Date-based group or role membership

Hello,
For a particular application, using Sun ONE DS 5.2, I'd like to be able to define start and end dates for a user's membership of a group or a role. I realise I can do this by using an external program to examine start and end date attributes for a user and then adjusting an attribute that either makes them a member of a dynamic group or a role.
But is there any way to do it entirely within the Directory Server itself by clever group/role/CoS definitions and comparison of date attributes?
Any thoughts / hints / suggestions would be greatly appreciated.
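
The external-program approach mentioned in the question, as an added example that is not code from this thread: a periodic job compares each entry's start and end dates with the current time and emits LDIF that flips a flag attribute a dynamic group can filter on. The attribute names (membershipStart, membershipEnd, membershipActive), the DNs and the sample entries are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Hypothetical attribute names (the post names none). A dynamic group would
# select members with a filter on the flag, for example a memberURL of
#   ldap:///ou=People,dc=example,dc=com??sub?(membershipActive=TRUE)
START_ATTR = "membershipStart"
END_ATTR = "membershipEnd"
FLAG_ATTR = "membershipActive"


def parse_generalized_time(value):
    """Parse the UTC form of LDAP GeneralizedTime, YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def should_be_active(entry, now):
    """True only while start <= now < end. Anything doubtful fails closed."""
    if START_ATTR not in entry:
        return False                      # no start date: never a member
    try:
        start = parse_generalized_time(entry[START_ATTR])
        end = parse_generalized_time(entry[END_ATTR]) if END_ATTR in entry else None
    except ValueError:
        return False                      # unparseable date: deny, do not guess
    if end is not None and end <= start:
        return False                      # inverted window is a data error
    return start <= now and (end is None or now < end)


def plan_changes(entries, now):
    """Return (dn, desired_flag) only for entries whose stored flag is wrong."""
    changes = []
    for entry in entries:
        current = entry.get(FLAG_ATTR, "FALSE").upper() == "TRUE"
        desired = should_be_active(entry, now)
        if current != desired:
            changes.append((entry["dn"], desired))
    return changes


def to_ldif(changes):
    """Render the plan as LDIF modify records (plain-ASCII DNs assumed)."""
    records = []
    for dn, desired in changes:
        records.append(
            f"dn: {dn}\nchangetype: modify\nreplace: {FLAG_ATTR}\n"
            f"{FLAG_ATTR}: {'TRUE' if desired else 'FALSE'}\n-\n"
        )
    return "\n".join(records)


# Constructed sample entries, shaped like the result of a search under ou=People.
BASE = "ou=People,dc=example,dc=com"
SAMPLE_ENTRIES = [
    # Inside its window but flag not yet set: must be switched on.
    {"dn": f"uid=alice,{BASE}", START_ATTR: "20240101000000Z",
     END_ATTR: "20241231235959Z", FLAG_ATTR: "FALSE"},
    # Window ended, flag still on: must be switched off.
    {"dn": f"uid=bob,{BASE}", START_ATTR: "20230101000000Z",
     END_ATTR: "20240101000000Z", FLAG_ATTR: "TRUE"},
    # Open-ended membership, already correct: no change.
    {"dn": f"uid=carol,{BASE}", START_ATTR: "20240101000000Z", FLAG_ATTR: "TRUE"},
    # Malformed start date with the flag on: fail closed.
    {"dn": f"uid=dave,{BASE}", START_ATTR: "2024-01-01", FLAG_ATTR: "TRUE"},
    # Starts in the future, no flag stored yet: nothing to do.
    {"dn": f"uid=erin,{BASE}", START_ATTR: "20240701000000Z"},
]
SAMPLE_NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(to_ldif(plan_changes(SAMPLE_ENTRIES, SAMPLE_NOW)))
```

Because access lapses only when the job runs, the run interval bounds how long an expired membership can stay effective.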


Similar Messages

  • Custom plugin based on user role membership

    Hi all,
    I would like to develop a custom plugin that generates account userid (on process form) with different syntax against role membership.
    With "syntax" I mean name.surname.random_number for employee users and surname.company.random_number for example.
    I'll try to explain the scenario in more detail:
    1. I create a user identity through a request
    2. After the user identity has been created successfully, I assign a role to the user. Since roles are associated with access policies, role assignment triggers provisioning on target system.
    3. The custom plugin that I would like to develop should be able to generate proper userid against role membership. For example if I assigned the role "Project Manager" the custom plugin should generate the account userid with name.surname.random_number format; vice versa if I assigned the role "External Reseller" the custom plugin should generate the account userid with surname.company.random_number format.
    Looking for custom plugin based on role membership in forum, I found a couple of threads about this subject:
    - Email notifications after role grant
    - Re: OIM 11g Role Membership Event Handlers.
    I tried to implement what is explained in the threads, but I would like to be sure about what I've done.
    Here is what I've done:
    1. created plugin.xml file
    2. created EventHandler.xml metadata file
    3. developed a Java class for testing purposes
    4. copied the custom plugin class to OIM server for example in $MIDDLEWARE_HOME/OIMPlugins/lib
    NOTE: during this operation I have exactly maintained the same directory structure of custom java package.
    For example custom plugin class is under my.custom.plugin java package and I have copied custom java class under $MIDDLEWARE_HOME/OIMPlugins/lib/my/custom/plugin folder
    5. created a zip file containing custom plugin class (always with its directory structure) and plugin.xml file
    6. copied the zip file to $OIM_HOME/server/plugins
    7. edited ant.properties file (under $OIM_HOME/server/plugin_utility) setting wls.home and oim.home variables
    8. built the wlfullclient.jar (only the first time)
    9. registered the custom plugin
    10. created the custom plugin dataset file
    11. imported it in OIM database using "weblogicImportMetadata" utility
    12. purged cache using "PurgeCache" utility
    NOTE: all the steps above were executed using the system user running OIM process
    test java class
    package com.zeropiu.sky.custom.eventhandlers;

    import java.io.Serializable;
    import java.util.HashMap;
    import java.util.Set;

    import com.thortech.util.logging.Logger;
    import oracle.iam.platform.context.ContextManager;
    import oracle.iam.platform.kernel.spi.ConditionalEventHandler;
    import oracle.iam.platform.kernel.spi.PostProcessHandler;
    import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
    import oracle.iam.platform.kernel.vo.BulkEventResult;
    import oracle.iam.platform.kernel.vo.BulkOrchestration;
    import oracle.iam.platform.kernel.vo.EventResult;
    import oracle.iam.platform.kernel.vo.Orchestration;

    // Test handler: it only traces which callbacks the kernel invokes.
    public class TestUserAnonimi implements PostProcessHandler, ConditionalEventHandler {
        private static final Logger logger = Logger.getLogger("com.zeropiu.sky.custom.eventhandlers");
        private static final String className = "TestUserAnonimi";

        @Override
        public void initialize(HashMap<String, String> arg0) {
            // TODO Auto-generated method stub
            String methodName = "initialize";
            System.out.println("###### " + className + " - " + methodName);
        }

        @Override
        public boolean isApplicable(AbstractGenericOrchestration abstractGenericOrchestration) {
            // TODO Auto-generated method stub
            String methodName = "isApplicable";
            System.out.println("###### " + className + " - " + methodName + " - STARTED");
            System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextType(): " + ContextManager.getContextType());
            System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextSubType(): " + ContextManager.getContextSubType());
            System.out.println("###### " + className + " - " + methodName + " - abstractGenericOrchestration.getOperation(): " + abstractGenericOrchestration.getOperation());
            System.out.println("###### " + className + " - " + methodName + " - Printing ContextManager parameters");
            // Dump every key in the current context together with the type of its value.
            HashMap allContextManagerPairs = ContextManager.getAllValuesFromCurrentContext();
            Set<String> allContextManagerParams = allContextManagerPairs.keySet();
            String[] parameters = allContextManagerParams.toArray(new String[allContextManagerParams.size()]);
            for (int i = 0; i < parameters.length; i++) {
                // Utils is the poster's own helper class (not shown in the post).
                System.out.println("###### " + className + " - " + methodName + " - Context parameter " + i + ": " + parameters[i] + " - Object type is: " + Utils.getObjectType(ContextManager.getValue(parameters[i])));
            }
            System.out.println("###### " + className + " - " + methodName + " - ENDED");
            return true;
        }

        @Override
        public boolean cancel(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "cancel";
            System.out.println("###### " + className + " - " + methodName);
            return false;
        }

        @Override
        public void compensate(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "compensate";
            System.out.println("###### " + className + " - " + methodName);
        }

        @Override
        public EventResult execute(long arg0, long arg1, Orchestration orchestration) {
            // TODO Auto-generated method stub
            String methodName = "Eventresult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
        }

        @Override
        public BulkEventResult execute(long arg0, long arg1, BulkOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "BulkEventResult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
        }
    }
    plugin.xml file
    <?xml version="1.0" encoding="UTF-8"?>
    <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
    <plugin pluginclass="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" version="1.0" name="TestUserAnonimi">
    </plugin>
    </plugins>
    </oimplugins>
    EventHandler.xml metadata file
    <?xml version='1.0' encoding='UTF-8'?>
    <eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
    <action-handler class="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" entity-type="RoleUser" operation="CREATE" name="TestUserAnonimi" stage="preprocess" order="1007" sync="FALSE" />
    </eventhandlers>
    When I assign a role to a user through OIM web interface, I can see in OIM log file all System.out.println contained in initialize(), isApplicable() and BulkEventResult execute() methods. Is it correct? Can I implement my custom plugin logic now, or is my starting point wrong?
    ###### TestUserAnonimi - initialize
    ###### TestUserAnonimi - isApplicable - STARTED
    ###### TestUserAnonimi - isApplicable - ContextManager.getContextType(): ADMIN
    ###### TestUserAnonimi - isApplicable - ContextManager.getContextSubType():
    ###### TestUserAnonimi - isApplicable - abstractGenericOrchestration.getOperation(): CREATE
    ###### TestUserAnonimi - isApplicable - Printing ContextManager parameters
    ###### TestUserAnonimi - isApplicable - Context parameter 0: origuser - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 1: oimuser - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 2: RESOLVED_LOCALE - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 3: counter - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 4: TIME_ZONE - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 5: ipaddress - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - ENDED
    ##### TestUserAnonimi - BulkEventResult execute
    Thanks,
    Daniele
    Edited by: 886636 on Jan 24, 2012 2:53 AM

    Probably I don't explain myself clearly....sorry for that!
    Anyway you are right, the role of the user can change after the user is initially provisioned.
    I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
    1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
    2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
    Is it possible with pre-populate adapter?
    Sorry again for my not very clear explanations.
    Daniele
    Edited by: 886636 on Jan 24, 2012 4:10 AM

  • Active Directory Group membership based on OIM Role

    In OIM 11g, is it possible to determine additional AD group membership based on role membership?
    If it is, could someone point me to documentation or give me a brief description of what to do in order to make this work?
    Thanks!


  • Rule based Role membership in OIA is not pushing to OIM

    Hi All,
    Rule based Role membership in OIA is not pushing to OIM due to error as
    00:01:38,055 DEBUG [DBIAMSolution] Group Role container for JDE.JDE_BHRUSRTT found...
    00:01:38,144 ERROR [DBIAMSolution] Error Occured while adding users to role
    Thor.API.Exceptions.tcAPIException: Error occurred while find User information: USER_NOT_FOUND
    at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
    at Thor.API.Operations.tcGroupOperationsIntf_13pobh_tcGroupOperationsIntfRemoteImpl_1035_WLStub.getAllMemberUsersx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
    at $Proxy396.getAllMemberUsersx(Unknown Source)
    at Thor.API.Operations.tcGroupOperationsIntfDelegate.getAllMemberUsers(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Meth
    Any help will be appreciated...
    Thanks
    Bikas
    Edited by: Bikas Mandal on Mar 27, 2013 6:15 AM

    Try these steps and let me know what you see:
    Login to OIA > Administration > Configuration > Workflows
    Select Role membership create workflow
    And check if you have added OIM provisioning server in the Step5 of the workflow.
    Cheers,
    Vamsi.

  • AD Group Membership revoked on adding new group through role and access policy

    Hi all,
    When a user is created in OIM, it is provisioned with a default role, say CONTRACTS, which will provision an AD account and a default AD group membership.
    When I assign a new role membership, say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But the user still has both the roles CONTRACTS and BILLING.
    The OOTB AD task, remove user from group, is triggered.
    The problem is happening only in the testing environment.
    In the development environment it is working fine.
    It is not removing the default group memberships.
    Any ideas or thoughts on what I need to check?
    My OIM server is 11.1.1.3.0, with WebLogic setup.
    Edited by: Venu on Dec 2, 2011 1:06 PM

    Do one thing:
    Take New User
    Assign First BILLING
    Assign Second Group
    And then ASSIGN CONTRACT
    Update the results.
    It is happening in one env so you might have done some configuration or it could be env issue as well.

  • Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2

    Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2. The General rules in Design Console are no longer used for auto group membership and the rules that can be configured in the Role properties cannot be nested as far as I can see.
    Any info is appreciated.
    Thanks!

    My mistake... this is possible in the web ui.

  • Export Users data with group membership

    Hey Guys,
    I'm using csvde to export users data for management reports.
    I'm asked to add to the exported data the group membership of the users and I'm having problem doing that.
    My current script is:
    csvde.exe -s 192.168.xx.xx -d "ou=CS,dc=Domain,dc=com" -r objectClass=user -l "Company,DisplayName,sAMAccountName,title,lastlogon,pwdLastSet" -f c:\usersonly-Users.csv
    Can anyone help me adding column with groups the user is member of?
    Thanks
    Nir 

    Add the memberOf attribute to the list of attribute values to retrieve.
    Richard Mueller - MVP Directory Services

  • Query to group dates based on days of week

    Hi,
    I have a table containing the following format:
    Create table testtable(dates date, day_identifier number);
    The day_identifier column data contains the corresponding dates columns' day of week equivalent i.e.
    to_char(dates, 'd')
    The table contains following sample data:
    Dates        Day_identifier
    01-Oct-2013  3
    02-Oct-2013  4
    04-Oct-2013  6
    06-Oct-2013  1
    08-Oct-2013  3
    09-Oct-2013  4
    11-Oct-2013  6
    18-Oct-2013  6
    21-Oct-2013  2
    23-Oct-2013  4
    I am looking for a query that will group the above data based on the day_identifier column data into the following format:
    01-Oct-2013 11-Oct-2013 1346
    18-Oct-2013 23-Oct-2013 246
    The above data if expanded i.e.
    all dates between 01-Oct-2013 and 11-Oct-2013 and having day of week value in 1,3,4,6
    and
    all dates between 18-Oct-2013 and 23-Oct-2013 and having day of week value in 2,4,6
    will give me the above table's resultset.
    Please help me in resolving the issue.
    Thanks.

    with
    groups as
    (select 'one' grp,
            to_date('01-Oct-2013','dd-Mon-yyyy') low_date,
            to_date('06-Oct-2013','dd-Mon-yyyy') high_date,
            '3,5,7' day_identifiers from dual union all
     select 'two',to_date('10-Oct-2013','dd-Mon-yyyy'),to_date('16-Oct-2013','dd-Mon-yyyy'),'1,2' from dual union all
     select 'six',to_date('20-Oct-2013','dd-Mon-yyyy'),to_date('26-Oct-2013','dd-Mon-yyyy'),'4,5,6' from dual
    ),
    dates as
    (select trunc(sysdate,'mm') + level - 1 the_date,to_char(trunc(sysdate,'mm') - level - 1,'d') day_identifier
       from dual
     connect by level <= to_number(to_char(last_day(sysdate),'dd'))
    )
    -- one row per day of the current month, joined to any group whose range and day list match
    select d.the_date,d.day_identifier,g.grp,g.low_date,g.high_date,g.day_identifiers
      from dates d,
           groups g
     where d.the_date between g.low_date(+) and g.high_date(+)
       and instr(','||g.day_identifiers(+)||',',','||d.day_identifier||',') > 0
    THE_DATE    DAY_IDENTIFIER  GRP  LOW_DATE    HIGH_DATE   DAY_IDENTIFIERS
    10/01/2013  1
    10/02/2013  7               one  10/01/2013  10/06/2013  3,5,7
    10/03/2013  6
    10/04/2013  5               one  10/01/2013  10/06/2013  3,5,7
    10/05/2013  4
    10/06/2013  3               one  10/01/2013  10/06/2013  3,5,7
    10/07/2013  2
    10/08/2013  1
    10/09/2013  7
    10/10/2013  6
    10/11/2013  5
    10/12/2013  4
    10/13/2013  3
    10/14/2013  2               two  10/10/2013  10/16/2013  1,2
    10/15/2013  1               two  10/10/2013  10/16/2013  1,2
    10/16/2013  7
    10/17/2013  6
    10/18/2013  5
    10/19/2013  4
    10/20/2013  3
    10/21/2013  2
    10/22/2013  1
    10/23/2013  7
    10/24/2013  6               six  10/20/2013  10/26/2013  4,5,6
    10/25/2013  5               six  10/20/2013  10/26/2013  4,5,6
    10/26/2013  4               six  10/20/2013  10/26/2013  4,5,6
    10/27/2013  3
    10/28/2013  2
    10/29/2013  1
    10/30/2013  7
    10/31/2013  6
    Regards
    Etbin

  • Restrict data based on role ?

    There are several levels in on organization structure - how would i implement security such that folks in the org. tree can seen only data at/below their levels.
    ex;
    CEO->VP->DIR->MGR->DEPT
    The fact table carries dept only. So CEO should be able to see rollups at VP,DIR,MGR,DEPT levels. DIR should be able to see across all departments he manages.
    What facilities does discoverer provide to handle this kind of a requirement.
    The reports i have all need to present the same kind of information but the content should be based on the role.

    http://download-west.oracle.com/docs/html/B13918_03/security2.htm#sthref1002
    14.8.1 Introducing Virtual Private Databases, Single Sign-On, and Discoverer
    The Oracle9i Release 1 (and later) Enterprise Edition database's powerful Virtual Private Database (VPD) feature enables you to define and implement custom security policies. Among other things, the VPD feature enables you to enforce fine-grained access control based upon attributes of a user's session information (referred to as application context). This VPD functionality is commonly employed as a way of controlling access to data using the currently logged-on user's Single Sign-On (SSO) identity. For more information about setting up a VPD, see Oracle9i Application Developer's Guide - Fundamentals.
    If Discoverer has been configured to require SSO authentication, Discoverer can pass a Discoverer end-user's SSO user name to the database (as the CLIENT_IDENTIFIER attribute of the built-in application context USERENV). Providing a VPD policy based on SSO user names has been implemented in the database, the data returned to a Discoverer worksheet will be restricted to the data that the SSO user is authorized to access.
    You can optionally add user-defined PL/SQL statements to both database LOGON (and subsequent) triggers and to a Discoverer trigger (eul_trigger$post_login) to use the SSO user name to further control the data that is returned. You can use the database and Discoverer triggers separately or in conjunction with each other.
    14.8.2 Example showing how SSO user names can limit Discoverer data
    The Discoverer manager at Acme Corp. does the following:
    1. Configures the Discoverer middle tier machines so that SSO authentication is necessary to access the Discoverer URLs.
    2. Creates a Discoverer public connection called 'Analysis', that has access to a workbook called 'Sales'.
    3. Creates a VPD policy against the base tables of the workbooks. The VPD policy determines the data that is returned, based on the value of a variable called 'CONTEXT1'.
    4. Creates a database LOGON trigger that sets variable CONTEXT1 to the value of the SSO user name (extracted from the application context information passed to the database by Discoverer).
    The Sales workbook is used by two Discoverer users at ACME Corp., Fred Bloggs and Jane Smith. A typical workflow for these two users is shown below:
    1. User 'Fred.Bloggs' authenticates via SSO and accesses the top level Discoverer URL.
    2. Fred selects the public connection 'Analysis', and opens the workbook 'Sales'.
    3. Fred views the data in the default worksheet, and then logs out.
    4. User 'Jane.Smith' authenticates via SSO and accesses the top level Discoverer URL.
    5. Jane selects the public connection 'Analysis', and then opens workbook 'Sales'.
    6. Jane views the data in the default worksheet.
    Jane sees different data to Fred, despite the identical database connection, workbook, worksheet and database query. The difference is determined by the VPD policy being based on SSO user identities.
    FYI

  • Overriding the default "date-based" restrictions in time reporting

    Hi all.
    When using CATS/ESS for reporting time on tasks / roles there are some built in date based rules which limits when time reporting is possible.
    The cProjects 4.5 (SP05) help describes this as follows for a task-based set-up
    The system creates a worklist in CATS to enable you to record your time for a role or task. The system selects all objects (tasks, project roles, or project definitions) to which you are assigned in the confirmation time frame:
    If you set up confirmation via tasks, the worklist displays all tasks for confirmation to which your user is assigned by means of a role for the confirmation time frame and which have been released. For the confirmation time frame, the system first checks the time frame you specified on the Staffing tab page. Then it checks the time frame you specified in the Tasks Assigned to Selected Project Role group box on the Tasks tab page. If you only made entries on one of the tab pages, these apply.
    Put differently there is as I understand it a two-step check against the date that the user is trying to report on
    a) check against dates in staffing tab of role
    b) check against dates in the "tasks assigned to selected project role" tab of the role
    The requirement we are looking at now is to make this check a bit more loose.  An example could be to say that time reporting is OK as long as the dates lie within the projects scheduled dates.
    Any comments / experiences around this?  Possible?  I assume one would need to try to influence how the worklist is built up.
    Best regards / Anders

    Hi Anders,
    Building up the CATS worklist is done on two sides, the ERP system and the cProject system. Regarding your requirement, I think the logic is done on the cProject side, where the logic is hard coded and there is no BAdI to enhance it.
    Please see my report in the Wiki to have more details:
    https://www.sdn.sap.com/irj/sdn/wiki?path=/pages/viewpage.action&pageid=61926
    Kind regards,
    Zhenbo

  • User= Group= SubGroup= Role: Now working when this link is used

    Hai,
    We are using EP 5.0 with LDAP 7.6. When a user id is created it is attached to a group and the group is attached to a role. I introduced a nested group in this link, so that the userid is attached to a group, the group is attached to a sub group and the subgroup is attached to a role. When I did this and logged in to the portal system, the roles were not seen in the portal.
    Below are the things which i did,
    When a user id(Ex : MYTEST1) is created it is attached to a group(Ex : ESS_GE) by the below code.
    String group = "ESS_GE";
    String groupdn = "cn=" + group.toUpperCase() + "," + groupsRoot;
    String userdn = "cn=" + userid.toUpperCase() + "," + peopleRoot;
    // modifications for group and user
    LDAPModification[] modGroup = new LDAPModification[2];
    LDAPModification[] modUser = new LDAPModification[2];
    // Add modifications to modUser
    LDAPAttribute membership = new LDAPAttribute("groupMembership", groupdn);
    modUser[0] = new LDAPModification(LDAPModification.ADD, membership);
    LDAPAttribute security = new LDAPAttribute("securityEquals", groupdn);
    modUser[1] = new LDAPModification(LDAPModification.ADD, security);
    // Add modifications to modGroup
    LDAPAttribute member = new LDAPAttribute("uniqueMember", userdn);
    modGroup[0] = new LDAPModification(LDAPModification.ADD, member);
    LDAPAttribute equivalent = new LDAPAttribute("equivalentToMe", userdn);
    modGroup[1] = new LDAPModification(LDAPModification.ADD, equivalent);
    // Modify the user's attributes
    lc.modify(userdn, modUser);
    // Modify the user's group attributes
    lc.modify(groupdn, modGroup);
    Group is attached to a role (EP_GE_USER_ROLE). So the link is User=>Group=>Role, which is MYTEST1=>ESS_GE=>EP_GE_USER_ROLE. This link is working perfectly.
    I introduced a nested group and changed the link as User=>Group=>Sub_Group=>Role  which is MYTEST1=>ESS_GE=>ESS_GE_ONLINE=>EP_GE_USER_ROLE.
    After this when I login with the user id MYTEST1 the Roles which are attached to ESS_GE_ONLINE is not shown. Any idea why the roles which are attached to group ESS_GE_ONLINE is not transferred to ESS_GE group. Should I have to add any other LDAP attributes apart from the one which are coded below.
    String group1 = "ESS_GE";
    String group2 = "ESS_GE_ONLINE";
    String groupdn1 = "cn=" + group1.toUpperCase() + "," + groupsRoot;
    String groupdn2 = "cn=" + group2.toUpperCase() + "," + groupsRoot;
    // modifications for the two groups (declarations were missing from the snippet)
    LDAPModification[] modGroup1 = new LDAPModification[2];
    LDAPModification[] modGroup2 = new LDAPModification[2];
    // Add ESS_GE_ONLINE group to ESS_GE group
    LDAPAttribute membership1 = new LDAPAttribute("uniqueMember", groupdn2);
    modGroup1[0] = new LDAPModification(LDAPModification.ADD, membership1);
    LDAPAttribute security1 = new LDAPAttribute("equivalentToMe", groupdn2);
    modGroup1[1] = new LDAPModification(LDAPModification.ADD, security1);
    // Add ESS_GE group to ESS_GE_ONLINE group
    LDAPAttribute membership2 = new LDAPAttribute("uniqueMember", groupdn1);
    modGroup2[0] = new LDAPModification(LDAPModification.ADD, membership2);
    LDAPAttribute security2 = new LDAPAttribute("equivalentToMe", groupdn1);
    modGroup2[1] = new LDAPModification(LDAPModification.ADD, security2);
    lc.modify(groupdn1, modGroup1);
    lc.modify(groupdn2, modGroup2);
    Thanks & Regards,
    H.K.Hayath Basha.
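
    A model of the chain MYTEST1=>ESS_GE=>ESS_GE_ONLINE=>EP_GE_USER_ROLE from the post above, as an added example that is not code from the thread and not the portal's own resolution logic: it contrasts a lookup that reads only direct uniqueMember entries with one that follows nesting, and flags the membership cycle the second snippet creates by adding each group to the other. Group, user and role names come from the post; the dictionaries and function names are constructed for illustration.

```python
# uniqueMember values per group as the post's second snippet leaves them:
# ESS_GE lists the user and ESS_GE_ONLINE; ESS_GE_ONLINE lists ESS_GE.
UNIQUE_MEMBER = {
    "ESS_GE": ["MYTEST1", "ESS_GE_ONLINE"],
    "ESS_GE_ONLINE": ["ESS_GE"],
}
# One-way nesting that expresses the same chain without a loop (constructed).
UNIQUE_MEMBER_ONE_WAY = {
    "ESS_GE": ["MYTEST1"],
    "ESS_GE_ONLINE": ["ESS_GE"],
}
# The role hangs off the sub group only.
ROLES_OF_GROUP = {"ESS_GE_ONLINE": ["EP_GE_USER_ROLE"]}


def invert(unique_member):
    """Map each principal (user or group) to the groups that list it as a member."""
    parents = {}
    for group, members in unique_member.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def direct_roles(user, unique_member, roles_of_group):
    """Roles of groups that list the user directly; nesting is not followed."""
    roles = set()
    for group in invert(unique_member).get(user, ()):
        roles.update(roles_of_group.get(group, ()))
    return roles


def effective_roles(user, unique_member, roles_of_group):
    """Roles reachable through any depth of nesting, safe against cycles."""
    parents = invert(unique_member)
    seen, roles = set(), set()
    stack = list(parents.get(user, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue                      # already expanded: this stops a loop
        seen.add(group)
        roles.update(roles_of_group.get(group, ()))
        stack.extend(parents.get(group, ()))
    return roles


def membership_cycles(unique_member):
    """Return the groups that are, directly or transitively, members of themselves."""
    parents = invert(unique_member)
    cyclic = set()
    for start in unique_member:
        seen, stack = set(), list(parents.get(start, ()))
        while stack:
            group = stack.pop()
            if group == start:
                cyclic.add(start)
                break
            if group not in seen:
                seen.add(group)
                stack.extend(parents.get(group, ()))
    return sorted(cyclic)


if __name__ == "__main__":
    print("direct   :", direct_roles("MYTEST1", UNIQUE_MEMBER, ROLES_OF_GROUP))
    print("nested   :", effective_roles("MYTEST1", UNIQUE_MEMBER, ROLES_OF_GROUP))
    print("cycles   :", membership_cycles(UNIQUE_MEMBER))
    print("one-way  :", membership_cycles(UNIQUE_MEMBER_ONE_WAY))
```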

    change that to the following and retest:
    Joshua Fowler wrote:
    I think you're correct. Under the Publish settings of the document, that's what "Class" points to.
    Here's the first main section of the code:
    package com.anselmbradford
      import flash.display.MovieClip;
      import flash.events.TimerEvent;
      import flash.utils.Timer;
      public class Main extends MovieClip
      * Create a new CountDown object, listen for updates and pass it the date to countdown to.
      public function Main()
      var cd:CountDown = new CountDown();
      cd.addEventListener( CountDownEvent.UPDATE , _updateDisplay );
      cd.init( new Date(2015,3,9,20,00) );
      * Update the display.
      private function _updateDisplay( evt:CountDownEvent ) : void
    Does this look correct?
    Thanks again!

  • Defining security on a dimension based on a role

    Hi,
    I'm using SSAS 2008 R2 with reports on it with Panorama NovaView 6.2. I need to hide a few dimensions and measure groups from a certain group of users. When I'm defining the new role for them I see the only options for dimension set is either "read" or "read/write". I've tried entering the dimension data tab for the role, choosing an attribute from the dimension I want to hide, and enabling the user to see just the "all" member for that attribute. But when I browse the cube through SSMS, I see both the attribute and the measure next to it as showing blank and not the total with the "all" member.
    I saw older posts proposing to use perspectives, but they're not really security. I already have views based on the entire cube in Panorama and would like to re-use them. Any suggestions?...
    With thanks in advance,
    Ella

    Hi Ella,
    According to your description, you want to define security on a dimension, so that different users can see different dimension attributes or hierarchies, right?
    As you said, there is no "read" and "read/write" option on the dimension tab, we cannot set "deny" option for the dimension when creating a role. Based on my research, it seems that there is no direct way to achieve this requirement. What we can do is "Deselect all members" for each attribute of the dimension in Dimension Data tab, which will hide all members of the dimension for the role. Even though the dimension metadata is visible in the cube in clients, its members can't be seen. Here are some useful links for your reference.
    http://saysmymind.wordpress.com/2013/01/15/hide-a-specific-attribute-hierarchy-in-role-playing-dimension-ssas-multidimensional/
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/e2596eec-7c2d-48c0-8e81-538a8c632360/hide-dimension-based-on-roles
    If you have any concern about this behavior, you can submit a feedback at http://connect.microsoft.com/SQLServer/Feedback and hope it is resolved in the next release of service pack or product. Your feedback enables Microsoft to make software and services the best that they can be, Microsoft might consider to add this feature in the following release after official confirmation.
    Thank you for your understanding.
    Regards,
    Charlie Liao
    TechNet Community Support

  • Federation, remote role assignment based on ABAP roles on producer

    Hi all,
    We have implemented the federated portal solution for our ESS users. We use the ABAP stack of the producer portal as user store for consumer and have no problems in assigning portal roles on our consumer based on ABAP roles in the backend (displayed as groups in the portal).
    Now we want to add some extra functionality (eg SRM and eRec) and we encounter some problems. These systems all have their own ABAP stack as user store. We have maintained the functional authorization model in the ABAP roles for instance in SRM. So an example:
    System I: ABAP + JAVA --> ECC 6.0
    Here we have the standard R/3 functionality and the producer portal (A) installed. Roles created on producer portal and assigned based on ABAP roles.
    System II: JAVA --> NW 7.0 Portal
    Our consumer portal (B) where we use roles created on the producer portal (A) on System I.
    System III: ABAP + JAVA --> SRM
    Our SRM system with SRM producer portal (C). In the ABAP stack of this system the functional SRM roles have been assigned to the users. We have created functional SRM Portal roles in order to use remote role assignment on consumer portal (B).
    PROBLEM
    We want to remotely assign portal roles created on the SRM Producer (C) to users on the consumer portal (B), based on the ABAP role assignment in the backend of system III. How can we achieve this in a fast and efficient way?
    Looking forward to your ideas. Anything helpful will be gladly awarded with SDN points.
    Best regards,
    Jan Laros

    Jan,
    Interesting question. Let me share my experience and hope that's of some use to you.
    We started off federating corporate NetWeaver Portal (let's say B, parallel to your convention) as consumers to BI Portals (let's say A).
    - B's UME points to Active Directory
    - A's UME points to BI ABAP user store
    - User ids are identical in both systems
    We ran into the problem of dual administration ((de)assigning portal role on both portals instead of just one) for a long time. The issue was because of different reasons at different times as we patched B's and A's. At one point we were on SP15 on both portals and we were told by SAP that RRA can be done on B for remote roles and the assignment propagates to A automatically if the following configuration is set up on both A and B.
    - A's permissions are relaxed allowing "Everyone" group checked for "End User" access as per (http://help.sap.com/saphelp_nw04s/helpdata/en/43/2236fc0b413fe1e10000000a11466f/content.htm)
    However, we chose not to do the permission relaxation, as enabling the "Everyone" group with "End User" access can allow anyone to launch an iView (if the URL is known somehow) and the user would be able to see the layout of the iView, which can include text, etc. The user won't be able to access any data, though; however, there is a certain compromise on security, which we decided is not okay. So, we digressed from SAP's suggested practice because of security reasons.
    Today we manage security on B using Active Directory groups and on A using Java groups (ABAP roles).
    In your case, I suggest investigating the option of relaxing the security on the producer portal as in the above link. If you think it's okay, all you have to do is provision users on B by assigning remote roles from C and A.
    Either my story is applicable or I must have got you totally wrong,
    Kiran

  • Blazeds + Spring security: fetch data based on current user

    Hi,
    I'm currently learning flex by trying to build an application with
    flex, blazeds and Spring. My application lets users log on using
    spring security (which I will probably combine with
    AcegiLogonCommand). I would like my assemblers to return different
    data based on which user is currently logged on (for instance to show
    that specific user's to-do list). To do this, I added a userId
    property to my spring security principals (by subclassing
    org.springframework.security.userdetails.User)
    and added user_id columns to user-specific data in the database. Now
    I would like to know how I can get the currently logged on user in my
    assembler so I can use its userId to fetch the user's data.
    Is the assembler the right place to decide which data to send to my
    flex application? If so, can anyone tell me how to determine which
    user is currently logged on in my assembler? If not, what would be the
    recommended way of dealing with user-specific data in my database in
    combination with blazeds?
    The only examples I have been able to find on the Internet so far only
    use different roles to determine what a user is or is not allowed to
    do, I have yet to find any examples where users store and retrieve
    user-specific data.
    Kind regards,
    Jeroen

    Hi,
    There is a field “Target Audience” in a list whenever “Target Audience” is enabled in “List Settings”; it accepts the name of a SharePoint group.
    For your requirement, you will need to get the name of the group which the current user belongs to. Then perform a query in a specific list to get all the items that contain the specific value in the “Target Audience” field.
    Here is a code snippet about how to set Target Audience for an item; there are code lines about how to get the value of a “Target Audience” field:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/a3ac41d8-42e9-4ec7-999f-036c4b06d3e2/programatically-set-target-audience-in-list-item
    A method about checking whether the current user is a member of the specified group:
    http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.iscurrentusermemberofgroup.aspx
    Best regards,
    Patrick
    Patrick Liang
    TechNet Community Support

  • How to filter the REST API data based on Taxonomy columns

    Hi Everyone,
    We are using SharePoint 2010 Standard Edition.
    I wanted to get the library details through the REST API. I am using it as below:
    https://SiteUrl/_vti_bin/listdata.svc/Documents?$filter=Title eq 'SharePointDoc'
    Here I am able to get the info regarding "SharePointDoc". But when I am trying to get the details from a Taxonomy filter, it didn't.
    Can anyone please tell me how we can filter based on Taxonomy fields?
    Thanks in Advance
    Krishnasandeep

    Hi,
    I understand that you wanted to filter the REST API data based on Taxonomy columns.
    Per my knowledge, in SharePoint 2010, not all types of column are available via REST; most annoyingly, managed metadata columns are amongst this group of unsupported column types.
    However, in SharePoint 2013, we can filter list items based on taxonomy (managed metadata) columns.
    Taxonomy fields can now be called via the REST API using a CAML query in REST calls.
    Here is a great blog for your reference:
    http://www.cleverworkarounds.com/2013/09/23/how-to-filter-on-a-managed-metadata-column-via-rest-in-sharepoint-2013/comment-page-1/
    You’d better change the REST calls and the CAML query to check whether it works in SharePoint 2010.
    More information:
    http://platinumdogs.me/2013/03/14/sharepoint-adventures-with-the-rest-api-part-1/
    Best Regards,
    Linda Li
    TechNet Community Support
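The approach the reply above names for SharePoint 2013 (a CAML query sent inside a REST call), as an added example that is not part of the original thread. It builds the request without sending it; the site URL, list title, field name `DocCategory`, term label and digest are constructed sample values, and the field-name pattern is an assumption about what to allow.

```javascript
// Added example: build (not send) a SharePoint 2013 REST request that filters
// list items on a managed metadata column through a CAML query.

// Escape text placed inside CAML XML so a term label cannot alter the query.
function escapeXml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Assumption: internal field names are limited to letters, digits, underscore.
function assertFieldName(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error("unexpected field name: " + name);
  }
  return name;
}

function buildTaxonomyQuery(siteUrl, listTitle, fieldName, termLabel, digest) {
  const viewXml =
    "<View><Query><Where><Eq>" +
    "<FieldRef Name='" + assertFieldName(fieldName) + "'/>" +
    "<Value Type='TaxonomyFieldType'>" + escapeXml(termLabel) + "</Value>" +
    "</Eq></Where></Query></View>";
  // OData string literals double embedded single quotes; then URL-encode.
  const title = encodeURIComponent(String(listTitle).replace(/'/g, "''"));
  return {
    method: "POST",
    url: siteUrl.replace(/\/+$/, "") +
      "/_api/web/lists/getbytitle('" + title + "')/getitems",
    headers: {
      "Accept": "application/json;odata=verbose",
      "Content-Type": "application/json;odata=verbose",
      "X-RequestDigest": digest // form digest obtained from the site
    },
    body: JSON.stringify({
      query: { __metadata: { type: "SP.CamlQuery" }, ViewXml: viewXml }
    })
  };
}
```

The returned object can be handed to whatever HTTP client the page already uses; the escaping matters whenever the term label comes from user input.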
