Creating a Role view in a workflow
I'm trying to create a role view in my workflow with the following code but it gives me an error: com.waveset.util.InternalError: Unable to locate ViewHandler for 'role'.
<Action application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='createView'/>
<Argument name='type' value='Role'/>
<Return from='view' to='view'/>
</Action>
Has anyone created a role from a workflow, java or SPML?
nvm figured it out.
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='createView'/>
<Argument name='type' value='Role'/>
<Argument name='viewId' value='Role'/>
<Argument name='Form' value='Empty Form'/>
<Argument name='authorized' value='true'/>
<Return from='view' to='role'/>
</Action>
Similar Messages
-
Create Material Specific View via Workflow
Hello,
I am trying to build a simple workflow that is started when a new material is created and then 3 workitems are sent parallel to 3 users, each one has to create a different view for this material.
Some technical details:
R3 version: ECC 5.00
BOR object: BUS1001006
Method: Create or Createviews (not sure about this)
The thing is that the views to be created have to be set in the system hardcoded, e.g. - every time the same agent creates the Accounting view, etc...
But no matter what I tried in the Binding, I can not set a constant value to the container element:
ViewListLine.MaintenanceStatus
Any creative ideas will be very much appreciated !
Thank you very much,
Ronen
Hi Vijayasekar
I will give you some steps, please follow them
1) Go to Tcode PFTC : Standard Task > Create Button > Workflow Template
For Create Container
Element : ZBUS1001006
Name : Any Name
Description
Data Type & Properties
Data Type:
select Object Type : BOR Object Type for BUS1001006
Properties:
Parameter Settings : check all Import, Export & Mandatory Checkboxes
Basic Data :
Abbr : Create_View
Name : Some Name
Work Item Text : Create View Material & -
Click on DELE Button & Select Material From The List
Object Category : BOR Object Type
Object Type : BUS1001006
Method : View
Triggering Events
Obj Category Object Type Event
BOR Object BUS1001006 View
activate it
Enter on BUS1001006 Object Type you will get Quadratel<> Button after that
double click on Quadratel<> button you get green button
after that the system will generate the task No.
check in the Event linkage Tcode : SWETYPV
if you find an entry with your Workflow and linkage active
goto Tcode : SWEC click on New Entries
Change Doc Object | Obj Cat | Obj Type | Event | On create
Material | BOR Object | BUS1001006 | View | Option Button (Checked)
save this
goto Tcode : SWEC
Change Doc Object : Material
Obj Category : BOR Type
Obj Type : BUS1001006
Event : View
Check with On Create Button
Goto SWETYPV
Obj Category : BOR Type
Obj Type : BUS1001006
Event : View
Receiver Type : Some Work Flow No: WS80000431 like this
Click on Work flow Builder & Test It
Thanks & regards
Sreenivasulu P
-
How to create Roles to user in WORKFLOW
How can I create a role for a user in Workflow so that I can send e-mail notification? And where should I mention that role, i.e. whether in notification or message?
Given that you have a role, you can mention that role in "Performer" (Node Tab) of the Notification. If you want to fetch the role name value dynamically, then create an attribute with the type "Role" and assign that attribute in the Performer field.
-
How can I create only SPRO view role?
Hello,
On my production server I want to create a role for SPRO view. How is it possible?
Please help me
regards
Kariyath
Hello Kariyath,
Please check this thread for this purpose:
Re: Transaction List in SPRO
This thread allows you to have all transactions in SPRO in a role.
Next you need to change activities to 03. Make sure you remove authorization objects like s_admi_fcd, s_btch_nam, s_cts_admi etc. from this role.
regards.
ruchit.
-
Create Business role from workflow
We have a problem creating a Business role from workflow in SIM 8.1.0.7. Especially we can not set PrimaryObjectGroup of the newly created role.
Is there a way to set this parameter or to set the type of the role to be Business Role not ITrole?
Here is the code for the creation
<set name='roleObject'>
<new class='com.waveset.object.Role'>
</new>
</set>
<invoke name='setName'>
<ref>roleObject</ref>
<s>role1</s>
</invoke>
<invoke name='setAuthType'>
<ref>roleObject</ref>
<s>BusinessRole</s>
</invoke>
<invoke name='setDescription'>
<ref>roleObject</ref>
<s>Test</s>
</invoke>
I was able to create the role by this code:
<set name="rolesvar">
<invoke name='getObject' class='com.waveset.ui.FormUtil'>
<select>
<ref>:display.session</ref>
<ref>context</ref>
<invoke name='getLighthouseContext'>
<ref>WF_CONTEXT</ref>
</invoke>
</select>
<s>Role</s>
<s>Template</s>
</invoke>
</set>
<set name='roleObject'>
<new class='com.waveset.object.Role'>
<invoke name='getPrimaryObjectClass'>
<ref>rolesvar</ref>
</invoke>
</new>
</set>
<invoke name='setName'>
<ref>roleObject</ref>
<s>BusinesRole1</s>
</invoke>
<invoke name='setAuthType'>
<ref>roleObject</ref>
<s>BusinessRole</s>
</invoke>
<invoke name='setDescription'>
<ref>roleObject</ref>
<s>Test Business Role</s>
</invoke>
<invoke name='setMemberObjectGroupRef'>
<ref>roleObject</ref>
<invoke name='getObjectGroupRef' class='com.waveset.object.ObjectGroup'>
<select>
<ref>:display.session</ref>
<ref>context</ref>
<invoke name='getLighthouseContext'>
<ref>WF_CONTEXT</ref>
</invoke>
</select>
<s>Org1</s>
</invoke>
</invoke>
But there Template is a real object which has to be created. Is there a static method for getting an objectClass variable and passing it as an argument to the constructor?
Edited by: piaggio100 on 2011-10-20 16:13
-
Creating standard roles transaction
Hello,
Please let me know transaction code of standard roles creation in SAP Business Workflow.
Regards,
Amey
Create Roles
The role also contains the authorizations users need to access the transactions, reports, web-based applications and so on, contained in the menu.
You can assign a role to an unlimited number of users.
Procedure
To create a single role:
1. Choose the pushbutton Create role or the transaction PFCG in the initial transaction SAP Easy Access. You go to the role maintenance.
2. Specify a name for the role.
The roles delivered by SAP have the prefix 'SAP_'. Do not use the SAP namespace for your user roles.
SAP does not distinguish between the names of simple and composite roles. You should adopt your own naming convention to distinguish between simple and composite roles.
3. Choose Basic maintenance (in the Profile, Other objects menu).
4. Choose Create.
5. Enter a meaningful role description text. You can describe the activities in the role in detail.
You may use an existing role as a reference.
6. Assign transactions, programs and/or web addresses to the role in the Menu tab. The user menu which you create here is called automatically when the user to whom this role is assigned logs on to the SAP System. You can create the authorizations for the transactions in the role menu structure in the authorizations tab.
If you want to call the transactions in a role in another system, enter the RFC destination of the other system in the Target system field.
You should only use RFC destinations which were created using the Trusted System concept to guarantee that the same user is used in the target system. This is only necessary if you want to navigate via the Easy Access Menu in the SAPgui.
If you use the Workplace Web Browser, you can use any destination containing a logical system with the same name.
If the Target system field is empty, the transactions are called in the system in which the user is logged on.
You can also specify a variable which refers to an RFC destination. Variables are assigned to the RFC destinations in the transaction SM30_SSM_RFC.
To distribute the role into a particular target system, specify the target system (its Release must be 4.6C) and choose Distribute. This function is most useful when you use the Workplace.
You can create the user menu:
o from the SAP menu
You can copy complete menu branches from the SAP menu by clicking on the cross in front of it in the user menu. Expand the menu branch if you want to put lower-level nodes or individual transactions/programs in the user menu.
o from a role
This function copies a defined role menu structure in the same system into the current role. You can also copy the menu structure of a role delivered by SAP. Click on the menu branches and copy them.
o from an area menu
You can copy area menus (SAP Standard and your own) into a role menu. Choose an area menu from the list of menus and copy the transactions you want.
o Import from file
See Upload/Download roles.
o Transaction
You can put a transaction code in the user menu directly.
o Program
This function puts programs, transaction variants or queries in the user menu. They need not be given a transaction code.
ABAP Report
Choose a report and a variant. You can skip the selection screen.
You can generate a transaction code automatically and copy the report description by setting checkboxes.
SAP Query
Enter a user group and query name. If the query has a variant, you can specify it. You can also specify a global query. See Query work areas.
Transactions with variants
The system administrator can create transaction variants in the SAP System Personalization. Transaction variants adjust complex SAP System transactions to customer business processes, by e.g. hiding superfluous information and adding other information such as pushbuttons, text or graphics. You can put a transaction variant call in a user menu by entering the transaction code and variant which you created in the transaction SHD0.
BW report
Include a Business Information Warehouse report. Enter the report ID.
ReportWriter, Search, Report
These functions put other application-specific report types in the user menu.
o Others
Enter other objects:
Web address or file
Enter internet/intranet links with a descriptive text and the web address. You can enter a file name if the browser can call an application.
Drag and relate component
Enter the component name.
Knowledge Warehouse link
Use the Document field possible entries help. Choose the information object type. You go to a selection screen in which you can search for the object in the Knowledge Warehouse.
There are other pushbuttons for editing the user menu. Choose a menu entry with the cursor before you call one of the following functions.
Function: Meaning
Create folder: Group transactions, programs, etc. in a folder
Change node text: Change a menu entry text
Move down: Move a menu entry down one place
Move up: Move a menu entry up one place
Delete nodes: Delete a menu entry. Any subnodes are also deleted.
Delete all nodes: Delete the complete role menu
Translate node: Translate a menu entry
Documentation: Display the documentation of transactions, programs, etc.
Find doc.: Find programs
You can restructure the menu by Drag & Drop.
The Menu tab status is red if no menu nodes are assigned. If at least one menu node is assigned, the status is green.
You can assign Implementation Guide (IMG) projects or project views to a role under Utilities → Customizing auth. Do this to generate IMG activity authorization and assign users. The authorization to perform all activities in the assigned IMG projects/project views is generated in profile generation. You make the assignments in a dialog box. Choose Information to display more information on using this option.
7. Save your entries.
You have created a role.
-
Is there any way to create admin role only for one resource.
Hi all,
I am trying to create an admin role with 'update user' capability. But I want to restrict the user(with the admin role) to be able to update a user's attribute only for one resource, The user(with the admin role) should not be able to update the attributes of the other resources which a user have.
Is there any way to create admin role only for one resource?
I customized the tabbed user form to show only one resource attribute (deleting the missing fields and adding my tab for the resource) and then assigned this new User Form to the user(with the admin role) in security tab.
It works fine. But the problem is that if any user(with the admin role) is also admin of some other resource then he/she will not be able to view the other resource attributes.
Please suggest,
thanks
The loop function always repeats the same region so of course the fade is also copied. So option+drag the original region to make a (non clone) copy, fade the first region and loop the second one (which you just copied).
-
Using FindObjects view in a workflow?
Hello all,
could somebody provide a simple example of how to use FindObjects view in a workflow?
when I try to use getView type FindObjects - I get what essentially is a view template.
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='getView'/>
<Argument name='id' value='User'/>
<Argument name='type' value='FindObjects'/>
<Argument name='options'>
<map>
<s>objectType</s>
<s>User</s>
<s>maxResults</s>
<s>100</s>
</map>
</Argument>
<Return from="view" to="findView"/>
</Action>
Tried to use refreshView with command=find - nothing changes.
<Action application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='refreshView'/>
<Argument name='view' value='$(findView)'/>
<Argument name='options'>
<map>
<s>command</s>
<s>find</s>
</map>
</Argument>
<Return from="results" to="users"/>
</Action>
How do I call it to actually go and find users and return me some results? I essentially need to find User objects based on some complicated attribute conditions, and would like to specify which attributes to return - similar to what the Find_Objects.jsp does, but programmatically from a workflow ...
Thank you.
Hello Raghavendra,
Except for step 4 everything is the same. Instead of for the Validation Group it just says Group.
With single validation in Validate step, workflow works fine.
I have created Validation Group as follows:
1. Edit Validation Groups
2. Add a Sibling
3. Goto individual validations and select the newly created Validation Group in Group property field of the individual validation.
Thanks,
Vinay
-
Modify Script to Create User Role on Single Database.
Hi All,
Below is the script to create a user role on a database. The problem is that when I execute this script, it creates the user role for all databases within an instance, and I want it to create the user role only on 2 databases, say TEST1 and TEST2.
Can anyone help me to modify the script?
--===================================================================================
-- Description
-- Database Type: MSSQL
-- This script creates a role called 'gdmmonitor' for ALL databases.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
-- before running this script
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
-- Note:
-- If you wish to use a different login name (instead of 'sqlguard') you need to change
-- the value of the variable '@Guardium_user' in the script below;
-- (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
-- after running this script
-- Nothing to do, the script already creates the db user
-- User/Password to use
-- User: sqlguard (or any other name, if changed)
-- Pass: user defined
-- Role: gdmmonitor
--===================================================================================
PRINT '>>>==================================================================>>>'
PRINT '>>> Creating role: "gdmmonitor" at the server level.'
PRINT '>>>==================================================================>>>'
-- Change to the master database
USE master
-- *** If a different login name is desired, define it here. ***
DECLARE @Guardium_user AS varchar(50)
set @Guardium_user = 'sqlguard'
DECLARE @dbName AS varchar(256)
DECLARE @memberName AS varchar(256)
DECLARE @dbVer AS nvarchar(128)
SET @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
SET @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
IF (@dbVer = '8') SET @dbVer = '2000'
ELSE IF (@dbVer = '9') SET @dbVer = '2005'
ELSE IF (@dbVer = '10') SET @dbVer = '2008'
ELSE IF (@dbVer = '11') SET @dbVer = '2012'
ELSE SET @dbVer = '''Unsupported Version'''
IF (@dbVer != '2000')
BEGIN
-- This privilege is required to perform a specific MSSQL test.
-- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key)
-- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop
-- Purpose: To display provider property, not changing anything.
PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
END
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if they exist
CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the role gdmmonitor on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.spt_values TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysconfigures TO gdmmonitor
GRANT SELECT ON dbo.sysdatabases TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syslogins TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
-- Grant execute privileges to the role for MSSql Common
PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON sp_helpdbfixedrole TO gdmmonitor
GRANT EXECUTE ON sp_helprotect TO gdmmonitor
GRANT EXECUTE ON sp_helprolemember TO gdmmonitor
GRANT EXECUTE ON sp_helpsrvrolemember TO gdmmonitor
GRANT EXECUTE ON sp_tables TO gdmmonitor
GRANT EXECUTE ON sp_validatelogins TO gdmmonitor
GRANT EXECUTE ON sp_server_info TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sql_logins TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
GRANT SELECT ON sys.server_role_members TO gdmmonitor
GRANT SELECT ON sys.configurations TO gdmmonitor
GRANT SELECT ON sys.master_key_passwords TO gdmmonitor
GRANT SELECT ON sys.server_principals TO gdmmonitor
GRANT SELECT ON sys.server_permissions TO gdmmonitor
GRANT SELECT ON sys.credentials TO gdmmonitor
--This is called by master.dbo.sp_MSset_oledb_prop.
--By default it should have already been granted to public.
GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR
END
-- Re-add the dropped members
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Re-adding the role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- END of role creation on database
PRINT '==> END of role creation on: ' + @dbName
PRINT ''
-- Change to the msdb database
USE msdb
set @memberName = ''
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if it exists
TRUNCATE TABLE #rolemember
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the gdmmonitor role on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
GRANT SELECT ON dbo.backupset TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
-- Grant execute privileges to the role for MSSql 2005 or above
PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
END
IF (@dbVer > '2000' and @dbVer < '2012')
--This sp is not available in SQL 2012
BEGIN
GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
END
-- Re-add the dropped members
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the temporary table
DROP TABLE #rolemember
-- END of role creation on database
PRINT '==> END of gdmmonitor role creation on: ' + @dbName
-- Role creation complete
PRINT '<<<==================================================================<<<'
PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
PRINT '<<<==================================================================<<<'
PRINT ''
PRINT '>>>==================================================================>>>'
PRINT '>>> Starting application database role creation'
PRINT '>>>==================================================================>>>'
use master
DECLARE @databaseName AS varchar(80)
DECLARE @executeString AS varchar(7950)
DECLARE @dbcounter as int
set @dbcounter = 0
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
and not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @dbcounter = @dbcounter + 1
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
'/*find any members of the role if it exists*/ ' +
'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
'INSERT INTO #rolemember ' +
'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
'WHERE usr.uid = mbr.memberuid ' +
'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'/*Drop the Role Members If they exist*/ ' +
'IF EXISTS (SELECT * FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/*drop the role if it exists*/ ' +
'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'BEGIN ' +
'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_droprole ''gdmmonitor'' ' +
'END ' +
'/* Create the role */ ' +
'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_addrole ''gdmmonitor'' ' +
'/* Grant select privileges to the role for MSSql Common */ ' +
'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON dbo.sysmembers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysobjects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysprotects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysusers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
'/* Check if the version is 2005 or greater */ ' +
'IF (' + @dbVer + ' != ''2000'') ' +
'BEGIN ' +
'/* Grant select privileges to the role for MSSql 2005 and above */ ' +
'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
'GRANT SELECT ON sys.all_objects TO gdmmonitor ' +
'GRANT SELECT ON sys.database_principals TO gdmmonitor ' +
'GRANT SELECT ON sys.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON sys.database_role_members TO gdmmonitor ' +
'END ' +
'/* Re-add the dropped members */ ' +
'IF EXISTS (SELECT 1 FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/* drop the temporary table */ ' +
'DROP TABLE #rolemember ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT '' ''' +
'PRINT '' '''
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
-- Adding user to all the databases
-- and grant gdmmonitor role, only if login exists.
PRINT '>>>==================================================================>>>'
PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '>>> on all databases.'
PRINT '>>>==================================================================>>>'
USE master
/* Check if @Guardium_user is a login exist, if not do nothing.*/
IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
BEGIN
PRINT ''
PRINT '************************************************************************'
PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
PRINT '*** Please add the login and re-run this script.'
PRINT '************************************************************************'
PRINT ''
END
ELSE
BEGIN
DECLARE @counter AS smallint
set @counter = 0
-- This loop runs 4 time just to make sure that the @Guardium_user gets added to all db.
-- 99% of the time, this is totally unnecessary. But in some rare case on SQL 2005
-- the loop skips some databases when it tried to add the @Guardium_user.
-- After two to three executions, the user is added in all the dbs.
-- Might be a SQL Server bug.
WHILE @counter <= 3
BEGIN
set @counter = @counter + 1
set @databaseName = ''
set @executeString = ''
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
where not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'/*Check if the login already has access to this database */ ' +
'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'/*Check if login already have gdmmonitor role*/ ' +
'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'AND usr.name = ''' + @Guardium_user + ''') ' +
'BEGIN ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END ' +
'END ' +
'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
'execute sp_adduser [' + @Guardium_user + '] ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END '
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
END -- end while
-- Required for Version 2005 or greater.
IF (@dbVer != '2000')
BEGIN
-- Grant system privileges to the @guardium_user. This is a requirement for >= SQL 2005
-- or else some system catalogs will filter our result from assessment test.
-- This will show up in sys.server_permissions view.
PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
END
PRINT '<<<==================================================================<<<'
PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '<<< on all databases.'
PRINT '<<<==================================================================<<<'
PRINT ''
END
GO
Thanks a lot Sir... it worked.
Can you also help me in troubleshooting the issue below?
This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
The SA account with highest privileges has been used for script execution. The errors received are as follows:
>>>==================================================================>>>
>>> Creating role: "gdmmonitor" at the server level.
>>>==================================================================>>>
==> Granting MSSSQL 2005 and above setupadmin server role
==> Starting MSSql 2005 role creation on database: master
(0 row(s) affected)
==> Dropping the gdmmonitor role members on: master
==> Creating the role gdmmonitor on: master
Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
The procedure 'sys.sp_addrole' cannot be executed within a transaction.
==> Granting common SELECT privileges on: master
Msg 15151, Level 16, State 1, Line 117
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 118
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 119
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 120
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 121
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 122
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 123
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 124
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 125
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 126
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
==> Granting common EXECUTE privileges on: master
Msg 15151, Level 16, State 1, Line 130
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 131
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 132
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 133
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 134
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 135
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 136
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission. -
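A hardened form of the per-database grant loop from the script above, added here as an example and not part of the vendor script or either poster's code: it stops before doing anything if a transaction is open or implicit transactions are on (the condition Msg 15002 reports in the output above), and it builds the dynamic SQL with QUOTENAME and a parameter instead of hand-placed quotes and brackets. The login name guardium_login is a placeholder; SQL Server 2005 or later and an existing gdmmonitor role in each database are assumed.

```sql
-- Added example, not the vendor script. Assumes SQL Server 2005 or later,
-- an existing server login, and a gdmmonitor role already present in each database.
DECLARE @Guardium_user sysname, @db sysname, @sql nvarchar(max);
SET @Guardium_user = N'guardium_login';   -- placeholder login name

-- The role-creation part of the script calls sp_addrole, which fails with
-- Msg 15002 when a transaction is open. @@OPTIONS bit 2 is IMPLICIT_TRANSACTIONS,
-- which opens a transaction on the next qualifying statement.
IF @@TRANCOUNT > 0 OR (@@OPTIONS & 2) = 2
BEGIN
    RAISERROR('Open or implicit transaction detected: COMMIT/ROLLBACK and SET IMPLICIT_TRANSACTIONS OFF first.', 16, 1);
    RETURN;
END

DECLARE DatabaseCursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state = 0            -- ONLINE
      AND is_read_only = 0
      AND user_access = 0;     -- MULTI_USER

OPEN DatabaseCursor;
FETCH NEXT FROM DatabaseCursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME escapes ] inside identifiers; wherever the login name is data
    -- rather than an identifier it is passed as a parameter, never concatenated.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @login)
            CREATE USER ' + QUOTENAME(@Guardium_user) + N' FOR LOGIN ' + QUOTENAME(@Guardium_user) + N';
        IF ISNULL(IS_ROLEMEMBER(N''gdmmonitor'', @login), 0) = 0
            EXEC sp_addrolemember N''gdmmonitor'', @login;';
    EXEC sp_executesql @sql, N'@login sysname', @login = @Guardium_user;
    FETCH NEXT FROM DatabaseCursor INTO @db;
END
CLOSE DatabaseCursor;
DEALLOCATE DatabaseCursor;
```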
OIA Web Services - Create a Role
I was looking through the API guide for OIA here:
http://download.oracle.com/docs/cd/E24179_01/doc.1111/e23366/toc.htm
I realized that there is no web service to create a role or policy (no policy methods at all). Am I missing something? Shouldn't this be one of the most basic functions? There is a call to create a user and you can read all the role and business unit information that you need but nothing is there to create a role. Can someone confirm this and possibly point me in the right direction if I did want to create a role programmatically?
Hi,
It's because the roles and policies require versioning through the workflows, whereas the other OOTB APIs are either queries, simple updates against 1 or more tables, or don't require OIA's workflow engine.
Regards,
Daniel
-
Hi Guys,
I'm trying to configure a view that will allow a user access to do a few mundane tasks such as read the startup config, a few show commands, change the terminal settings, etc.
I've configured a view called RO and assigned a few exec commands (see below):
parser view RO
secret 5 $1$m3Iz$ltDKR58NxImIZEEwX/vbV0
commands exec include terminal length
commands exec include terminal
commands exec include show startup-config
commands exec include show
I've also created a user and assigned it to this view
username sc view RO password 0 sc
Now, when I log in with the user sc I am unable to move from user mode to privileged mode; I get an access denied error as seen below:
R1>en
Password:
% Access denied
Have I done something wrong? How do I configure the router so that I can create a role with the required commands and assign it to users? I thought I had it down pat but it isn't working.
Any advice you have would be greatly appreciated
TIA
Rgds
Scott
Hi Wen,
See config extract below:
VIEWS_R1#sho run
Building configuration...
Current configuration : 1218 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname VIEWS_R1
boot-start-marker
boot-end-marker
enable password password
aaa new-model
aaa authentication login default local
aaa authorization exec default if-authenticated
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username sc privilege 15 password 0 abc123
username sc2 view RO password 0 abc123
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
duplex auto
speed auto
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input telnet
line vty 5 14
transport input telnet
line vty 15
transport input telnet
parser view RO
secret 5 $1$E6ex$JrkjcJd94q4vM/QrQL9F31
commands exec include terminal length
commands exec include terminal
commands exec include show startup-config
commands exec include show
end
Note: This config differs slightly from that mentioned in my previous posts. I've had to rebuild it as I lost my test environment. In the above config, the user sc2 is assigned the view RO. I'm doing all this testing in GNS3, happy to upload the configs for you if you prefer.
A difference I have noticed between your output and what I get is that my user "sc2" is not logged into privileged mode. I guess this is because I don't have it set on the vty lines. If I do set it, as already stated, the view doesn't take effect and the user gets all commands available to that priv level.
Here's what I see (I've added the passwords so you can see what I'm doing):
User Access Verification
Username: sc2 (this user has the RO view assigned to them)
Password: abc123
VIEWS_R1>en
Password: RO (the RO view enable password)
% Access denied
VIEWS_R1>en
Password: password (the root view enable password)
VIEWS_R1#sho parser view
No view is active ! Currently in Privilege Level Context
VIEWS_R1#sho run | i sc2
username sc2 view RO password 0 abc123
VIEWS_R1#
Any idea why my view isn't taking effect?
Rgds
Scott
-
How to prevent end user to create a Query View and save back to BW Server?
Dear All :
Does someone know how to set up authorization for Bex Query View creation? We want to prevent end users from creating a Query View and saving it back to the BW Server in their favorite folder. When our user runs a Bex Query, he can, based on this query, use Bex Analyzer's save function to save a Query View into his favorite folder.
My questions are:
1. Can we set up an authorization to prevent end users from saving a Bex Query View?
2. Or can I remove the Save function from Bex Analyzer to prevent end users from using it? Developers should not be prevented, though.
Thanks for all of your kind responses.
Best Regards
Lawrence Kuo
Hi.
Yes, you can do it like you outline in your point 1):
You need to use the authorization object S_RS_COMP for this. This object lets you control what parts/components of a query the user can do stuff to. So, in your case, you need to have a role for the users, where you do not grant create-access to the component QVW, and then you need another role for developers, where you grant full access or whatever you need for your developers.
See [this post|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a6c54319-0e01-0010-20a4-fb81ad32f330?QuickLink=events&overridelayout=true&5003637661135] and the [SAP Help entry|http://help.sap.com/saphelp_nw70/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm].
You will also need to use the authorization object S_RS_COMP1. If you already have a productive system with users doing reporting, both objects will be maintained in one of the roles already.
You also want to consider using the object S_RS_PARAM to allow users to create variants for the variable screen.
Good luck.
Jacob
-
Authorization: create a query view in Production
Hi BI experts,
We are on BI 7.0 and we have some queries in Production... the issue here is that 2 users want to create a global Query View and save it under some Role...
How should the authorization in PFCG be done?
Right now:
1) In PFCG I created a Role in which I included those 2 users
2) Under authorizations Tab ---> change authorization
I have a profile for Business Information Warehouse; under that, BEx - Components.
I put the InfoCube name, name of the reporting component... type of reporting component - I chose Query View.
Is there anything else we have to do? Because the user still cannot create a query view in production.
Your comments will be returned with full points ....
Thanks
Dear Nikhil,
In case of BW 3.5, you have two transactions for authorization management: Maintain Roles (PFCG) and Reporting Authorization Objects (RSSM).
In Maintain Roles (PFCG) you can set up the role profile, and create, add and set up authorization objects.
In Reporting Authorization Objects (RSSM) you can set up the authorization by the characteristics which you need to restrict by value. You can also access the RSRT transaction, where you simulate the query execution; after that, you come back to the RSSM transaction and select Authorization Check Log to see the output of the execution. The difference from 7.0 is that you need to log on as the specific user; in other words, if you need to test user 1, you log on to BW 3.5 as this user 1 and run RSRT, then you check the output in the RSSM Authorization Check Log.
In your role you should have the following authorization objects:
S_RS_FOLD to see folder InfoArea.
S_USER_AGR activity 01, 02 and 22 and role name
S_USER_TCD transaction code RRMX
And
S_RS_COMP activity 03 and 16, InfoArea, InfoCube, Name of Reporting, Type.
S_RS_ICUBE activity 03 and 16, InfoCube Data, InfoArea, InfoCube.
In the role, after you assign the authorization object created in RSSM, you should set up the value of each characteristic selected for the object.
I hope that can help you,
Luis
-
Create users , roles, link roles to users
Hi Experts,
How do we create users, roles and link roles to users in Oracle Discoverer?
If they are the users created in the Oracle database, how is Discoverer access given to them? EUL5_EUL_USERS has the list of the users and roles for Discoverer.
Thanks.
Hi User,
Below is the document link with the step-by-step process for giving access to end users; the topic is Viewer and Plus Access with E-Business Suite
http://ascbi.com/thirdparty_documents.htm_
Hope it helps you. Promptly award points; here is the link http://forums.oracle.com/forums/ann.jspa?annID=939
By,
KK
-
Hi,
How can I create an admin role in portal? PortalSystemAdministrator role has many privileges. I would like to create a new admin role which should just be able to create users.
Thanks in advance.
Hi Sandeep,
Here is the code that you can use to create an Organization. In the same way you can create an Admin Role, I think...
<Action id='1'>
  <expression>
    <block>
      <set name='og'>
        <new class='com.waveset.object.GenericObject'>
          <map>
            <s>orgDisplayName</s>
            <ref>newOrg</ref>
            <s>orgParentName</s>
            <ref>oldOrg</ref>
          </map>
        </new>
      </set>
      <invoke name='setId'>
        <ref>og</ref>
        <concat>
          <s>Org:</s>
          <invoke name='currentTimeMillis' class='java.lang.System'/>
        </concat>
      </invoke>
    </block>
  </expression>
</Action>
<Action id='2' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='checkinView'/>
  <Argument name='view'>
    <ref>og</ref>
  </Argument>
</Action>
Thanx
Shant