Authorization in Access Control Context
Hi Experts,
I have an authorization problem for some users in Access Control Context,
1. We have created a user in SAPGUI and assigned a role similar to SAP_PLMWUI_DESIGNER (we copied it and made some modifications, but nothing that should matter)
2. Then we assigned this role to a context and assigned the user to the role in SAP WUI.
3. But when we log on with this user and try to display a document which is assigned to or owned by the context (we tried both), we get the following message:
Document DRW/xxxxxx does not exist or access authorizations are missing
What authorization is missing, any thoughts?
Kind regards
Mikael
Hi Santosh,
thanks for quick reply,
All needed activities are checked for PLM_DIR; for the moment I am not able to assign SAP_PLMWUI_OBJECT_REUSER, but this should not be necessary, should it?
I have the same problem for a user assigned to the role SAP_PLMWUI_DESIGNER.
Because of authorization issues we use all the single roles in each composite role above.
-> i.e., in ACC I haven't assigned the user to one composite role but to all single roles separately; can this be the problem?
or can it be something else that I missed?
Kind regards
Mikael
Similar Messages
-
Access Control Context in Engineering Record screen
Hello Gurus,
I need to remove the Access Control Context and Owning Tet field from the PLM Engineering Record screen. Is it possible to do with configuration to hide these fields?
I removed from "Specify Object Types for PLM Authorization check".
Kindly advise.
Thanks & Regards
Jo
Hi Jo,
You cannot hide it via configuration, as the access control context is coming from component reuse. I created it while my team was developing PLM ECR in SAP Labs India.
One possible approach is to do a custom development to hide this field.
Thanks & Regards,
Abhishek. -
Access control for different user groups in APEX 4.0
Hi guys,
in Apex 4.0, is there any way to use the access control page to configure access control for different user groups?
The access control page currently only has an access control list by users with 3 privileges, namely Administrator, Edit & View, where Administrator has the highest access level & View the lowest. Therefore 1 user cannot have more than 1 privilege; however, if the user belongs to 2 or more different groups then we can control what access he can have in a more fine-grained manner. We also want to have more than the 3 privileges given.
Can we assign different groups to different users and let them have different privileges to be configured by page, region, process or item level?
Now Apex will create 2 tables, Apex_Access_Control & Apex_Access_Setup to store the application access control mode & access control list. It will also create 3 authorization schemes "access control - administrator", "access control - edit" & "access control - view" based on the 2 tables.
Does this mean we have to change the table structures & edit the authorization schemes to suit our usage? We are reluctant to do this because if we upgrade to a newer version of Apex then we would have to merge our pl/sql coding with Apex's updated code.
How can we auto-configure more than the 3 authorization schemes in the access control page? Is there any way to achieve a finer grain of access control based on the current access control administration page given by Apex without writing it ourselves?
We are afraid that we may have missed something on Apex access control & do not want to reinvent the wheel.
Hi Errol,
To build your own application authorization scheme around the security model supplied by Apex for administration of the Apex environment would be a bad idea.
This was never intended for authorization scheme management in custom built Apex applications, it was solely intended to control access in the Apex environment overall. The API for it is not published, and making changes to it, such as adding more roles, would run the risk of breaking the overall Apex security model. It would not be supported by Oracle and Oracle would not guarantee the upwards compatibility of any changes you make in future versions of Apex.
In short, you should follow Tyson's advice and build your own structure. As he indicated, there are plenty of examples around and provided your requirements are not too complicated, it will be relatively simple.
Regards
Andre -
ADF Authorization for ADF Mobile:Configuring Access Control URL for ADF App
Can someone explain how to expose WebLogic user roles as a REST JSON API? Basically I want to set up an Access Control URL to authorize users on ADF Mobile.
Hi Frank,
This is what I did. Could you please let me know if I am doing it right.
1. Created an adf application with a simple page and applied security basic http authentication.
2. Added a REST service implementation in the same application and changed the ADF application web.xml as below
    <servlet-mapping>
        <servlet-name>jersey</servlet-name>
        <url-pattern>/jersey/*</url-pattern>
    </servlet-mapping>
3. When I test the REST service in the browser, it asks me to log in and returns the user roles. Below is my REST implementation
    @POST
    @Produces(MediaType.APPLICATION_JSON)
    public User getMessag3() throws Exception {
        return new User();
    }
The REST service returns the logged-in user's roles in the JSON format below.
{"userid":"susant","roles":["SSBAccessGroup","authenticated-role","SSBAccessApp","anonymous-role"],"priviledges":[]}
Do I need to implement anything on the ADF Mobile side, or can I just add the REST service URL to the authorization tab? Will ADF Mobile automatically handle sending the HTTP request?
Actually, I just added the REST service URL to the adfmf-application connections authorization tab and I am getting an "ACS failed" error after logging in.
Thanks -
Error GRC Access Control 10.0
We have a problem when we execute the following steps in GRC Access Control 10.0
SPRO --> Governance, Risk and Compliance --> Access Control --> Access Risk Analysis --> Batch Risk Analysis
We applied the following note, but the problem is the same.
1563583 - SYSTEM_NO_TASK_STORAGE dump on AIX
Category: ABAP Programming Error
Runtime Errors: ASSERTION_FAILED
ABAP Program: CL_GRRM_DASHBOARD_MENU_AUTH===CP
Application Component: GRC-RM
Date and Time: 13.03.2013 11:50:04
Short text
The ASSERT condition was violated.

What happened?
In the running application program, the ASSERT statement recognized a situation that should not have occurred.
The runtime error was triggered for one of these reasons:
- For the checkpoint group specified with the ASSERT statement, the activation mode is set to "abort".
- Via a system variant, the activation mode is globally set to "abort" for checkpoint groups in this system.
- The activation mode is set to "abort" on program level.
- The ASSERT statement is not assigned to any checkpoint group.

What can you do?
Note down which actions and inputs caused the error.
To process the problem further, contact you SAP system administrator.
Using Transaction ST22 for ABAP Dump Analysis, you can look at and manage termination messages, and you can also keep them for a long time.
|
Error analysis
The following checkpoint group was used: "No checkpoint group specified"
If in the ASSERT statement the addition FIELDS was used, you can find the content of the first 8 specified fields in the following overview:
" (not used) "
" (not used) "
" (not used) "
" (not used) "
" (not used) "
" (not used) "
" (not used) "
" (not used) "
|
How to correct the error
Probably the only way to eliminate the error is to correct the program.
If the error occures in a non-modified SAP program, you may be able to find an interim solution in an SAP Note.
If you have access to SAP Notes, carry out a search with the following keywords:
"ASSERTION_FAILED" " "
"CL_GRRM_DASHBOARD_MENU_AUTH===CP" or "CL_GRRM_DASHBOARD_MENU_AUTH===CM001"
"IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED"
If you cannot solve the problem yourself and want to send an error notification to SAP, include the following information:
1. The description of the current problem (short dump)
   To save the description, choose "System->List->Save->Local File (Unconverted)".
2. Corresponding system log
   Display the system log by calling transaction SM21. Restrict the time interval to 10 minutes before and five minutes after the short dump. Then choose "System->List->Save->Local File (Unconverted)".
3. If the problem occurs in a problem of your own or a modified SAP program: The source code of the program
   In the editor, choose "Utilities->More Utilities->Upload/Download->Download".
4. Details about the conditions under which the error occurred or which actions and input led to the error.
System environment
SAP Release..... 702
SAP Basis Level. 0012
Application server... "KIO13701"
Network address...... "172.20.1.137"
Operating system..... "AIX"
Release.............. "7.1"
Hardware type........ "00F6C78E4C00"
Character length.... 16 Bits
Pointer length....... 64 Bits
Work process number.. 10
Shortdump setting.... "full"
Database server... "KIO13701"
Database type..... "DB6"
Database name..... "DGR"
Database user ID.. "SAPDGR"
Terminal.......... "192.168.0.5"
Char.set.... "C"
SAP kernel....... 720
created (date)... "Jul 8 2012 19:43:01"
create on........ "AIX 2 5 00092901D600"
Database version. "DB6_81 "
Patch level. 300
Patch text.. " "
Database............. "DB6 08.02.*, DB6 09.*, DB6 10.*"
SAP database version. 720
Operating system..... "AIX 2 5, AIX 3 5, AIX 1 6, AIX 1 7"
Memory consumption
Roll.... 0
EM...... 8379584
Heap.... 0
Page.... 16384
MM Used. 6205712
MM Free. 2170976
User and Transaction
Client.............. 100
User................ "LVELASCO"
Language key........ "E"
Transaction......... " "
Transaction ID...... "51400164B1F00C40E1008000AC140189"
EPP Whole Context ID.... "5140015EB1F00C40E1008000AC140189"
EPP Connection ID....... "5140F9B0B19C1150E1008000AC140189"
EPP Caller Counter...... 1
Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
Screen.............. "SAPMHTTP 0010"
Screen Line......... 2
Debugger Active..... "none"
Server-Side Connection Information
Information on Caller of "HTTPS" Connection:
Plug-in Type.......... "HTTPS"
Caller IP............. "192.168.0.5"
Caller Port........... 44300
Universal Resource ID. "/sap/bc/webdynpro/sap/grfn_service_map"
Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
Screen.............. "SAPMHTTP 0010"
Screen Line......... 2
Information on Caller ofr "HTTPS" Connection:
Plug-in Type.......... "HTTPS"
Caller IP............. "192.168.0.5"
Caller Port........... 44300
Universal Resource Id. "/sap/bc/webdynpro/sap/grfn_service_map"
Information on where terminated
Termination occurred in the ABAP program "CL_GRRM_DASHBOARD_MENU_AUTH===CP" - in "IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED".
The main program was "SAPMHTTP ".
In the source code you have the termination point in line 59 of the (Include) program "CL_GRRM_DASHBOARD_MENU_AUTH===CM001".
Source Code Extract (Source code has changed)
Line   SourceCde
   29        lv_dashboard = lv_value.
   30
   31        TRANSLATE lv_dashboard TO UPPER CASE.
   32
   33        CASE lv_dashboard.
   34          WHEN 'HEATMAP'.
   35            lv_report = 'GRRM_HEATMAP'.
   36
   37          WHEN 'LOSS_OVERVIEW' OR 'LOSS_STRUCTURE' OR 'OB_LOSS_OVERVIEW' OR 'OB_LOSS_STRUCTU|
   38            lv_report = 'GRRM_LOSS_ANALYSIS'.
   39
   40          WHEN 'OVERVIEW'.
   41            lv_report = 'GRRM_OVERVIEW'.
   42
   43          WHEN OTHERS.
   44            ASSERT 1 = 2.
   45
   46        ENDCASE.
   47
   48        EXIT.
   49
   50      ENDLOOP.
   51
   52      WHEN 'GRRM_LOSS_MATRIX' OR 'GRRM_LOSS_MATRIX_NEW'.
   53        lv_report = 'GRRM_LOSS_ANALYSIS'.
   54
   55      WHEN 'GRRM_HEATMAP_REPORT'.
   56        lv_report = 'GRRM_HEATMAP'.
   57
   58      WHEN OTHERS.
>>>>>         ASSERT 1 = 2.
   60
   61    ENDCASE.
   62
   63    TRY.
   64        lv_regulation_id = cl_grfn_api_regulation=>if_grfn_api_regulation~get_regulation_id( i|
   65
   66        ev_authorized = cl_grfn_util_rep_auth=>has_rep_auth(
   67          io_session       = io_session
   68          iv_regulation_id = lv_regulation_id
   69          iv_report        = lv_report
   70          iv_activity      = grfn0_c_activity-print
   71
   72
   73      CATCH cx_grfn_exception.
   74        ev_authorized = abap_false.
   75
   76    ENDTRY.
   77
   78  ENDMETHOD.
Contents of system fields
Name      Val.
SY-SUBRC  4
SY-INDEX  2
SY-TABIX  1
SY-DBCNT  1
SY-FDPOS  0
SY-LSIND  0
SY-PAGNO  0
SY-LINNO  1
SY-COLNO  1
SY-PFKEY
SY-UCOMM
SY-TITLE  HTTP Control
SY-MSGTY
SY-MSGID
SY-MSGNO  000
SY-MSGV1
SY-MSGV2
SY-MSGV3
SY-MSGV4
SY-MODNO  0
SY-DATUM  20130313
SY-UZEIT  115004
SY-XPROG  SAPCNVE
SY-XFORM  CONVERSION_EXIT
Active Calls/Events
No.  Ty.     Program                           Include                             Line  Name
34   METHOD  CL_GRRM_DASHBOARD_MENU_AUTH===CP  CL_GRRM_DASHBOARD_MENU_AUTH===CM001   59  CL_GRRM_DASHBOARD_MENU_AUTH=>IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED
33   METHOD  CL_GRFN_API_MENU_ITEM_ELA=====CP  CL_GRFN_API_MENU_ITEM_ELA=====CM001  126  CL_GRFN_API_MENU_ITEM_ELA=>IF_GRFN_MENU_AUTH~ITEM_AUTH
32   METHOD  CL_GRFN_API_MENU==============CP  CL_GRFN_API_MENU==============CM003   34  CL_GRFN_API_MENU=>IF_GRFN_MENU_AUTH~ITEM_AUTH
31   METHOD  CL_GRFN_LAUNCHPAD_UIBB========CP  CL_GRFN_LAUNCHPAD_UIBB========CM006   60  CL_GRFN_LAUNCHPAD_UIBB=>IF_FPM_GUIBB_LAUNCHPAD~MODIFY
30   METHOD  CL_FPM_LAUNCHPAD_UIBB_ASSIST==CP  CL_FPM_LAUNCHPAD_UIBB_ASSIST==CM001   76  CL_FPM_LAUNCHPAD_UIBB_ASSIST=>INIT_FEEDER
29   METHOD  /1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP  /1BCWDY/B_T2POSBAR6C8HPR0XTR4P       410  CL_COMPONENTCONTROLLER_CTR=>WDDOINIT (Web Dynpro Component FPM_LAUNCHPAD_UIBB, Controller COMPONENTCONTROLLER)
28   METHOD  /1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP  /1BCWDY/B_T2POSBAR6C8HPR0XTR4P       181  CLF_COMPONENTCONTROLLER_CTR=>IF_WDR_COMPONENT_DELEGATE~WD_DO_INIT (Web Dynpro Component FPM_LAUNCHPAD_UIBB, Controller COMPONENTCONTROLLER)
27   METHOD  CL_WDR_DELEGATING_COMPONENT===CP  CL_WDR_DELEGATING_COMPONENT===CM004    9  CL_WDR_DELEGATING_COMPONENT=>DO_INIT
26   METHOD  CL_WDR_CONTROLLER=============CP  CL_WDR_CONTROLLER=============CM00V    3  CL_WDR_CONTROLLER=>INIT_CONTROLLER
25   METHOD  CL_WDR_COMPONENT==============CP  CL_WDR_COMPONENT==============CM019   24  CL_WDR_COMPONENT=>INIT_CONTROLLER
24   METHOD  CL_WDR_CONTROLLER=============CP  CL_WDR_CONTROLLER=============CM002    7  CL_WDR_CONTROLLER=>INIT
23   METHOD  CL_WDR_CLIENT_COMPONENT=======CP  CL_WDR_CLIENT_COMPONENT=======CM00E   24  CL_WDR_CLIENT_COMPONENT=>INIT
22   METHOD  CL_WDR_CLIENT_COMPONENT=======CP  CL_WDR_CLIENT_COMPONENT=======CM00A   42  CL_WDR_CLIENT_COMPONENT=>IF_WDR_COMPONENT_FACTORY~CREATE_COMPONENT
21   METHOD  CL_WDR_COMPONENT_USAGE========CP  CL_WDR_COMPONENT_USAGE========CM009   67  CL_WDR_COMPONENT_USAGE=>IF_WD_COMPONENT_USAGE~CREATE_COMPONENT
20   METHOD  CL_FPM_COMPONENT_MANAGER======CP  CL_FPM_COMPONENT_MANAGER======CM003   81  CL_FPM_COMPONENT_MANAGER=>ADD_COMPONENT
19   METHOD  CL_FPM_COMPONENT_MANAGER======CP  CL_FPM_COMPONENT_MANAGER======CM004   19  CL_FPM_COMPONENT_MANAGER=>ATTACH_COMPONENT_TO_USAGE
18   METHOD  CL_FPM========================CP  CL_FPM========================CM005   89  CL_FPM=>PROCESS_EVENT
17   METHOD  CL_FPM========================CP  CL_FPM========================CM00C   34  CL_FPM=>RUN_EVENT_LOOP
16   METHOD  CL_FPM========================CP  CL_FPM========================CM002    5  CL_FPM=>IF_FPM~RAISE_EVENT
15   METHOD  CL_FPM========================CP  CL_FPM========================CM003   11
Hi Alberto,
The below Notes should resolve!
1428775
1744179
Hope this helps,
Luciana -
Hello,
I'm attempting to get a SharePoint 2013 Provider Hosted Application working in a brand new SharePoint environment. I've created snapshots of both my dev and the SharePoint environments along the way and have meticulously documented every step of the way. I've followed these instructions (among many other resources found along this journey):
http://msdn.microsoft.com/en-us/library/fp179923(office.15).aspx
http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx
http://msdn.microsoft.com/library/office/fp179901%28v=office.15%29
Upon package and publish of my application to SharePoint, I get a 401 Unauthorized error. I used Fiddler to obtain the SPErrorCorrelationID and ultimately the following ULS Viewer output. Please explain how to fix it if you're able.
Please Note: I was under the impression that a Provider Hosted Application does not use the Azure Access Control service, so I'm confused as to why my system is attempting to make this connection.
Also Note: I've used a self-signed and a GoDaddy-obtained certificate to successfully F5-debug my basic web.title (out of the Visual Studio 2012 box) SharePoint provider hosted application... so I know my certs are good.
Here's my ULS output:
03/24/2014 08:54:47.83 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24) 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.83 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|cltenet\sp.apps, ClaimsCount=25 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.83 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Logging Correlation Data xmnv Medium Site=/ 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.84 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Deployment acjjg Medium The current user has System.Threading.Thread.CurrentPrincipal.Identity.Name = 0#.w|cltenet\sp.apps, System.Security.Principal.WindowsIdentity.GetCurrent().Name = NT AUTHORITY\IUSR, System.Web.HttpContext.Current.User.Identity.Name = 0#.w|cltenet\sp.apps. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.84 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsrv Medium redirectLaunUrl after getting it from query string, web or app instance: https://hightrust31.cltenetapps.com/Pages/Default.aspx?{StandardTokens} 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation General aib0n High trying to get app tokens for site: 888b71f7-51ee-40f5-8344-8de4869d37d0 Unable to load app tokens from appInstanceId: 22d5252f-392c-4f68-b820-a3053b9d4f24 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsrw Medium redirectLaunUrl after getting token replacement: https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsry Medium m_oauthAppId after NormalizeAppIdentifier() i:0i.t|ms.sp.ext|[email protected]8df36d5d. Now getting app principal info. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr0 Medium decided that we need to do a POST to the app. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr1 Medium m_redirectMessage: EndpointAuthorityMatches 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr2 Medium realm matched attempting to get app token using GetAccessToken() 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth advzm High Error when get token for app i:0i.t|ms.sp.ext|[email protected]8df36d5d, exception: Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable. at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext) at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken) 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr3 High App token requested from appredirect.aspx for site: 888b71f7-51ee-40f5-8344-8de4869d37d0 but there was an error in generating it. This may be a case when we do not need a token or when the app principal was not properly set up. LaunchUrl:https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http://portal.cltenet.com&SPLanguage=en-US&SPClientTag=0&SPProductNumber=15.0.4420.1017 Exception Message:The Azure Access Control service is unavailable. Stacktrace: at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext) at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest(). Since this is a nonfatal error, it will be sanitized and posted to the app as part of the app launch. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation General ajlz0 High Getting Error Message for Exception Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable. at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext) at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest() 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth aib0p Medium Doing appredirect from appredirect.aspx: in site: 888b71f7-51ee-40f5-8344-8de4869d37d0 with RedirectLaunchUrl: https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)). Execution Time=26.5933938531294 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
Your help is very much appreciated.
With Respect,
Larry
Yes, actually - I was able to resolve it.
However, I don't know how, unfortunately. I suspect it was because I needed to have the names of the certificates, defined during the certificate registration (to SharePoint) process, different.
I have a complete document that shows step by step instructions on the exact process I took to complete the provider hosted application creation, deployment and publishing. It was a daunting task, but I finished it successfully.
If there's a way to send private message on this forum, please do so and I'll respond with a way to obtain my document.
NOTE: I'm not all impressed with the way this forum works. This is supposed to be a Microsoft resource and I'll be damned if I ever get a response to highly technical questions. Completely lame. Boooooo Microsoft. -
Issue while enabling Access Control for a Coherence server node
Hi
I'm trying to enable access control for a Coherence server node, using the default keystore login method shipped with Coherence. When I start the server I get the error "java.security.AccessControlException: Unsufficient rights to perform the operation". Please see below for the sequence of steps I've followed to enable access control. I just need to enable authentication (not authorization) at this stage.
1. I have added the following entry in the Coherence Operational override file
<security-config>
    <enabled system-property="tangosol.coherence.security">true</enabled>
    <login-module-name>Coherence</login-module-name>
    <access-controller>
        <class-name>com.tangosol.net.security.DefaultController</class-name>
        <init-params>
            <init-param id="1">
                <param-type>java.io.File</param-type>
                <param-value>keystore.jks</param-value>
            </init-param>
            <init-param id="2">
                <param-type>java.io.File</param-type>
                <param-value>permissions.xml</param-value>
            </init-param>
        </init-params>
    </access-controller>
    <callback-handler>
        <class-name>com.sun.security.auth.callback.TextCallbackHandler</class-name>
    </callback-handler>
</security-config>
2. The following is the entry in the Permissions.xml
<?xml version='1.0'?>
<permissions>
    <grant>
        <principal>
            <class>javax.security.auth.x500.X500Principal</class>
            <name>CN=admin,OU=Coherence,O=Oracle,C=US</name>
        </principal>
        <permission>
            <target>*</target>
            <action>all</action>
        </permission>
    </grant>
</permissions>
3. The following is the content of the Login configuration file "Coherence_Login.conf"
Coherence {
    com.tangosol.security.KeystoreLogin required
        keyStorePath="keystore.jks";
};
4. The following is the command line tag for starting the server
java -server -showversion -Djava.security.auth.login.config=Coherence_Login.conf -Xms%memory% -Xmx%memory% -Dtangosol.coherence.cacheconfig=PROXY-cache-config.xml -Dtangosol.coherence.override=FOL-coherence-override.xml -Dcom.sun.management.jmxremote.port=6789 -Dcom.sun.management.jmxremote.authenticate=false -Dtangosol.coherence.security=true -cp "%coherence_home%\lib\coherence.jar" com.tangosol.net.DefaultCacheServer %1
Following is the output on the console when running the command. It asks for a username and password for the JKS store (if I provide the wrong password, it gives a different error, which shows that it is able to authenticate against the keystore). After I put in the password, it throws the error shown below, "java.security.AccessControlException: Unsufficient rights to perform the operation".
D:\Coherence\FOL_CacheServer>fol-cache-server
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
Username:admin
Password:
Exception in thread "main" java.security.AccessControlException: Unsufficient rights to perform the operation
        at com.tangosol.net.security.DefaultController.checkPermission(DefaultController.java:153)
        at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:32)
        at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
        at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
        at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:20)
        at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:10)
        at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:10)
        at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:6)
        at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:46)
        at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
        at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:998)
        at com.tangosol.net.DefaultConfigurableCacheFactory.ensureServiceInternal(DefaultConfigurableCacheFactory.java:923)
        at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:892)
        at com.tangosol.net.DefaultCacheServer.startServices(DefaultCacheServer.java:81)
        at com.tangosol.net.DefaultCacheServer.intialStartServices(DefaultCacheServer.java:250)
        at com.tangosol.net.DefaultCacheServer.startAndMonitor(DefaultCacheServer.java:55)
        at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:197)
Did you create the WebLogic domain with the Oracle WebCenter Spaces option selected? This should install the relevant libraries into the domain that you will need to deploy your application. My experience is based off WC 11.1.1.0. If you haven't, you can extend your domain by re-running the Domain Config Wizard again (WLS_HOME/common/bin/config.sh)
Cappa -
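The grant check behind the "Unsufficient rights" error in the post above is driven entirely by permissions.xml: a principal only passes if some `<grant>` names it and covers the requested target and action. The following added example (my own code, not Coherence's DefaultController) parses a permissions file with the same structure as the one posted and reports whether a given X500 principal is allowed, distinguishing "no grant for this principal at all" from "principal granted, but not for this target/action". The DN normalisation is a simplified stand-in for X500Principal equality, and the target/action names used in the demo ("Management", "join") are constructed; both are assumptions.

```python
"""Evaluate grants from a Coherence-style permissions.xml for a principal.
Added example, not Coherence's own code; it mirrors the grant/principal/
permission structure of the file in the post and assumes a simplified DN
comparison."""
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

X500_CLASS = "javax.security.auth.x500.X500Principal"

# Constructed copy of the permissions.xml shown in the post.
PERMISSIONS_XML = """<?xml version='1.0'?>
<permissions>
  <grant>
    <principal>
      <class>javax.security.auth.x500.X500Principal</class>
      <name>CN=admin,OU=Coherence,O=Oracle,C=US</name>
    </principal>
    <permission>
      <target>*</target>
      <action>all</action>
    </permission>
  </grant>
</permissions>
"""


def normalize_dn(dn):
    """Canonicalise a DN so spacing and attribute-type case do not matter
    (assumption: a simplified stand-in for X500Principal equality)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def load_grants(xml_text):
    """Return (principal_class, principal_name, target, action) tuples,
    one per <permission> element, in file order."""
    root = ET.fromstring(xml_text)
    grants = []
    for grant in root.iter("grant"):
        principal = grant.find("principal")
        p_class = principal.findtext("class", "").strip()
        p_name = principal.findtext("name", "").strip()
        for perm in grant.iter("permission"):
            grants.append((p_class, p_name,
                           perm.findtext("target", "").strip(),
                           perm.findtext("action", "").strip()))
    return grants


def principal_matches(grant_class, grant_name, p_class, p_name):
    """X500 principals compare by normalised DN, anything else by exact name."""
    if grant_class != p_class:
        return False
    if p_class == X500_CLASS:
        return normalize_dn(grant_name) == normalize_dn(p_name)
    return grant_name == p_name


def check_permission(grants, p_class, p_name, target, action):
    """Return (allowed, reason). Targets are glob-matched ('*' covers all),
    actions are a comma list in which 'all' covers every action."""
    principal_seen = False
    for g_class, g_name, g_target, g_action in grants:
        if not principal_matches(g_class, g_name, p_class, p_name):
            continue
        principal_seen = True
        actions = {a.strip() for a in g_action.split(",")}
        if fnmatchcase(target, g_target) and ("all" in actions or action in actions):
            return True, f"granted by <target>{g_target}</target> <action>{g_action}</action>"
    if principal_seen:
        return False, f"principal has grants, none covering {target}/{action}"
    return False, f"no grant names principal {p_name!r} of class {p_class}"


if __name__ == "__main__":
    grants = load_grants(PERMISSIONS_XML)
    # Constructed principals: the granted admin DN and a DN the file does not list.
    for name in ("CN=admin,OU=Coherence,O=Oracle,C=US",
                 "CN=server1,OU=Coherence,O=Oracle,C=US"):
        print(name, check_permission(grants, X500_CLASS, name, "Management", "join"))
```

In this model the only thing that matters for the posted file is whether the DN of the principal established at login (here, the keystore entry the KeystoreLogin module authenticates) is exactly the one named in `<name>`; a node that logs in under any other DN has no grant and is refused, which is the first thing to verify when the server reports insufficient rights.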
What is better for security? WPA2 or Access control
I have a Airport express and 2 computers; a Mac and a PC.
When it comes to securing your Wi-Fi connection so you don't get unauthorized clients on your network, what is better:
A- Just using encryption like WPA2 or some other password based system or
B- Just entering the "Airport ID" (MAC) of the computers I want to authorize in my network on the Access control panel.
Seems to me like the latter is easier on the clients since they don't need a password or anything; it's completely transparent for the client. And I believe encryption slows down the connection a bit and creates overhead for the computer. But maybe I don't have the full picture of the situation.
Is there anybody who can illuminate this subject for me?
thanks
PowerBookG4 Mac OS X (10.3.9)
WPA2 is virtually uncrackable, only really vulnerable if you use a real word as a password.
When using access control, MAC addresses are sent unencrypted, can be read and spoofed, and therefore do not add any security.
Unfortunately "Closed" networks, MAC access control lists, and reduction in transmission power are all more "feel good" security rather than real security. All these various approaches are dated and mistakenly lead to overconfidence.
WPA is your friend if you value wireless security. -
Reporting on Access Control 5.3 with SAP BO 4.0
Hello All,
I have to develop WebI reports on Access Control 5.3 data. Are there any direct connectivity options available in IDT for Access Control 5.3, or do I have to go through Oracle database connectivity, as the Access Control 5.3 backend database is Oracle? And also, for authorization data I have to connect to the ERP system.
Any help that you can provide will be greatly appreciated.
Thanks and Regards,
Aashutosh
Hi,
Generally speaking, I believe GRC 10 is more closely aligned to BI 4.0 in terms of product releases.
However, to the best of my knowledge, there's no direct connector from BI semantic layer (IDT/UDT) specifically for GRC.
I believe there is a web-based UI (dynpro) for dashboard-like analysis of the compliance topology, but that's it:
http://help.sap.com/saphelp_grcac10/helpdata/en/16/7a5f2e29744e078f9305017fee2fc2/frameset.htm
You may want to contact the GRC forum to confirm.
Regards
H -
Creating SOD matrix with the help of Access control default ruleset
I am creating the SOD matrix for the existing roles of the CRM and HR modules. As I am the security consultant, I do not have the functional knowledge about the conflicts for CRM and HR transactions. My question is: can I use the function/action/risk conflicts provided with the Access Control 5.3 default ruleset? We are not using Access Control for these systems, so I want to know whether I can take the help of the AC 5.3 default risks to create the SOD matrix based on them.
For example, like the H001 default HR risk, I would make sure not to assign PA30 (maintain HR data) together with PA03/PA04 (maintain personal control record), as this would result in the conflict "Modify payroll master data and then process payroll".
Once I have the SOD list based upon AC 5.3, I can consult the business approver/auditor to verify and modify it as per the business requirement.
Maybe I am thinking the wrong way; please provide your inputs so I can work on it. Any help appreciated.
Thanks,
Sanjay Desai
The most important thing to keep in mind is that you need to build a rule set that reflects the customer's real business risk!
What you build there will influence the way the customer will be able to continue to work, assign access and perform control activities. The input HAS to come from the business!
You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
But the real challenge is to identify the risks as perceived/accepted by the business!
Frank. -
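To make the H001 discussion concrete, here is an added example (not from this thread or from SAP's delivered ruleset) of the shape such a rule set takes and of the check that finds users holding both sides of a risk: risk -> two conflicting functions -> transactions, matched against role-to-transaction and user-to-role data. All table names, role names and users are constructed; only PA30/PA03/PA04 and the H001 risk text come from the post above.

```sql
-- Constructed tables: a minimal SoD rule set plus the authorization data it
-- is checked against. Column types are Oracle, as in the AC 5.3 backend.
CREATE TABLE sod_function (func_id VARCHAR2(8), tcode VARCHAR2(20));
CREATE TABLE sod_risk (risk_id VARCHAR2(8), func_a VARCHAR2(8),
                       func_b VARCHAR2(8), description VARCHAR2(200));
CREATE TABLE role_tcode (role_name VARCHAR2(30), tcode VARCHAR2(20));
CREATE TABLE user_role (user_id VARCHAR2(12), role_name VARCHAR2(30));

-- Functions as in the H001 example: HR01 maintains HR master data,
-- HR02 maintains the payroll control record (function ids are constructed).
INSERT INTO sod_function VALUES ('HR01', 'PA30');
INSERT INTO sod_function VALUES ('HR02', 'PA03');
INSERT INTO sod_function VALUES ('HR02', 'PA04');
INSERT INTO sod_risk VALUES ('H001', 'HR01', 'HR02',
  'Modify payroll master data and then process payroll');

-- Constructed roles and assignments: USER1 holds both sides of H001
-- through two different roles, USER2 holds only one side.
INSERT INTO role_tcode VALUES ('Z_HR_ADMIN',   'PA30');
INSERT INTO role_tcode VALUES ('Z_PAYROLL',    'PA03');
INSERT INTO role_tcode VALUES ('Z_HR_DISPLAY', 'PA20');
INSERT INTO user_role VALUES ('USER1', 'Z_HR_ADMIN');
INSERT INTO user_role VALUES ('USER1', 'Z_PAYROLL');
INSERT INTO user_role VALUES ('USER2', 'Z_HR_ADMIN');
INSERT INTO user_role VALUES ('USER2', 'Z_HR_DISPLAY');

-- Which user holds a transaction from func_a AND a transaction from func_b
-- of the same risk, and through which roles? Joining user_role twice on the
-- same user_id is what turns "role A" + "role B" into a user-level conflict.
SELECT r.risk_id, ua.user_id,
       ra.role_name AS role_a, ra.tcode AS tcode_a,
       rb.role_name AS role_b, rb.tcode AS tcode_b,
       r.description
FROM   sod_risk     r
JOIN   sod_function fa ON fa.func_id   = r.func_a
JOIN   sod_function fb ON fb.func_id   = r.func_b
JOIN   role_tcode   ra ON ra.tcode     = fa.tcode
JOIN   role_tcode   rb ON rb.tcode     = fb.tcode
JOIN   user_role    ua ON ua.role_name = ra.role_name
JOIN   user_role    ub ON ub.role_name = rb.role_name
                      AND ub.user_id   = ua.user_id
ORDER  BY r.risk_id, ua.user_id, ra.role_name, rb.role_name;
```

With this data the query reports only USER1 (Z_HR_ADMIN/PA30 with Z_PAYROLL/PA03); a single role that itself contains both sides of a risk shows up with role_a equal to role_b, which is the role-level conflict to fix before assigning the role to anyone.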
ADF UIX Role Based Access Control Implementation
Hi,
Can anybody suggest a detailed example or tutorial on how to implement role-based access control for my ADF UIX application?
The application users can be dynamically added to specific roles (Admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
Can this be done using JAZN or JAAS? If so, please provide me references to a simple tutorial on how to do this.
Thanks a lot.
Sathya
Brenden,
I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either the jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web-based console in Oracle Application Server. To configure security this way, you would have two options:
1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain them by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml.
2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer-grained and more flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
The disadvantage of this approach is that it requires coding that should be done carefully so as not to lock you into your own implementation of Struts, so that you couldn't easily upgrade to newer versions.
1 and 2 have the benefit that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
Your approach - as said - is valid, and I think many customers will look at the database first when looking at implementing security (so would I).
Two links that you might be interested in reading are:
http://sourceforge.net/projects/jguard/ --> an open source JAAS-based security framework that stores the users, roles and permissions in database tables, similar to your approach
http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for web applications written with Struts and JavaServer Pages. You may not be able to use all of it, but it's a good source of information.
Frank -
Concept and usage of FINE GRAINED ACCESS CONTROL (FGAC) using DBMS_RLS (8i ~ 10g)
Product: ORACLE SERVER
Date written: 2005-11-23
Concept and usage of FINE GRAINED ACCESS CONTROL (FGAC) using DBMS_RLS (8i ~ 10g)
=====================================================================
PURPOSE
Even when several users query the same table, it has been possible since 8i, through FGAC (Fine Grained Access Control), to show each user only their own information, or to show data under different conditions within a particular time range; that is, to specify row-level security and context.
This is also referred to by the term VPD (Virtual Private Database); it is used by creating a policy and a predicate through the dbms_rls package.
Explanation & Examples
FGAC grants security and context at the row level; in the end it transparently adds a condition to the where clause of the SQL statement being executed.
The where condition added in this way is called the predicate.
1. A simple FGAC example
We present an example that shows, for scott's emp table, only the rows whose ename matches the logged-in username. A way to have the entire emp table displayed to users who hold the super_user role is also included.
(1) Grant execute privilege on the dbms_rls package to scott.
SQL> grant execute on dbms_rls to scott;
(2) Create a few users matching ename values in the emp table (and eykim, who matches none) and grant privileges.
SQL> create user king identified by king;
SQL> create user adams identified by adams;
SQL> create user james identified by james;
SQL> create user eykim identified by eykim;
SQL> grant connect to king, adams, james, eykim;
SQL> connect scott/tiger
SQL> grant select on emp to king, adams, james, eykim;
(3) As the scott user, create a function containing the predicate as follows.
SQL> connect scott/tiger
SQL> create or replace function predicate
(obj_schema varchar2, obj_name varchar2)
return varchar2 is d_predicate varchar2(2000);
BEGIN
d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
RETURN d_predicate;
END predicate;
/
Check, as the scott user, that the policy function was created correctly:
SQL> select predicate('dummy','dummy') from dual;
PREDICATE('DUMMY','DUMMY')
ename = sys_context ('USERENV', 'SESSION_USER')
(4) Run the following statement as the system or scott user.
The parameters mean, in order, object_schema, object_name, policy_name, function_schema, policy_function. There are further parameters, but the rest use their default values.
SQL> exec dbms_rls.add_policy('scott', 'emp', 'pol1', 'scott', 'predicate');
If a policy with the same name already exists, you can drop it and create it anew as follows.
SQL> exec dbms_rls.drop_policy( 'SCOTT', 'EMP', 'pol1' );
(5) Connect as king, scott, etc. and query the emp table.
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
SQL> connect scott/tiger
SQL> select * from emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7788 SCOTT ANALYST 7566 19-APR-87 3000
20
(6) Connect as a user that does not appear among the ename values of the emp table and query it.
The select privilege on the emp table was granted to the eykim user in step (2).
SQL> connect eykim/eykim
SQL> select * from scott.emp;
no rows selected
(7) Create a role named super_user and change the policy function so that every user holding this role can query all the data.
SQL> grant select on dba_role_privs to scott;
SQL> create or replace function predicate (obj_schema varchar2, obj_name varchar2)
return varchar2 is d_predicate varchar2(2000);
counter number;
begin
select count(*) into counter
from dba_role_privs
where granted_role='SUPER_USER'
and grantee = sys_context ('USERENV', 'SESSION_USER');
if counter = 1 then
d_predicate := '';
else
d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
end if;
return d_predicate;
end predicate;
/
(8) Grant the super_user role to king and check how the result differs from (5).
SQL> create role super_user;
SQL> grant super_user to king;
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7369 SMITH CLERK 7902 17-DEC-80 800
20
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300
30
7902 FORD ANALYST 7566 03-DEC-81 3000
20
7934 MILLER CLERK 7782 23-JAN-82 1300
10
14 rows selected.
RELATED DOCUMENTS
<Note 67977.1> Oracle8i Fine Grained Access Control - Working Examples -
Product: ORACLE SERVER
Date written: 2005-11-24
Version-specific characteristics of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)
=======================================================================
PURPOSE
The basic concept and usage of FGAC, the method for managing row-level security and context, were presented in <bul 23026>.
This document summarizes the version-specific characteristics of the dbms_rls package for FGAC from 8i to 10g, and examines the STATIC_POLICY and POLICY_TYPE parameters in detail with examples.
Explanation & Examples
An example of the values typically given when using dbms_rls.add_policy follows. Most of them use default values, so in general only the first five parameters need to be given values.
SQL> exec DBMS_RLS.ADD_POLICY ( -
> object_schema => 'SCOTT', -
> object_name => 'EMP', -
> policy_name => 'POL1', -
> function_schema => 'SYS', -
> policy_function => 'PREDICATE', -
> statement_types => 'SELECT', -
> static_policy => false, -
> policy_type => DBMS_RLS.DYNAMIC, -
> long_predicate => false);
1. FGAC characteristics by version
(1) sec_relevant_cols/sec_relevant_cols_opt: 10g
Besides the add_policy parameters described above, the following two parameters were added in 10g.
They make the policy take effect only when the relevant columns are queried; usage and examples can be found in <Note 250795.1> on the metalink.oracle.com site.
- sec_relevant_cols
- sec_relevant_cols_opt
(2) long_predicate: 10g
The default is false; when set to true, the predicate can exceed 4000 bytes.
(3) statement_types: INDEX type added from 10g
Up to 9i, FGAC could be applied to SELECT, INSERT, UPDATE and DELETE; from 10g, the INDEX type can also be specified.
Specifying index lets you restrict the creation of function-based indexes; a detailed example can be found in <Note 315687.1> on the metalink.oracle.com site.
(4) EXEMPT ACCESS POLICY privilege: 9i
To keep a particular user from being affected by any fine-grained access control policy, grant the exempt access policy privilege, which was introduced in 9i.
SQL> grant exempt access policy to scott;
The privilege is granted in this way; a detailed example is available in <Note 174799.1> on the metalink.oracle.com site.
(5) Policies on synonyms: 9.2
It became possible to set a VPD (Virtual Private Database) policy on a synonym; the detailed method and examples can be found in <Note 174368.1> on metalink.oracle.com.
(6) static_policy: 8.1.7.4
The static_policy parameter did not exist in 8i; it was introduced in 9i and also back-ported to 8.1.7.4. Its default value is false, and up to 8.1.7.3 it always behaves as false, that is, the policy function is executed every time the object is accessed.
From 8.1.7.4 this parameter can be set to true; then the policy function is executed once in the session and, if the function is cached in the shared pool, it is reused without being re-executed.
From 10g the policy_type parameter described in (7) was added; instead of setting this parameter to true, leaving static_policy as false and setting policy_type to dbms_rls.static gives the same result as setting static_policy to true in 9i and 8.1.7.4.
(7) policy_type: 10g
The following five values are possible; the default is dynamic.
- STATIC
Used when the predicate contained in the policy function does not produce different results depending on the runtime environment. For example, if it returns different results depending on sysdate, using it can cause problems.
With static, the policy function is executed once and loaded into the SGA; afterwards, when the same object is used in the same session, the result of that predicate is reused without re-execution.
- SHARED_STATIC
Same as STATIC, but when the same predicate function is used for other objects as well, it first looks for an already cached predicate and, if one exists, uses that value. STATIC does not share between different objects; it uses the cached value only for the same object.
- CONTEXT_SENSITIVE
Re-executes the predicate when the context changes within a session.
A WAS (web application server) typically uses connection pooling, in which one session is used by several users one after another. If the middle tier sets the context in this case, the predicate is re-executed every time the context changes, recalculating values such as the changed sysdate or session_user.
An example of setting context in JDBC can be found in <Note 110604.1> on metalink.oracle.com.
- SHARED_CONTEXT_SENSITIVE
Same as context_sensitive, except that, as with shared_static, when the same predicate is used for several objects it first checks whether the same predicate is cached for another object.
If it exists, the result of that predicate is reused until the session-private application context changes.
- DYNAMIC
This is the default value. The predicate function is assumed to be affected by the system or the environment, so it is re-executed every time the statement runs and returns a value appropriate to the environment.
Below, the exact mechanism is checked through an example using a predicate that returns different results depending on the sysdate value.
2. Examples of policy function behaviour for the values of static_policy and policy_type
(a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
(1) If a pol1 policy already exists, drop it as follows.
SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
(2) Create the predicate function as the scott user as follows.
SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
return varchar2 is d_predicate varchar2(2000);
begin
if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION_USER'')';
else d_predicate := 'sal>=3000';
end if;
return d_predicate;
end predicate;
/
(3) pol1을 새로 add시킨다.
SQL> exec DBMS_RLS.ADD_POLICY ( -
object_schema => 'SCOTT', -
object_name => 'EMP', -
policy_name => 'POL1', -
function_schema => 'SCOTT', -
policy_function => 'PREDICATE', -
statement_types => 'SELECT', -
static_policy => TRUE, -
policy_type => NULL);
(4) Query scott.emp as a user other than scott (the commands below use king).
For that, the select privilege on scott.emp must first be granted to king as follows.
SQL>grant select on emp to king;
SQL>!date
Thu Nov 24 14:01:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
Even after 5 minutes, when the if condition in the predicate function is no longer satisfied, the king user gets the same result for the emp table.
SQL>!date
Thu Nov 24 14:10:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
(b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
(1) Drop the existing policy as follows.
SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
(2) Add pol1 anew, this time changing static_policy and policy_type as follows.
SQL> exec DBMS_RLS.ADD_POLICY ( -
object_schema => 'SCOTT', -
object_name => 'EMP', -
policy_name => 'POL1', -
function_schema => 'SCOTT', -
policy_function => 'PREDICATE', -
statement_types => 'SELECT', -
static_policy => false, -
policy_type => dbms_rls.dynamic);
(3) Query from the king user.
The predicate function executed in 2-(a) above is used as is; that is, if (a) was not executed, run (a)-(2) before querying.
SQL>!date
Thu Nov 24 15:01:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
After 5 minutes have passed, run it once more from the king user.
SQL>!date
Thu Nov 24 15:10:13 EST 2005
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7788 SCOTT ANALYST 7566 19-APR-87 3000
20
7839 KING PRESIDENT 17-NOV-81 5000
10
7902 FORD ANALYST 7566 03-DEC-81 3000
20
RELATED DOCUMENTS
<Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors in DBMS_RLS.ADD_POLICY Procedure
<Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i to 10g
First, you could use default column values, not a trigger, which is more expensive.
If your app already assumes full access to the table to get the max id (another RT), this is bad. Current RLS cannot really help if you cannot change the app because of this flawed logic (you can store the max id anywhere; why scan the whole table to find it). -
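The two bulletins above list sec_relevant_cols and the policy_type choices but show no combined example, so here is an added one (not from the bulletins). It assumes 10g or later, the scott.emp table, and the scott.predicate function from the first bulletin, which returns the constant string ename = sys_context('USERENV','SESSION_USER'); the policy name POL_SAL is constructed, and the verification queries read the DBA_POLICIES and DBA_SEC_RELEVANT_COLS dictionary views.

```sql
-- Added example (not from the bulletins). Assumes 10g+, scott.emp and
-- scott.predicate(obj_schema, obj_name) as created in the first bulletin.
-- Column-sensitive policy: the predicate is applied only when SAL or COMM is
-- referenced, and ALL_ROWS returns every row but masks SAL/COMM to NULL on
-- rows the predicate does not match (masking instead of row filtering).
-- STATIC is safe here because the function returns the same string every
-- time; the sys_context() call is evaluated inside the SQL, not in the
-- function, so nothing depends on the runtime environment at policy time.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SCOTT',
    object_name           => 'EMP',
    policy_name           => 'POL_SAL',        -- constructed name
    function_schema       => 'SCOTT',
    policy_function       => 'PREDICATE',
    statement_types       => 'SELECT',
    policy_type           => DBMS_RLS.STATIC,
    sec_relevant_cols     => 'SAL,COMM',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- Verify what is actually registered rather than trusting that the call
-- succeeded: the policy row, its type, and the columns it is bound to.
SELECT policy_name, pf_owner, function, sel, enable, static_policy, policy_type
FROM   dba_policies
WHERE  object_owner = 'SCOTT' AND object_name = 'EMP';
SELECT policy_name, sec_rel_column, column_option
FROM   dba_sec_relevant_cols
WHERE  object_owner = 'SCOTT' AND object_name = 'EMP';
-- As king: every row comes back, but SAL and COMM are NULL except on KING.
CONNECT king/king
SELECT ename, job, sal, comm FROM scott.emp;
-- No relevant column referenced: the policy is not applied at all.
SELECT ename, job FROM scott.emp;
```

If the POL1 policy from the bulletins is still attached to scott.emp, its row filter applies in addition to the masking shown here, so drop it first (as in step 2-(a)-(1)) when reproducing the masked result.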
Access Control with Custom Groups
I am rather new to APEX. I am trying to implement access control/authorization using custom groups (not the built-in View, Edit, and Administrator groups). I did search the discussion forums and the web in general, but so far I have come up empty. I was hoping someone could point me in the right direction as to how to get started. Are there stored procedures that need to be customized/implemented? Where do I store the user groups? Can I use the built-in tables, or should I create custom security group tables? Those are just some of the questions I am trying to figure out, and any help would be much appreciated.
And BTW, due to client requirements, we are currently using version 3.2. Not sure if there are any significant changes between that version and the latest version.
Thank you all!
Mischa
Custom authentication is fairly easy to set up with your own tables; here is an example:
http://djmein.blogspot.com.au/2007/07/custom-authentication-authorisation.html
This leads on to authorisation, again using your own tables. You need to look into using authorization schemes
http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35125/sec_authorization.htm#BABEDFGB
This can simply be queries on your own group tables, which presumably would control membership by username.
You ask the question about using built-in tables, yet don't want to the built-in administrator groups?
Plenty of significant changes, but none that should affect you in regard to authentication/authorisation.
Scott -
Access Controlled Business Object ??
Hello,
Can anyone share a few views about Access Controlled Business Objects and RBAM data? I have never used them before and wanted to know more about these, like how they affect security and so on.
Please don't point to any reference links or PDFs to see the info about Access Controlled BOs, because I have already read enough material and all I have is confusion.
So, kindly share your personal views about this topic here rather than referring to a document which is somewhere else.
Thanks in advance.
regards,
vatsav
Hello Vatsav,
I have used an employee association with access context to "1000 - Employee Self Service" and
"1003 - Management". It works very well.
In my case simple business user should see only their own data (1000 - Employee Self Service) and a business user with a management role (1003 - Management) can see all data.
If you want to use a different logic (such as access context code 1000/1003/1007), maybe you have a problem.
Regards,
Kay Kressner