Authorizations: Dynamic roles

Hello everybody,
We are going to migrate our authorizations from the 3.x concept to BI 7.
With the new concept we are compelled to respect certain requirements, like including in the single user profile every InfoObject marked “AuthorizationRelevant” (that is also built into the InfoProvider, intended for future analysis).
- Certain users had only one dynamic role. In such a case we are able to restrict, for instance:
  - 0CO_AREA = a value;
  - every other InfoObject “AuthorizationRelevant” = “*” (every single value)
- Certain users had two or more dynamic roles; in such a case we are supposed to set:
  - ROLE 1: 0CO_AREA = a value; every other InfoObject “AuthorizationRelevant”, for instance 0COMANY_CODE = “*” (every single value)
  - ROLE 2: 0COMANY_CODE = a value; every other InfoObject “AuthorizationRelevant”, for instance 0CO_AREA = “*” (every single value)
In this particular case, though, we expect that the system will ignore our restrictions because it is in fact adding the two roles:
ROLE 1 is set: 0CO_AREA = a value;
ROLE 2 is set: 0CO_AREA = “*”.
Based on what we just described above, here are our questions:
1. Does a symbol exist (for instance “:” or “>”) that we can assign to every InfoObject “AuthorizationRelevant” in order to cheat the system, making it understand that the InfoObject is there but not relevant for the authorizations (instead of using “*”)?
2. If not, can you please suggest another way to cope with the problem of a user having several dynamic roles assigned?
Thank you very much
Matteo Mariniello

Hello,
I don't have a solution, but I think I understood Matteo's goal, which is not at all to authorize users to do anything they want to.
He wants to restrict certain tasks, but when a user has two or more dynamic roles, the addition of them makes the restriction useless.
As he said:
Dynamic Role 1)
0CO_AREA = a value
0COMP_CODE = *
Dynamic Role 2)
0CO_AREA = *
0COMP_CODE = A VALUE
Therefore, the addition of them for ONE user is going to make the restrictions
0CO_AREA = a value
0COMP_CODE = a value
USELESS!!
Take Care
Domenico
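The effect Matteo and Domenico describe, as an added example that is not part of either post: a simplified model in which a user's analysis authorizations are combined as a union, so a request is permitted as soon as any one authorization the user holds covers it. The InfoObject names come from the thread; the concrete values ("1000", "2000", ...) and the role names are constructed, and the model is an illustration of the combination rule, not SAP's actual check algorithm.

```python
# Added example, not code from the thread: one user holding several analysis
# authorizations. Assumption (matching the posters' description of the roles being
# "added"): a request is permitted as soon as ANY single authorization covers it,
# i.e. the authorizations are combined as a union.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

ANY = "*"  # full-value wildcard, as used in the thread


@dataclass(frozen=True)
class Authorization:
    """Allowed values per authorization-relevant InfoObject ('*' = every value)."""
    name: str
    values: Dict[str, FrozenSet[str]]

    def covers(self, request: Dict[str, str]) -> bool:
        # Every characteristic of the request must be granted by THIS authorization alone.
        for char, value in request.items():
            allowed = self.values.get(char)
            if allowed is None:
                return False  # relevant InfoObject not present in this authorization
            if ANY not in allowed and value not in allowed:
                return False  # concrete value not granted
        return True


def auth(name: str, values: Dict[str, str]) -> Authorization:
    """Build an Authorization from a mapping InfoObject -> single value or '*'."""
    return Authorization(name, {k: frozenset([v]) for k, v in values.items()})


def permitted(user_auths: Iterable[Authorization], request: Dict[str, str]) -> bool:
    """Union semantics: any one authorization covering the request is enough."""
    return any(a.covers(request) for a in user_auths)


# The two dynamic roles from the thread; the concrete values are constructed.
ROLE_1 = auth("ROLE 1", {"0CO_AREA": "1000", "0COMP_CODE": ANY})
ROLE_2 = auth("ROLE 2", {"0CO_AREA": ANY, "0COMP_CODE": "2000"})
# What the team actually wanted: both restrictions inside ONE authorization.
INTENDED = auth("INTENDED", {"0CO_AREA": "1000", "0COMP_CODE": "2000"})


def compare(request: Dict[str, str]) -> Dict[str, bool]:
    """Decision for a user with ROLE 1 + ROLE 2 versus a user with the single intended authorization."""
    return {
        "two_roles": permitted([ROLE_1, ROLE_2], request),
        "intended": permitted([INTENDED], request),
    }


if __name__ == "__main__":
    for req in ({"0CO_AREA": "1000", "0COMP_CODE": "2000"},
                {"0CO_AREA": "3000", "0COMP_CODE": "2000"},   # foreign CO area slips through via ROLE 2
                {"0CO_AREA": "1000", "0COMP_CODE": "9999"},   # foreign company code slips through via ROLE 1
                {"0CO_AREA": "3000", "0COMP_CODE": "9999"}):
        print(req, compare(req))
```

The second and third requests show the problem from the thread: the "*" in one role grants exactly the values the other role was meant to restrict, so splitting a restriction across two roles widens access instead of narrowing it, whereas the single INTENDED authorization rejects both.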

Similar Messages

  • How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role level? There is a requirement from my client and I propose two methods:
1- Creation of a Z-tcode ZVL32N and changes at ABAP program level
2- Disablement via Authorization/Role level - but how can I find the auth object / authorization that corresponds to the POST GOODS RECEIPT button in VL32N?

I think you can make use of SHD0 - Transaction variant to achieve this. You can make the button grayed out while recording steps in SHD0.

  • BPM Dynamic Roles

    Hi All,
    I am trying to figure out how I can dynamically assign roles within BPM. So I want to be able to route the BPM process to the manager of the user that the process was assigned. I am just not sure how to dynamically do this within BPM.
    Any thoughts? Any documentation on dynamic roles would be greatly appreciated.
    We are using BPM 11g.
--S

    So is it the call CreateResourceList that lets you actually set the user / approle for a flow?
    It looks like that might be on the right track.
--S

  • Dynamic Role -- Group Mapping not working in WebLogic 10

I have an installation I am migrating from 9.2 to 10. It uses Dynamic Role Mapping.
From my weblogic.xml within the deployment:
    <security-role-assignment>
        <role-name>EELSSystemAdministrator</role-name>
        <externally-defined/>
    </security-role-assignment>
I am using SPNEGO SSO, and it is working fine: it retrieves the principals from LDAP and adds them to the subject, so everything is fine there. I have defined the deployment constraint "EELSSystemAdministrator" as a Global Role, and then added a condition "group" and set it to the LDAP group (SMS EELSSystemAdministrator), which is one of the three principals being returned from LDAP.
When the Role mapper runs, it returns the following in the logs:
<SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users, SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator ,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> false>
<SecurityRoleMap> <primary-rule evaluates to NotApplicable because of Condition>
<SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:top, 1.0 evaluates to Deny>
<SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: DENIED>
In my 9.2 installation that is working I get the following in the logs:
<SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> true>
<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:or(true) -> true>
<SecurityRoleMap> <primary-rule evaluates to Permit>
<SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:type@E@Furl@G@M@Oapplication@EEELSWeb@[email protected]@O$@S@VDSTAMP@S@W@M@OcontextPath@E@UEELS@M@Ouri@E@U, 1.0 evaluates to Permit>
<SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: GRANTED>
I am not sure why my 9.2 deployment lists the role type as a "url" (which points to the right deployment), and 10 lists it as the word "top". Either way, it is not authenticating to my global role based on the Group returned from LDAP.
I'm pretty much out of troubleshooting ideas, having compared every config file/log file etc. to find discrepancies in my setup. Anyone have any suggestions, perhaps something that has to be set up differently in 10 than in 9.2?
Thanks in Advance,
John

    Update:
    I checked a bunch of settings, and it seems to be working now, very odd.
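A check worth running whenever a role-mapper trace like the one above shows `string-is-in(...) -> false` for a group that is visibly present in the bag, as an added example that is not from the thread: a re-implementation of the XACML `string-is-in` comparison WebLogic logs, fed with the condition value and group bag exactly as they are printed in the failing and the working `Evaluate` lines. It assumes the traces reproduce the strings faithfully, including whitespace; the thread itself never confirms what fixed John's installation.

```python
# Added example, not from the thread: the XACML string-is-in comparison logged by the
# SecurityRoleMap traces, plus a whitespace hint. Assumption: the trace text reproduces
# the compared strings exactly as the role mapper saw them.
from typing import Dict, List


def parse_trace_bag(trace_value: str) -> List[str]:
    """Turn the '[a,b,c]' part of a trace line into the bag of strings, without trimming."""
    start, end = trace_value.index("["), trace_value.rindex("]")
    return trace_value[start + 1:end].split(",")


def string_is_in(value: str, bag: List[str]) -> bool:
    """urn:oasis:names:tc:xacml:1.0:function:string-is-in: exact, case-sensitive membership."""
    return value in bag


def diagnose(condition_value: str, trace_bag: str) -> Dict[str, bool]:
    """Exact XACML result, plus whether only surrounding whitespace prevented a match."""
    bag = parse_trace_bag(trace_bag)
    exact = string_is_in(condition_value, bag)
    normalised = condition_value.strip() in [g.strip() for g in bag]
    return {"match": exact, "whitespace_only_mismatch": (not exact) and normalised}


# Arguments of the Evaluate line in the failing WebLogic 10 trace above. Note the trailing
# space in the condition value before the comma in the trace: "SMS EELSSystemAdministrator ,"
FAILING_CONDITION = "SMS EELSSystemAdministrator "
FAILING_BAG = "[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]"

# Arguments of the Evaluate line in the working 9.2 trace above
WORKING_CONDITION = "SMS EELSSystemAdministrator"
WORKING_BAG = "[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]"


if __name__ == "__main__":
    print("WebLogic 10 trace:", diagnose(FAILING_CONDITION, FAILING_BAG))
    print("WebLogic 9.2 trace:", diagnose(WORKING_CONDITION, WORKING_BAG))
```

Because XACML string comparison is exact, a role condition whose group name differs from the directory value only by a stray space (as the failing trace prints it) evaluates to `false`, and the role is denied even though the principal is in the subject. The `whitespace_only_mismatch` flag isolates that case from a genuinely missing group, which is the first thing to separate before comparing the rest of the configuration.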

  • MSS (non-webdynpro) Authorizations and Roles

    Do you know the MSS 60.1 business package authorizations and roles that are required for the backend R/3 system?  I noticed an SAP note exists for the webdynpro version (#798967) but didn't see a note for the old package.

    Umair,
    I know this auth object is required for webdynpros in new business package but does it apply for old traditional java MSS package too?
    Thanks, John

  • Regarding Authorizations and Roles

    Hi All,
Can anyone explain Authorizations and Roles to me in detail?
    regards,
    Ali

    Links for Learning about Authorizations:
    http://help.sap.com/saphelp_nw70/helpdata/en/44/599b3c494d8e15e10000000a114084/frameset.htm
    http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
    http://help.sap.com/bp_biv235/BI_EN/documentation/Authorization_BW_Proj.pdf
    http://help.sap.com/saphelp_nw04/helpdata/en/e3/e60138fede083de10000009b38f8cf/frameset.htm
    Links to learn about Roles:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
    Assign points if helpful,
    Venkat

  • Init function to habilite dynamic roles

    Hi
We want to use dynamic roles at database level. We are using JAAS for security at application level, and we want to enable the roles in a database procedure based on the JAAS username, but we need to execute this database procedure before any other action, like an init() function. Where can we execute this method? I tried in the ApplicationModule constructor, but it doesn't work well because I need to use the function getApplicationModule to obtain the JAAS user.
Where can I execute this method? Maybe a function at Application Module level?
    Thanks in advance
    Liceth

    Liceth,
With functionality like this you have to always remember that many things (such as Application Module instances and DB connections) are pooled and re-used, so the constructor of an ApplicationModuleImpl is definitely NOT the place!
    If I understood your problem correctly, it sounds very similar to the problem you would be facing when using Business Components together with the VPD (Virtual Private Database) feature of the Oracle Database. It boils down to you having to execute a PL/SQL procedure every time a database connection is obtained from the database connection pool when an ApplicationModule instance is checked out from the ApplicationModulePool for a particular user/session.
    If you search OTN on the combination VPD and BC4J, you will certainly find some very useful documents that will probably help you implement your solution.
    Kind regards,
    Peter Ebell
    JHeadstart Team

  • Dynamic roles in Agent Assignment

    Dear All
I have a requirement to assign dynamic roles which are stored in a container element. When I select the role in the agent assignment of the task, all the system roles come up in the drop-down. How do I assign the role stored in the container element in the agent assignment?
    Thanx in advance

You can use a simple rule that returns the agents having that role; FM PRGN_READ_USERS_FOR_ONE_AGR will do the trick.
    Or else I think you can just use a role as an expression (haven't done this myself). Just as you would pass in USUSERNAME, prefix it with AG. You may have an issue with data types though if the role name is longer than the standard HR object name, I haven't tried it for this very reason.

  • Authorization or roles assign?

    Hi All,
I have installed XI 3.0 on Windows Server 2003, but my users are getting this error and are not able to create a product. It says "You are not authorized to view the requested resource 403 forbidden".
What are all the authorizations and roles I need to set for every user?
    Regards,
    Rohit

    Error: HTTP 403 Forbidden
    Description: The server understood the request, but is refusing to fulfill it
    Possible Tips:
    Path sap/xi/engine not active
    • HTTP 403 during cache refresh of the adapter framework - Refer SAP Note -751856
    • Because of Inactive Services in ICF –Go to SICF transaction and activate the services. Refer SAP Note -517484
    • Error in RWB/Message Monitoring- because of J2EE roles – Refer SAP Note -796726
    • Error in SOAP Adapter - "403 Forbidden" from the adapter's servlet. –Because of the URL is incorrect or the adapter is not correctly deployed.
From
/people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
    Regards,
    Prateek

  • Authorizations & Business roles for ITSM

    Dears,
I would like to ask whoever implemented ITSM as a service desk for an IT organization: after setting up the Organizational Structure (Organizational Model), the Organizational Unit (Sold To Party) and the Org. Object (Support team),
what is the best approach to give Authorizations & Business roles for:
    1) new employee joined the company as an End User (Requester).
    2) new employee joined the company as one of the IT Help desk (Dispatcher, Processor....etc.)
    Regards,
    Yazeed

    HI Shikha,
I hope you are assigning the Role to the Position created in your org model.
That is, by navigating through
GO TO - DETAIL OBJECT - ENHANCED DETAIL DESCRIPTION - by creating a new infotype for Business Role;
here one can assign the Business Role to the position.
In case you are not assigning it in the above-mentioned way, try to do so. Hope this will help.
    Vijayata

  • Dynamic role Assignment in Portal using Web dynpro Java?

    Hi All,
    We have following requirement for dynamic role assignment.
    1) User Login to Portal.
    2) User Clicks on Home Tab in Portal, through RFC/BAPI, get Role from Backend(ECC) and compare the role ID with Portal Object ID through UME.
    Role gets assigned in Portal after comparison, if it exists in Portal.
    Can you please let me know what all steps I need to do to complete the above assignment.
    Thank you
    Ravi

    Thanks Tobias.
To be precise, I will explain my requirement.
1) User Login (User ID will be input to RFC)
2) RFC will get the Role for that user ID from the Backend (ECC) and return that role ID to Portal.
3) Now, with the help of the UME API, I need to search for the role ID in Portal. If it exists, no action.
If the Role ID does not exist, then it should assign that role in Portal.
Sorry for the tedious comment.
I am a bit new to Web Dynpro.
Can you please tell me each step I need to follow to complete the above requirement?
    Many Thanks,
    Ravi

  • Report to check the open authorization in Roles

    Hi All,
    Is there any standard SAP report or option to find out the list of roles with open authorizations(auth data incomplete) in the R/3 system?
    We are on R/3 4.7.
    Thanx
    Balaji Srinivas

I've found a solution on NetWeaver 2004 which I think does work on 4.7 as well:
Use SE16 to get the data from tables AGR_1251 and AGR_1252 with the following selection criteria:
For the "LOW" field open the selection subscreen, go to "exclude ranges" and in the lower limit enter "#!", where the exclamation mark is the lowest in the ASCII range (character 33) and the hash is there to escape any special meaning so SE16 will accept it. In the "upper limit" enter "ÿ", character 255. Now you've told the system not to return any row with a valid ASCII character in the "LOW" field for the objects.
You may want to filter for "DELETED" <> "X" as well in AGR_1251.
    Hope this helps
    Jurjen
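Jurjen's SE16 selection expressed as a filter over AGR_1251-style rows, as an added example that is not from the thread. The column names LOW and DELETED follow the post; AGR_NAME, OBJECT and FIELD are the usual role, authorization-object and field columns of that table; the role names and row values are constructed. The same range test ('!' to 'ÿ', i.e. characters 33 to 255) is what the "exclude ranges" selection applies inside SE16.

```python
# Added example, not from the thread: Jurjen's "exclude ranges" trick for finding open
# authorizations, written as a filter over constructed AGR_1251-style rows.
from typing import Dict, Iterable, List, Set

LOWEST_PRINTABLE = "!"       # character 33, the lower limit in the post ("#!" in SE16)
HIGHEST_LATIN1 = "\u00ff"    # character 255 ("ÿ"), the upper limit in the post


def has_real_value(field: str) -> bool:
    """True if the field holds at least one character in the excluded range '!'..'ÿ'."""
    return any(LOWEST_PRINTABLE <= ch <= HIGHEST_LATIN1 for ch in field)


def open_authorizations(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows the SE16 selection would return: no real LOW value and not flagged DELETED."""
    return [r for r in rows
            if r.get("DELETED", "") != "X" and not has_real_value(r.get("LOW", ""))]


def roles_with_open_authorizations(rows: Iterable[Dict[str, str]]) -> Set[str]:
    """Distinct role names that still carry at least one open (unmaintained) field."""
    return {r["AGR_NAME"] for r in open_authorizations(rows)}


# Constructed AGR_1251-style rows; the Z_* role names are made up for this example.
SAMPLE_ROWS = [
    {"AGR_NAME": "Z_FI_DISPLAY", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "1000", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_FI_DISPLAY", "OBJECT": "F_BKPF_BUK", "FIELD": "ACTVT", "LOW": "", "HIGH": "", "DELETED": ""},   # open
    {"AGR_NAME": "Z_HR_ADMIN", "OBJECT": "P_ORGIN", "FIELD": "PERSA", "LOW": " ", "HIGH": "", "DELETED": ""},       # blank = open
    {"AGR_NAME": "Z_OLD_ROLE", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "", "HIGH": "", "DELETED": "X"},         # deleted, skipped
    {"AGR_NAME": "Z_ALL", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "*", "HIGH": "", "DELETED": ""},              # '*' is char 42: maintained
]


if __name__ == "__main__":
    for row in open_authorizations(SAMPLE_ROWS):
        print(row["AGR_NAME"], row["OBJECT"], row["FIELD"], repr(row["LOW"]))
    print("roles to review:", sorted(roles_with_open_authorizations(SAMPLE_ROWS)))
```

Note that a full-access "*" counts as a maintained value (it is character 42, inside the range), so this selection reports only fields that were never filled, not fields that were deliberately left wide open; those need a separate review.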

  • OBPM 10gR3 Dynamic Role Assignment at user login

    Hi,
    For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
    Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
    All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
    It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
    So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
    Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
    The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
    We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
    However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
Therefore, we dumped the invocation in the actual constructor - and this seems to work for the most part. Yet on the odd occasion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to log out and back in before the changes are realised.
    We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
    So I really have 2 questions:
    1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
    2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
    Thanks for reading.

    Sorry for the belated response - I don't get notified of replies.
    The code for my custom SSOLoginModule class is:-
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.util.Properties;
    import fuego.workspace.security.SSOWorkspaceLoginInterface;
    import fuego.papi.Arguments;
    import fuego.papi.InstanceInfo;
    import fuego.papi.ProcessService;
    import fuego.papi.ProcessServiceSession;
    import fuego.sso.SSOLoginException;
    import fuego.sso.SSOUserLogin;
    import fuego.jsfcomponents.Util;
    import fuego.workspace.model.common.WorkspaceApplicationBean;

    public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
        private ProcessService pService;
        private ProcessServiceSession pServiceSession;
        private Properties properties;

        public CustomSSOWorkspaceLogin() {
            // Do the role assignment here because it works, and does not work in the
            // ideal location, the setupAuthenticatedSession method
            pService = createProcessService();
            pServiceSession = createProcessServiceSession();
            assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
        }

        private ProcessService createProcessService() {
            return WorkspaceApplicationBean.getCurrent().getProcessService();
        }

        private ProcessServiceSession createProcessServiceSession() {
            return pService.createSession("yourdirectoryusername", "yourdirectorypassword", null);
        }

        // This method is used to remotely invoke a BPM process to do the role assignment
        // - no external API to do this directly!
        private void assignDefaultRole(String email) {
            try {
                String processId = "myRoleAssignmentProcessId";
                String argumentName = "argumentName"; // the name of the input argument to feed in the participant
                String argumentValue = email;
                Arguments arguments = Arguments.create();
                arguments.putArgument(argumentName, argumentValue);
                InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
                long waitTime = 1000;   // poll interval in ms
                long timeLimit = 5000;  // give up after this many ms
                boolean roleAssigned = false;
                boolean timeLimitExceeded = false;
                long startTime = System.currentTimeMillis();
                // Allow role assignment thread to complete
                while (!roleAssigned && !timeLimitExceeded) {
                    try {
                        Thread.sleep(waitTime);
                        if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
                            roleAssigned = true;
                        }
                        if (System.currentTimeMillis() - startTime > timeLimit) {
                            timeLimitExceeded = true;
                        }
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }
                }
                // close process service session
                pServiceSession.close();
                // Do not close the service itself as it is shared with the Workspace itself!
                // pService.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
            // Unfortunately, the below does not work here because the role assignment is not fast enough.
            // The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
            // Therefore, we run the below statements from the constructor - ugly but functions.
            // pService = createProcessService();
            // pServiceSession = createProcessServiceSession();
            // assignDefaultRole(httpservletrequest.getRemoteUser());
        }

        public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
        }
    }

  • Check users authorizations and role

    Hello!
    How can I check the authorizations of
    Web Dynpro application users and also his role.
    Thanks
    rgds
    sas

    HI,
Please go through the following links:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
https://help.sap.com/javadocs/index.html
and use the method isMemberOfRole.
    Regards
    Ayyapparaj

  • Dynamic role setting in human task

    Hi,
    I would like to use the human task activity in a BPEL process setting the role that has to complete the activity dynamically.
    I mean, inside the human task editor, there is a section named "Assignment and Routing policy" where I add a participant to the task. There, I have two options: By name (which I have already used) or by expression.
I would like to assign the role from a variable of my process. That is, I invoke the business rules engine, and the result is a role. Then I want to assign the human task to that role. Is this possible? How do I do this?
    Thanks in advance,
    Zaloa

    We do the same. We invoke a service from BPEL before the human workflow activity. This service returns a department (that is also present in our OID) based on some instance data. We assign this role to the human task in the task definition like this:
    <routingSlip xmlns="http://xmlns.oracle.com/bpel/workflow/routingSlip">
        <globalConfiguration>
            <expirationDuration duration="/task:task/task:payload/ns0:humanTaskInformation/ns0:expirationDate"
                                type="XPATH"/>
        </globalConfiguration>
        <participants isAdhocRoutingSupported="false">
            <participant name="Department">
                <resource isGroup="true" type="XPATH">/task:task/task:payload/ns0:humanTaskInformation/ns0:department</resource>
            </participant>
        </participants>
        <notification includeTaskAttachments="false" actionable="false"
                      secureNotifications="false"/>
    </routingSlip>
    This works.
    As Eric already indicated, you should see some error detail in the audit trail when the human workflow activity "falls through".
    Regards, Ronald
