BW security profiles for BPC

Similar Messages

• Override Security Profile for one employee

  Hi
  I have one employee who works in 'Accounts Department' and the HR user of accounts department can see only the employees of Accounts Department based on the security profile. This is working fine. But theres a different requirement. Some employees are transferred to other departments for 3-6 months for different purposes. During this time also the HR user of accounts department needs to view this employees details due to HR policies and procedures. Can we achieve this? If yes, how?
  - Gulzar

  Q 1 - When Employee is transferred from Dept 1 to Dept 2 for 6 months, Should the HR for both Dept 1 and Dept 2 be able to see his details for 6 months?
  Q 2 - After 6 months period, employee's organization is again updated to Dept 1, should again HRs of both Dept 1 and Dept 2 be able to see his details even after the 6 months period?
  Q 3 - If answer for Q 2 is - "after 6 months period, only HR of Dept 1 should see his details" , how to identify Employee's home department? Will it be the Employee's Organization effective as of Employee's hire date?

• Minimum Security Profile for CCMS?

  Does anyone know the minimum security profile or roles needed to read counters for CCMS?
  I have added the following roles to a test user:
  SAP_BC_BASIS_ADMIN
  SAP_BC_BASIS_MONITORING
  SAP_BC_CSMREG
  I have added NO profiles to this test user.
  I noticed when I try to retrieve data using an in-house program operating under this user, all values are always 0.00
  However, once I add the profile S_A.SYSTEM, I can see actual values of 25.00 or 8.00, etc.
  Unfortunately, S_A.SYSTEM is too powerful to use -- is there a different, minimum profile I can use to access CCMS metrics from a in-house program?
  Much appreciated.

  Hi,
  S_RZL_ADM authorization is required to administer CCMS. Please check if the SAP PDAGs that you are assigning have this authorization object. If not, you may experience similar errors.
  Also, refer SAP Note 135503 to identify the configuration parameters information required to work with CCMS.
  Hope this helps!!
  Regards,
  Raghu

• Security profiles for configurators and developers

  hello experts,
  is there a generic (standard) profile for:
  1) functional configurators that are not allowed to touch development objects, and
  2) developers that are not allowed to perform functional configuration?
  I am familiar with the S_DEVELOP authorization object; is there a way to exclude the customizing tables from the list of objects?

  Tiberiu,
  You cannot disable (deactivate) them all at once. You will need to disable 1 object at a time. Like I said, this option is cumbersome, but it will make sure that your Functional Consultants do not have access to Basis Objects and still have access to all the Functional ones.
  In case you are not aware of how to copy sap_all in a role, do this.
  1 Create a role using PFCG
  2. Go to the Authorizations tab
  3. Click change
  4. Copy sap_all from the list of profiles that you will get.
  5 To disable, you will need to go to each object and click on the small green rectangle/square to the left. It will say "deactivate" if you place your mouse cursor on it.
  A few more comments/suggestions from my side
  Workout with your team to whom you want to provide the access.Let them(functional team) come with what access they need and accordingly provide the access.
  If you can do that, great ! If the Functional Team members are non-cooperative, then you don't really have a choice. Again, if this is a Prod system, don't do what I said. That is too liberal an access. If it is Dev it should be okay. QA is also debatable.
  Inactivate the objects which are not needed and provide display activity for the objects which you are not sure.
  I would say disable the objects that you are not sure about rathar than giving Display access. Display access to S_TABU_DIS can be an audit issue in some cases.
  There will still be some authorization issues since some transactions change tables. But you can always add the ones needed.
  Kunal

• Enabling Secure Profile for ColdFusion Administrator

  This question was posted in response to the following article: http://help.adobe.com/en_US/ColdFusion/10.0/Admin/WSf23b27ebc7b554b629cab0421369741d5a7-80 00.html

  Currently, the last sentence contains "comma separate".  The "comma separate" should be "comma-separated" (pls see: http://en.wikipedia.org/wiki/Comma-separated_values).
  I'd probably also change "Further, you could provide" to "Further, you can provide" (since the 2nd sentence begins w/ "When installing ColdFusion, you can enable").  Basically, using "can" in both places (instead of both "can" and "could").
  Thanks!,
  -Aaron

• Secure Profile for ColdFusion Administrator

  This question was posted in response to the following article: http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSf23b27ebc7b554b6-6edc2fbc1373b350 f26-8000.html

  x

• How to restrict employees from accessing managers data using custom security profile

  Hi,
  I am using custom security profile for restricting the employees from accessing supervisors details(PG.SEGMENT2=4). I have written the custom code as below :
  Responsibility :US Super HRMS Manager
  ASSIGNMENT.PERSON_ID
  IN
  (SELECT PAF.PERSON_ID FROM PER_ALL_PEOPLE_F PAF,
  PER_ALL_ASSIGNMENTS_F PF,
  PAY_PEOPLE_GROUPS PG,
  PER_PERSON_TYPE_USAGES_F PPU,
  FND_USER FNU
  WHERE PAF.PERSON_ID=PF.PERSON_ID
  AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE
  AND PAF.EFFECTIVE_END_DATE
  AND PF.PEOPLE_GROUP_ID=PG.PEOPLE_GROUP_ID
  AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
  AND PPU.PERSON_ID=PAF.PERSON_ID
  AND PPU.PERSON_ID=PF.PERSON_ID
  AND :EFFECTIVE_DATE BETWEEN PPU.EFFECTIVE_START_daTE AND PPU.EFFECTIVE_END_DATE
  AND PAF.PERSON_ID=FNU.EMPLOYEE_ID
  AND PAF.PERSON_TYPE_ID =2
  AND PPU.PERSON_TYPE_ID
  IN(2,62)
  and PAF.person_id = FND_PROFILE.value('user_id')
  AND PG.SEGMENT2=8)
  and using "restrict the people visible to each other using this profile".
  I have assigned the security profile to HR user responsibility
  But when I query the supervisor name in HR User responsibility , it is not restricting me from viewing supervisor details.
  When I query for first time, its restricting me to view others details, but when I close that click on torch button and try searching, its allowing me to access manages details.
  Can any one please let me know what setups need to be done for restricting employees from viewing supervisors data.
  I have gone through the document "Understanding and Using HRMS Security in Oracle HRMS" but didn't got any idea.
  Please suggest.
  Thanks & Regards,
  Anusha.

  Hi All ,
  i solved the problem by using event 01 of header view and using the table "Extract" .
  Regards,
  Neha

• R12 Security Profiles

  Hi- novice here. I do this: select security_profile_id, security_profile_name
  from per_security_profiles
  If I do the above query, I get values like:
  1508 SECCPF5O
  1509 SECCPF5P
  1510 SECCPF5R
  1511 SECCPF5T
  1512 SECCPF5V
  1513 SECCPF5W
  1514 SECCPF5X
  These are security profile names. My client uses these to decide what data a user can see when they log in. What the custom code is doing is comparing that security profile name (formerly secure_oracle_username in 10.7) with the user that is logged in and lets the user see specific data based on this.
  The thing is, user names are not the above SECC% name. I need to know where in the database (tables or forms) I can find the relation between who is logged in (user name) and the security profile for each. Is there a table to coorolate the two? I assume all users have a security profile attached to them correct? Is there a form I can navigate to in order to see/assign this? If so, I can examine that form and find the tables.
  Thanks in advance for your input.

  Pl post details of OS, database and EBS versions.
  Pl see if these MOS Docs can help
  Understanding and Using HRMS Security in Oracle HRMS          (Doc ID 394083.1)
  Secure Users Functionality in Release 11          (Doc ID 50850.1)
  You Have Installed, Now Before You Setup, Read This! - HR Shared          (Doc ID 116376.1)
  More information is in the "Oracle HRMS Configuring, Reporting, and System Administration Guide" for your release at http://www.oracle.com/technetwork/documentation/applications-167706.html
  HTH
  Srini

• 11.5.9 - Security profile

  Hi,
  A HR user is having full access to view employees from all organization, but now, we have to exclude one of the department, so tht this user should not view employees from the excluded department (say 'Development' org).
  Is it possible to do it without creating a new responsibility (because only one user is going to use this) ? Can we do it thru custom security profile (restict this user to view employees from all departments except 'Development' department).?
  Thanks in advance.

  In later releases you have 'User-based' security which would allow you write a Custom Restriction that does something like:
  ((fnd_profile.value('USER_NAME') = 'ONE_USER' and ASSIGNMENT.organization_id <> 123) OR fnd_profile.value('USER_NAME') <> 'ONE_USER')
  However, in 11.5.9 user-based custom security doesn't exist so I think you're out of luck.
  If you're enabled Multiple Security Groups - and it sounds like you haven't - you assignment Responsibilities and Security Profiles to individual users, rather than assigning Security Profiles to Responsibilities. With Multiple Security Groups you could simply create a new Security Profile for this one user and assign that.
  However, if you don't have Multiple Security Groups - and I don't recommend you implement it for this because it has many implications - then it's a new responsibility I'm afraid.

• Is there a way to enable delta for BPC transaction loads ?

  Hi,
  I am using Data Management package methodology to load data from BI to BPC.
  Created Transformation file, created Data management package to download the data from Infoprovider and run the package to load the data from BI cube to BPC application.
  everytime i run the package all the data from Infoprovider is read and will feed the application.So is there a way to delta enable the load from BI cube ?
  does this method work for volumes ? what is the best practice for BPC NW to load the transaction data from BI to BPC.
  thoughts appreciated.
  Regards

  Hi,
  Thanks for the information.Your blog is really a savior.
  I have followed the steps for automating the DM package.I have created prompt file based on the log file generated from the successful run of the package and i have entered all the required fields in UJD_TEST_PACKAGE programe along with Answer prompt file and i ran the package then some of the records were rejected with error "No authorization for members()on dimension()" and in the detaile log i saw "Cannot access the member (ACTUAL) of dimension (C_CATEGORY)" as the rejected records.
  Other hand if i run the package directly in excel client > Run Data management package then the package runs succesfully without any errors.
  I have checked the authorizations in Admin Client and i have full Member Access profile.Also checked C_Category is not a secured dimension.
  what it has to do with C_CATEGORY dimension??
  do we need any special authorisations while we run through the program? even in BI i have sap_all profile.
  Pls help.

• Member Access Profile in BPC

  Hi,
  I have some doubts w.r.t Member access profile in BPC. We have Entity and Category as secured dimension. Entity is read only (All members). Category is R/W (All members).
  1) If i add a third row, and deny only one base member of Entity, whether it will work fine? Which definition system will accept? Read or deny?
  2) In the above scenario, if i run the report on summary node of hierarchy (which has a denied base member), whether i will be able to read the values at summary node level.
  3) When i say Entity members are read only .. cant i do input using input schedules for those entities?
  4) How we need to copy these BPC authorizations to BI in BPC 7.0 (NW). Do we need to recreate these authorization concept in BI or the authorizations i define in BPC 7.0 (NW) are valid for BI also. In this case, if i run a report on BPC cubes using query designer in BI, how authorizations are checked?
  Please suggest.
  Thanks/regards,
  Lokesh Nandula

  Hi Lokesh
  I will try to answer your questions:
  1+2) If you give read/write access to a "Parentmember" all these settings are applied to all childs of this member. So if you give  Read Access to a Parent the User will be able to see everything under this Member.
  3) If you have Read Only on a Member, you cant send Data to the Database via Inputschedule.
  If you have Read Only on the whole Entity Dimension you cant do any posting in the whole cube, regardless of the settings in Category Dimension (but I think this is clear in Multidimensional Systems)
  4) Unfortunatly in Germany the RampUmp Version of BPC7NW is still not shipped, so I cant answer on this point
  Regards
  Jörg

• WINDOWS DOMAIN FOR BPC NW

  Hi Guys,
  Client Says ---donu2019t have fully qualified domain, only uses the local domain (which is nothing but the server name, on which BPC server is installed)
  All users are now been created on the BPC server machine. Related security profile is been assigned to the users, using BPCSYSADMIN ID.
  Is it the right way??
  Do you guys suggest some solution for it

  Dear RaciMishra,
  I did not say you have to create a Domain / Window AD. Please you follow me step-by-step how to add new user in BPC NW:
  1. Create a new user Group in Window.
  2. Assign all BPC users into the user Group Which you have created in step 1
  3. Open BPC Server Manager and choose menu "Options >> Define System User Groups"
  4. Input your user group name, group description, domain type (Local Windows), domain name
  5. Add a new users through BPC Administrator console, choose the user Group name (step 1) and BPC will provide all users name
  Kind Regards,
  Wandi Sutandi
  Edited by: wandi sutandi on Mar 21, 2011 9:11 PM

• In R12.1.3, MO:Security Profile Vs HR:Cross Business Group precedence

  Hi All,
  In R12.1.3, Which profile option has higher precedence in MOAC structure.
  If i set the HR:Cross Business Group to NO at resp level and MO: Security Profile, which is associated to Global Security Profile which has two OUs of two different BGs.
  For example:
  I have BG1 - OU1
  BG2 - OU2
  Case 1:
  Global Security Profile - XXGSP has both OU1(BG1) and OU2(BG2) associated.
  HR:Cross Business Group - NO
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 2:
  Global Security Profile - XXGSP has both OU1(BG1) and OU2(BG2) associated.
  HR:Cross Business Group - Yes
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 3:
  Global Security Profile - XXGSP has both OU1(BG1) associated.
  HR:Cross Business Group - NO
  HR:Cross Business Group - BG2
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 4:
  Global Security Profile - XXGSP has both OU1(BG2) associated.
  HR:Cross Business Group - Yes
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU2?
  Regards,
  Soorya

  Hi Soorya,
  We are in a similiar situation and I was wondering if you have received an answer or how you proceeded?
  Thanks,
  Cathy

• JSPM: Error while detecting start profile for instance with ID _c.

  Hi Experts,
  we have an error when we start JSPM with message "cannot initialize application data. Error while detecting start profile for instance with ID _c." . Until now nothing has been updated yet. The system can be started up and shut down without any problem. The profiles are found in /usr/sap/PMA/SYS/profile
  Our BI system is currently Netweaver 7.0 with SPS14. We plan to update it to SPS20. But when we start JSPM, we have abover error.
  could somebody give a help? Thank you very much.
  Rongfeng
  P.S. the log file DETECT_SYSTEM_PARAMETERS_01.LOG:
  <!LOGHEADER[START]/>
  <!HELP[Manual modification of the header may cause parsing problem!]/>
  <!LOGGINGVERSION[1.5.3.7185 - 630]/>
  <!NAME[/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/log/log_2009_11_18_10_28_50/DETECT_SYSTEM_PARAMETERS_01.LOG]/>
  <!PATTERN[DETECT_SYSTEM_PARAMETERS_01.LOG]/>
  <!FORMATTER[com.sap.tc.logging.ListFormatter]/>
  <!ENCODING[UTF8]/>
  <!LOGHEADER[END]/>
  #1.5^H#C000995FC0200000000000207BD47BD40004789C01294DB0#1258511336558#/System/Server/Upgrade/JSPM##com.sap.sdt.jspm.gui.InitialParametersDetector.initializeJspmDataModel(InitialParametersDetector.java:397)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.jspm.gui.InitialParametersDetector.initializeJspmDataModel(InitialParametersDetector.java:397)#Java###Initializing JSPM data model...##
  #1.5^H#C000995FC0200000000000217BD47BD40004789C01295968#1258511336561#/System/Server/Upgrade/JSPM##com.sap.sdt.jspm.gui.InitialParametersDetector.detectProfileDirectory(InitialParametersDetector.java:1468)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.jspm.gui.InitialParametersDetector.detectProfileDirectory(InitialParametersDetector.java:1468)#Java###Detected profile directory .#1#/usr/sap/PMA/SYS/profile#
  #1.5^H#C000995FC0200000000000227BD47BD40004789C0141AFE0#1258511338156#/System/Server/Upgrade/JSPM##com.sap.sdt.jspm.gui.InitialParametersDetector.detectDb(InitialParametersDetector.java:936)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.jspm.gui.InitialParametersDetector.detectDb(InitialParametersDetector.java:936)#Java###Detecting the parameters of the database...##
  #1.5^H#C000995FC0200000000000237BD47BD40004789C014205D0#1258511338178#/System/Server/Upgrade/JSPM##com.sap.sdt.db.dmtif.AbstractDMTController.execute(AbstractDMTController.java:261)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.db.dmtif.AbstractDMTController.execute(AbstractDMTController.java:261)#Java###Executing command with arguments .#2#dbinfo#/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/config/DBINFO.XML#
  #1.5^H#C000995FC0200000000000247BD47BD40004789C01421570#1258511338182#/System/Server/Upgrade/JSPM##com.sap.sdt.tools.proc.JavaOsProcessController.logProcessInfo(JavaOsProcessController.java:41)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.tools.proc.JavaOsProcessController.logProcessInfo(JavaOsProcessController.java:41)#Java###Java process ID , name has been started.#2#5#com.sap.sdt.dmt.main.DMT#
  #1.5^H#C000995FC0200000000000257BD47BD40004789C01421958#1258511338183#/System/Server/Upgrade/JSPM##com.sap.sdt.tools.proc.JavaOsProcessController.logProcessInfo(JavaOsProcessController.java:54)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.tools.proc.JavaOsProcessController.logProcessInfo(JavaOsProcessController.java:54)#Java###Command line: #2#  #/opt/IBMJava2-amd64-142/jre/bin/java -cp .:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/sdt_dmt.jar:/oracle/client/10x_64/instantclient/ojdbc14.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/jddi.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/opensqlsta.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/tc_sec_secstorefs.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/frame.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/exception.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/logging.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/jperflib.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/lib/util.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/./lib/tc_sec_secstorefs.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/./lib/exception.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/./lib/logging.jar:/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/./lib/opensqlsta.jar:/sapmnt/PMA/global/security/lib/tools/info/IAIKSecurityFS.list:/sapmnt/PMA/global/security/lib/tools/iaik_jce.jar:/sapmnt/PMA/global/security/lib/tools/iaik_smime.jar:/sapmnt/PMA/global/security/lib/tools/iaik_jsse.jar:/sapmnt/PMA/global/security/lib/tools/w3c_http.jar:/sapmnt/PMA/global/security/lib/tools/iaik_ssl.jar:/sapmnt/PMA/global/security/lib/engine/info/IAIKSecurityFS.list:/sapmnt/PMA/global/security/lib/engine/iaik_jce.jar com.sap.sdt.dmt.main.DMT -rootdir=/usr/sap/PMA/DVEBMGS10/j2ee/JSPM -descriptor=csrt29_PMA -logfile=/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/log/log_2009_11_18_10_28_50/DMT_01.LOG dbinfo /usr/sap/PMA/DVEBMGS10/j2ee/JSPM/config/DBINFO.XML#
  #1.5^H#C000995FC0200000000000267BD47BD40004789C01422128#1258511338185#/System/Server/Upgrade/JSPM##com.sap.sdt.tools.proc.JavaOsProcessController.logProcessInfo(JavaOsProcessController.java:55)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.tools.proc.JavaOsProcessController.logProcessInfo(JavaOsProcessController.java:55)#Java###Standard out: #2#  #/usr/sap/PMA/DVEBMGS10/j2ee/JSPM/log/log_2009_11_18_10_28_50/DMT_01_01.OUT#
  #1.5^H#C000995FC0200000000000277BD47BD40004789C01424838#1258511338195#/System/Server/Upgrade/JSPM##com.sap.sdt.tools.proc.OsProcessController.launch(OsProcessController.java:126)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.tools.proc.OsProcessController.launch(OsProcessController.java:126)#Java###Process ID has been started.#1#5#
  #1.5^H#C000995FC0200000000000287BD47BD40004789C014253F0#1258511338198#/System/Server/Upgrade/JSPM##com.sap.sdt.tools.proc.OsProcessController.waitFor(OsProcessController.java:182)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.tools.proc.OsProcessController.waitFor(OsProcessController.java:182)#Java###Waiting for process ID , name to finish.#2#5#java#
  #1.5^H#C000995FC0200000000000297BD47BD40004789C017402B0#1258511341454#/System/Server/Upgrade/JSPM##com.sap.sdt.tools.proc.OsProcessController.waitFor(OsProcessController.java:215)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.tools.proc.OsProcessController.waitFor(OsProcessController.java:215)#Java###Process ID , name has been finished, exit code .#3#5#java#0#
  #1.5^H#C000995FC02000000000002A7BD47BD40004789C01741638#1258511341459#/System/Server/Upgrade/JSPM##com.sap.sdt.db.dmtif.AbstractDMTController.execute(AbstractDMTController.java:273)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.db.dmtif.AbstractDMTController.execute(AbstractDMTController.java:273)#Java###Command has been executed.#1#dbinfo#
  #1.5^H#C000995FC02000000000002B7BD47BD40004789C017421F0#1258511341462#/System/Server/Upgrade/JSPM##com.sap.sdt.jspm.gui.InitialParametersDetector.detectDb(InitialParametersDetector.java:984)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.jspm.gui.InitialParametersDetector.detectDb(InitialParametersDetector.java:984)#Java###Detection of the parameters of the database has finished. Database type is , database name is and database version is .#3#ORA#Oracle#10.2.0.2.0#
  #1.5^H#C000995FC02000000000002C7BD47BD40004789C01744CE8#1258511341473#/System/Server/Upgrade/JSPM##com.sap.sdt.j2ee.tools.sysinfo.AbstractInfoController.updateProfileVariable(AbstractInfoController.java:284)#######Thread[main,5,main]##0#0#Info#1#com.sap.sdt.j2ee.tools.sysinfo.AbstractInfoController.updateProfileVariable(AbstractInfoController.java:284)#Java###Parameter has been detected. Parameter value is .#2#/J2EE/StandardSystem/DefaultProfilePath#/usr/sap/PMA/SYS/profile/DEFAULT.PFL#
  Sorry, I don't know how to format post 
  Edited by: Rongfeng Shi on Nov 18, 2009 4:20 AM

  Hi Rongfeng,
  There is not much information about the error in the log file you have pasted above.
  Please repeat the issue and catch the log files once again.
  Are you able to open SDM ?
  Best Regards
  Raghu

• WS-Security and proxy service: Unable to add security token for identity

  What the reason of "Unable to add security token for identity" fault in this situation (10.3.1):
  I did simple "hello word" proxy service and tried to apply custom policy binding.
  WS-Policy is next:
  <wsp:Policy wsu:Id="WS-Policy-Siebel"
       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <wssp:Identity
            xmlns:wssp="http://www.bea.com/wls90/security/policy">
            <wssp:SupportedTokens>
                 <wssp:SecurityToken
                      TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
                      <wssp:UsePassword
                           Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" />
                 </wssp:SecurityToken>
            </wssp:SupportedTokens>
       </wssp:Identity>
  </wsp:Policy>
  Process WS-Security is setted to "yes".
  While debugging I see that all works fine - I can authenticate with defined credentials and breakpoints in proxy service flow works fine.
  But at the end I get the fault:
  Soap fault:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
  <env:Fault>
  <faultcode>env:Server</faultcode>
  <faultstring>Unable to add security token for identity</faultstring>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  In console:
  <09.06.2010 17:39:18 MSD> <Error> <OSB Security> <BEA-387023> <An error ocurred during web service security inbound response processing [error-code: F
  ault, message-id: 1721282272521583996--57dc4ccc.1291cc2282d.-7fab, proxy: OSB Project WS-Security/WSSecurityService, operation: NewOperation]
  --- Error message:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Un
  able to add security token for identity</faultstring></env:Fault></env:Body></env:Envelope>
  weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token for identity
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processIdentity(SecurityPolicyDriver.java:175)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:73)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:64)
  at weblogic.wsee.security.WssServerHandler.processOutbound(WssServerHandler.java:88)
  at weblogic.wsee.security.WssServerHandler.processResponse(WssServerHandler.java:70)
  Truncated. see log file for complete stacktrace
  Incoming soap message is:
  <soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security      soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken      wsu:Id="unt_TNNp0cBwU7HyPKoq" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:Username>testuser</wsse:Username>
  <wsse:Password      Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testuser</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soap:Header>
  <soapenv:Body>
  <wss:NewOperation      xmlns:wss="http://www.troika.ru/Enterprise/WSSecurityService/">
  <in>string</in>
  </wss:NewOperation>
  </soapenv:Body>
  </soapenv:Envelope>
  Edited by: Andrey L. on Jun 9, 2010 5:55 PM

  I thought you were getting that exception when accessing the proxy.
  No. Authentification works fine. Proxy body works fine. But at the end of proxy appears the exception.
  Sorry for my english - I tried to show this situation on image: http://imglink.ru/show-image.php?id=9c0e0c1719f00289faf11696c6703bc3
  Are you getting this exception when routing to a business service which is configured for WS-Security ??
  I don't use business service in this test project - only simple proxy service with all logic inside.
  PS transformation in replace action is very simple too:
  (:: pragma bea:global-element-parameter parameter="$newOperation1" element="ns0:NewOperation" location="WSSecurityService.wsdl" ::)
  (:: pragma bea:global-element-return element="ns0:NewOperationResponse" location="WSSecurityService.wsdl" ::)
  declare namespace ns0 = "http://www.troika.ru/Enterprise/WSSecurityService/";
  declare namespace xf = "http://tempuri.org/OSB%20Project%20WS-Security/Hello/";
  declare function xf:Hello($newOperation1 as element(ns0:NewOperation))
  as element(ns0:NewOperationResponse) {
  <ns0:NewOperationResponse>
  <out>Hello, { data($newOperation1/in) }!</out>
  </ns0:NewOperationResponse>
  declare variable $newOperation1 as element(ns0:NewOperation) external;
  xf:Hello($newOperation1)
  Edited by: Andrey L. on Jun 10, 2010 12:21 PM