Cannot attach User property set within a Rule set

Similar Messages

• I cannot attach files in Gmail within Firefox. I can attach files in Gmail from Chrome and IE.

  I know it has been mentioned elsewhere too ( https://support.mozilla.org/en-US/questions/999383 ), but I cannot reply to that message... so, here it is again, with full details of the testing we have performed so far....
  ALL users or our organization are currently affected.
  When you try to attached a doc, xls, pdf, etc. in Gmail the results are all the same in Firefox. You get a red bar with "attachment failed" and an option to cancel or retry.
  We have tested with our Proxy On and Off. We have tested with no extensions loaded (I get the message with my 3 extensions on or off -- Adblock+, Ghostery, HTTPS Everywhere). Versions on which the issue has been seen include 25, 26, 28, 28.0.1 and 29.0.1 (the latest as of this post). Most users in our organization do not use extensions with Firefox.
  Attachments link up just fine in IE 10 and 11, and Chrome (with Adblock, Ghostery, and HTTPS Everywhere turned on). This error is only seen in Firefox, with or without plug-ins.
  Operating Systems used for testing were Windows 7 and Windows 8.1.
  The issue was first reported to us today, 5/13/14, but it is unknown if the issue has been around longer. However, Firefox is our organization's default browser due to countless web software vendor recommendations. We most likely would have heard before today if the issue has happened previously.
  Any tips or suggestions would be welcome here.

  Without trying any of the fixes, the issue seems to have gone away on its own. All users (of about 7 reporting in) can attach files within Gmail using Firefox as of 5/15. We did not try any of the 4 fixes listed above. On 5/13 and 5/14, users could not attach files to Gmail messages within Firefox.
  However, on the day of the issue we did try all the mentioned fixes (except #4). All affected users had all history and cache wiped, updated to v29.0.1, and the latest Flash plug-in from Adobe.com. We have the browsers set to clear all history, temp files, cookies, etc. at exit to avoid any cached data issues. We tried with proxy on and off too. Attachments were in the 20K-35K range, so very small. They failed on 5/13 and 5/14 within Firefox, but attached fine in IE and Chrome on the same days.
  So, not sure what the issue was, what caused, or why it went away... but we cannot reproduce today, as of 5/15.
  Thanks for the tips. I'll bookmark them if the issue reappears.

• Retrieving ALL values from a single restricted user property

  How can I retrieve ALL values of a single restricted user property from within
  a .jpf file?
  I want to display a dropdown list within a form in a JSP which should contain
  all the locations listed in the property 'locations'. I ever get just the default
  value when I access the property via
  ProfileWrapper pw = userprofile.getProfileForUser(user);
  Object prop = pw.getProperty("ClockSetup", "Locations");

  Well, the code you've got will retrieve the single value of the property
  for the current user. You're getting the default value because the
  current user doesn't have Locations property set, so the ProfileWrapper
  returns the default value from the property set.
  I assume you want to get the list of available values that you entered
  into the .usr file in Workshop. If so, I've attached a
  SetColorController.jpf, index.jsp, and GeneralInfo.usr (put in
  META-INF/data/userprofiles) I wrote for an example that does just this.
  It uses the PropertySetManagerControl to retrieve the restricted values
  for a property, and the jsp uses data-binding to create a list from that
  pageflow method.
  For a just-jsps solution, you can also use the
  <ps:getRestrictedPropertyValues/> tag. I've attached a setcolor-tags.jsp
  that does the same thing.
  Greg
  Dirk wrote:
  How can I retrieve ALL values of a single restricted user property from within
  a .jpf file?
  I want to display a dropdown list within a form in a JSP which should contain
  all the locations listed in the property 'locations'. I ever get just the default
  value when I access the property via
  ProfileWrapper pw = userprofile.getProfileForUser(user);
  Object prop = pw.getProperty("ClockSetup", "Locations");
  [att1.html]
  package users.setcolor;
  import com.bea.p13n.controls.exceptions.P13nControlException;
  import com.bea.p13n.property.PropertyDefinition;
  import com.bea.p13n.property.PropertySet;
  import com.bea.p13n.usermgmt.profile.ProfileWrapper;
  import com.bea.wlw.netui.pageflow.FormData;
  import com.bea.wlw.netui.pageflow.Forward;
  import com.bea.wlw.netui.pageflow.PageFlowController;
  import java.util.Collection;
  import java.util.Iterator;
  * @jpf:controller
  * @jpf:view-properties view-properties::
  * <!-- This data is auto-generated. Hand-editing this section is not recommended. -->
  * <view-properties>
  * <pageflow-object id="pageflow:/users/setcolor/SetColorController.jpf"/>
  * <pageflow-object id="action:begin.do">
  * <property value="80" name="x"/>
  * <property value="100" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="action:setColor.do#users.setcolor.SetColorController.ColorFormBean">
  * <property value="240" name="x"/>
  * <property value="220" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="action-call:@page:index.jsp@#@action:setColor.do#users.setcolor.SetColorController.ColorFormBean@">
  * <property value="240,240,240,240" name="elbowsX"/>
  * <property value="144,160,160,176" name="elbowsY"/>
  * <property value="South_1" name="fromPort"/>
  * <property value="North_1" name="toPort"/>
  * </pageflow-object>
  * <pageflow-object id="page:index.jsp">
  * <property value="240" name="x"/>
  * <property value="100" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="forward:path#success#index.jsp#@action:begin.do@">
  * <property value="116,160,160,204" name="elbowsX"/>
  * <property value="92,92,92,92" name="elbowsY"/>
  * <property value="East_1" name="fromPort"/>
  * <property value="West_1" name="toPort"/>
  * <property value="success" name="label"/>
  * </pageflow-object>
  * <pageflow-object id="forward:path#success#begin.do#@action:setColor.do#users.setcolor.SetColorController.ColorFormBean@">
  * <property value="204,160,160,116" name="elbowsX"/>
  * <property value="201,201,103,103" name="elbowsY"/>
  * <property value="West_0" name="fromPort"/>
  * <property value="East_2" name="toPort"/>
  * <property value="success" name="label"/>
  * </pageflow-object>
  * <pageflow-object id="control:com.bea.p13n.controls.ejb.property.PropertySetManager#propSetMgr">
  * <property value="31" name="x"/>
  * <property value="34" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="control:com.bea.p13n.controls.profile.UserProfileControl#profileControl">
  * <property value="37" name="x"/>
  * <property value="34" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="formbeanprop:users.setcolor.SetColorController.ColorFormBean#color#java.lang.String"/>
  * <pageflow-object id="formbean:users.setcolor.SetColorController.ColorFormBean"/>
  * </view-properties>
  public class SetColorController extends PageFlowController
  * @common:control
  private com.bea.p13n.controls.ejb.property.PropertySetManager propSetMgr;
  * @common:control
  private com.bea.p13n.controls.profile.UserProfileControl profileControl;
  /** Cached possible colors from the User Profile Property Set definition.
  private String[] possibleColors = null;
  /** Get the possible colors, based upon the User Profile Property Set.
  public String[] getPossibleColors()
  if (possibleColors != null)
  return possibleColors;
  try
  PropertySet ps = propSetMgr.getPropertySet("USER", "GeneralInfo");
  PropertyDefinition pd = ps.getPropertyDefinition("FavoriteColor");
  Collection l = pd.getRestrictedValues();
  String[] s = new String[l.size()];
  Iterator it = l.iterator();
  for (int i = 0; it.hasNext(); i++)
  s[i] = it.next().toString();
  possibleColors = s;
  catch (P13nControlException ex)
  ex.printStackTrace();
  possibleColors = new String[0];
  return possibleColors;
  /** Get the user's favorite color from their profile.
  public String getUsersColor()
  try
  ProfileWrapper profile = profileControl.getProfileFromRequest(getRequest());
  return profileControl.getProperty(profile, "GeneralInfo", "FavoriteColor").toString();
  catch (P13nControlException ex)
  ex.printStackTrace();
  return null;
  // Uncomment this declaration to access Global.app.
  // protected global.Global globalApp;
  // For an example of page flow exception handling see the example "catch" and "exception-handler"
  // annotations in {project}/WEB-INF/src/global/Global.app
  * This method represents the point of entry into the pageflow
  * @jpf:action
  * @jpf:forward name="success" path="index.jsp"
  protected Forward begin()
  return new Forward("success");
  * @jpf:action
  * @jpf:forward name="success" path="begin.do"
  protected Forward setColor(ColorFormBean form)
  // set the color in the user's profile
  try
  ProfileWrapper profile = profileControl.getProfileFromRequest(getRequest());
  profileControl.setProperty(profile, "GeneralInfo", "FavoriteColor", form.getColor());
  catch (P13nControlException ex)
  ex.printStackTrace();
  return new Forward("success");
  * FormData get and set methods may be overwritten by the Form Bean editor.
  public static class ColorFormBean extends FormData
  private String color;
  public void setColor(String color)
  this.color = color;
  public String getColor()
  return this.color;
  [GeneralInfo.usr]
  [att1.html]

• GRC Upgrade 4.7 to 5.3 - Rule Set Upload

  Questions about upgrade from 4.7 to 5.3
  Work in corporate conglomerate that consists of 4 independent business units each with own SOD rule set:
  u2022How do we upload each independent set of rule sets so they can coexist within GRC 5.3?
  u20224.7 mapping of files to 5.3 naming conventions u2013 see 4.7 rule set download below
  CONFIG
  CR_PROFS
  CR_PROFST
  CR_ROLES
  CR_ROLEST
  CR_TRANS
  CR_TRANST
  SOD_OBECT01
  SOD_OBECT02
  SOD_OBECT03
  SOD_OBECTT
  SOD_TCODE
  SOD_TCODET

  Alpesh
  We are trying to upload our existing SOD 4.7 rules using the 5.3 the configuration tab u2013 rule upload.  We are having difficulties associating old 4.7 SOD files names to the 5.3 SOD file names.  Is this the correct location within 5.3 to associate a physical system to a specific set of SOD rule sets?  If not could you please point us to correct location within 5.3.
  Thanks

• Doubt in Execute Rule Set Action

  Hi,
  I have seen the following documentation in help doc regarding Execute Ruleset action
  'The Execute Ruleset and Execute Flow Ruleset rule script actions result in evaluating and executing another ruleset u2013 either a rete ruleset or a flow ruleset. This action is similar to invoking a ruleset, except that the current value of objects, including variable definitions, are available to the ruleset being invoked (instead of their initial values). If the invoked ruleset changes the value of any of the objects, these are reflected in the initial Flow Ruleset'
  I have a rule flow set invoking another rule set in its action script. I need to pass a variable defined in rule flow set to invoked rule set. I did this with following action
  Execute Ruleset RuleSet1 On var1.
  My doubt is how do i access this in invoked rule set? I didnt see this in invoked rule set.
  Regards,
  Dhana

  Hi Dhana,
  'The Execute Ruleset and Execute Flow Ruleset rule script actions result in evaluating and executing another ruleset u2013 either a rete ruleset or a flow ruleset. This action is similar to invoking a ruleset, except that the current value of objects, including variable definitions, are available to the ruleset being invoked (instead of their initial values). If the invoked ruleset changes the value of any of the objects, these are reflected in the initial Flow Ruleset'
  What we mean by the stmt above is - In case the action  "Execute Ruleset" or "Execute Flow Ruleset" is used, all those global definitions which are modified at the ruleset level will retain their changed value when the other ruleset is evaluated.
  This needn't be specifically mentioned using the "ON" option.
  This option is provided for a user to pass the current value of objects alone. "except that the current value of objects... are available to the ruleset being invoked"
  Your other question related to passing the variable definition created at the flow ruleset level, to be passed to the other ruleset - such a mapping is not yet possible. You will have to define this as a common(global) definition.
  Hope this clarifies your doubt.
  Best Regards,
  Arti

• SAP BPM Flow Rule set error: Result for ResultSet is required.

  Hi ,
  I want to create of Rule set or Flow rule set inside "Process development" perspective.
  I have defined one process under "Processes" folder. After this, I want to create a rule set under "Rule Sets" folder.
  While creating a rule set, it prompts for "Result for ResultSet is Required" but I don't get anything in drop down select. Please help me whats going wrong here.
  Regards,
  Aman

  Hi Aman,
  Have you mentioned the Return Type in signature while creating RuleSet ?
  Refer the document : SAP NetWeaver Business Process Management Resource Center
  -Abhijeet

• User Property Sets / UUP -- not showing up

  Hi. We are having problems getting any portal user property sets to show up in any environment other than our dev boxes. We are running 10.2. Our environment consists of our dev workstations, a dev server in 'development' mode, a stage server in 'production' mode, and a production server in 'production' mode.
  On our development boxes, we see the following property sets from the portal admin:
  Groupspace
  CustomerProperties
  BusinessUserProperties
  BusinessEmployeeProperties
  The latter 2 are our UUP property sets. As I said, these sets appear on our dev boxes, but from what I understand, that is expected because the EAR is exploded when published on a dev box.
  Consultants developed much of this portal application for us, including the uup property sets, and they are backing away and not offering any help in this matter. They simply said to use the propegation tools. I used the propegation tool to merge my dev box inventory and our development server inventory, and the differences did indicate the 4 property sets listed above. I selected to add only those 4 property sets to the dev server, exported the merged inventory, and exported it to our dev server with no errors. However, still no property sets showed up. I then pulled down another inventory from our dev server, and it indicated that it still did not have the property sets. I repeated this cycle once more to no avail.
  Things that are confusing to me are:
  1) The 'Groupspace' and 'CustomerProperties' sets appear to be portal default property sets. Wouldn't they be expected to exist in all environments?
  2) I thought that I read if the server you are deploying the EAR to is in 'development' mode, then the property sets should be moved over when deploying the EAR normally. I may be wrong about this as I am on information overload trying to learn these portal aspects under a time crunch.
  3) Where in the portal database are the propertysets themselved defined? I can see the 'PROPERTY_KEY' and 'PROPERTY_VALUE' tables which handle storing the user properties themselves, but I don't see any tables which would define a property set.
  Thanks in advance for any insights to this issue. It is making my week really tough.

  1st, I recommend posting in the WebLogic Portal forum:
  WebLogic Portal
  2ndly, I recommend opening a support case to get assistance if you are under a time crunch.

• Risk Analysis at user level shows nothing in all 3 views though at role level shows risks of global rule set

  I am configuring ARA 10.1 for a ECC 6.0 plug in development system and facing this issue. Risk Analysis at user level shows no data  in all 3 views though at role level shows risks of global rule set. I am using Global rule set. I generated all risks/functions & using connector group as SAP_ECCS_LG not SAP_R3_LG.I activated common, R/3 & ECCS BC sets. Added integration scenario for AUTH. Run all 4 sync jobs multiple times successfully. My system already has decentralised EAM 10.1 implemented & even used in production as BAU. I have checked at both chrome & IE. The misleading thing is that RFC is also working fine & I can see risks in Risk Analysis at role level & risky roles are even assigned to valid users.GRC is at SP4 & accordingly is the ECC 6.0 plug in. Thanks in Advance. Please  consider it urgent.

  Hi,
  Assign ECC connector to SAP_ECCS_LG group.
  Run the programs GRAC_PFCG_AUTHORIZATION_SYNCand GRAC_REPOSITORY_OBJECT_SYNC) in full synch mode(this might take time so better do this in background). Better do it sequentially.Check the logs of the jobs in SLG1 just to ensure everythings fine.
  Run ARA for a specific user and mention the connector for faster output. Ensure this user has the role with risks.Also as explained earlier check the GUID against user id in table GRACUSERROLE and using GRACROLE you can find out the technical name of the role updated in the table. This should be same as the backend role.
  Then run ARA and while doing so please ensure the selection screen doesnt have any unwanted default inputs. If followed correctly , this should be of help.  I am assuming the role analysis yielded correct risks as configured since this would mean that connector have correct actions and basic config is in place.
  Regards,
  Vivek

• A simple problem? - cannot grant create rule set

  Hi,
  Can anyone spot the stupid mistake i'm obviously making when trying to grant create rule set to my streams admin user? The script was working last week?!
  BEGIN
  DBMS_RULE_ADM.GRANT_SYSTEM_PRIVILEGE(
  privilege => DBMS_RULE_ADM.CREATE_RULE_SET_OBJ,
  grantee => 'strmadmin',
  grant_option => FALSE);
  END;
  ERROR at line 1:
  ORA-00931: missing identifier
  ORA-24000: invalid value , USER/ROLE should be of the form [SCHEMA.]NAME
  ORA-06512: at "SYS.DBMS_RULE_ADM", line 167
  ORA-06512: at line 2
  Many thanks,
  Warren

  Yes, catpatch.sql is necessary only for existing 9.2.0.1 databases upgraded to 9.2.0.2.
  I am assuming that when you created the database under 9.2.0.2 that catalog.sql and
  catproc.sql were run. The next step, I guess, is to turn on sql tracing to see
  which sql statement actually fails when you run the command. Turn on sql tracing
  with the following command, and then execute the procedure again.
  alter session set sql_trace=true;

• Cannot attach files on yahoo mail in domain user envirinment

  I am a network administrator working on microsoft windows environment with domain user connectivity. Our domain user got stucked with making email attachment by yahoo. Every time try attaching browser is asking a domain user name and password. Eventhough, user typed them correctly yahoo unable to finish attachin. I tried with Firefox 5 and Adobe Flash Player 10.3.181.34. But our user cannot attach any thing.

  I am a network administrator working on microsoft windows environment with domain user connectivity. Our domain user got stucked with making email attachment by yahoo. Every time try attaching browser is asking a domain user name and password. Eventhough, user typed them correctly yahoo unable to finish attachin. I tried with Firefox 5 and Adobe Flash Player 10.3.181.34. But our user cannot attach any thing.

• HT5622 i cannot access my apple id within my iphone and ipad setting. not highlighted?

  i cannot access my apple id within my iphone and ipad.i go to  setting, then itunes and app store tab then my apple id seems to be greyed out.
  to start i tryed to download a song from apple store and it is just pending saying waiting in the apple store download tab ????

  You can try resetting your iPad by simultaneously pressing and holding the Home and Sleep/Wake buttons until you see the Apple Logo. This can take up to 15 seconds so be patient and don't release the buttons until the logo appears.
  Try again to see if the problem persists.

• Setting a Transport Rule to reply with a Custom DSN for a Disabled User and disconnected mailbox

  Here is what I am trying to accomplish. A user leaves the company. We disable there exchange email and that in turn disabled the account in AD. We want a custom NDR to say "This employee is no longer and employee blah blah" We dont get rid of email
  boxes but we disable them. 
  Here is what I done. Created custom NDR and then created a transport rule to read if the message is sent to [email protected] reply back with this NDR code. It works fine if I disable the user from AD and not exchange. Once I "disconnect" the mailbox
  it no longer works. I get the default NDR that says this email cant be found. I don't want that one. I want my custom NDR. I don't want to modify the 5.1.1 message either. Is there away around this?

  Hi Nellyjo,
  In your case, when you disable the user from AD and Exchange, in fact the message is blocked before reaching transport rule, recipient filtering is blocking this email. If you still want to achieve your goal by transport rule, you need to create a mailbox
  or contact to make your transport rule work.
  What's more, you also can modify original DSN for external and internal senders to meet your requirement.
  For more information, here is a similar thread for your reference.
  Setting a Transport Rule to reply with a Custom DSN for a Disabled User
  http://social.technet.microsoft.com/Forums/en-US/b1a4dd86-1e0e-43a9-b340-a80352e5c323/setting-a-transport-rule-to-reply-with-a-custom-dsn-for-a-disabled-user?forum=exchange2010
  Hope it helps.
  If you need further assistance, please feel free to let me know.
  Best regards,
  Amy
  Amy Wang
  TechNet Community Support

• How to set JMS user property in JMS Adapter.

  I am using Jdeveloper and SOA 11g. I want to filter some JMS messages from a topic based on a JMS user property. It is consumed using (JMS Adapter) consumer --> Mediator---> DBAdapter.
  My Question is how to define a JMS user property using Jdeveloper 11g.
  Thanks
  Edited by: user5108636 on 24/06/2010 16:10

  In Mediator mplan Assign Values use a property expression in the "to" side like:
  jca.jms.JMSProperty.XXX
  where XXX is the name of the property you would like to have created and populated. In source it will look like:
  <Mediator name="A03QueueWFeedMediator" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.oracle.com/sca/1.0/mediator"
  wsdlTargetNamespace="http://www.oracle.com/integration/b2b/A03QueueWFeedFromB2B/">
  <operation name="receive" deliveryPolicy="AllOrNothing" priority="4"
  validateSchema="false">
  <switch>
  <case executionType="direct" name="A03QueueWFeedToJMS.Produce_Message">
  <action>
  <transform>
  <part name="$out.body"
  function="xslt(xsl/ADT_AXX_To_ADT_AXX.xsl, $in.body)"/>
  </transform>
  <assign>
  <copy target="$out.body/imp1:ADT_AXX/imp1:MSH/@Type"
  value="$in.property.b2b.documentDefinitionName"
  xmlns:imp1="NS_64FCBED013AA409D933F624674E67BF220070423183755"/>
  <copy target="$out.body/imp1:ADT_AXX/imp1:MSH/@ID"
  value="$in.property.b2b.fromTradingPartnerId"
  xmlns:imp1="NS_64FCBED013AA409D933F624674E67BF220070423183755"/>
  <copy target="$out.body/imp1:ADT_AXX/imp1:MSH/@Name"
  value="$in.property.b2b.toTradingPartnerId"
  xmlns:imp1="NS_64FCBED013AA409D933F624674E67BF220070423183755"/>
  <copy target="$out.property.b2b.conversationId"
  value="$in.property.b2b.conversationId"/>
  <copy target="$out.property.b2b.documentDefinitionName"
  value="$in.property.b2b.documentDefinitionName"/>
  <copy target="$out.property.b2b.documentProtocolName"
  value="$in.property.b2b.documentProtocolName"/>
  <copy target="$out.property.b2b.documentProtocolVersion"
  value="$in.property.b2b.documentProtocolVersion"/>
  <copy target="$out.property.b2b.documentTypeName"
  value="$in.property.b2b.documentTypeName"/>
  <copy target="$out.property.b2b.fromTradingPartnerId"
  value="$in.property.b2b.fromTradingPartnerId"/>
  <copy target="$out.property.b2b.fromTradingPartnerIdType"
  value="$in.property.b2b.fromTradingPartnerIdType"/>
  <copy target="$out.property.b2b.toTradingPartnerId"
  value="$in.property.b2b.toTradingPartnerId"/>
  <copy target="$out.property.b2b.toTradingPartnerIdType"
  value="$in.property.b2b.toTradingPartnerIdType"/>
  *<copy target="$out.property.jca.jms.JMSProperty.conversationId"*
  value="$in.property.b2b.conversationId"/> <copy target="$out.property.jca.jms.JMSProperty.documentDefinitionName"
  value="$in.property.b2b.documentDefinitionName"/>
  <copy target="$out.property.jca.jms.JMSProperty.documentProtocolName"
  value="$in.property.b2b.documentProtocolName"/>
  <copy target="$out.property.jca.jms.JMSProperty.documentProtocolVersion"
  value="$in.property.b2b.documentProtocolVersion"/>
  <copy target="$out.property.jca.jms.JMSProperty.documentTypeName"
  value="$in.property.b2b.documentTypeName"/>
  <copy target="$out.property.jca.jms.JMSProperty.fromTradingPartnerId"
  value="$in.property.b2b.fromTradingPartnerId"/>
  <copy target="$out.property.jca.jms.JMSProperty.fromTradingPartnerIdType"
  value="$in.property.b2b.fromTradingPartnerIdType"/>
  <copy target="$out.property.jca.jms.JMSProperty.toTradingPartnerId"
  value="$in.property.b2b.toTradingPartnerId"/>
  <copy target="$out.property.jca.jms.JMSProperty.toTradingPartnerIdType"
  value="$in.property.b2b.toTradingPartnerIdType"/>
  </assign>
  <invoke reference="A03QueueWFeedToJMS" operation="Produce_Message"/>
  </action>
  </case>
  </switch>
  </operation>
  </Mediator>
  The runtime will see something like:
  [2010-09-09T11:48:06.353+10:00] [AdminServer] [TRACE] [] [oracle.soa.adapter] [tid: weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@60ddbc76] [userId: weblogic] [ecid: 0000Ifo9olH2zGWjLxmJOA1CY0sg0001jY,0] [SRC_CLASS: oracle.integration.platform.blocks.adapter.fw.log.LogManagerImpl] [APP: soa-infra] [dcid: 02d1ff4621073810:26418f01:12af379c141:-7fd3-0000000000000219] [SRC_METHOD: log] Jms Adapter A03QueueWFeed:A03QueueWFeedToJMS [ Produce_Message_ptt::Produce_Message(body) ] XMLHelper_convertJmsMessageHeadersAndPropertiesToXML: <JMSInboundHeadersAndProperties xmlns="http://xmlns.oracle.com/pcbpel/adapter/jms/">[[
  <JMSInboundHeaders>
  <JMSCorrelationID></JMSCorrelationID>
  <JMSDeliveryMode>2</JMSDeliveryMode>
  <JMSExpiration>0</JMSExpiration>
  <JMSMessageID>ID:&lt;911867.1283996886119.0></JMSMessageID>
  <JMSPriority>4</JMSPriority>
  <JMSRedelivered>false</JMSRedelivered>
  <JMSType></JMSType>
  <JMSTimestamp>1283996886119</JMSTimestamp>
  </JMSInboundHeaders>
  <JMSInboundProperties>
  <Property name="documentProtocolVersion" value="2.3"/>
  <Property name="toTradingPartnerIdType" value="Name"/>
  *<Property name="conversationId" value="C0A83C0712AF42D840E0000074BA3CCC"/>* <Property name="documentTypeName" value="ADT"/>
  <Property name="tracking_conversationId" value="C0A83C0712AF42D866F0000074BA3CD9"/>
  <Property name="tracking_ecid" value="C0A83C0712AF42D866F0000074BA3CDA"/>
  <Property name="tracking_compositeInstanceId" value="60019"/>
  <Property name="documentProtocolName" value="HL7"/>
  <Property name="documentDefinitionName" value="QH_ADT_Generic"/>
  <Property name="tracking_parentComponentInstanceId" value="mediator:45E076D0BBB411DFAF05817F5F0DD1A1"/>
  <Property name="fromTradingPartnerIdType" value="Name"/>
  <Property name="fromTradingPartnerId" value="HOMER"/>
  <Property name="toTradingPartnerId" value="Self"/>
  <Property name="JMSXDeliveryCount" type="integer" value="1"/>
  </JMSInboundProperties>
  </JMSInboundHeadersAndProperties>
  Edited by: Michael.Czapski on 8/09/2010 18:58

• Rule Sets to control application access

  Oracle documentation mention Rule Sets to prevent authorized applications to read data from the database. E.g pl/sql developer.
  http://docs.oracle.com/cd/B28359_01/server.111/b31222/cfseappr.htm
  In Oracle Database Vault, you can create a secure application role that you enable with an Oracle Database Vault rule set. Regular Oracle Database secure application roles are enabled by custom PL/SQL procedures. You use secure application roles to prevent users from accessing data from outside an application. This forces users to work within the framework of the application privileges that have been granted to the role.
  But I cannot find an example showing how to set this up? Could anyone point me in the right direction?
  Thanks

  Hi elOpalo,
  elOpalo wrote:
  One idea is ... You can assign a token to user and save it in session to test whether he can access the page (e.g. from bookmark)).
  The second idea is to save a special attribute in request's scope and pass the user to pageX.jsp ... Of course You need to assign different attributes before each pageX.jsp.Can you please elaborate more? I am not able to understand because both approaches have in common is storing some token/attribute but in different scopes as below:
  approach one suggest to *assign a token to the user and store in session*
  approach two suggest to *save a special attribute and store in request scope*
  I am explaining what I have understood and you please testifies it:
  Approach a:
  When ever user requests for any pageX.jsp, First check that weather all required data for requested page is available in session or not. If available let user access the page and if not forward him to correct flow. This requires lots of checking on each page and when there are large number of pages in the application it will be a tedious task to manage this check. I am not so sure about storing token in the session which you suggested.
  Approach b:
  As This looks similar to storing token as in approach a. I am not so sure about this also that what and how to do this?
  Please explain more and you can also suggest me any tutorial or references you may have, I'll surely read that and try this out.
  Thanking you,
  Tejas

• Do you trust the SAP standard rule set ?

  Hello all,
  I have the impression that, too often, the SAP standard ruleset has been taken for granted : upload, generate and use. Here is a post as to why not to do so. Hopefuly, this will generate a interesting discussion.
  As I have previously stated in other threads, you should be very careful accepting the SAP standard rule set without reviewing it first. Before accepting it, you should ensure that your specific SAP environment has been reflected in the functions. The 2 following questions deal with this topic :
  1. what is your SAP release  ? ---> 46C is different than ECC 6.0 in terms of permissions to be included in the function permission tab. With every SAP release, new authorization objects are linked to SAP standard tcodes. Subsequently some AUTHORITY-CHECK statements have been adapted in the ABAP behind the transaction code. So, other authorizations need to provided from an implementation point of view (PFCG). And thus, from an audit perspective (GRC-CC), other settings are due when filtering users' access rights in search for who can do what in SAP.
  2. what are your customizing settings and master data settings ? --> depending on these answers you will have to (de)activate certain permissions in your functions. Eg. are authorization groups for posting periods, business areas, material types, ... being used ? If this is not required in the SAP system and if activated in SAP GRC function, then you filter down your results too hard, thereby leaving certain users out of the audit report while in reality they can actually execute the corresponding SAP functionality --> risk for false negatives !
  Do not forget that the SAP standard ruleset is only an import of SU24 settings of - probably - a Walldorf system. That's the reason SAP states that the delivered rule set is a starting point. 
  So, the best practice is :
  a. collect SAP specific settings per connector in a separate 'questionnaire' document, preferably structured in a database
  b. reflect these answers per function per connector per action per permission by correctly (de)activating the corresponding permissions for all affected functions
  You can imagine that this is a time-consuming process due to the amount of work and the slow interaction with the Java web-based GRC GUI. Therefore, it is a quite cumbersome and at times error-prone activity ...... That is, in case you would decide to implement your questionnaire answers manually. There are of course software providers on the market that can develop and maintain your functions in an off-line application and generate your rule set so that you can upload it directly in SAP GRC. In this example such software providers are particularly interesting, because your questionnaire answers are structurally stored and reflected in the functions. Any change now or in the future can be mass-reflected in all (hundreds / thousands of) corresponding permissions in the functions. Time-saving and consistent !
  Is this questionnaire really necessary ? Can't I just activate all permissions in every function ? Certainly not, because that would - and here is the main problem - filter too much users out of your audit results because the filter is too stringent. This practice would lead too false negatives, something that auditors do not like.
  Can't I just update all my functions based on my particular SU24 settings ? (by the way, if you don't know what SU24 settings are, than ask your role administrator. He/she should know. ) Yes, if you think they are on target, yes you can by deleting all VIRSA_CC_FUNCPRM entries from the Rules.txt export of the SAP standard rule set, re-upload, go for every function into change mode so that the new permissions are imported based on your SU24 settings. Also, very cumbersome and with the absolute condition that you SU24 are maintained excellent.
  Why is that so important ? Imagine F_BKPF_GSB the auth object to check on auth groups on business areas within accounting documents. Most role administrator will leave this object on Check/Maintain in the SU24 settings. This means that the object will be imported in the role when - for example - FB01 has been added in the menu.  But the role administrator inactivates the object in the role. Still no problem, because user doesn't need it, since auth groups on business areas are not being used. However, having this SU24 will result in an activated F_BKPF_GSB permission in your GRC function. So, SAP GRC will filter down on those users who have F_BKPF_GSB, which will lead to false negatives.
  Haven't you noticed that SAP has deactivated quite a lot of permissions, including F_BKPF_GSB ? Now, you see why. But they go too far at times and even incorrect. Example : go ahead and look deeper into function AP02. There, you will see for FB01 that two permissions have been activated. F_BKPF_BEK and F_BKPF_KOA.  The very basic authorizations needed to be able to post FI document are F_BKPF_BUK and F_BKPF_KOA.  That's F_BKPF_BUK .... not F_BKPF_BEK. They have made a mistake here. F_BKPF_BEK is an optional  auth object (as with F_BKPF_GSB) to check on vendor account auth groups.
  Again, the message is : be very critical when looking at the SAP standard rule set. So, test thoroughly. And if your not sure, leave the job to a specialized firm.
  Success !
  Sam

  Sam and everyone,
  Sam brings up some good points on the delivered ruleset.  Please keep in mind; however, that SAP has always stated that the delivered ruleset is a starting point.  This is brought up in sap note 986996     Best Practice for SAP CC Rules and Risks.  I completely agree with him that no company should just use the supplied rules without doing a full evaluation of their risk and control environment.
  I'll try to address each area that Sam brings up:
  1.  Regarding the issue with differences of auth objects between versions, the SAP delivered rulset is not meant to be version specific.  We therefore provide rules with the lowest common denominator when it comes to auth object settings.
  The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions.
  The underlying assumption is that we want to ensure the rules do not have any false negatives.  This means that we purposely activate the fewest auth objects required in order to execute the transaction.
  If new or different auth object settings come into play in the higher releases and you feel this results in false positives (conflicts that show that don't really exist), then you can adjust the rules to add these auth objects to the rules.
  Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts which can be further filtered by the customer, versus excluding users that should be reported.
  2.  For the customizing settings, as per above, we strive to deliver rules that are base level rules that are applicable for everyone.  This is why we deliver only the core auth objects in our rules and not all.  A example is ME21N. 
  If you look at SU24 in an ECC6 system, ME21N has 4 auth objects set as check/maintain.  However, in the rules we only enable one of the object, M_BEST_BSA.  This is to prevent false negatives.
  3.  Sam is absolutely right that the delivered auth object settings for FB01 have a mistake.  The correct auth object should be F_BKPF_BUK and not F_BKPF_BEK.  This was a manual error on my part.  I've added this to a listing to correct in future versions of the rules.
  4.  Since late 2006, 4 updates have been made to the rules to correct known issues as well as expand the ruleset as needed.  See the sap notes below as well as posting Compliance Calibrator - Q2 2008 Rule Update from July 22.
  1083611 Compliance Calibrator Rule Update Q3 2007
  1061380 Compliance Calibrator Rule Update Q2 2006
  1035070 Compliance Calibrator Rule Update Q1 2007
  1173980 Risk Analysis and Remediation Rule Update Q2 2008
  5.  SAP is constantly working to improve our rulesets as we know there are areas where the rules can be improved.  See my earlier post called Request for participants for an Access Control Rule mini-council from January 28, 2008.  A rule mini-council is in place and I welcome anyone who is interested in joining to contact me at the information provided in that post.
  6.  Finally, the document on the BPX location below has a good overview of how companies should review the rules and customize them to their control and risk environment:
  https://www.sdn.sap.com/irj/sdn/bpx-grc                                                                               
  Under Key Topics - Access Control; choose document below:
      o  GRC Access Control - Access Risk Management Guide   (PDF 268 KB) 
  The access risk management guide helps you set up and implement risk    
  identification and remediation with GRC Access Control.