Can I map iwtUser-role to an attribute in external LDAP???

Similar Messages

• When to set iwtUser-role and other per user schema using custom athentication?

  I have written my own authentication module and would like to set per user schema on login. Can I write iwtUser-role, iwtCalendarProvider-calendarUserPassword, etc from the authentication class?

  Yes you can, after the authentication is complete you get the profile object and then set whatever value you want to set for particular attributes you want to set ..

• How to map Application Roles to Enterprise Roles

  Hello,
  i am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if i do not have it??
  Can i map the roles in WebLogic Server itself? I have searched for such ability and did not found it. Also have not seen any tutorial on the internet. Someone help me pls.
  The version i am using is 12.1.2.0.0.

  Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
  Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
  Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
  Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
  2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
  You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
  See : Managing Security Across Portals for more info :
  http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
  3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
  First, You can grant privileges to a specified group (say sales group) of users by granting Enterprise Roles in Enterprise LDAP.
  Next, Create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc) and assign the appropriate permissions as explained above.
  Then, You can assign one or more Application Roles to a specified group (say sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> users & Groups
  I hope it helps.

• Map wls roles to application roles

  how can i map weblogic roles to my application roles ?
  already, i config db authentication in wls
  but how can i map it to jazen-data.xml file ?

  Hi,
  either you create the same roles in jazn-data.xml in which case they are automatically used after deployment or you have a look at how to map user groups (not application roles) created in jazn-data.xml to WLS groups using the weblogic.xml file
  Frank

• Map security roles to group within LDAP using external 3rd Party LDAP

  I'm haveing a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory succsfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to group within Active Directory? Below are details about my configuration.
  Any help would be greatly appreciated.
  Log.xml log entry that confirms webtA is communicating successfully with AD.
  SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
  </PAYLOAD>
  </MESSAGE>
  <MESSAGE>
  <HEADER>
  </CORRELATION_DATA>
  <PAYLOAD>
  <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
  </PAYLOAD>
  </MESSAGE>
  <MESSAGE>
  <HEADER>
  Error reported in the log
  <MESSAGE>
  <HEADER>
  <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
  <COMPONENT_ID>j2ee</COMPONENT_ID>
  <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
  <MSG_LEVEL>16</MSG_LEVEL>
  <HOST_ID>F2287032-W</HOST_ID>
  <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
  <MODULE_ID>security</MODULE_ID>
  <THREAD_ID>14</THREAD_ID>
  <USER_ID>wmgraham</USER_ID>
  </HEADER>
  <CORRELATION_DATA>
  <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
  </CORRELATION_DATA>
  <PAYLOAD>
  <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
  </PAYLOAD>
  </MESSAGE>
  Web.xml Logical Role definition
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>allpages</web-resource-name>
  <url-pattern>/servlet/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>WEBTA_J2EE_USER</role-name>
  </auth-constraint>
  </security-constraint>
  <security-role>
  <role-name>WEBTA_J2EE_USER</role-name>
  </security-role>
  Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
  <security-role-mapping name="WEBTA_J2EE_USER">
  <group name="webta"/> <-- Group defined in AD -->
  </security-role-mapping>

  What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
  When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
  In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
  Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

• Mapping ABAP roles and assignments to EP UserGroups and EP Roles

  Hello.
  I have set up my EP7 UME to upload ABAP roles as Portal Groups . Im expecting the ABAP role to user assignment to also reflect as EP Group to User assignment.
  All my roles that 'exist' in the ABAP source system are created in EP7 correctly as expected. However, only "direct" user to role assignments are uploaded. NONE of my "indirect" user to role assignments (ie: Via HR Org in ABAP system) are reflected in EP.
  Qtn: Is there a way I can encorporate indirect user-role assignments into the upload into EP as well ??
  Thanks
  Andrew
  ps: I have played with HR org active switch in vain in ABAP syst

  Hi Kumar,
  Have you tested the connection of your R3 system?
  Do you want to connect to the ABAP UME?  If so do the following:
  1.     Logon to the portal as administrator
  2.     Go to:
  1.     System Administrator
  2.     System Configuration
  3.     UME Configuration
  4.     Click Modify Configuration
  5.     From the drop down select ABAP system
  Fill in the details for your system. 
  Click on the User Mapping tab
  Click on the reference system combo box and select the relevant system
  (in this case R3)
  Click on the ‘Test Connection button’.  If the test has been successful you should get a ‘Connection test successful’. ~<b>It is important to test the connection before saving otherwise this could cause you lots of problems!</b>
  Thanks,
  Nick

• Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

  Hi
  I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
  This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  Any help or suggestions on the above would be appreciated.
  Thanks and Regards
  Arun R

  Hi
  1. Can we integrate both structural authorizations and position based role mapping in one system?
  Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
  2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
  No, the SAP role is unique to the postion it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the sap role directly to the user in SU01/SU01
  3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
  Create user in SU01.SU10 first before creating infotype 105 in PA30.
  4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
  *When a users assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.   
  Also the number of days an employee can have access to their previous data is controlled by the parameter is called ADAYS - tx OOAC .  SAP currently defaults this to 15 days and this is used  to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
  Hope this helps.
  Charmaine

• Problem mapping LoginModule roles to ejb security roles

  I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
  PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
  LoginContext lc = new LoginContext("current-workspace-app", cbh);
  lc.login();
  I then perform a lookup on a bean using the same user:
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
  env.put("java.naming.security.principal",username);
  env.put("java.naming.security.credentials",password);
  env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
  Context ic = new InitialContext(env);
  final SessionEJBHome sessionEJBHome =
  (SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
  Finally, I create an instance of the bean and call a method of this bean.
  SessionEJB sessionEJB;
  sessionEJB = sessionEJBHome.create( );
  sessionEJB.testMe( );
  I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
  "username is not allowed to call this EJB method"
  When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
  Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
  Thanks
  PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• How to map CRM roles to EP roles

  Hello,
  I have created one coordinator roles in CRM and assigned to one user.
  Assigned defualt EP role also, but user is not getting any worksheets and ivews.
  How can we map the CRM roles to EP roels.
  Thanks
  Purna

  Purna,
  The portal roles drive the iView, workhseet, etc. The backend CRM roles give the needed authorization to run CRM.
  I assume your CRM Coordinator role is a custom role, you can either assign the standard CRM Portal Roles that provide the related iView for that backend role or create new CRM Portal Role using Content Admin. You can find the standard CRM portal roles by User Admin, change Search Criteria to Role and uses crm.
  Don't forget to check the permission on your new portal roles.
  Good luck.
  Lye
  Hope this

• AD to OID mappings - can you map telephonenumber in activechg.map

  Noticed the Telephone number attribute does not map automatically.
  Can you map the "telephonenumber" attribute like below?
  AD >>> OID using activechg.map
  telephoneNumber:::organizationalperson:telephonenumber::inetorgperson
  Thxs

  That worked - it mapped the telephone number.

• Please help with OWB Mapping for Children Parent relationship attributes.

  Hi there,
  I am pretty new to Oracle Warehouse Builder (Ver10.2.0.3). If you have attempted the following, appreciate if you can share your knowledge.
  I have to create a mapping to populate the following attributes in a Children Parent relationship mapping.
  1. isleaf
  2. path
  3. descendant_level
  4. parent_level
  5. descendant_order (tree walking)
  6. root_parent
  Please refer to the following SQL which is based on the scott/tiger EMP table. This SQL generates me the above attributes correctly.
  select h.*,
  nvl(i.descendant_level,0),
  nvl(j.parent_level,0),
  row_number()
  over(partition by SUBSTR(path, 2, INSTR(SUBSTR(path, 2)||'/','/')-1 ) order by ROWNUM) - 1 DESCENDANT_order,
  SUBSTR(path, 2, INSTR(SUBSTR(path, 2)||'/','/')-1 ) parent
  from (select
  emp.empno,
  emp.ename,
  emp.mgr,
  decode(connect_by_isleaf,0,'N',1,'Y') isleaf,
  sys_connect_by_path(emp.empno,'/') path
  from emp
  CONNECT BY MGR = PRIOR EMPNO) h,
  (select
  level descendant_level,
  emp.empno
  from emp
  CONNECT BY MGR = PRIOR EMPNO
  start with mgr = 7839) i,
  (select
  level parent_level,
  emp.empno
  from emp
  CONNECT BY MGR = PRIOR EMPNO
  start with mgr = 7839) j
  where h.empno = i.empno(+)
  and SUBSTR(path, 2, INSTR(SUBSTR(path, 2)||'/','/')-1 ) = j.empno(+)
  order by nvl(parent_level,0),nvl(descendant_level,0),DESCENDANT_order
  I searched OTN and found the following document:-
  http://blogs.oracle.com/warehousebuilder/newsItems/viewFullItem$10
  I tried all the 3 variations of the expression below in my FILTER condition.
  CONNECT BY INOUTGRP1.MGR = PRIOR INOUTGRP1.EMPNO
  CONNECT BY INOUTGRP1.MGR = PRIOR INOUTGRP1.EMPNO START WITH INOUTGRP1.ENAME = 'KING'
  START WITH INOUTGRP1.ENAME = 'KING' CONNECT BY INOUTGRP1.MGR = PRIOR INOUTGRP1.EMPNO
  When I tried to validate each of the above expression, it came back with the following error:-
  'ORA-00936 missing expression' error.
  Hope someone can help me with the above or better still have done the above and can sent me an MDL export file.
  Thanks in advance.
  Regards
  Rudy

  Hi Carsten,
  Thanks for your help.
  Oracle Support provide me the solution. I have to do the following:-
  1. Set the mapping's "Default Operating Mode" and "Generation Mode" to 'Set Based'
  2. Changed the Filter condition to "CONNECT BY PRIOR INOUTGRP1.EMPNO = INOUTGRP1.MGR"
  You right, the Filter condition still produce an error 'ORA-00936 - missing expression' when I tried to 'Validate', but it deployed and executed successfully.
  Again thanks for your help.
  Regards
  Rudy

• Can we map three BPC users with single domain user

  Hi..
  When we map the three BPC users in the ABAP server in the program UJA3_WRITE_SYS_USERS with domain user,can we map with only one domain user for all three BPC users or we have to use three different domain users to map the three BPC users?
  Please do reply
  Thanks
  Bobby

  yep
  u can map three bpc user with single domain user.
  but domain user must have management roles.

• Creating/Mapping security roles without authentication

  Hello all, I am new to WebLogic 9.1, and I appreciate your help in advance.
  I have an HTTP header pre-populated with the roles a logged-in user has (these roles are defined outside websphere), and the user has already been authenticated.
  I want to map each role from my header to a URI configured in weblogic, so it can authorize/deny access to that page within the container, based on the role in the header.
  What would be a good approach to doing this? I have been looking through the security documentation, and I am a bit overwhelmed, I'm not sure where to begin.
  Thanks

  Hi,
  1) as said, nothing prevents you from building a JAAS LoginModule that does what you need - e.g. authenticate a user against LDAP, then connect to the database and query for his/her user roles. You can't have container managed authorization without authentication though.
  There will be a change in API in JDeveloper 11 (and most likely in JDeveloper 10.1.3.4 - upcoming) that allows you to set a Subject into the OC4J context, in which case you don't need container managed autehntication. However, I don't have it tested yet and can't tell to what extend this would be useful
  3) Sure, you can build a JAAS LoginModule that doesn't care for authentication. However, this doesn't work with container managed security. As far as I am aware, the only option to not show a login dialog is to use certificates. And certificates are not yet to use with custom LoginModules. So the above mentioned API - that is available as a backported patch for 10.1.3.1 - might do the trick
  Frank

• XSLT Mapping of Adapter-Specific Message Attributes

  Hi,
  We have the requirement to build a soap request with a custom soap envelop/header which contains a sessionId.
  Therefore we developed a xlst mapping which is called directly after a graphical mapping.
  In the graphical mapping the session id is written to the dynamic configuration.
  The goal is to read this session id in the xslt mapping from the dynamic configuration using XSLT Mapping of Adapter-Specific Message Attributes. We used  [this|http://help.sap.com/saphelp_nwpi711/helpdata/en/43/03fe1bdc7821ade10000000a1553f6/content.htm] documentation as an example.
  But we are getting the following error: TransformerConfigurationException triggered while loading XSLT mapping. The error is raised at this node: <xsl:variable name="dynamic-conf" select="map:get($inputparam, 'DynamicConfiguration')" />
  This is the coding of the xslt transformation:
  <?xml version="1.0" encoding="utf-8"?>
  <xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:ns1="urn:enterprise.soap.sforce.com"
        xmlns:map="java:java.util.Map"
        xmlns:dyn="java:com.sap.aii.mapping.api.DynamicConfiguration"
        xmlns:key="java:com.sap.aii.mapping.api.DynamicConfigurationKey">
  <xsl:output indent="no" />
  <xsl:param name="inputparam"/>
  <xsl:template match="/">
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:enterprise.soap.sforce.com">
  <soapenv:Header>
  <urn:SessionHeader>
  <xsl:variable name="dynamic-conf" select="map:get($inputparam, 'DynamicConfiguration')" />
  <xsl:variable name="dynamic-key" select="key:create('http://sap.com/xi/XI/System/SOAP', 'sessionId')" />
  <xsl:variable name="dynamic-value" select="dyn:get($dynamic-conf, $dynamic-key)" />
  <urn:sessionId><xsl:value-of select="$dynamic-value"></xsl:value-of></urn:sessionId>
  </urn:SessionHeader>
  </soapenv:Header>
  <soapenv:Body>
  <xsl:copy-of select="*"/>
  </soapenv:Body>
  </soapenv:Envelope>
  </xsl:template>
  </xsl:stylesheet>
  Any help will be highly appreciated.
  Regards, Henk

  Hi, yes we did try that and lot's of other combination.
  The results of those trials are that it seems to go wrong with <xsl:variable name="dynamic-conf" select="map:get($inputparam, 'DynamicConfiguration')" />
  When we enclose it with <xsl:if test="function-available('map:get')"> the transformation is not dumping, but the function is not available.
  Regards, Henk

• I can not map field after changing data source location

  Hi
  I have a small problem that I got a report file and database from my customer, after that I setup database, open the file and change data source to my setting. but some filed can not map. The field mapping widonw does not display all field in the table. Of course I have checked the missing fields are existing in the table.
  OS:Windows7
  DB:Oracle11
  CR:XI Release 2
  Does anyone have an idea?

  hi,
  In Map Fields window, there is an option "Match Type".
  Please Unchek that option, so that you will be able to see all the fields from that table.
  Also, while mapping please verify the datatypes of source and target fields.
  Regards,
  Vamsee