Create Admin Role

Similar Messages

• Is there any way to create admin role only for one resource.

  Hi all,
  I am trying to create an admin role with 'update user' capability. But I want to restrict the user(with the admin role) to be able to update a user's attribute only for one resource, The user(with the admin role) should not be able to update the attributes of the other resources which a user have.
  Is there any way to create admin role only for one resource?
  I customized the tabbed user form to show only one resource attribute (deleting the missing fields and adding my tab for the resource) and then assigned this new User Form to the user(with the admin role) in security tab.
  It works fine. But the problem is that if any user(with the admin role) is also admin of some other resource then he/she will not be able to view the other resource attributes.
  Please suggest,
  thanks

  The loop function always repeats the same region so of course the fade is also copied. So option+drag the original region to make a (non clone) copy, fade the first region and loop the second one (which you just copied).

• Exclude a Resource from scope of control of a Admin role??????

  Hi,
  I need to exclude a resource from the scope of ADMINROLE for a particular form. This i m able to achive by Admin role form. but i need to do this in backed .(not through that form). I am able to create Admin Role in a workflow .I m even able to addign controlled Sub organisatons,member organisations,capabilities.But can anyone tell me how to limit the scope of control of a Resource of a particular organisation under his control.i.e Exclude or Include Resources for this child organisation from a workflow.
  Any help will be highly appriciated.......
  Thanks and Regards,
  Ashi

  The site swallowed my first reply to this. Attempt 2.
  nantucket wrote:
  AndrewThompson64 wrote:
  nantucket wrote:
  ..Where the method getCodeBase() of the Applet instance returns the url of the directory from which the applet originated.No. It is the URL of the codebase. ......I made my response based upon what I saw in the API
  http://java.sun.com/j2se/1.5.0/docs/api/java/applet/Applet.html#getCodeBase()
  public URL getCodeBase()
  "Gets the base URL. This is the URL of the directory which contains this applet."So try the experiment. See where it leads you..
  [http://pscode.org/test/codebase/applet.html] - two different (in the codebase) calls to the same applet.
  import javax.swing.*;
  public class CodeBaseApplet extends JApplet {
       public void init() {
            add(new JLabel(getCodeBase().toString()));
  My wording may have been confusing. But I thought "which contains this applet" and "from where the applet originated" referred to the same thing.This is not the first time I have discovered JavaDocs that are misleading.
  I generally don't work with the applet tag when I do develop applets as the tag has been deprecated for a number of years.Same difference with <object> (or <embed>). The codebase is the codebase, not the directory of any Jar (necessarily).
  Think about it this way. An applet loads one Jar from my site, one Jar from yours, and another from any other site. What is the codebase then? (Answer: the codebase defined in the applet element.)
  *OTOH it is quite typical to have the codebase point to the single directory that contains all the applet Jars - so often that advice is true. But the devil is in the details.*

• OBIEE 11g  - Not able to see existing reports which are created by specific owner but I could able to see Admin role user reports.

  OBIEE 11g  - Not able to see existing reports which are created by specific owner but I could able to see Admin role user reports.
  Appreciated if you could able to help as soon as possible as I don' have back up for these disappeared reports.
  Pleas let me know if any additional information needed.

  Hi
  Thank you for the reply.
  Here one thing I would need to mention that those are created by me on last week, but when I check those today, I could not able to see or even admin also not able to see those. For sure no migration and updations happend over the week end, really not able to debug whats the issue around. Unfortunately I haven't taken back up as well.
  Please could you help and let me know whats the root cause and how I could able to restore.
  Best regards,
  Kumar

• How to create Users/Roles for ldap in weblogic without using admin console

  Is it possible to create Users/Roles for ldap in weblogic without using admin console? if possible what are the files i need to modify in DefaultDomain?
  or is there any ant script for creating USers/Roles?
  Regards,
  Raghu.
  Edited by: user9942600 on Jul 2, 2009 1:00 AM
  Edited by: user9942600 on Jul 2, 2009 1:58 AM

  Hi..
  You can use wlst or jmx to perform all security config etc.. same as if it were perfomred from the admin console..
  .e.g. wlst create user
  ..after connecting to admin server
  serverConfig()
  cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator")
  cmo.createUser("userName","Password","UserDesc")
  ..for adding/configuring a role
  cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/RoleMappers/XACMLRoleMapper")
  cmo.createRole('','roleName', 'userName')
  ...see the mbean docs for all the different attributes, operations etc..
  ..Mark.

• Creating a reports folder that's only visible to the Admin role

  Hi all,
  I want to create a new Shared Custom Analyses folder to contain Admin reports. I need to make this folder only visible to users with the Administator role. But you can't seem to add the Admin role when setting up User Visibility to Shared Report Folders. Help says that it's because the Admin role has visibility to all folders.
  I understand this - but how can you resrict access to a reports folder to just the Admin role (ie. it should not be visible to other roles)??
  Many thanks.

  You will need to assign all the other folders to rest of the roles.This would be the only way so that your required folder access is given only to admin and not to other users.
  -MR

• No "Admin Roles" or "Capabilities" on the Create User - Security tab

  I have created some Admin roles with full Capabilities for an Organisation (other than Top).
  However, when I login as "Configurator", and attempt to create a user under the "Accounts" tab, I cannot see any of the "Admin Roles" created under the "Security" tab. In fact, the "Admin Roles" or "Capabilities" list boxes somehow disappear altogether.
  Does anyone know what can cause the "Admin Roles" and "Capabililties" list boxes to disappear from this tab?

  Are you using IDM version 7.0 and above? If so, it is a security feature introduced by Sun.
  An administrator can assign an admin-role to a user only when he/she is designated to be the "assigner" of that role. Here's how you do it:
  Go to Security -> Admin Roles tab in the admin console, and click on the role to be assigned
  In the form that opens up, click "Add from Search" in the general tab and search/add the desired account.
  You would expect configurator to be a default assigner to any admin-role, but even this account needs to be configured to be the assigner for each admin-role.
  Hope this helps.
  -Adi
  [www.xpressutils.com|http://www.xpressutils.com]

• In Portal Content admin Role "Portal content" folder is not displaying

  Hi,
        I created a user in EP and assign Only Content admin Role. But in portal content area "Portal content "folder is not displaying.
  Can someone help me the process steps to achieve it?
  Thanks,
  kundan

  It is because the user has no proper permissions  to the porta content folder.
  you should give atleast read permission to the portal content folder to the content_admin role or to the users who have content admin role.
  also make sure the end user check box is checked at the time of giving permissions.
  Otherwise give eevryone group as read permisisons to the portal content folder. then you can see the portal content folder with read permissiosn only.
  Raghu
  Edited by: Raghavendranath Garlapati on Sep 1, 2009 9:32 AM

• Pictures not loaded in a Web Page Composer site without admin role

  Hello!
  I have got an new problem concerning SAP Web Page Composer.
  I have created an new site with some paragraphs and some pictures. The problem is when I, with admin role, access this site I am able to see everything. When another user, without admin role, is trying to access this site he is able to see everything but the pictures. All paragraphs or linklists are displayed but the pictures are not available. When giving the user the admin role he also become able to see the pictures.
  I know it is a permisson problem but not know where I forgot to set the permissions to "every user". But I do not understand why this is only concerning the pictures and every other Web Page Composer element is displayed properly, although the pictures permissions set to the same as the other elements. When trying to access the pictures by the user without admin role NetWeaver is throwing following exception:
  "com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs)"
  Thanks for your help in advance!
  Regards
  Georg

  The whole exception:
  [EXCEPTION]
  com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs - user: Manager,
  at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1932)
  at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:234)
  at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:316)
  at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:387)
  at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:488)
  at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
  at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
  at com.sapportals.wcm.portal.connection.KmConnection.handleRequest(KmConnection.java:52)
  at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
  at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
  at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
  at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
  at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
  at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
  Caused by: com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs)
  at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookupLink(PcdProxyContext.java:1353)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookup(PcdProxyContext.java:1300)
  at com.sapportals.portal.pcd.gl.PcdProxyContext.lookup(PcdProxyContext.java:1067)
  at com.sapportals.portal.pcd.gl.PcdGlContext.lookup(PcdGlContext.java:68)
  at com.sapportals.portal.pcd.gl.PcdURLContext.lookup(PcdURLContext.java:238)
  at javax.naming.InitialContext.lookup(InitialContext.java:347)
  at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1919

• Creation of new admin role in Exchange Online Protecion

  HI,
  I am brand new with the Exchange Online Protection solution.
  I want to create a new admin role since the default one do not offer teh specific rights that we need for a group.
  I went in Exchange admin Center > Permissions > Admin role and we can only edit the actual default groups.
  I need to be able to create new one.
  I did read somewere some powershell command but, since this is cloud base solution, i have hard time to believe that there is no option to create a custom role on the actual web interface of EOP.
  Anybody have a solution for that ?
  Thx

  Hi,
  as far as I can see you can't create roles in EOP because there is access necessary to Exchange Online. EOP has only limited access to Exchange Online or no access. It seems to me that managing roles is not part of EOP.
  To be sure you should open a support case in the admin center.
  Greetings
  Christian
  Christian Groebner MVP Forefront

• How to give amadmin the role:Top-level Admin Role?

  hi,
  To the user amAdmin , i cancel the role:Top-level Admin Role,as a result, amadmin becomes a common user without the priveleges such as creating users!how to restore the role for amAdmin?thanks in advace

  HI,
    Check if this can help you.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/dae78be4-0601-0010-c9ab-c0b8d86fac07
  Regards,
  Harini S

• Dynamic Admin Role Problems - IDM7.1

  Hi Everyone. I'm having problems getting a dynamic admin role to work correctly. No matter what I do I always get the error at logon that the user controls no organizations and has no capabilities. Here is how the admin role is configured.
  General:
  Type = Identity Objects
  Assigners = blank (I have also tried configurator)
  Organizations = Top
  Scope of Control:
  Controlled Organizations = Top
  None for everything else.
  Capabilities:
  All caps assigned, no cap rule.
  Assign to users:
  Has the rule below assigned to it. If I check a user that is in the AD group mentioned in the rule, it gives me a '1', if I check one that doesn't have the group, a '0'
  Rule:
  <?xml version='1.0' encoding='UTF-8'?>
  <!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
  <!--  MemberObjectGroups="#ID#Top" authType="UserIsAssignedAdminRoleRule" id="#ID#Rule:IAM Admin Admin Role Rule" lastMod="26" lastModifier="Configurator" name="IAM Admin Admin Role Rule"-->
  <Rule authType='UserIsAssignedAdminRoleRule' id='#ID#Rule:IAM Admin Admin Role Rule' name='IAM Admin Admin Role Rule' createDate='1239044336520' lastModifier='Configurator' lastModDate='1248287397906' lastMod='26'>
    <RuleArgument name='context'/>
    <RuleArgument name='runAsUser'/>
    <isTrue>
      <contains>
        <rule name='my_rulelibrary:get_DownCaseList'>
          <argument name='dnlist' value='$(runAsUser.accounts[AD].groups)'/>
        </rule>
        <downcase>
          <rule name='my_Configuration:IAM Admin Group Name'/>
        </downcase>
      </contains>
    </isTrue>
    <MemberObjectGroups>
      <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
  </Rule>I have also added the item below to the system configuration and reset the app server
  <Attribute name='authz'>
              <Object>
                <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
                  <Object>
                    <Attribute name='Administrator Interface'>
                      <Boolean>true</Boolean>
                    </Attribute>
                    <Attribute name='Service Provider User Interface'>
                      <Boolean>false</Boolean>
                    </Attribute>
                    <Attribute name='User Interface'>
                      <Boolean>true</Boolean>
                    </Attribute>
                  </Object>
                </Attribute>
              </Object>
            </Attribute>Any ideas?

  Hi,
  the view handed to these kind of rules is created with the noFetch option set to true. As a result the AD groups of the user are not available during rule evaluation.
  You could solve your task by doing a search using the FormUtil class.
  I would however advise you to only do this in a small or demo environment as the usage of usermember rules does not scale at all. This is a pure sales feature that will quickly bring down a production environment with high CPU utilization and horrible response times. Unlike what one might guess these rules are not only evaluated during login but almost all the time, often multiple times for each click. Even if the rule as such only performs cheap operations the AuthCache class hogs more and more CPU time with each rule of this kind you add to the system.
  Regards,
  Patrick

• How to Add Active Directory user to Admin Role

  Hi All,
  I am trying to figure out how to add a AD user to the Admin Role..
  I am connected to AD and can see the user (myself), however, when I try to add myself to the admin role, it says user not found.
  I go to Security Realms > myreals > Roles and Policies > Global Roles > Roles > Admin > View Role Condition.
  I see that the Administrators Group is already added. Now I click "add Conditions" and select "User" from the Predicate List and type in the user " Doe' John".
  On the next screen I get "user: John or Dow" does not exist.
  Another option could be to add the user to the Administrator group, but I couldnt figure out how to do that as well. When I navigate to the user under Users or Groups, I dont see an option to add that user to the Administrator group.
  Is it that you can only add users created in Weblogic to the Admin group?
  Any help on this will be very appreciated.
  Thanks in advance.

  I think I got it. I had to add the AD group the user is part of to the Admin role.

• Create a role without becoming a member...

  I looked all over and couldn't find the answer....I'm 99% sure it's possible....Just cannot remember for the life of me.
  What I'm trying to do is create a role (Create Role TestRoleABC) without becoming a member of it or having the admin ability attached to the ID I'm creating the role with.
  So, example being. Using ID "AppID123", I issue "Create Role TestRoleABC". After creation, the ID "AppID123" is now a member of "TestRoleABC" and has the ability to grant it. I only want accounts that have the "Grant Any Role" priv to be able to do so....
  Thanks.

  Topher34 wrote:
  I looked all over and couldn't find the answer....I'm 99% sure it's possible....Just cannot remember for the life of me.
  What I'm trying to do is create a role (Create Role TestRoleABC) without becoming a member of it or having the admin ability attached to the ID I'm creating the role with.
  So, example being. Using ID "AppID123", I issue "Create Role TestRoleABC". After creation, the ID "AppID123" is now a member of "TestRoleABC" and has the ability to grant it. I only want accounts that have the "Grant Any Role" priv to be able to do so....
  Thanks.when all else fails Read The Fine Manual
  http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_6012.htm#i2066772
  "If you create a role that is NOT IDENTIFIED or is IDENTIFIED EXTERNALLY or BY password, then Oracle Database grants you the role with ADMIN OPTION. However, if you create a role IDENTIFIED GLOBALLY, then the database does not grant you the role. A global role cannot be granted to a user or role directly. Global roles can be granted only through enterprise roles."

• Creating Custom Role

  Hi,
  We want to create custom roles in ABAP (su01) and assign them to some user ids.
  The role should have below previleges:
  1) Developer Access (already provided) role and the users are able to create Objects in ESR and ID.
  2) Should have access to create Namespace in ESR.
  3) Should have access to create Alerts in ALRTCATDEF.
  I think SAP_XI_CONTENT_ORGANIZER_ABAP and SAP_XI_CONTENT_ORGANIZER_J2EE should help in the above requirement.
  Can anyone please confirm?
  Do not suggest to give ADMIN access
  Thank you,
  Pankaj.

  Hi,
  I did see the link, but still I am not aware which role should be used to access ALRTCATDEF tcode.
  If I assign SAP_XI_CONTENT_ORGANIZER_J2EE, then the user will be able to create Namespace, but what about creating alerts?
  The link just mentions about RWB -> Alert Configuration and Alert Inbox, but nothing about ALRTCATDEF tcode.
  Thank you,
  Pankaj.