication in WebLogic Server
  Edwin Biemond's Using OpenLDAP as security provider in WebLogic
  Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
  And I manage to add users of the Microsoft LDAP at the WLS
  but I could't mekae them group members of my application groups (roles)
  is this possible?
  Thanks

• Differences between Roles, Schemas, Users and Logins.

  I need differences between Roles, Schemas, Users and Logins. Can anyone help me. Thanks in advance

  Roles:
  I think of creating roles in the database to group users of like
  function.  Roles are granted certain permissions in the database.  You
  should become familiar with the fixed database roles since these will be
  utilized once you start creating users within the database.  Also, once
  you see the type of permissions that are granted to each role, is makes
  more sense.
  Schema: there can be several schemas in a database,
  which will house different types of objects such as tables, indexes,
  stored procedures, functions,  etc.  Users own schemas.  Looking into
  the AdventureWorks database illustrates this concept, with several
  schemas like HR, Production, etc.
  Login: Think about login as
  gaining access to the SQL Server instance.  If a user account is not
  granted any permissions within the instance, you basically just were
  able to unlock the door and enter the room, by creating a user you then
  grant access to the database objects or principals, and can begin to
  work with them. 
  Users:  Users own schemas, and as such will be
  able to manipulate the objects they own.  Some of the manunipulations
  are very permissive, such as creating tables, indexes, stored
  procedures, functions, etc.  These are developers and administrators.
  Users
  are created and granted permissions for application use, which will
  have select, update, insert, and delete and execute permissions  to a
  finite set of objects in the schema, for which the application will need
  to function properly.
  In a client server database, as an
  example, of the structure.  Roles were defined which provides the
  permissions to the database objects in the database, which only has one
  schema 'dbo'. One SQL server login was created with the same username,
  and dbo is the assigned default schema, and the roles assigned to that
  username. 
  In the application, each specific user is given there own
  "application" login which is mapped to the one defined sql server
  login.
  Ahsan Kabir Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread. http://www.aktechforum.blogspot.com/

• Populating users and groups - design considerations/best practice

  We are currently running a 4.5 Portal in production. We are doing requirements/design for the 5.0 upgrade.
  We currently have a stored procedure that assigns users to the appropriate groups based on the domain info and role info from an ERP database after they are imported and synched up by the authentication source.
  We need to migrate this functionality to the 5.0 portal. We are debating whether to provide this functionality by doing this process via a custom Profile Web service. It was recommended during ADC and other presentation that we should stay away from using the database security/membership tables in the database directy and use the EDK/PRC instead.
  Please advise on the best way to approach(With details) this issue. We need to finalize the best approach to take asap.
  Thanks.
  Vanita

  So the best way to do this is to write a custom Authentication Web Service.  Database customizations can do much more damage and the EDK/PRC/API are designed to prevent inconsistencies and problems.
  Along those lines they also make it really easy to rationalize data from multiple backend systems into an orgainzation you'd like for your portal.  For example you could write a Custom Authentication Source that would connect to your NT Domain and get all the users and groups, then connect to your ERP system and do the same work your stored procedure would do.  It can then present this information to the portal in the way that the portal expects and let the portal maintain its own database and information store.
  Another solution is to write an External Operation that encapsulates the logic in your stored procedure but uses the PRC/Server API to manipulate users and group memberships.  I suggest you use the PRC interface since the Server API may change in subtle ways from release to release and is not as well documented.
  Either of these solutions would be easier in the long term to maintain than a database stored procedure.
  Hope this helps,
  -Akash

• Example of creating a valid LDAP user and group in the Portal tree

  I need to create (via bulk LDIP or API) fresh users AND groups into OID that can be used by Portal. In theory it sounds easy - just create an appropriate LDIF file.
  What is the best way to achieve this?
  I don't the know the structure that should be used in the LDIF file that would create the correct structure held for all the Portal users and groups in OID.
  I've looked through the OID admin and dev guides but am still confused as to what exactly I have to do. It seems that Portal accounts are synchronised by a method called Provisioning.
  All I want to do is bulk upload Portal compatible users into the repository.
  Can somebody please assist.
  Cheers,
  John

  I have below changes in files
  1] In jps-config.xml
  -- Added identity store and selected it from drop down in Security Context tab.
  2] In weblogic-application.xml
  In Security tab --> Role assignment mapped valid-users to principle name.
  <security>
  <realm-name>myrealm</realm-name>
  <security-role-assignment>
  <role-name>valid-users</role-name>
  <principal-name>DERDev</principal-name>
  </security-role-assignment>
  </security>
  3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
  4] Added security role "DERDev" along with the default/automatically added role "valid users"
  <security-role>
  <role-name>DERDev</role-name>
  </security-role>
  Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
  Mukesh

• Create worklist user and group's in 11G...

  How to create worklist user's and group's in standart 11G instalation...
  Thanks...

  hI Raj,
  It is very easy to create users,groups,roles in soa suite 11g manually .Just login to the weblogic console and you find a security realms tab click on that then next a page will open with my realms then click on it you will find a users and groups tab on top click on that then lock and edit the session and from there you can create users groups and also assign roles.You can also use external ldap if you want,Please let me know if this clarifies your doubt

• LDAP User and Group import

  My client has OAM as SSO provider. They want the LDAP Agent to import only users and groups but not the group memberships.
  What setting should I Use for LDAP authentication ?

  I have below changes in files
  1] In jps-config.xml
  -- Added identity store and selected it from drop down in Security Context tab.
  2] In weblogic-application.xml
  In Security tab --> Role assignment mapped valid-users to principle name.
  <security>
  <realm-name>myrealm</realm-name>
  <security-role-assignment>
  <role-name>valid-users</role-name>
  <principal-name>DERDev</principal-name>
  </security-role-assignment>
  </security>
  3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
  4] Added security role "DERDev" along with the default/automatically added role "valid users"
  <security-role>
  <role-name>DERDev</role-name>
  </security-role>
  Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
  Mukesh

• LDAP user and group configuration in ADF application

  Hi All,
  I have to use LDAP user and groups in my ADF application. I have configured the LDAP on WLS server successfully and can see all users/groups under tab "User and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of groups. Created Application role in jazn-data.xml and assigned a role of Enterprise Role.
  However not added any user in jazn-data.xml. Which i guess not required because it will picked from LDAP.
  Now how to configure the JDeveloper to use those users ? What changes need to make in jazn-data.xml ? or in jps-config.xml / web.xml/ weblogic-application.xml
  Am i missing nay configuration step. i have referred ADF Security set up - step by step tutorial - quick question but not found useful
  I am using JDeveloper 11.1.1.5.
  Thanking you all in advance.
  Mukesh.

  I have below changes in files
  1] In jps-config.xml
  -- Added identity store and selected it from drop down in Security Context tab.
  2] In weblogic-application.xml
  In Security tab --> Role assignment mapped valid-users to principle name.
  <security>
  <realm-name>myrealm</realm-name>
  <security-role-assignment>
  <role-name>valid-users</role-name>
  <principal-name>DERDev</principal-name>
  </security-role-assignment>
  </security>
  3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
  4] Added security role "DERDev" along with the default/automatically added role "valid users"
  <security-role>
  <role-name>DERDev</role-name>
  </security-role>
  Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
  Mukesh