Creating Groups/Roles in Weblogic 7.0
I've noticed something odd when dealing with Roles, but not sure if it's just me,
or a known issue.
I finally got Weblogic to authenticate users through Active Directory (woo hoo!).
I have a set of roles defined, but that's where the problem comes in.
I can't seem to add a group name to a role unless that group is defined in Weblogic.
Not only that, but if that group does not have a user assigned to it, I can't
add the group to the role.
I'd like to be able to create roles that are assigned groups from AD, not ones
defined in Weblogic. Is there a way to do this? I'd hate to have to create bogus
users and groups just to allow proper authentication and role assignment to occur.
If anyone has experienced this, or might know what I am doing wrong, I'd appreciate
the help.
Thanks!
hi,
Pl chk the link
http://help.sap.com/saphelp_nw04s/helpdata/en/25/87273c3f2b3c7ce10000000a11402f/frameset.htm
Ramesh
Similar Messages
-
PostEvent to create OIM Roles based on AD groups
Hi,
we want to create a similar roles in OIM based on groups in AD.
What would be the best way to create roles in OIM using the AD group recon or any other way using the group definition in AD? I'm looking for some guidance in doing this, either using a post-process event or any other method.
Thanks Richardo
The option is a scheduled task.
1. Use the OOTB AD group lookup recon and reconcile all the AD groups into a lookup.
2. Write a scheduled task using the OIM API to create the group/role in OIM:
a. get the lookup data into a map
b. loop through each record of the map
c. use the OIM API to create the group
if (isGroupExists())
    group already exists
else
    createGroup
Role manager API -- OIM 11g
http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/toc.htm
tcGroupOperationsIntf API -- OIM 10g
http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_903/doc_cd/javadocs/operations/Thor/API/Operations/tcGroupOperationsIntf.html
-
Creating Global Roles in 9.1 using WLST
Hi,
Did anyone try creating Global Roles in Weblogic 9.1 ?
Since in Weblogic 9.1, the Authorizer and Role Mapper providers are XACML based, I am not sure if we can use WLST offline to create global roles.
Can someone please shed some light on this.
Thanks -agreddy
As far as I know you could never create roles via WLST offline, only via WLST online.
Thanks,
-satya
BEA Blog: http://dev2dev.bea.com/blog/sghattu/
-
How to create a DBA role in weblogic 11g
Hi,
How can I create a role that will have permissions to create, delete, test and configure Data sources and won't be able to do/touch anything else?
Thanks,
Vitaly
Hi Vitaly
No. This is NOT possible. Basically you want Edit/Modify privileges only for the DataSources section. At a high level, you can get like full access to all the areas, which is Administrators. Or get Read Only access to all the areas, like the Monitors group. Or just get Deployers, who can only deploy. But you can get like access to only few areas in weblogic console. Below is just high level 3 important groups.
Login into Weblogic Console -> Security Realms -> myrealm -> Groups tab and you can see the list of groups that you can assign to any users.
Administrators - Administrators can view and modify all resource attributes and start and stop servers.
Deployers - Deployers can view all resource attributes and deploy applications.
Monitors - Monitors can view and modify all resource attributes and perform operations not restricted by roles.
Thanks
Ravi Jegga
-
Creating group dynamically in active directory depending on their role
Hi,
I have synced OID and Active Directory using Directory Integration Platform. Now the scenario is: we have one system, say the HR system, which takes care of entering all the user information. Once it submits that information it goes to OID. Now we want that when we import all those users from OID to Active Directory it doesn't duplicate any user, and depending on their role it should create groups dynamically in Active Directory. For example: if a user belongs to the Trainee category or the Manager category it must create a Trainee group and a Manager group, and the respective person should go into that group. I don't know whether my question is placed in the right group or not. I am using a filter to do this task but am not able to write a proper condition in "source matching filter" and "destination matching rule". Any help will be appreciated.
Thanks,
Sonya Sharma
Thanks Tamim. To clear your thought, I will explain again. I have synced OID and Active Directory through Directory Integration Platform. I have created a user in OID (cn=users,dc=mycompany,dc=com). It gets synced in Active Directory properly. Now I have created two groups in Active Directory, say for example Trainees and Manager. There is a field named position in OID which is a custom attribute. When I fill in the information of a user in OID, I have to fill in the "Position" attribute also. So my question is: if I fill in Trainee as the value of the Position attribute and click on submit, it should go into the Trainee group in Active Directory and not into the user group. Same for Manager. How can we achieve this? Can we do it through a filter? Or any other way? It's needed desperately. Please help me in resolving this issue.
Regards,
Sunil
-
How to create/get user & role in Weblogic 9.2 programmatically?
Hi,
I am new to Weblogic 9.
I need to create a web service to manage user/role in WebLogic 9.
Searching thru the web and found some classes like:
AtnSecurityMgmtHelper, AtnProviderDescription etc
Are those the correct classes to create/retrieve user & role?
If so, what jar file contains those classes and where is the jar
file?
Thanks in advance,
Terry
You can do it with WLST help
http://e-docs.bea.com/wls/docs92/config_scripting/config_WLS.html#wp1019913
or via JMX through http://e-docs.bea.com/wls/docs92/javadocs/weblogic/management/security/authentication/UserEditorMBean.html and such
-
Create , delete "security roles" in weblogic console - sample Security providers
Hi Everyone:
Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
those sample Security Provider , the author of codes used property files as
Security Providers Database, however he/she didn't show how to create a
Manageable Sample Role Mapping Provider or Manageable Sample Authentication
Provider, so Administrator of weblogic console can create and delete
"security roles" in weblogic console.
Have anyone known how to do that?
Ming Qin
"ming qin" <[email protected]> wrote in message news:[email protected]..
> Hi Everyone:
> Weblogic gave out sample Security Providers for version 7.0 and 8.1. In
> those sample Security Provider , the author of codes used property files as
> Security Providers Database, however he/she didn't show how to create a
> Manageable Sample Role Mapping Provider or Manageable Sample Authentication
> Provider, so Administrator of weblogic console can create and delete
> "security roles" in weblogic console.
> Have anyone known how to do that?
I would ask in the weblogic.developer.interest.management.console newsgroup.
>
> Ming Qin
-
I have 2 questions and these are very urgent:
1. Where can the mapping be defined between LDAP groups and WebLogic roles? I have
2 groups in iPlanet, contractors and employees, and I have 2 security roles in WebLogic:
contractors and employees. How do I map the LDAP group contractors to the WebLogic security
role contractors? Similarly for employees?
2. I have not defined contractors and employees under the People container in iPlanet.
e.g. The RDN for contractor is
uid=1234,ou=dir,dc=orams,dc=com
Can I still use the default security realm of WebLogic (the WebLogic Security Realm
under People) OR do I have to write my own custom code?
3. I am planning to use roles instead of groups to manage the logical grouping in
iPlanet. Can I still use the groups in the WebLogic security realm (in the configuration
parameters)?
This is very urgent ... so if any of you can throw any hints that will be greatly
appreciated.
--Sunita
Hi Ariel,
The driver is bundled with the product in WLS 6.1sp1. You don't have to
download any additional driver. Use it as you normally would; the only thing to
remember is if you are trying to write standalone java code then you have to
have weblogic.jar in your classpath. For the rest of the info follow the wls
docs for 6.1
HTH
sree
"Ariel" <[email protected]> wrote in message
news:3bb4a643$[email protected]..
> We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
> downloaded the JDriver from bea.com, but all the instructions that came with
> it are for WLserver 5.1.
> What has to be done to do this with 6.1 sp1?
> Thanks,
> Ariel
-
How to create Users/Roles for ldap in weblogic without using admin console
Is it possible to create Users/Roles for ldap in weblogic without using admin console? if possible what are the files i need to modify in DefaultDomain?
or is there any ant script for creating USers/Roles?
Regards,
Raghu.
Edited by: user9942600 on Jul 2, 2009 1:00 AM
Edited by: user9942600 on Jul 2, 2009 1:58 AM
Hi..
You can use wlst or jmx to perform all security config etc., same as if it were performed from the admin console.
e.g. wlst create user
..after connecting to admin server
serverConfig()
cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator")
cmo.createUser("userName","Password","UserDesc")
..for adding/configuring a role
cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/RoleMappers/XACMLRoleMapper")
cmo.createRole('','roleName', 'userName')
...see the mbean docs for all the different attributes, operations etc..
..Mark.
-
Groups/Roles ACI Procedures for Creating Accounts
Hello;
I am trying to determine the steps I need to perform in order to create a group/role, under "Groups"; "Groups" does not yet exist inside of my directory.
Inside of "Groups", I wish to create a container named "UserAdmins", for which users I make as members would be capable of creating accounts for other users.
In my current environment, in order to create user accounts, admins must be able to add/modify entries in:
1. People
2. group
3. auto.home
4. aliases
My questions, given the information below is:
A. Do my ACI's seem sound for my purposes?
B. How do I create a second ACI, similar to UserAdmins, but with the added ability of "deleting" entries as well as add and modify? (say called "SuperUserAdmins").
-----Create Groups---------------------
dn: ou=Groups, dc=sub,dc=domain,dc=com
objectclass: top
objectclass: organizationalunit
ou: Groups
-----UserAdmins.aci--------------------
aci: (target="ldap:///dc=sub,dc=domain,dc=com") (targetattr =
"*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
"ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)
dn: ou=Groups, dc=sub,dc=domain,dc=com
objectclass: top
objectclass: organizationalunit
ou: Groups
------Initial add of Members to UserAdmins--------
dn: cn=UserAdmins, ou=Groups, dc=sub,dc=domain,dc=com
cn: UserAdmins
objectclass: top
objectclass: groupofuniquenames
ou: Groups
uniquemember: uid=smitha, ou=People, dc=sub,dc=domain,dc=com
uniquemember: uid=youngt, ou=People, dc=sub,dc=domain,dc=com
uniquemember: uid=weizerb, ou=People, dc=sub,dc=domain,dc=com
The last field is for the attribute to delegate. You can read about it here: https://technet.microsoft.com/en-us/library/cc772662%28v=ws.10%29.aspx
You can also refer to this for updating AdminSDHolder container: http://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
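An audit of the ACI posted in the question above, with narrower UserAdmins and SuperUserAdmins ACIs built beside it; this is an added example, not code from any poster in the thread. The suffix, the UserAdmins group DN and ou=People come from the post; the parser, the rights lists and the acl names are assumptions made for illustration.

```python
import re

SUFFIX = "dc=sub,dc=domain,dc=com"
GROUPS = "ou=Groups," + SUFFIX
PEOPLE = "ou=People," + SUFFIX

# The ACI as posted in the question, joined onto one line.
POSTED_ACI = (
    '(target="ldap:///dc=sub,dc=domain,dc=com") (targetattr = "*")'
    '(version 3.0; acl "allow all Admin group"; allow(all) groupdn = '
    '"ldap:///cn=UserAdmins,ou=Groups,dc=sub,dc=domain,dc=com";)'
)

# Handles only the shape used in the post: one target, one targetattr,
# one allow/deny clause bound to a single groupdn.
ACI_RE = re.compile(
    r'\(\s*target\s*=\s*"ldap:///(?P<target>[^"]*)"\s*\)\s*'
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'groupdn\s*=\s*"ldap:///(?P<group>[^"]*)"\s*;\s*\)\s*$'
)


def norm(dn):
    """Crude DN normalisation, sufficient for the DNs in this thread."""
    return dn.replace(" ", "").lower()


def parse_aci(text):
    m = ACI_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported ACI form: %r" % text)
    aci = m.groupdict()
    aci["rights"] = {r.strip().lower() for r in aci["rights"].split(",")}
    return aci


def audit_aci(aci, suffix=SUFFIX):
    """List the ways an allow ACI exceeds 'add/modify in one container'."""
    findings = []
    if aci["kind"] != "allow":
        return findings
    if "all" in aci["rights"]:
        findings.append("allow(all) already includes delete")
    if norm(aci["target"]) == norm(suffix):
        findings.append("target is the whole suffix, not one container")
    can_write = aci["rights"] & {"all", "write"}
    if can_write and norm(aci["group"]).endswith(norm(aci["target"])):
        findings.append("group members can modify the group that grants them access")
    return findings


def build_aci(name, container, rights, group_cn):
    """Build an ACI scoped to one container with an explicit rights list."""
    return ('(target="ldap:///%s")(targetattr = "*")'
            '(version 3.0; acl "%s"; allow (%s) groupdn = "ldap:///cn=%s,%s";)'
            % (container, name, ",".join(rights), group_cn, GROUPS))


ADD_MODIFY = ["read", "search", "compare", "add", "write"]
USER_ADMINS = build_aci("UserAdmins People", PEOPLE, ADD_MODIFY, "UserAdmins")
SUPER_USER_ADMINS = build_aci("SuperUserAdmins People", PEOPLE,
                              ADD_MODIFY + ["delete"], "SuperUserAdmins")

if __name__ == "__main__":
    for text in (POSTED_ACI, USER_ADMINS, SUPER_USER_ADMINS):
        print(text)
        print("  findings:", audit_aci(parse_aci(text)) or "none")
```

The other containers named in the question (group, auto.home, aliases) would each need the same pair of ACIs with their own DN, which the post does not give.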
-
Weblogic.Admin tool and creating groups/users
Hi All,
This is a newbie question. How do I use the weblogic.Admin tool to create
a user.
I tried to INVOKE the UserEditorMBean.createUser method using the
Admin tool and got "No MBeans found"
Could somebody please give me an example?
Regards,
Tony
"Tony Nathan" <[email protected]> wrote in message
news:[email protected]..
> Hi All,
> This is a newbie question. How do I use the weblogic.Admin tool to create
> a user.
java weblogic.Admin -username weblogic -password weblogic -url http://localhost:7001 INVOKE -mbean Security:Name=myrealmDefaultAuthenticator -method createUser testusername testpassword testpassword
-
Can't create Application Role in Obiee 11g Enterprise Manager
Hi All,
I was working on OBIEE 11g Enterprise Manager. I created some groups in the WebLogic console. Now I wanted to create application roles in Enterprise Manager for those groups. I am surprised that the "Create" button is inactive on the application role page of Enterprise Manager. I could only see the active ones: "Create Like", "Edit" and "Delete".
Please assist: should I need any additional configuration for the same? Urgent!!
Thank you in advance,
BK.
Click on the Create Like button
Then click cancel on the Create Like dialog box
Go back to the Create button, it now works
But if you log out and log back in, the Create button is disabled again,
so you may repeat the above process of accessing the 'Create Like' button first to enable the Create button
< Bug:13983399> CREATE BUTTON IS DISABLED IN FUSION MIDDLEWARE CONTROL IN OBIEE 11.1.1.6.0 ENV
Please mark helpful or correct if answered.
Thanks,
- A.Y
-
Hi,
I have created a Novell LDAP Group. In my realm I have now two authentication
providers: default and novell, both optional. If I authenticate my user which
is stored in the novell ldap the user is correctly authenticated (request.getRemoteUser()
!= null), although the log says user denied (no matter if the user is in the embedded
ldap or the novell, but maybe the other one always complains). (novell user gets
rejected if password is wrong)
For a novell group I create a role with the condition: caller is a member of the
group "novell group". This seems not to work. With request.isUserInRole("novell
group") I get "false" !!
any ideas??
regards
tobias
found my mistake. I created a role in the weblogic console which I also have defined
in the web.xml. Then I also need to assign this role to the principal (my group)
in the weblogic.xml.
If I have a role not defined in the web.xml the request.isUserInRole(<RoleName>)
works fine, but not in the above described case without assignment in the weblogic.xml.
"Tobias Voigt" <[email protected]> wrote:
>
> Actually groups are also configured correctly as it seems for me. On the group
> page, the ldap group is also listed (in the provider column it says NovellAuthenticator).
> Also if i look at the output of weblogic.security.Security.getCurrentSubject()
> the LDAP group is also listed as a Principal.
> weblogic.security.SubjectUtils.isUserInGroup(<Subject>,<LDAPGroup>) says true.
> but request.isUserInRole(<Role for Members in LDAPGroup>) says false.
> (Btw: Weblogic 8.1 sp1)
>
> "tm" <no-reply> wrote:
>> Hi Tobias,
>> It sounds like you can successfully use users
>> in your Novell LDAP server but you cannot
>> successfully use groups from the LDAP server.
>> (ie. when you login, it's finding the user, but it
>> isn't finding the user's groups thus the role isn't working).
>> I'm assuming that you have configured a NovellAuthenticator.
>> You must configure the NovellAuthenticator to tell
>> how groups are stored in your Novell LDAP server
>> (ie. tell it about the group schema). If this is not
>> correctly configured, then groups won't work.
>> See http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008
>> for more information on configuring group schemas for LDAP authentication
>> providers.
>> -tm
>>
>> "Tobias Voigt" <[email protected]> wrote in message
>> news:[email protected]...
>>> Hi,
>>> I have created a Novell LDAP Group. In my realm I have now two authentication
>>> providers: default and novell, both optional. If I authenticate my user which
>>> is stored in the novell ldap the user is correctly authenticated (request.getRemoteUser()
>>> != null), although the log says user denied (no matter if the user is in the embedded
>>> ldap or the novell, but maybe the other one always complains). (novell user gets
>>> rejected if password is wrong)
>>> For a novell group i create a role with the condition: caller is a member of the
>>> group"novell group" this seems not to work. with request.isUserInRole("novell
>>> group") i get "false" !!
>>> any ideas??
>>> regards
>>> tobias
-
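A check for the condition Tobias describes in the thread above, a role declared in web.xml with no assignment in weblogic.xml, as an added example that is not part of the original posts. Both descriptors are constructed; only the group name "novell group" comes from the thread, and treating `externally-defined` or `global-role` as "resolved by the realm" is an assumption taken from the WebLogic descriptor documentation rather than from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: three declared roles, one of them used in a constraint.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>novellRole</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>novellRole</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <security-role><role-name>realmRole</role-name></security-role>
</web-app>"""

# Constructed weblogic.xml: one role mapped to the LDAP group, one left to the realm.
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>novellRole</role-name>
    <principal-name>novell group</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>realmRole</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-web-app>"""


def _local(tag):
    """Drop any XML namespace so DTD-era and schema-era descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]


def declared_roles(web_xml):
    """Role names declared with <security-role> in web.xml."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for sr in _find(root, "security-role")
            for r in _find(sr, "role-name") if r.text}


def role_assignments(weblogic_xml):
    """Map role name -> list of principals; None means the realm resolves it."""
    out = {}
    for sra in _find(ET.fromstring(weblogic_xml), "security-role-assignment"):
        role = _find(sra, "role-name")[0].text.strip()
        delegated = any(_find(sra, t) for t in ("externally-defined", "global-role"))
        principals = [p.text.strip() for p in _find(sra, "principal-name") if p.text]
        out[role] = None if delegated else principals
    return out


def unmapped_roles(web_xml, weblogic_xml):
    """Roles declared in web.xml with no explicit mapping in weblogic.xml."""
    assigned = role_assignments(weblogic_xml)
    return sorted(r for r in declared_roles(web_xml)
                  if r not in assigned or assigned[r] == [])


if __name__ == "__main__":
    print("assignments:", role_assignments(WEBLOGIC_XML))
    print("declared but unmapped:", unmapped_roles(WEB_XML, WEBLOGIC_XML))
```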
How to use security roles in Weblogic server?
Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.
You should read the security information in the Servlet 2.2 specification that WL 5.1 implements:
http://java.sun.com/products/servlet/download.html
Chapter 11 deals with declarative and programmatic security, and includes a section on roles:
11.4 Roles
A role is an abstract logical grouping of users that is defined by the Application Developer or Assembler. When the application is deployed, these roles are mapped by a Deployer to security identities, such as principals or groups, in the runtime environment.
A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of that calling principal. For example,
1. When a deployer has mapped a security role to a user group in the operational environment. The user group to which the calling principal belongs is retrieved from its security attributes. If the principal's user group matches the user group in the operational environment that the security role has been mapped to, the principal is in the security role.
2. When a deployer has mapped a security role to a principal name in a security policy domain, the principal name of the calling principal is retrieved from its security attributes. If the principal is the same as the principal to which the security role was mapped, the calling principal is in the security role.
Cameron Purdy
http://www.tangosol.com
"Hari" <[email protected]> wrote in message
news:[email protected]..
> Hello Gurus,
> I am new to Weblogic server and I am trying to investigate how to make
> use of security roles in weblogic server (5.1.0). Can anyone point me
> to some documentation. Specifically, I am looking for instance level,
> and method level security and how to use it.
> Thanks for taking your time to read this e-mail.
> Thank You all in advance,
> Hari.
-
Creating a role for t.code FBL1N
Hi All,
Creating a role (PFCG), I've to assign the t.code FBL1N only.
In this role and for the t.code FBL1N, I've to exclude a certain Vendor Account Group.
Could anyone help me?
Thanks
Hi,
For the task that you want to perform:
First of all, have a basic idea of how the authorization objects pertaining to a T code are checked. Go to T code SU24, give the input transaction as FBL1N and execute. There you will find the list of all the authorization objects that would be available for FBL1N.
Go through their documentation and understand the behaviour.
Secondly, in case of FBL1N you cannot restrict based on account group at the granular level, you can control on document type authorization group F_BKPF_BLA.
For creating a role, go to T code PFCG, create a role, assign the T code, provide the authorization values, generate the role and assign the role to the user ID that you want to assign it to.
Hope this helps.
Regards,
Dewang T.