Associating roles with LDAP Groups

I see in a number of places where I can define roles using a "principal-name".
Can I use a realm group here as well as a single user? What I'm looking for is
a method where I can set up my roles in my web apps and EJBs and then on the
fly grant users rights by adding them to a group. Certainly seems possible but
I must be missing something.
Consider the following example (from the weblogic documentation) and let me know
if I can use realm groups for the section attributed to the weblogic.xml file.
(I marked it with ***).
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureOrdersEast</web-resource-name>
    <description>Security constraint for resources in the orders/east directory</description>
    <url-pattern>/orders/east/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>constraint for east coast sales</description>
    <role-name>east</role-name>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <description>east coast sales</description>
  <role-name>east</role-name>
</security-role>
<security-role>
  <description>managers</description>
  <role-name>manager</role-name>
</security-role>

weblogic.xml entries *** Can these come from the realm????????***
<security-role-assignment>
  <role-name>east</role-name>
  <principal-name>tom</principal-name>
  <principal-name>jane</principal-name>
  <principal-name>javier</principal-name>
  <principal-name>maria</principal-name>
</security-role-assignment>
<security-role-assignment>
  <role-name>manager</role-name>
  <principal-name>peter</principal-name>
  <principal-name>georgia</principal-name>
</security-role-assignment>
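Worked example, added here and not part of the original post or of WebLogic's own code: it parses the web.xml and weblogic.xml fragments above and resolves authorization against a constructed stand-in for the realm's group membership, with the "east" role mapped to a group principal (the group name EastCoastSales is an assumption) so that access is granted by adding a user to the group instead of editing the descriptor.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragment, reduced to the security-relevant elements of the post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/orders/east/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>east</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed weblogic.xml: "east" mapped to a realm group (name EastCoastSales is an assumption).
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>east</role-name>
    <principal-name>EastCoastSales</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>manager</role-name>
    <principal-name>peter</principal-name>
    <principal-name>georgia</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

# Constructed stand-in for the realm (LDAP) group membership: group -> members.
REALM_GROUPS = {"EastCoastSales": {"tom", "jane", "javier", "maria"}}

def parse_constraints(web_xml):
    """[(url_patterns, methods, roles)]; roles None = no auth-constraint, [] = deny all."""
    out = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [e.text.strip() for e in wrc.findall("url-pattern")]
            methods += [e.text.strip().upper() for e in wrc.findall("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [e.text.strip() for e in ac.findall("role-name")]
        out.append((patterns, methods, roles))
    return out

def parse_role_assignments(weblogic_xml):
    """{role: {principal, ...}}; a principal is a realm user name or a realm group name."""
    out = {}
    for sra in ET.fromstring(weblogic_xml).findall("security-role-assignment"):
        role = sra.findtext("role-name").strip()
        out.setdefault(role, set()).update(e.text.strip() for e in sra.findall("principal-name"))
    return out

def url_matches(pattern, url):
    """Servlet url-pattern semantics: path prefix (/x/*), extension (*.ext) or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return url == prefix or url.startswith(prefix + "/")
    if pattern.startswith("*."):
        return url.endswith(pattern[1:])
    return url == pattern

def roles_of(user, assignments, realm_groups):
    """Roles held: granted if any principal of the role is the user or a group containing the user."""
    mine = {user} | {g for g, members in realm_groups.items() if user in members}
    return {role for role, principals in assignments.items() if principals & mine}

def is_authorized(user, url, method, constraints, assignments, realm_groups):
    """Apply every matching constraint. Servlet 2.x gotcha: listing http-methods
    leaves the unlisted methods (e.g. DELETE on /orders/east/*) unconstrained."""
    granted = roles_of(user, assignments, realm_groups)
    for patterns, methods, roles in constraints:
        if not any(url_matches(p, url) for p in patterns):
            continue
        if methods and method.upper() not in methods:
            continue
        if roles is not None and not granted & set(roles):
            return False
    return True

if __name__ == "__main__":
    c, a = parse_constraints(WEB_XML), parse_role_assignments(WEBLOGIC_XML)
    REALM_GROUPS["EastCoastSales"].add("sam")  # grant on the fly: no descriptor edit
    print([is_authorized(u, "/orders/east/q1", "GET", c, a, REALM_GROUPS) for u in ("maria", "sam", "bob")])
```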

See my answer to your question:
Simple (dumb) role/group question
Yong
"Ilango Maragathavannan" <[email protected]> wrote:

Similar Messages

  • Transport roles (with assigned group) containing folders and iviews

    Hi,
    This message was in the BI forum before and I think that it suits here better.
    I created a portal role which is contained in a folder X under Portal Content. This portal role is associated with a particular ABAP menu-role by means of Assigned Groups. When I transported the folder X with all dependent objects from Dev to QA, the portal role appeared but the Assigned Groups is empty. In other words, the association between portal role and the ABAP menu-role could not be transported. How can Associated Groups in a Portal Role be transported?
    Then I also tried to do the following steps:
    1. Export and import portal contents which include the whole structure with folders, roles and iviews under each role.
    2. Export and import the same roles as user management data
    The result from 1 was that the whole structure including the roles is imported; however none of the portal role contains the associated assigned group.
    The result from 2 was that the UME roles with assigned group are imported as separate objects.
    Now, the same role appears both as portal role without assigned group and the UME object with assigned group. But, there is no connection between 1 and 2. That means that I cannot use 2 anyway.
    Therefore, I still have to manually modify 1 with assigned role once again after importing step 1. Is there a way to import 1 with the associated assigned group without any manual modification?
    Thank you in advance for any helpful advice.
    Best regards,
    Zabrina

    hi,
    check the following threads
    http://help.sap.com/saphelp_nw04/helpdata/en/6d/7c8cfd410ea040aadf92e1f78107a4/frameset.htm
    Re: Transport management in BW 2004s
    let me know if you need any further info
    bvr

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Matching ABAP Roles with UME Groups

    Hello,
    we are facing the following issue:
    We are providing Business Warehouse access via NW Portal beside the "normal" abap system. Therefore we need to put every new user into a special UME-group. How can we match ABAP-Roles with UME-Groups?
    We just want to assign a single (portal-)role to a user in the ABAP stack, not another group in the UME. Is this possible?

    Sascha Landowski wrote:
    We did it a little bit different, but that's it. We had an existing portal group with the needed portal roles. We created a new group in reference to an existing ABAP role and gave it the portal roles.
    In fact that's what I suggested, Sascha. However, it's a very common construct in EP; glad it worked for you
    regards

  • Select list populated with ldap group membership attributes

    Is it possible to query an LDAP group and retrieve all the members of the group?
    For example, if I have an LDAP group with members' login name, I want to retrieve all login names and populate a select list so the end-user can choose a login name from the group.
    Thanks, alan.

    The problem is the second query. I would guess that the TO_CHAR(co) is not unique for each account, but is the same for the accounts. And as the second item in the select-list is the list item's value, all your list item entries have the same value. Therefore, if you select any entry, the list will always go to the first entry again.
    Adjust your query.

  • Assign role to LDAP group

    Hello,
    I've assigned a role to an LDAP group in portal. But when accessing it displays: 'No portal roles are assigned for this user'.
    The user is included in the LDAP group but I don't know why it doesn't display anything.
    Please, do you know what it could be?
    Thanks in advance

    Hi Isabel,
    this really IS strange. Can you assign this user to a group defined in the database and try to assign a role to this group? Is it working then?
    If this is working, then we probably have to increase the log levels and check from there.
    You could also try to remove the role from the group and reassign it again.
    If it's not working: remove it again and this time search for the role and assign the group to it.
    Please come back if it is not working. Then we will try to dig deeper.
    Regards,
    Holger.

  • Fail to create roles with users in LDAP

    I installed and configured two Directory Services one for AM and one for identity. I created an LDAP Data Store for the root realm and can see the LDAP users in the Subjects->User tab in AM. I can create Subjects->Groups and add LDAP users successfully, but I cannot create Subjects->Roles with LDAP users. I get the following error:
    Plug-in com.sun.identity.idm.plugins.files.FilesRepo: Unable to find entry: C:\SFU\app\ironscale\amserver\idRepo\user\awhite
    Any ideas? I also found it odd that my new Group was created in the FileRepo under idRepo/group. I thought it would have been written to the AM DS.
    I deleted the flat file Data Store and the Group/Roles tabs disappeared. Must I import additional LDIFs to my LDAP Identity DS to store roles and groups in that DS?

    Update.
    I deleted LDAPv3 Plug-in Supported Types and Operations values group, user, and role, based on Sun's Access Manager training class examples. I re-added them and deleted the File Data Store and groups now get created in the LDAP Identity repo. However when I create a role and add users the operation successfully completes. But I cannot find the roles using an LDAP browser. I can grep the role name from the LDAP database and the roles remain after restarting the db and AM. It appears AM is adding roles in a way other tools cannot see them.

  • Identity Service LDAP with dynamic grouping

    Hi all,
    We are developing an enterprise application with oc4j and bpel.
    First we managed to handle user management with XML based JAZN tool.
    After that, we managed to connect the identity service with the iPlanet LDAP server and get users and roles (with static groups defined).
    But our client wanted static and dynamic groups together in their LDAP server, because of the complexity of their current user base.
    When we try this, we cannot get the roles that are assigned with dynamic groups. But we can get the roles that are statically defined.
    We check the roles from the worklist application (integration/worklistapp... thing..) and we see the static groups but cannot see the dynamic ones.
    There is a section in is_config.xml like:
    <roleControls>
    <property name="nameattribute" value="cn"/>
    <property name="objectclass" value="groupOfUniqueNames"/>
    <property name="membershipsearchscope" value="onelevel"/>
    <property name="memberattribute" value="uniquemember"/>
    <search searchbase="ou=Groups,dc=dummy,dc=com,dc=tr" scope="onelevel" maxSizeLimit="1000" maxTimeLimit="120"/>
    </roleControls>
    I think the property uniquemember has an effect in this situation but I cannot find any sample configurations using dynamic groups in LDAP.
    Hope somebody has already done that..

    I found a solution here:
    http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10226/hwf_config.htm
    I am currently using weblogic's defaultAuthentication to test BPM 11g.
    I do not know if this approach works in production environment.

  • LDAP Group

    Is there a way to control the depth TES 6.1 can query AD Groups?
    For example, I created AD sec groups TESScheduler, TESMigrators, TESOperator and TESInquiry.
    Inside AD group TESScheduler, I want to add another AD security group instead of an AD Account (user).
    When I tried it, TES 6.1 will not recognize the AD security group inside the AD security group; it only works when I put in users.
    Also, since moving the security policy to be associated to the LDAP Group, I can no longer impersonate the users.  I may have read this somewhere (probably since sec policy is no longer associated with user); does someone remember where this was mentioned?

    Thanks for the response - I just wanted to check if maybe there is a configuration setting that can be tweaked currently.  I will log a case since this will make it easier for me to get away from managing users.
    Did have a follow-up question to get an idea of how everyone else is using the LDAP group capability.    We are very distributed in terms of teams/workgroups - each team has total autonomy over their jobs and objects they own and job activity functions.
    With the help of consultants, this is what we have devised; I'll outline the challenges with it:
    First we decided to use the team's existing AD sec group to control the functional aspect of security (as in which workgroup they have access to).  This ensures that Tidal access to workgroups is always up to date - in case someone joins the team or leaves the team.
    We then create an LDAP group for each workgroup (associating runtime users and agents with the LDAP group).  We took any users and agents out of the workgroups and moved them to the LDAP group.
    Then we created four new AD sec groups to control what users can do with the objects they have access to:
    - TESScheduler
    - TESOperator
    - TESMigrator
    - TESInquiry
    Lastly in Tidal, we create the 4 LDAP groups for the security policy access, linking them to the new AD sec groups.
    So that, for example, if Pete belongs to the Finance team and is a scheduler: he is automatically in the Finance team AD sec group as soon as he is hired.  Then someone (Tidal Admin) adds him manually to the TESScheduler AD sec group - then voila, he can log into Tidal with the appropriate access.
    Challenges with this (aside from the bug I encountered when adding an LDAP group to a workgroup >_<):
    - it would be nice if I could add the team's AD sec group into TESScheduler (as mentioned in my original post)
    - I am still having to be in the picture whenever someone needs Tidal access granted or revoked, because a central body needs to make sure that a user is not in more than one of the sec policy AD groups (TESScheduler, TESOperator, ...).  We have sold this LDAP group thing as a way for teams to finally control their own access, but that is not really the case.
    We have decided to live with this model but wondered if other implementations with distributed user bases have other ways to deal with this.  I can obviously open the 4 new sec policies for the teams to edit on their own, but I cannot guarantee they will check for duplicates and not accidentally delete other folks etc.  Also, some folks who belong to multiple workgroups have to be handled differently, since they may want to be schedulers for Finance but Marketing requires them to be operators only - which means they really can't be schedulers.  In this case, they have to be operator only to belong in both groups, or not be in Marketing at all to get Scheduler privs.  Kind of goes against the cumulative access model that Tidal 6 is based on.

  • Can an email address be a member of an LDAP group even if it isn't associated with an object in the Directory Server?

    Can an email address be a member of an LDAP group even if it isn't
    associated with an object in the Directory Server?
    General members of a group are the members defined in the
    Directory Server. They are full-fledged members of the group who
    may have a set of permissions associated with their membership,
    a title, or other attributes. Mail-specific users are users who
    are not full-fledged members of the group, but who receive mail
    sent to the group. Mail-specific users need not be identified as
    a user in the Directory Server--an email address is sufficient.
    An example of this is a group of salespeople, all of whom are in
    the group "North American Sales Team." They have access to a
    sales-tracking database, on-line quota information, and
    competitive information. The mail-specific users of this group
    are the admins who support the members of the sales team, who need
    to get the mail that goes out to the group, but don't need access
    to the applications and information that the salespeople do.

    Hey EllyK,
    Welcome to the BlackBerry Support Community Forums.
    Thanks for the question.
    I would suggest performing this workaround and then try to login to BlackBerry Link:
    Open BlackBerry World on the BlackBerry smartphone and sign in using the BlackBerry ID. 
    Connect the BlackBerry 10 smartphone to the computer. 
    Open BlackBerry Link
    Sign in using the BlackBerry ID. 
    Let me know if the issue still persists.
    Cheers.
    -ViciousFerret

  • LDAP/AD Role group user login issue in sharepoint 2010 FBA with LDAP

    Hi.
    I created a SharePoint 2010 site with LDAP FBA. If I add the AD user as a form-based user and try to log in to my site it works very well, but if I add an AD group to my site and try to log in with one of the AD users of this group it says "Access Denied".
    In my project we want to add AD groups to SharePoint groups, not individual AD users.
    Can anyone help me with this please? It's urgent.

    I added both the LDAP membership and LDAP role provider. And I can also find groups in the people picker in my Central Admin and FBA web app site collection.
    <add name="ADMembers"
    type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
    server="company.com"
    port="389"
    useSSL="false"
    userNameAttribute="sAMAccountName"
    userContainer="DC=company,DC=com"
    userObjectClass="person"
    userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
    userDNAttribute="distinguishedName"
    scope="Subtree"
    enableSearchMethods="true"
    otherRequiredUserAttributes="sn,givenname,cn"
    />
    <add name="ADRoles"
    type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="Company.com"
    port="389"
    useSSL="false"
    groupContainer="DC=Company,DC=com"
    groupNameAttribute="cn"
    groupNameAlternateSearchAttribute="samAccountName"
    groupMemberAttribute="member"
    userNameAttribute="sAMAccountName"
    dnAttribute="distinguishedName"
    groupFilter="(ObjectClass=group)"
    userFilter="(ObjectClass=person)"
    scope="Subtree" />

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    i am trying to build up a synchronised user management with an LDAP server between EP, Web AS Java and Web AS ABAP.
    My thought is to administrate the users in the LDAP directory. The users will be assigned to groups.
    In EP and Web AS Java it's no problem to assign these groups to roles and then just change the users in the LDAP group and achieve synchronised user management.
    In Web AS ABAP it seems impossible to assign roles to groups.
    The question is: is it possible to map LDAP groups with the LDAP connector of the Web AS ABAP to roles in an ABAP system?
    Or is there another way to administrate users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case you have to use the concept of central user administration. Use the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps you get a fair bit of an idea
    don't forget to give points
    With regards
    subrato kundu

  • Automatic upload of roles from ECC to portal (UME with LDAP)

    Hi experts,
    This thread reopen the question asked on the following message : automatic upload of roles from BI to portal
    However, it concerns this time "UME with LDAP".
    Problematic :
    SAP Library 04s tells us that it is not yet possible to automate role replication (or role assignment replication) from an ABAP-based back-end to NetWeaver Portal. Only a manual process for the initial upload is possible.
    Source = http://help.sap.com/saphelp_nw04s/helpdata/en/41/5e4d40ecf00272e10000000a155106/frameset.htm
    Questions :
    1 - Did anyone ever try to implement such an automatic tool ?
    2 - What if I'm not able to write to the Active Directory? Am I still able, at least, to automate role assignment replication from an ABAP-based back-end to NetWeaver Portal (i.e. UME with LDAP)? Directly from SAP R/3 to EP through UME, without passing through Active Directory, since the group field is not maintained in AD.
    Many thanks for your inputs
    Alexis MARTIN

    Hello,
    As I did not read the previous thread I don't know what exactly you are trying to achieve, but I can tell you about what we have done - as far as it is not too late yet.
    We use the portal with integration to a BI system. In the ABAP stack we have lots of roles with menu items for hundreds of reports. We want the users to see these roles in the portal.
    First we have used the role migration tool of the portal to upload these roles. There is a Java API for executing role uploads from code. You need to create a webservice in the java stack to call this api, and can call the webservice from ABAP.
    However it is just a question of time and role size until this will not work at all. Standard role migration is more or less crap, stability is a problem. It also creates a lot of logs in the PCD and thus fills the database with trash. (After a few OSS messages there is now a program for deleting logs + you can turn off logging.) Also upload of larger roles takes up to an hour, and you always have the problem that your portal roles are not up to date during the day.
    When I got completely fed up, I implemented my own navigation connector. When you log on to the portal it will connect to the ABAP stack via RFC, load the role, and generate the portal menu from it. It uses caching, but on every logon it checks whether the role has been updated in ABAP since the last time it was loaded. It is up to date, faster than PCD navigation, and you need absolutely no periodical synching at all. I can't even understand why this is not offered by SAP per standard!
    Drawback is that it will of course only work for the menu items, and only menu items with an "URL-type" are supported. I'm pretty sure however that it would be possible to implement a few other types as well.
    Let me know if you are interested in the solution, I can give you a few additional details: oliverDOTsvisztATwienerbergerDOTcom
    Oliver

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where can the mapping be defined between LDAP groups and WebLogic roles? I have
    2 groups in iPlanet: Contractors and Employees, and I have 2 security roles in WebLogic:
    contractors and employees. How do I map LDAP group contractors to WebLogic security
    role contractors? Similarly for employees?
    2. I have not defined contractors and employees under the People container in iPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of WebLogic (the WebLogic Security Realm
    under People) OR do I have to write my own custom code?
    3. I am planning to use Roles instead of groups to manage the logical grouping in
    iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration
    parameters)?
    This is very urgent ....so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. you don't have to
    download any additional driver. Use it as you normally would only thing to
    remember is if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the instructions that came with
    it are for WLServer 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • OVD/OID group reconciliation in OIM 11g with LDAP sync

    Hi All!
    Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
    I have OIM with LDAP sync and user and role provisioning to OVD is working.
    best
    mp

    Hi,
    I want to Integrate OIM and OID. Can you guide me in doing so?. The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID i should use.
    Note: I am new to OID and OIM.
    Thanks in advance.
    Regards,
    Kazmi
