CUP Role Mappings Not Working

Similar Messages

• Another FPN Thread: Remote role assignment not working

  Hi all,
  We have successfully implemented FPN for use in our ESS and BW environment and we are experiencing very little problems with it. We now want to start implementing it for our eRecruitment and SRM systems (as producers). For some reason we are not able to use the Remote Role Assignement functionality.
  We have set up trust for the systems and use SSO.
  Connection test for the producer is successfull.
  We can see the Producer content in the pcd on the consumer.
  Server times are the same.
  As far as I know I have correctly set permissions on producer and consumer.
  Possible cause: We are in the process of upgrading our consumer Portal to NW 7.0 SPS15 and have encountered some problems. The system is partially upgraded, so some components are SP15 and some others are still SP13. This is currently under investigation by SAP. Can this be an issue as our producer portals all are still on SP13?
  I hope to hear from you soon. Please ask if you need any screenshots. Thanks in advance.
  Best regards,
  Jan Laros

  Hi Jan,
  if remote role assignment not works, you can also use remote delta links. I only work with remote delta links because i have more options   and a better performance.
  If your connection works you can go to Content Administration ->Portal Content-> NetWeaver-Content-Producer. Hier you can see your remote system. Now you can copy the role and add it to your portal-content.
  If you can not see the content make sure that you have the same user  on both sides also check the premissions on the portal-content of your remote system. To test the connection it is easier to add Everyone group to the content of your remote system.
  regards,
  Sharam

• Row Level Security - Data filter - Roles Variable Not working in OBIEE 11.1.1.7.1

  Hi all,
  Previously, we were using OBIEE 11.1.1.5.0 and we were able to assign users to application roles by using the initialization block to assign the ROLES session variables.
  1. My USER_SECURITY table in Oracle database:
  USER_NAME | USER_ID | ROL
  user1       | 1723    | GobalDataRole
  user2       | 1739    | GobalDataRole
  user3      | 1743    | GobalDataRole
  2. The SQL query in my session initialization block:
  select USER_NAME, USER_ID, ROL
  from USER_SECURITY
  where USERNAME = ':USER'
  3. The row-wise initialization option is not checked.
  4. In the Oracle Enterprise Manager Fusion Middleware Control, we created new application role: GobalDataRole and sync with rpd.
  5. The GobalDataRole is used in the RPD to filter the data under permissions --> data filter. GobalDataRole only has access to Country A data.
  6. Result: under my account, also in rpd Manage --> Sessions, user variable details
  User_name , user_id & Rol variable is working fine as expected,
  When we log in as user1, we can see in My Account, user assigned to: BI Consumers; Authenticated Role; GobalDataRole
  When we log in as user2, we can see in My Account, user assigned to: BI Consumers; Authenticated Role; GobalDataRole
  When we log in as user3, we can see in My Account, user assigned to: BI Consumers; Authenticated Role; GobalDataRole
  User1, User2, and User3 are able to see the data correctly according the their data access setup.
  Now, we using OBIEE 11.1.1.7.1 and using the same method, but we not able to assign users to application roles by using the initialization block to assign the ROLES session variables anymore.
  Result:
  User_name & user_id variable is working fine as expected, but the ROl variaible is not capturing the DB value,
  When we log in as user1, we can see in My Account, user assigned to: BI Consumers; Authenticated Role
  When we log in as user2, we can see in My Account, user assigned to: BI Consumers; Authenticated Role
  When we log in as user3, we can see in My Account, user assigned to: BI Consumers; Authenticated Role
  User1, User2, and User3 can see all data (which is wrong) because they are not assigned to the correct application role that sets the data restriction/filter.
  Has anyone encountered the same issue? Any advice on how to solve this?
  Thanks in advance!
  Satheeshkumar P

  Thanks user10615659     ,
  - Yes the variable ROLES available in OBIEE 11.1.1.7.1
  - Tested the init block and variables in offline rpd its working as expected.
  - In online rpd, except ROLES and GROUP variable remaining variables working fine.
  - Verified log file in both online and offline init block testing - the init block execution is successful.
  Thanks

• Mappings not working for REST

  I am working on my first REST application in ColdFusion and I am noticing that application specific mapping defined in Application.cfc does not seem to work!
  Is it something that is not supposed to work because the application.cfc is only utilized when the REST service is initialized and subsequently its not utilized? Thank you for any insight.
  EDIT:
  When I had first posted this I thought it was just application specific mappings that did not work. Later on I discovered that it was mappings in general. Even if you had set a server level mapping in the administrator it did not matter. The REST service always defaulted to the wwwroot starting path. Seems like a pretty significant issue unless I am missing something very obvious.

  First off I have to apologize for the late response, I have not been able to work on this due to some other projects and just now getting back to it.
  I will try to explain a bit further, I have two applications, one is an application that we have been using for the past several years and the second one is new that we are building to transition to REST services for various reasons.
  Application Structures under WWWROOT on IIS
  MAIN Application Structure
  /MainApplication/
    /cfc
    /services
    /view
  index.cfm
  Application.cfc
  REST Application Structure
  /RESTApplication/
    /services
    /restPath1
    /restPath2
  Application.cfc
  What I was trying to is not recreate any of the services or cfcs by creating a REST Application side by side. So in my REST application, since they are both running under wwwroot I thought I could reference the components in the MainApplication directly as MainApplicatoin.cfc.myComponent . This is where I get the error that the component does not exist. Now if I copy the component directory /cfc/ to my REST Application root I can reference them just fine. I have tried to use server level mapping from the admin, Application mapping from the RESTApplications's Application.cfc and just direct path reference following the path under wwwroot. None of these have worked for me.
  The same thing happens with the services directory as well. Essentially any reference to MainApplication. returns an error.
  So what it appears to me is happening is that in  REST application you do not have an option to reference any components from any other directory on the server other than the its own.    

• Application Role does not work

  In EM, I add a new application role to an ADF web application.
  This application role named simple11_AR_superAdmin and it has a group member named simple11_G_superAdmin.
  This group is created in weblogic console and assign users.
  However, this setting does not work. This application can be login by all users (including weblogic).
  How to enable application roles? Does application role of EM equal to application role created in Jdeveloper?

  DO NOT UPDATE ON THE PHONE ITSELF! Never do this! You risk bricking your iPhone and seeing the Silver Apple Logo of Death due to incomplete downloads and/or crashing! This has happened to me on my old iPhone as well as thousands of others. Use iTunes and iTunes only to update Apps!

• Azure Web role scaling not working when using Reserved IP

  Hi,
  I am using autoscaling feature for long time now on my web role deployment. I've recently create new deployment (with same web role bits) to use a reserved IP. Since that moment, the autoscaling is NOT working anymore. I can see many AutoscaleAction failures
  in the Management Portal Operation logs.
  When I try to update the role instance count using REST call (via Azure Management Studio of Cerebrata), I get the following error:
  Code: BadRequest
  Message: A reserved IP cannot be added, removed or changed during deployment update or upgrade.
  I cannot find anything about scaling and reserved IP on the net but I can't believe I am the only one in this situation ?!?!
  Thanks for your help
  Jean Bédard
  Regards, Jean

  Hi,
  Refer to the
  Publish Windows Azure Application Wizard on MSDN, specifically #7 in Configuration Your Settings.
  When ‘Deployment Update’ is checked, only the changes since your last deployment will be pushed out to update your services. This is not possible when changing the virtual network settings of the service. To enable full deployments, you have two options:
  Uncheck the ‘Deployment update’ checkbox
  Click ‘Settings’ on the ‘Deployment update’ item, and select ‘If deployment can’t be updated, do a full deployment’.

• Business role customizing not working in crm 2007 web client

  Can someone tell me what services need to be activated via sicf for business role customizing to work in the Web Client under the Administration component in CRM 2007.  I have everything else working in this are eg surveys, document template, fact sheet configuration, view configuration but the business role customizing when selected just opens a blank screen
  Thanks in advance
  Eddie

  Hi Eddie,
  The SAP CRM 2007 Master guide suggests enabling all the SICF services in the SAP namespace.
  We had some script errors in CRM UI, but once all the SICF services were activated, they simply disappeared.
  The IDES demo systems are also set up this way, so you can try doing it.
  Regards,
  Padma

• FPN - error trying to lookup object - remote role assignment not working

  Hello everyone,
  We have implemented a Federated Portal Network connection in our landscape between our portals.
  We use only remote role assignment functionality.
  Everything was working fine, but since 2 days we encounter the following error in the Default trace.
  Error trying to lookup object: alias: <role name>
  It is possible to open the producer portal in the Portal Content Administration and also searching for the Producer portal roles is possible in User administration. But when we assign the remote role the tab is not displayed in the portal only the above mentioned error is shown in the default trace. Our portals run SP 12 and BI Java SP14.
  Is there a solution or workaround for this issue ?
  Martin

  Hi,
  I have the same issue as you, I cannot see role tabs in Consumer portal and I get the same error in the defaulttrace as you.
  What did you do to resolve this issue?
  Many thanks
  Gordon

• Security-role and security-role-assignment not working in WL7.0

  Hello all..
  Some EJB components that worked fine in WebLogic 6.1 no longer work in
  WL7.0. It has to do with the security-role and security-role-assignment
  descriptor elements no longer allowing anonymous users to be included in the
  authorization for a bean.
  For example, in WL6.1 placing these items in ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <role-name>Employees</role-name>
  </security-role>
  <method-permission>
  <role-name>Employees</role-name>
  <method>
  <ejb-name>CustomerEJB</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
  <security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
  </security-role-assignment>
  worked fine for clients creating their context using a simple
  InitialContext() constructor without specifying SECURITY_PRINCIPAL or
  SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
  the security-role-assignment element above told WebLogic that "guest" was in
  the Employees role for purposes of this EJB archive.
  Worked in WL6.1, no longer works in WL7.0. Client receives typical
  permission exception:
  java.rmi.AccessException: Security violation: insufficient permission to
  access method 'create'
  If I explicity connect as "system" things are fine, or I can create a new
  user in the default realm in WebLogic, put a matching <principal-name>
  element in the section above, and connect as that user. Note that if I leave
  off the <security-role> section completely, or set the required role name to
  "everyone", the anonymous access works fine. Apparently the anonymous user
  is a member of "everyone" behind the scenes even though "everyone" does not
  appear in the realm list of groups or roles.
  So, my question boils down to this: Is there a "magic" username in WL7 like
  "guest" was in WL6.1 that can be mapped to the required role name, or must
  every client connection use a true weblogic-created user with appropriate
  role assignments used to map it to the required role name.
  -Greg
  P.S. Note that none of the EJB examples provided with WL used
  <security-role>..
  Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
  www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

  Below are the screen shots for PFCG:

• Role assignment not working

  Hi everyone,
  I am trying to assign different roles to different users for GRC - Risk Management 10.0; however it seems like standard roles don't have any affect on type of activity. I have maintained various levels of roles (e.g. risk owner, risk expert, risk manager, etc) using PFCG and assigned almost every role to the users; but it doesn't give them the authorization to create or edit anything, they can only display.
  The only workaround for this was assigning a role with the authorization object GRFN_USER (with 02 Change value enabled) or assigning SAP_GRC_FN_ALL (Power user role which also contains object GRFN_USER). However this would allow users to do "anything" they want which obviously isn't what I seek.
  I have tried changing customization options such as Maintain Custom Agent Determination Rules and Maintain Entity Role Assignment, it hasn't solved anything so far.
  I urgently require your assistance on this issue. Thank you.
  Regards,
  Seckin

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary

• Custom Auth. Object with Profile and role assignment not working

  Hi,
  I have created custom Authorization Object with field ACTVT with allowed values - 01,02, 03. Now test it with custom program using AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ' it is working fine and returning sy-subrc 12. At this point i have not created any role using this Auth Object.
  Now I have created custom role ZPM_**** and assigned above Auth object to it with value ACTVT 03. Assigned this role to user.
  When I try to test the above custom program with any ACTVT value it is giving sy-subrc as 0. Used below custom code in program.
  AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ'
              ID 'ACTVT'  FIELD '01'.
  Am I missing anything? The profiles are generated correctly. 
  Best Regards,
  Nilesh

  Below are the screen shots for PFCG:

• ABAP centered role assignment not working

  I have been trying to implement ABAP centered role assignment for our users but not really having much luck in gettng it to work. I've been trying to make sense of it by using [the help guide|http://help.sap.com/saphelp_nwmobile71/helpdata/en/d2/3e3842b23d690de10000000a155106/frameset.htm] but I must be doing someting wrong. Here are the steps that  take.
  1. Create a single ABAP role - A single role with no menu or authorizatons
  2. Create a UME Group - I name the group exactly the same as the ABAP single role from the previous step
  3. Assign UME Group to Portal Role
  4. Assign mapped user to ABAP role
  Supposedly the ABAP role assingment is supposed to reflect through to the UME group membership so the portal user then sees the associated portal tab.
  Can you enlighten me?
  Thanks in advance

  Hi,
  I 'm facing same kind of problem.
  Case 1:
  I tried with:
                    Assigning users to group (abap role) which didn't worked.
                    Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
                    Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
  How can i do the same from portal?
  Case2:     
  While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
  Why are the portal roles not getting transfered even though the status is green?
  Mr.Chowdary

• Merging roles is not working in QA box

  Hello folks,
  I have Portal SP13, i merged 2 roles and it is working according to my requirement in the development box. but when i transport the same from Development box to QA box it is showing as a seperate role.
  In dev box the role got merged and in QA its not getting merged.
  I checked and compared the properties of worksets and roles in DEV and QA, both are same and we dont have any diffrence.
  Please throw some suggestions to solve this.
  Thanks & Regards
  Kumar

  @micheal,
  You are right, only one user is able to see as per req. and other see as multiple options.
  @Koti,
  I have cleared the cache, logoff and login many times, still i am having the same prob.
  Thanks & Regards
  Kumar

• Grant privileges to subprogram via role: should not work?

  I bought Selftestsoftware for 1z0-147 for 9i and 10g. Selftestsoftware is endorsed by Oracle, should be high quality.
  But its below sample question and answer seem to be wrong: It says that privilege for subprogram can be granted via role. But from Urman 9i book, all roles are disabled inside stored procedures.
  Did Selftestsoftware made a mistake? Or the question did not mention or assume that the subprogram is based on invoker rights not definer right?
  Question:
  All users in the HR_EMP role have UPDATE privileges on the EMPLOYEE table. You create the UPDATE_EMPLOYEE procedure. HR_EMP users should only be able to update the EMPLOYEE table using this procedure.
  Which two statements should you execute? (Choose two.)
  GRANT UPDATE ON employee TO hr_emp;
  GRANT SELECT ON employee to hr_emp;
  REVOKE UPDATE ON employee FROM hr_emp;
  REVOKE UPDATE ON employee FROM public;
  GRANT EXECUTE ON update_employee TO hr_emp;
  Explanation:
  The two statements you should execute are:
  REVOKE UPDATE ON employee FROM hr_emp;
  GRANT EXECUTE ON update_employee TO hr_emp;
  Unless you are the owner of the PL/SQL construct, you must be granted the EXECUTE object privilege to run it or have the EXECUTE ANY PROCEDURE system privilege. By default, a PL/SQL procedure executes under the security domain of its owner. This means that a user can invoke the procedure without privileges on the procedures underlying objects. To allow HR_EMP users to execute the procedure, you must issue the GRANT EXECUTE ON update_employee TO hr_emp; statement. To prevent HR_EMP users from updating the EMPLOYEE table unless they are using the UPDATE_EMPLOYEE procedure, you must issue the REVOKE UPDATE ON employee FROM hr_emp;
  All of the other options are incorrect because they will not meet the specified requirements.
  Edited by: user13270686 on Jun 7, 2010 9:22 PM

  The answer is correct, and the explanation complete.
  Inside stored procedures roles are disabled. This is because privileges are checked at compile time and roles can change between compile time and execute time.
  However, privilege to execute the procedure can be granted to a role. During execution of the procedure the privileges of the procedure's owner apply.
  This is because you want to have encapsulation: when tables and procedures are in the same schema, you won't have any privilege problem, as the owner of a set of tables will always have privilege (you can not revoke them).
  Sybrand Bakker
  Senior Oracle DBA

• Roles tab not working in USER MANAGEMENT OF EP6 SP9

  Hi
  I have successfully installed WAS 6.4 SP9 with EP6 SP9, TREX, KMC.  When I click on USERAdministration -> ROLES, Im getting an error in a Dialog box
    "Internet Explorer cannot open the Internet Site http://<hostname>:<port>/irj/portal". Operation Aborted
  I got the same error even after 3 times fresh installation.  During installation process I didn't encountered any error.
  Can anyone guide me in this.
  thanks
  raj

  as already said this is a problem with Portal SP9. There is a problem with the iview.
  You have two choices. Install a newer patch (patch 13).
  Or go directly to the WebAS Java start page
  http://
  There you can logon to the UME Interface ( a link is provided at the startpage) and assign roles to users or groups.
  The usermanagement is the same for portal and webas java so it should work - at least it did for me.
  Tell me if it works.
  Message was edited by: Dirk Jäckel