BPM 11g Role Assignment not Reflected on BPM Workspace

Similar Messages

• I have created a user in oracle BPM but it is not reflected in system-jazn-data.xml file and I am unable to authenticate that user to create context as needed in workflow client

  I have created a user in oracle BPM but it is not reflected in system-jazn-data.xml file and I am unable to authenticate that user to create context as needed in workflow client

  weblogic credentials are different.
  and using thode credentials I am able to login to weblogic server
  the users I am talking about is the process users defined in realm.
  in realm those users are defined as Default authenticator and OID authenticator.
  and I am trying to authenticate one of those users defined in realm using java api so that I an access a process defined In Oracle BPM 11g

• Another FPN Thread: Remote role assignment not working

  Hi all,
  We have successfully implemented FPN for use in our ESS and BW environment and we are experiencing very little problems with it. We now want to start implementing it for our eRecruitment and SRM systems (as producers). For some reason we are not able to use the Remote Role Assignement functionality.
  We have set up trust for the systems and use SSO.
  Connection test for the producer is successfull.
  We can see the Producer content in the pcd on the consumer.
  Server times are the same.
  As far as I know I have correctly set permissions on producer and consumer.
  Possible cause: We are in the process of upgrading our consumer Portal to NW 7.0 SPS15 and have encountered some problems. The system is partially upgraded, so some components are SP15 and some others are still SP13. This is currently under investigation by SAP. Can this be an issue as our producer portals all are still on SP13?
  I hope to hear from you soon. Please ask if you need any screenshots. Thanks in advance.
  Best regards,
  Jan Laros

  Hi Jan,
  if remote role assignment not works, you can also use remote delta links. I only work with remote delta links because i have more options   and a better performance.
  If your connection works you can go to Content Administration ->Portal Content-> NetWeaver-Content-Producer. Hier you can see your remote system. Now you can copy the role and add it to your portal-content.
  If you can not see the content make sure that you have the same user  on both sides also check the premissions on the portal-content of your remote system. To test the connection it is easier to add Everyone group to the content of your remote system.
  regards,
  Sharam

• BPM 11g - Human task not removed when interrupting boundary event fired

  In BPM 11g (11.1.1.1.3), I am testing a message catch event on the boundary of a human task. It is set for interrupting, so it should, when the event fires, remove the human task from the work list and follow the flow out of the event. The event flow is being followed, but the human task is being left active in the user's work list. I would expect the human task to be removed when the interrupting boundary message event occurs.
  I think this is a bug, but would welcome any suggestions on how to solve it. Does anyone know if this works in the latest release (11.1.1.1.4)? We might upgrade pretty soon. Has anyone else tried boundary message events and gotten them to work properly in BPM 11g?
  Just FYI....in order to make the BPM message event occur and provide instance correlation, we had to add a mediator and BPEL correlation. We followed process documented in a previous post to do this (http://blog.andrade.inf.br/2011/01/implementing-correlation-in-bpm-11gr1.html). Thanks to whomever posted that...it got us a few steps further along!

  I do not think this is bug based on
  Oracle® Fusion Middleware Modeling and Implementation Guide for Oracle Business Process Management
  23.1.1 Understanding the Relationship Between SOA Composites and SOA Components
  "In a similar way, when an interrupting timer or message boundary event arrives to a user task, the BPMN process instance leaves the user task but the associated Human Task remains available. Because the interrupting timer or message boundary event arrived before the user completes the user task, the human task remains unfinished, and you can still access it thought the Worklist application. However running that human task does not have any effect on the BPMN process."
  This also gives us big trouble. I am looking for the solution.
  Helen

• BPM Application Link does not appear in BPM Workspace (11.1.1.7)

  I spent huge amount of time to reveal why does that happens.
  All that follows further is valid for BPM Suite 11.1.1.7.
  The scenario.
  You developed a simple BPM process with Initiator pattern (maybe by following the "Quote Request" tutorial).
  But the application link did not appear in BPM Workspace.
  Here i'm skipping any kind of mistakes as "oh, incorrect swimlane", "oh, i did not include the user to the app role" and so on.
  At first, you should know about the "feature" - You have to attach task form to the Initiator Human Task to see the App Link.
  The simplest way to do that is to AutoGenerate task form (and deploy it, of course).
  Else the Appication Link will not appear.
  One exception to this rule - If your Task HAS NO PAYLOAD (no parameters) the Task Form is not required (to appearing of the Application Link).
  The second find is a bug (is think so).
  If you edited the Role that Attached to the swimlane of Initiator Task, you will not see the Application Link.
  If you look to organization.xml you will see something like this:
          <ns1:applicationRole id="StartTask.InitRole" isProcessRole="true">
              <ns5:name>StartTask.InitRole1</ns5:name>
              <ns1:processRole id="InitRole" name="InitRole1"/>
          </ns1:applicationRole>
  The Application Link will appear ONLY IF THE "applicationRole id", "applicationRole name" and "processRole id" have the same value.
  When you edit name of the application role in Organization Editor you change "applicationRole name" and "processRole name" values.
  After that "applicationRole id" != "applicationRole name" and the Link does not appear.
  How to fix?
  Just edit organization.xml (with external editor) - change the "applicationRole name" to the value of "applicationRole id".
  That allows to have value of "processRole name" something like "The Initiator Role" - that value appears in the BPMN diagram of process.
  Also you can edit organization.xml with Organization Editor and set the Name to the value of "applicationRole id".
  In that case the associated swimlane will have the same name as the "applicationRole id".
  Hope this helps somebody
  Oleg

  Flash Player is a browser add-on, not an executable program.
  If you need to open a local SWF file you will need the standalone player (Projector) from http://www.adobe.com/support/flashplayer/downloads.html
  Note that the download is the player, not an installer, so you will need to make the file association manually.

• ABAP centered role assignment not working

  I have been trying to implement ABAP centered role assignment for our users but not really having much luck in gettng it to work. I've been trying to make sense of it by using [the help guide|http://help.sap.com/saphelp_nwmobile71/helpdata/en/d2/3e3842b23d690de10000000a155106/frameset.htm] but I must be doing someting wrong. Here are the steps that  take.
  1. Create a single ABAP role - A single role with no menu or authorizatons
  2. Create a UME Group - I name the group exactly the same as the ABAP single role from the previous step
  3. Assign UME Group to Portal Role
  4. Assign mapped user to ABAP role
  Supposedly the ABAP role assingment is supposed to reflect through to the UME group membership so the portal user then sees the associated portal tab.
  Can you enlighten me?
  Thanks in advance

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary

• Changing object name of role is not reflected

  When I change the Current Object Name for a specific role this change is not reflected. The role still retains it original name in the PCD or when I assign the role to a user.
  This only happens for a specific role in our system. For all other roles the change of the Object Name works fine.
  What am I overlooking?

  Hi ,
  Please check that when you change property 'name' of the role and then click on save button you shud get a  'save successful ' kinda message.
  If not then may be your role is locked by some other portal user id and thus not allowing you to change it. Please note that this will also not allow to change any property of the role, so you can test this by trying changing the other properties of the role.
  If this is not the case, then compare the properties of two roles one whichis working fine and the one which is not.
  Thanks,
  Namrta Mahajan

• FPN - error trying to lookup object - remote role assignment not working

  Hello everyone,
  We have implemented a Federated Portal Network connection in our landscape between our portals.
  We use only remote role assignment functionality.
  Everything was working fine, but since 2 days we encounter the following error in the Default trace.
  Error trying to lookup object: alias: <role name>
  It is possible to open the producer portal in the Portal Content Administration and also searching for the Producer portal roles is possible in User administration. But when we assign the remote role the tab is not displayed in the portal only the above mentioned error is shown in the default trace. Our portals run SP 12 and BI Java SP14.
  Is there a solution or workaround for this issue ?
  Martin

  Hi,
  I have the same issue as you, I cannot see role tabs in Consumer portal and I get the same error in the defaulttrace as you.
  What did you do to resolve this issue?
  Many thanks
  Gordon

• Security-role and security-role-assignment not working in WL7.0

  Hello all..
  Some EJB components that worked fine in WebLogic 6.1 no longer work in
  WL7.0. It has to do with the security-role and security-role-assignment
  descriptor elements no longer allowing anonymous users to be included in the
  authorization for a bean.
  For example, in WL6.1 placing these items in ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <role-name>Employees</role-name>
  </security-role>
  <method-permission>
  <role-name>Employees</role-name>
  <method>
  <ejb-name>CustomerEJB</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
  <security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
  </security-role-assignment>
  worked fine for clients creating their context using a simple
  InitialContext() constructor without specifying SECURITY_PRINCIPAL or
  SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
  the security-role-assignment element above told WebLogic that "guest" was in
  the Employees role for purposes of this EJB archive.
  Worked in WL6.1, no longer works in WL7.0. Client receives typical
  permission exception:
  java.rmi.AccessException: Security violation: insufficient permission to
  access method 'create'
  If I explicity connect as "system" things are fine, or I can create a new
  user in the default realm in WebLogic, put a matching <principal-name>
  element in the section above, and connect as that user. Note that if I leave
  off the <security-role> section completely, or set the required role name to
  "everyone", the anonymous access works fine. Apparently the anonymous user
  is a member of "everyone" behind the scenes even though "everyone" does not
  appear in the realm list of groups or roles.
  So, my question boils down to this: Is there a "magic" username in WL7 like
  "guest" was in WL6.1 that can be mapped to the required role name, or must
  every client connection use a true weblogic-created user with appropriate
  role assignments used to map it to the required role name.
  -Greg
  P.S. Note that none of the EJB examples provided with WL used
  <security-role>..
  Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
  www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

  Below are the screen shots for PFCG:

• Role assignment not working

  Hi everyone,
  I am trying to assign different roles to different users for GRC - Risk Management 10.0; however it seems like standard roles don't have any affect on type of activity. I have maintained various levels of roles (e.g. risk owner, risk expert, risk manager, etc) using PFCG and assigned almost every role to the users; but it doesn't give them the authorization to create or edit anything, they can only display.
  The only workaround for this was assigning a role with the authorization object GRFN_USER (with 02 Change value enabled) or assigning SAP_GRC_FN_ALL (Power user role which also contains object GRFN_USER). However this would allow users to do "anything" they want which obviously isn't what I seek.
  I have tried changing customization options such as Maintain Custom Agent Determination Rules and Maintain Entity Role Assignment, it hasn't solved anything so far.
  I urgently require your assistance on this issue. Thank you.
  Regards,
  Seckin

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary

• Changes to a Role are not Reflected

  I have created a role with one BSP iView and assigned the role to a user.  When the user logs in he can see that iView.  Then I have added three more BSP iViews to the role.  But these new BSP iViews are not visible to the user.  The user had logged off and logged on again.  I have deleted the role assignment to the user and then reassigned.  Nothing is working.  Can someone tell me what could be the problem?  I will assign points to helpful posts.

  probablly you may not clear the cache, just clear the cache and check it out.
  to clear cache go to system administration -> navigation -> navigation cache.

• BPM 11g: Adding external application link to process workspace

  Hi,
  In my project, I have a requirement to show a search link the applications panel of the process workspace (link will trigger a ADF application). Currently it is being implemented using a process with a single initiator task. The disadvantage of this approach is that a new instance is created for every new search. It unnecessarily invokes BPM which is not required as there isn't any flow.
  In 10g, we can implement this using a 'Global Interactive Activity'. Is there any equivalent to that in 11g or any other other workaround so that I can only have the application link in the workspace instead of creating a instance every time?
  Thanks,
  Ravi

  HI,
  In 11g you have the concept of Global Links. You can refer to http://docs.oracle.com/cd/E23943_01/user.1111/e15175/bpmug_ext_apps.htm#BACCACGI fro example of how this can be acheived
  I think there are also some samples on java.net for Oracle BPM Suite however this appears to be down at the time of posting so I can not validate this.
  Hope this helps
  Regards Dave

• Re: BPM 11g: Adding external application link to process workspace

  Hello Ravi, did you manage to do what you need? I´m facing the same problem.
  Regards Hernan

  HI,
  In 11g you have the concept of Global Links. You can refer to http://docs.oracle.com/cd/E23943_01/user.1111/e15175/bpmug_ext_apps.htm#BACCACGI fro example of how this can be acheived
  I think there are also some samples on java.net for Oracle BPM Suite however this appears to be down at the time of posting so I can not validate this.
  Hope this helps
  Regards Dave

• Custom Auth. Object with Profile and role assignment not working

  Hi,
  I have created custom Authorization Object with field ACTVT with allowed values - 01,02, 03. Now test it with custom program using AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ' it is working fine and returning sy-subrc 12. At this point i have not created any role using this Auth Object.
  Now I have created custom role ZPM_**** and assigned above Auth object to it with value ACTVT 03. Assigned this role to user.
  When I try to test the above custom program with any ACTVT value it is giving sy-subrc as 0. Used below custom code in program.
  AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ'
              ID 'ACTVT'  FIELD '01'.
  Am I missing anything? The profiles are generated correctly. 
  Best Regards,
  Nilesh

  Below are the screen shots for PFCG:

• BPM 11g workspace not show user from OVD - top most authentication provider

  Hi,
  We have added OVD which connected to LDAP as the top-most authentication provider for myrealm. The order of the providers are:
  (1) OVD (control Flag:SUFFICIENT)
  (2) DefaultAuthenticator(control Flag: REQUIRED)
  (3) DefaultIdentityAsserter
  The users and groups from the OVD are displayed in the weblogic console and are searchable in the OEM when I want to add the user/group to the application role but not in the BPM workspace. I find a related thread:
  Weblogic administrator account is inactive after enabling DB Authenticator
  It seems I did the same but I am still able to login bpm workspace with weblogic id. I guess my BPM does not use OVD for the Authenticator at all and it is still using DefaultAuthenticator. Can anyone please help and let me know what I missed for the setting? Should I put DefaultIdentityAsserter to the 2nd in the provider list to solve this?
  Thanks,
  Helen
  Edited by: Helen on Mar 22, 2011 7:31 AM

  Hi Helen
  Make sure that for the second Authenticator (DefaultAuthenticator) the required Flag is SUFFICIENT. From Weblogic point of view, if it is required, this means that user should and must exist in this provider also. Since you configured external LDAP and say you have something like "mytestuser" in LDAP. I guess you already added this user "mytestuser" to the BPMWorflowAdmin role as per the forum you listed below. But this user may not and will not exist in the default authenticator. So try making it sufficient and see if that works.
  As mentioned in my earlier post, I do have LDAP cconfigured to my BPM Domain and this is the first in the order of providers. I added a user from this LDAP into workflow admin role in em. I could login into bpm/workspace and see adminstrator link.
  Thanks
  Ravi Jegga