Create a role without becoming a member...

I looked all over and couldn't find the answer....I'm 99% sure it's possible....Just cannot remember for the life of me.
What I'm trying to do is create a role (Create Role TestRoleABC) without becoming a member of it or having the admin ability attached to the ID I'm creating the role with.
So, example being. Using ID "AppID123", I issue "Create Role TestRoleABC". After creation, the ID "AppID123" is now a member of "TestRoleABC" and has the ability to grant it. I only want accounts that have the "Grant Any Role" priv to be able to do so....
Thanks.

Topher34 wrote:
> I looked all over and couldn't find the answer....I'm 99% sure it's possible....Just cannot remember for the life of me.
> What I'm trying to do is create a role (Create Role TestRoleABC) without becoming a member of it or having the admin ability attached to the ID I'm creating the role with.
> So, example being. Using ID "AppID123", I issue "Create Role TestRoleABC". After creation, the ID "AppID123" is now a member of "TestRoleABC" and has the ability to grant it. I only want accounts that have the "Grant Any Role" priv to be able to do so....
> Thanks.

when all else fails Read The Fine Manual
http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6012.htm#i2066772
"If you create a role that is NOT IDENTIFIED or is IDENTIFIED EXTERNALLY or BY password, then Oracle Database grants you the role with ADMIN OPTION. However, if you create a role IDENTIFIED GLOBALLY, then the database does not grant you the role. A global role cannot be granted to a user or role directly. Global roles can be granted only through enterprise roles."

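The behaviour quoted from the Oracle documentation above can be observed and then undone with the statements below. This is an added example, not part of the original posts; the role and account names are the ones from the question, and it assumes the final steps are run by an administrator who holds GRANT ANY ROLE and can read the DBA_* views.

```sql
-- Added example; TestRoleABC and AppID123 are the names used in the question.

-- 1) As APPID123 (needs the CREATE ROLE privilege):
CREATE ROLE TestRoleABC;

-- 2) Still as APPID123: the implicit grant described in the quoted documentation.
--    Expect one row for the new role with ADMIN_OPTION = 'YES'.
SELECT granted_role, admin_option, default_role
FROM   user_role_privs
WHERE  granted_role = 'TESTROLEABC';

-- 3) As an administrator holding GRANT ANY ROLE: revoke the role from its creator.
--    This removes both the membership and the ADMIN OPTION that came with it.
REVOKE TestRoleABC FROM AppID123;

-- 4) Verify that no grantee is left holding the role with ADMIN OPTION.
--    Expect no rows.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'TESTROLEABC'
AND    admin_option = 'YES';

-- 5) Review which accounts can still grant the role through GRANT ANY ROLE.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'GRANT ANY ROLE'
ORDER  BY grantee;
```
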
Similar Messages

  • Is it possible to create a role with PERM_READER_EXTENSIONS_WEB_APPLICATIONS without Service Invoke?

    I need to restrict user access to Workspace processes.  Using the adminui, service management, I gave my test group INVOKE_PERM permissions to this service.  This works well.  The users of the test group can only see this process.  However, for these users the SOAP calls do not work.  I am using a reader extended form and I am getting the error below.  If I add the Reader Extension Web Application role, the SOAP calls work, but the users of the test group can see all other processes.  I created a role and gave it PERM_READER_EXTENSIONS_WEB_APPLICATIONS, Service Read, INVOKE_PERM and other combinations.  This role only works if I add Service Invoke, and this gives users access to all processes.  How can I get a role to provide the Reader Extension without using Service Invoke?
    An error has occurred. See error log for more details.
    User TORRES, ALEJANDRO G does not have the Service Invoke Permission on Service ReaderExtensionsService.

    I found the answer to my question.  I had to give INVOKE permission to all the services used by the process.

  • How to create Users/Roles for ldap in weblogic without using admin console

    Is it possible to create Users/Roles for ldap in weblogic without using admin console? If possible, what are the files I need to modify in DefaultDomain?
    Or is there any ant script for creating Users/Roles?
    Regards,
    Raghu.

    Hi..
    You can use wlst or jmx to perform all security config etc.. same as if it were performed from the admin console..
    e.g. wlst create user
    ..after connecting to admin server
    serverConfig()
    cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator")
    cmo.createUser("userName","Password","UserDesc")
    ..for adding/configuring a role
    cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/RoleMappers/XACMLRoleMapper")
    cmo.createRole('','roleName', 'userName')
    ...see the mbean docs for all the different attributes, operations etc..
    ..Mark.

  • How to create SAP_ALL Display Role without HR Transactions.

    Hi,
    Can someone help me create an SAP_ALL Display only Role without HR Transactions.
    It takes lot of time to create a New role with SAP_ALL Template and manually change the Activity to display and de-activate HR Objects.
    Please let me know if there is any faster way to do this.
    Regards,
    MASQ.

    > Please let me know if there is any faster way to do this.
    Nope, there isn't. Besides that, only changing activity fields will not result in a display-only role. As said, please use the search and browse through the sticky threads.

  • Modify Script to Create User Role on Single Database.

    Hi All,
    Below is the script to create a user role on a database. The problem is that when I execute this script, it creates the user role for all databases within an instance, and I want it to create the user role only on 2 databases, say TEST1 and TEST2.
    Can anyone help me to modify the script? 
    --===================================================================================
    -- Description
    -- Database Type: MSSQL
    -- This script creates a role called 'gdmmonitor' for ALL databases.
    -- It grants some system catalogs to this role to allow Classification and Assessment on the database.
    -- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
    -- before running this script
    --  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
    --  This sqlguard login doesn't need to be added to any database or given
    --  any privilege.  The script will take care of that.
    --  Note:
    --   If you wish to use a different login name (instead of 'sqlguard') you need to change
    --   the value of the variable '@Guardium_user' in the script below; 
    --   (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
    -- after running this script
    -- Nothing to do, the script already creates the db user
    -- User/Password to use
    -- User: sqlguard (or any other name, if changed)
    -- Pass: user defined
    -- Role: gdmmonitor
    --===================================================================================
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Creating role: "gdmmonitor" at the server level.'
    PRINT '>>>==================================================================>>>'
    -- Change to the master database
    USE master
    -- *** If a different login name is desired, define it here. ***
    DECLARE @Guardium_user AS varchar(50)
    set @Guardium_user = 'sqlguard'
    DECLARE @dbName AS varchar(256)
    DECLARE @memberName AS varchar(256)
    DECLARE @dbVer AS nvarchar(128)
    SET     @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
    SET     @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
    IF (@dbVer = '8') SET @dbVer = '2000'
    ELSE IF (@dbVer = '9')  SET @dbVer = '2005'
    ELSE IF (@dbVer = '10')  SET @dbVer = '2008'
    ELSE IF (@dbVer = '11')  SET @dbVer = '2012'
    ELSE SET @dbVer = '''Unsupported Version'''
    IF (@dbVer != '2000')
    BEGIN
      -- This privilege is required to perform a specific MSSQL test.
      -- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key) 
      -- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop 
      -- Purpose: To display provider property, not changing anything.
      PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
      EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
    END
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if they exist
    CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the role gdmmonitor on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.spt_values     TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysconfigures  TO gdmmonitor
    GRANT SELECT ON dbo.sysdatabases   TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syslogins      TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    -- Grant execute privileges to the role for MSSql Common
    PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
    GRANT EXECUTE ON sp_helpdbfixedrole    TO gdmmonitor
    GRANT EXECUTE ON sp_helprotect         TO gdmmonitor
    GRANT EXECUTE ON sp_helprolemember     TO gdmmonitor
    GRANT EXECUTE ON sp_helpsrvrolemember  TO gdmmonitor
    GRANT EXECUTE ON sp_tables             TO gdmmonitor
    GRANT EXECUTE ON sp_validatelogins     TO gdmmonitor
    GRANT EXECUTE ON sp_server_info       TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects           TO gdmmonitor
      GRANT SELECT ON sys.database_permissions  TO gdmmonitor
      GRANT SELECT ON sys.database_principals   TO gdmmonitor
      GRANT SELECT ON sys.sql_logins            TO gdmmonitor
      GRANT SELECT ON sys.sysfiles              TO gdmmonitor
      GRANT SELECT ON sys.database_role_members TO gdmmonitor 
      GRANT SELECT ON sys.server_role_members   TO gdmmonitor 
      GRANT SELECT ON sys.configurations        TO gdmmonitor
      GRANT SELECT ON sys.master_key_passwords  TO gdmmonitor
      GRANT SELECT ON sys.server_principals     TO gdmmonitor
      GRANT SELECT ON sys.server_permissions    TO gdmmonitor
      GRANT SELECT ON sys.credentials    
       TO gdmmonitor
      --This is called by master.dbo.sp_MSset_oledb_prop.  
      --By default it should have already been granted to public. 
      GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
      GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR 
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- END of role creation on database
    PRINT '==> END of role creation on: ' + @dbName
    PRINT ''
    -- Change to the msdb database
    USE msdb
    set @memberName = ''
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if it exists
    TRUNCATE TABLE #rolemember
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the gdmmonitor role on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    GRANT SELECT ON dbo.backupset   TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects TO gdmmonitor
      GRANT SELECT ON sys.database_permissions TO gdmmonitor
      GRANT SELECT ON sys.database_principals TO gdmmonitor
      GRANT SELECT ON sys.sysfiles TO gdmmonitor
      -- Grant execute privileges to the role for MSSql 2005 or above
      PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
      GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
      GRANT SELECT ON sys.database_role_members  TO gdmmonitor
    END
    IF (@dbVer > '2000' and @dbVer < '2012') 
    --This sp is not available in SQL 2012
    BEGIN
      GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the temporary table
    DROP TABLE #rolemember
    -- END of role creation on database
    PRINT '==> END of gdmmonitor role creation on: ' + @dbName
    -- Role creation complete
    PRINT '<<<==================================================================<<<'
    PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
    PRINT '<<<==================================================================<<<'
    PRINT ''
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Starting application database role creation'
    PRINT '>>>==================================================================>>>'
    use master
    DECLARE @databaseName AS varchar(80)
    DECLARE @executeString AS varchar(7950)
    DECLARE @dbcounter as int   
    set @dbcounter = 0
    DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
    and not (status & 1024 > 1)
    --read only
    and not (status & 4096 > 1)
    --single user
    and not (status & 512 > 1)
    --offline
    and not (status & 32 > 1)
    --loading
    and not (status & 64 > 1)
    --pre recovery
    and not (status & 128 > 1)
    --recovering
    and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode
    OPEN DatabaseCursor
    FETCH DatabaseCursor INTO @databaseName
    WHILE @@Fetch_Status = 0
    BEGIN
    set @dbcounter = @dbcounter + 1     
    set @databaseName = '"' + @databaseName + '"'  
    set @executeString = ''
    set @executeString = 'use ' + @databaseName + ' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
             'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
           '/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
           'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
           '/*find any members of the role if it exists*/ ' +
             'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
             'INSERT INTO #rolemember ' +
             'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
             'WHERE usr.uid = mbr.memberuid ' +
             'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             '/*Drop the Role Members If they exist*/ ' +
             'IF EXISTS (SELECT * FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                 'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                 'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/*drop the role if it exists*/ ' +
             'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
               'exec sp_droprole ''gdmmonitor'' ' +
             'END ' +
             '/* Create the role */ ' +
             'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
             'exec sp_addrole ''gdmmonitor'' ' +
             '/* Grant select privileges to the role for MSSql Common */ ' +
             'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
             'GRANT SELECT ON dbo.sysmembers     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysobjects     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysprotects    TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysusers       TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysfiles       TO gdmmonitor ' +
                   'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
             '/* Check if the version is 2005 or greater */ ' +
             'IF (' + @dbVer + ' != ''2000'') ' +
             'BEGIN ' +
               '/* Grant select privileges to the role for MSSql 2005 and above */ ' +
               'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
               'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
               'GRANT SELECT ON sys.all_objects          TO gdmmonitor ' +
               'GRANT SELECT ON sys.database_principals  TO gdmmonitor ' +
               'GRANT SELECT ON sys.sysfiles      TO gdmmonitor ' +          
               'GRANT SELECT ON sys.database_role_members  TO gdmmonitor ' +           
             'END ' +
             '/* Re-add the dropped members */ ' +
             'IF EXISTS (SELECT 1 FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                   'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                   'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                   'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/* drop the temporary table */ ' +
             'DROP TABLE #rolemember ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT '' ''' +
             'PRINT '' '''
    execute (@executeString)
    FETCH DatabaseCursor INTO @databaseName
    END
    CLOSE DatabaseCursor
    DEALLOCATE DatabaseCursor
    --  Adding user to all the databases
    --  and grant gdmmonitor role, only if login exists.
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
    PRINT '>>> on all databases.'
    PRINT '>>>==================================================================>>>'
    USE master
    /* Check if @Guardium_user is a login exist, if not do nothing.*/
    IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
    BEGIN
      PRINT ''
      PRINT '************************************************************************'
      PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
      PRINT '***        Please add the login and re-run this script.'
      PRINT '************************************************************************'
      PRINT ''
    END
    ELSE
    BEGIN
      DECLARE @counter AS smallint
      set @counter = 0
      --  This loop runs 4 time just to make sure that the @Guardium_user gets added to all db.
      --  99% of the time, this is totally unnecessary.  But in some rare case on SQL 2005
      --  the loop skips some databases when it tried to add the @Guardium_user.
      --  After two to three executions, the user is added in all the dbs.
      --  Might be a SQL Server bug.
      WHILE @counter <= 3
      BEGIN
      set @counter = @counter + 1
        set @databaseName = ''
        set @executeString = ''
        DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
        where not (status & 1024 > 1)
    --read only
        and not (status & 4096 > 1)
    --single user
        and not (status & 512 > 1)
    --offline
        and not (status & 32 > 1)
    --loading
        and not (status & 64 > 1)
    --pre recovery
        and not (status & 128 > 1)
    --recovering
        and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode    
        OPEN DatabaseCursor
        FETCH DatabaseCursor INTO @databaseName
        WHILE @@Fetch_Status = 0
        BEGIN
        set @databaseName = '"' + @databaseName + '"' 
        set @executeString = ''
        set @executeString = 'use ' + @databaseName + ' ' +
                 '/*Check if the login already has access to this database */ ' +
                 'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                  '/*Check if login already have gdmmonitor role*/ ' +
                  'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
                'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
                'AND usr.name = ''' + @Guardium_user + ''') ' +
                  'BEGIN ' +
                  'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
                  'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                  'PRINT '' ''' +
                  'END ' +
                 'END ' +
                 'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                 'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
                 'execute sp_adduser [' + @Guardium_user + '] ' +
                 'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database '  + @databaseName + ''' ' +
                 'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                 'PRINT '' ''' +
                 'END '
        execute (@executeString)
        FETCH DatabaseCursor INTO @databaseName
        END
        CLOSE DatabaseCursor
        DEALLOCATE DatabaseCursor
      END   -- end while
      -- Required for Version 2005 or greater.
      IF (@dbVer != '2000')
      BEGIN
        -- Grant system privileges to the @guardium_user.  This is a requirement for >= SQL 2005
        -- or else some system catalogs will filter our result from assessment test.
        -- This will show up in sys.server_permissions view.
        PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
        execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
        execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
      END
      PRINT '<<<==================================================================<<<'
      PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
      PRINT '<<< on all databases.'
      PRINT '<<<==================================================================<<<'
      PRINT ''
    END
    GO

    Thanks a lot Sir... it worked.
    Can you also help me in troubleshooting below issue?
    This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
    The SA account with highest privileges has been used for script execution. The errors received are as follows:
    >>>==================================================================>>>
    >>> Creating role: "gdmmonitor" at the server level.
    >>>==================================================================>>>
    ==> Granting MSSSQL 2005 and above setupadmin server role
    ==> Starting MSSql 2005 role creation on database: master
    (0 row(s) affected)
    ==> Dropping the gdmmonitor role members on: master
    ==> Creating the role gdmmonitor on: master
    Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
    The procedure 'sys.sp_addrole' cannot be executed within a transaction.
    ==> Granting common SELECT privileges on: master
    Msg 15151, Level 16, State 1, Line 117
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 118
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 119
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 120
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 121
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 122
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 123
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 124
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 125
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 126
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    ==> Granting common EXECUTE privileges on: master
    Msg 15151, Level 16, State 1, Line 130
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 131
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 132
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 133
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 134
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 135
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 136
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
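
For the question that opens this thread (running the per-database loop only for TEST1 and TEST2), one way to restrict it is shown below. This is an added example, not the vendor's script and not the answer given in the thread; it assumes SQL Server 2005 or later, creates the role only when it is missing instead of dropping and re-creating it, and applies only the common SELECT grants from the posted script.

```sql
-- Added example (not the vendor script): create the gdmmonitor role only in
-- the databases named in the question, TEST1 and TEST2.
SET NOCOUNT ON;

-- The output posted above shows Msg 15002: sp_addrole cannot be executed
-- within a transaction. Stop early if this session already has one open.
IF @@TRANCOUNT > 0
BEGIN
    RAISERROR('Open transaction in this session; commit or roll back first.', 16, 1);
    RETURN;
END

DECLARE @databaseName  sysname;
DECLARE @executeString nvarchar(4000);

-- Same status exclusions as the posted script (loading, pre recovery,
-- recovering, not recovered, offline, read only, single user, emergency mode),
-- plus an explicit allowlist of database names.
DECLARE DatabaseCursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM   master.dbo.sysdatabases
    WHERE  name IN (N'TEST1', N'TEST2')
    AND    status & (32 | 64 | 128 | 256 | 512 | 1024 | 4096 | 32768) = 0;

OPEN DatabaseCursor;
FETCH NEXT FROM DatabaseCursor INTO @databaseName;

WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT '==> Creating the gdmmonitor role on: ' + @databaseName;

    -- QUOTENAME wraps the name in brackets and escapes any ']' inside it, so a
    -- database name cannot change the statement that is built here.
    SET @executeString =
        N'USE ' + QUOTENAME(@databaseName) + N'; ' +
        N'IF NOT EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
        N'    EXEC sp_addrole ''gdmmonitor''; ' +
        N'GRANT SELECT ON dbo.sysmembers     TO gdmmonitor; ' +
        N'GRANT SELECT ON dbo.sysobjects     TO gdmmonitor; ' +
        N'GRANT SELECT ON dbo.sysprotects    TO gdmmonitor; ' +
        N'GRANT SELECT ON dbo.sysusers       TO gdmmonitor; ' +
        N'GRANT SELECT ON dbo.sysfiles       TO gdmmonitor; ' +
        N'GRANT SELECT ON dbo.syspermissions TO gdmmonitor; ' +
        -- Verification: one row per database where the role now exists.
        N'SELECT DB_NAME() AS database_name, name AS role_name ' +
        N'FROM dbo.sysusers WHERE name = ''gdmmonitor'' AND issqlrole = 1;';

    EXEC (@executeString);

    FETCH NEXT FROM DatabaseCursor INTO @databaseName;
END

CLOSE DatabaseCursor;
DEALLOCATE DatabaseCursor;
```

In the posted script the same name filter would go on both `DatabaseCursor` declarations: the one that creates the role and the later one that adds the login to each database.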

  • Creation of Business role without allow user the possibility of personaliz.

    Hi
    I'm new to SAP and I'm in need. Is it possible to create a Business Role (in CRM) without the possibility (for the user) to personalize the assignment block and the general settings?
    Thanks for your future help!
    Stefano

    Hi,
    this is possible by assigning the Function Profile 'PERSONALIZATION' with value 'ALL_DISABLED' to your business Role in the Business Role Customizing.
    Kind regards,
    Carl

  • How to create the roles and rule

    Hi buddies,
    Here I have a small requirement, but I am confused about how to do it as I am new to OIM. My requirement is:
    1) I have to create 2 roles named a and b.
    2) Then I have to create one rule which states that these two roles can't be the same in that organization.
    3) After that I have to create one user and I have to assign the first role, i.e. a.
    4) If I assign the second role, i.e. b, to the same user, it should not allow me.
    To accomplish this task, what is the workflow I have to create? Please tell me the steps...
    Thanks
    Balu

    First create 2 user groups called Group A and Group B.
    Create the group membership rules for A and B which will instruct OIM to evaluate group membership rules when a user is created in OIM.
    For example: if the user's cost center (on the user form) is "AAA" then he should be assigned to Group A. This will be your group membership rule for Group A.
    Then for constructing the group membership rule for Group B you can say,
    if user's cost center !="AAA". This will ensure that any single user in the system will not be a part of both groups at any given time, depending upon this attribute called cost center.
    You can then define access policies on the groups/roles, which are used to auto-provision resources for any member of that role/group.

  • Can we create a role similar to SAP_J2EE_ADMIN

    Hi,
    Our portal UME is an ABAP datasource, so in order to assign Super Administrator we are giving SAP_J2EE_ADMIN in the backend.
    Our security team has decided that instead of giving SAP_J2EE_ADMIN to users, they want to tweak this role a little bit and create another role where we can control all the authorisations in that role. So we are trying to understand how these SAP_J2EE_ADMIN authorisations are built (I believe all the authorisations are given by Java coding).
    If anybody has any info on how this role is built and how this role can be copied, let me know.
    Thanks
    Bala Duvvuri

    It's just an ABAP role which then becomes a portal group.  I don't believe the name is important. You should be able to copy the role in PFCG and then do appropriate group to portal role assignments in Java.

  • Is it possible to create a WBS without Company code

    Hello,
    I am a SAP CRM guy and I am creating a WBS in PS system from CRM Campaigns.
    My question is whether it's possible to create a WBSE without having a Company code?
    The reason we need this is because we are planning campaigns at a very high level and later we want to procure for these campaigns at multiple company codes and cost centers through SRM. So we do not want to restrict the WBSE to one company code.
    Regards,
    Vicky

    Hi Ammar,
    The reason this scenario does not seem to be feasible is we have a one to one relationship between campaigns and WBSEs. Creating multiple WBSEs would translate as creating multiple campaigns, which we want to avoid in the first place as this increases the amount of data entry for planning, and planning will become based on the procurement, which is not the right way.
    However, at least I am sure now that I cannot have a WBSE without a company code.
    Abdul,
    Now I am thinking whether it's possible to create a Project instead of a WBSE and then procure wrt project?
    I need to check the possibility of creating a project from a campaign, but from the procurement perspective, do you know if it's possible to procure wrt project?
    Thanks & Regards,
    Vicky

  • Role without Tcode but with customized "Z" Object only

    Hi all,
    Please help. My query is about a single role: when looking at that role in PFCG, in the Menu tab no Tcode is assigned, and in the Authorization tab -> change authorization just a single (one) Z auth object is maintained with Display activity. I am not able to understand how this works, how the users are able to access the role without a TCODE assigned but with just a Z auth object. Please tell me how this is working.
    Your help will be greatly appreciated, and please tell me how these Z auth objects are created.
    Thanks,
    Chandresh.

    >
    > You need to provide more infos (from the system) and just asking on site is a good idea (as mentioned by Alex).
    >
    > Cheers,
    > Julius
    I agree that asking onsite could give more insight into the Z-Object usage. I can explain the probable reason for having the Z-Object as a standalone authorization.
    In a role inheritance scenario, when you have roles with 100+ transactions (role A, B, C, ...) which act as the master roles and the derived roles being A1, A2, A3, ... depending on the number of inherited roles you have in the set-up, authorization objects like customer authorization group or vendor authorization group can be a tough task (as these are not called in the organization level values). In this situation the authorization groups would have to be maintained individually in the inherited roles, which can be a time consuming task with the additional risk of passing down the values of the master role every time it is generated and inherited. A better option could be to maintain a non-existent value in the master role and inherit it, so the non-existent value is passed down to the inherited roles. To give access on the specific authorization groups, create a role with only the object F_KNA1_BED or F_BKPF_BED as might be the case, maintain organization specific values in these objects, and assign it to the users who need it.
    My guess would be that the Z-object the operator mentions is something that is developed to address such an issue.

  • How to create different roles into a single profile

    Hi All,
    I would like to create different roles and add all of them to a single profile. But when I try, it is asking for a profile name for every role that I create.
    I have also tried to give the same profile name while creating a second role, but it is giving me error that the profile name already exists.
    Can someone help to get some clarity on this?
    Thanks
    Vijay

    Hi,
    I agree with you. But, whenever I try to create a single role, it is asking for a profile name that has to be assigned to that particular single role. I cannot go further until I give a profile name.
    How can I create a single role without creating a profile?
    Thanks
    Vijay

  • Can thread become a member of another thread  in Concurrent Programming

    I had this doubt in concurrent programming...
    1) Can a thread become a member of another thread in Concurrent Programming?

    Threads are just objects that happen to have a special property:
    - when you invoke start() on them the VM creates a new thread of execution to execute the Thread object's run() method
    A class that subclasses Thread is just a normal class and can have whatever members it likes.
    Your questions don't make a lot of sense. If you are truly a "Novice in Java" then I recommend reading a few good books before you post in the forums.

  • Proforma invoice is created for delivery without PGI in STO(Depot sales)

    Dear Gurus,
    I am facing a strange issue. A user created a Purchase order with some material X of 4 quantity, and he created the replenishment delivery for 1 quantity without doing any Picking and PGI, but the system allowed him to create a proforma invoice with 4 quantity. I checked the copy control config settings for Delivery and Proforma invoice and all are maintained fine (viz., billing qty as D, copying req:311 and Data VBRK\VBRP:001). (I checked the change log for the delivery but I didn't observe any changes in the delivery.) Strange to watch... I created the same scenario in quality, but the system did not allow me to create a proforma invoice without PGI and picking (just one month before, quality was refreshed with Production).
    If anyone has faced the same problem, let me know the solution at the earliest.
    Best Regards,
    Kishore.SGR

    Hi
    As already said, as per the standard the proforma invoice does not check the Goods Issue status of a Delivery since it uses the Copying Requirement 009 in transaction VTFL.
    If you want your proforma invoice to be created only after the PGI of a delivery, then use the Requirement 003 in the Copying Requirement field for the combination of your Delivery Doc. and Billing doc. in transaction VTFL at Header level.
    Regards
    Amitesh Anand

  • Creating a Role view in a workflow

    I'm trying to create a role view in my workflow with the following code but it gives me an error: com.waveset.util.InternalError: Unable to locate ViewHandler for 'role'.
    <Action application='com.waveset.session.WorkflowServices'>
      <Argument name='op' value='createView'/>
      <Argument name='type' value='Role'/>
      <Return from='view' to='view'/>
    </Action>
    Has anyone created a role from a workflow, Java or SPML?

    nvm figured it out.
    <Action id='0' application='com.waveset.session.WorkflowServices'>
      <Argument name='op' value='createView'/>
      <Argument name='type' value='Role'/>
      <Argument name='viewId' value='Role'/>
      <Argument name='Form' value='Empty Form'/>
      <Argument name='authorized' value='true'/>
      <Return from='view' to='role'/>
    </Action>

  • How do you create an array without using a shell on the FP?

    I want to be able to read the status of front panel controls (value, control box selection, etc.) and save it to a file, as a "configuration" file -- then be able to load it and have all the controls set to the same states as were saved in the file. I was thinking an array would be a way to do this, as I have done that in VB. (Saving it as a text file, then reading lines back into the array when the file is read and point the control(s) values/states to the corresponding array element.
    So how do I create an array of X dimensions without using a shell on the front panel? Or can someone suggest a better way to accomplish what I am after? (Datalogging doesn't allow for saving the status by a filename, so I do not want to go that route.)

    Thanks so much m3nth! This definitely looks like what I was wanting... just not really knowing how to get there.
    I'm not sure I follow all the icons. Is that an array (top left with 0 constant) in the top example? And if so, that gets back to part of my original question of how to create an array without using a shell on the FP. Do I follow your diagram correctly?
    If I seem a tad green... well I am.
    I hope you understand the LabVIEW environment and icons are still very new to me.
    Also, I had a response from an NI app. engineer about this problem. He sent me a couple of VI's that he threw together approaching this by using Keys. (I still think you are pointing to the best solution.) I assume he wouldn't mind me posting his reply and the VI's for the sake of a good, thorough, Roundtable discussion. So here are his comments with VI's attached:
    "I was implementing this exact functionality this morning for an application I'm working on. I only have five controls I want to save, but they are all of different data types. I simply wrote a key for each control, and read back that key on initialization. I simply passed in property node values to the save VI at the end, and passed the values out to property nodes at the beginning. I've attached my initialize and save VI's for you to view. If you have so many controls that this would not be feasible, you may want to look into clustering the controls and saving the cluster as a datalog file.
    Attachments:
    Initialize_Settings.vi ‏55 KB
    Save_Settings.vi ‏52 KB
