DEFAULT ROLE ALL

Similar Messages

• ALTER USER USERNAME DEFAULT ROLE ALL;

  Hi,
  I want to know, what is the meaning of "ALTER USER CARDS DEFAULT ROLE ALL"

  It's easy to understand things when you try them,
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
  With the Partitioning, Oracle Label Security, OLAP, Data Mining
  and Real Application Testing options
  SQL> grant connect to newuser identified by newuser;
  Grant succeeded.
  SQL> conn newuser/newuser
  Connected.
  SQL> select * from session_roles;
  ROLE
  CONNECT
  SQL> conn / as sysdba
  Connected.
  SQL> create role new_user;
  Role created.
  SQL> grant select any table to new_user;
  Grant succeeded.
  SQL> grant new_user to newuser;
  Grant succeeded.
  SQL> conn newuser/newuser
  Connected.
  SQL> select * from session_roles;
  ROLE
  CONNECT
  NEW_USER
  SQL> conn / as sysdba
  Connected.
  SQL> alter user newuser default role connect;
  User altered.
  SQL> conn newuser/newuser
  Connected.
  SQL> select * from session_roles;
  ROLE
  CONNECT
  SQL> set role new_role;
  set role new_role
  ERROR at line 1:
  ORA-01919: role 'NEW_ROLE' does not exist
  SQL> set role new_user;
  Role set.
  SQL> select * from scott.dept;
      DEPTNO DNAME          LOC
          10 ACCOUNTING     NEW YORK
          20 RESEARCH       DALLAS
          30 SALES          CHICAGO
          40 OPERATIONS     BOSTONHTH
  Aman....

• Identifying users without DEFAULT ROLE ALL

  I want to query the database catalog to identify users who have been defined without DEFAULT ROLE ALL. Unfortunately I do not see anything in DBA_USERS that would tell me this.
  I suppose I could run DBMS_METADATA.EXTRACT_DDL to generate scripts for all users, and examine the output, but I would like something more direct.
  Thanks,
  Mike Tefft

  DBA_ROLE_PRIVS will tell me if there are any non-default roles. But it will not tell me if the user has been set for DEFAULT ROLE ALL.
  Here is the scenario I am trying to detect:
  06:56:27 > create user mjt_test_user_a identified by xxxx;
  User created.
  Elapsed: 00:00:00.01
  06:56:27 > create user mjt_test_user_b identified by xxxx;
  User created.
  Elapsed: 00:00:00.03
  06:56:27 >
  06:56:27 > create role mjt_test_role1;
  Role created.
  Elapsed: 00:00:00.01
  06:56:27 > create role mjt_test_role2;
  Role created.
  Elapsed: 00:00:00.00
  06:56:27 >
  06:56:27 > grant mjt_test_role1 to mjt_test_user_a ;
  Grant succeeded.
  Elapsed: 00:00:00.00
  06:56:27 > grant mjt_test_role1 to mjt_test_user_b ;
  Grant succeeded.
  Elapsed: 00:00:00.01
  06:56:27 >
  06:56:27 >
  06:56:27 > alter user mjt_test_user_a default role mjt_test_role1 ;
  User altered.
  Elapsed: 00:00:00.03
  06:56:27 > alter user mjt_test_user_b default role all;
  User altered.
  Elapsed: 00:00:00.00
  06:56:27 >
  06:56:27 > select * from dba_role_privs where grantee like 'MJT%TEST%' order by 1,2;
  GRANTEE                        GRANTED_ROLE                   ADM DEF
  MJT_TEST_USER_A                MJT_TEST_ROLE1                 NO  YES
  MJT_TEST_USER_B                MJT_TEST_ROLE1                 NO  YES
  2 rows selected.
  Elapsed: 00:00:00.03
  06:56:27 > At this point, both users look the same from DBA_ROLE_PRIVS. But if I add another role, it may be added as a non-default role (the scenario which burned me last night, and which I want to find out if it exists elsewhere).
  06:56:27 >
  06:56:27 > grant mjt_test_role2 to mjt_test_user_a ;
  Grant succeeded.
  Elapsed: 00:00:00.00
  06:56:27 > grant mjt_test_role2 to mjt_test_user_b ;
  Grant succeeded.
  Elapsed: 00:00:00.00
  06:56:27 >
  06:56:27 > select * from dba_role_privs where grantee like 'MJT%TEST%' order by 1,2;
  GRANTEE                        GRANTED_ROLE                   ADM DEF
  MJT_TEST_USER_A                MJT_TEST_ROLE1                 NO  YES
  MJT_TEST_USER_A                MJT_TEST_ROLE2                 NO  NO
  MJT_TEST_USER_B                MJT_TEST_ROLE1                 NO  YES
  MJT_TEST_USER_B                MJT_TEST_ROLE2                 NO  YES
  4 rows selected.
  Elapsed: 00:00:00.07
  06:56:27 >

• Default roles... by default

  Is there a way to have a role be default by default. In other words rather than
  1. grant a role to a user
  and then
  2. make that role default for each user granted the role (i.e. ALTER USER user_name DEFAULT ROLE role_name;)
  is there a way to have #2 above happen automatically when granting a role to a user? So that by default, roles granted are enabled as a default role for the user?
  Thanks.

  when granting a role to a user? So that by default,
  roles granted are enabled as a default role for the user?The user attribute of sys.user$.defrole seem to play a part in whether subsequent grant <role> to <theuser> commands will put roles on the "default roles" list or not. But as far as I know this is not (widely) documented.
  What you could do is to once issue
  alter user <theuser> default role all | all except <list of roles> This will set defrole to 1 and 3, respectively, and subsequent grants will make roles default roles for the user. Using the grant command with none | <list of roles> implies that subsequent role grants will not be enabled by default.
  (So, somebody issued another alter user user default role command with none or role_name, before you granted another role to the user.
  Also, I've mentioned this in another post just recently:
  Re: user can not do select,insert,update,delete on view when user has the role

• Default roles and grants

  I have role called role_test and this is granted to user user_test and made it as default role.
  but role_test is protected by password i.e to set role need to give password.
  set role role_test identified by test_role_pass;
  My question is when the user user_test loggs in will automatically gets this role_test as it is grated as default role ?
  or still he needs to call set role identified by password to enable this role.
  I am using oracle 11g database.Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
  Is there any change of this behaviour with oracle versions 10g to 11g ?
  Thanks,
  Phani

  Phani_Orcl wrote:
  Is there any change of this behaviour with oracle versions 10g to 11g ?Yes, there is. Password protected roles in 11g are not enabled at login time even if it is a default role:
  SQL> create role r1;
  Role created.
  SQL> create role r2 identified by r2;
  Role created.
  SQL> create user u1 identified by u1
    2  /
  User created.
  SQL> grant create session to u1
    2  /
  Grant succeeded.
  SQL> grant r1,r2 to u1
    2  /
  Grant succeeded.
  SQL> alter user u1 default role all
    2  /
  User altered.
  SQL> connect u1/u1
  Connected.
  SQL> select * from session_roles;
  ROLE
  R1
  SQL>
  And it is documented
  Authorizing a Role by Using the Database
  You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. <font color=red>You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.</font>
  SY.

• Default role missing options in new gallery

  I am new to JDeveloper 11g. When accessing the software, I am selecting the "Default role" from the intial roles dialog. When selecting File / New, I get the following options only:
  General
  - Applications
  - Connections
  - Deployment Descriptors
  - Projects
  Business Tier
  - Web Services
  Client Tier
  - Extension Development
  Database Tier
  - Offline Database Objects
  All Items
  The help for New Gallery suggests I should be seeing much more than this (UML, XML, TopLink etc.) when logged in under the default role. Can anyone suggest what might be wrong? Is there a config file I can look at or update?
  I am running JDeveloper 11g on Windows XP SP3. The version of 11g is:
  Oracle JDeveloper 11g 11.1.1.0.1
  Studio Edition Version 11.1.1.0.1
  Build JDEVADF_MAIN.BOXER_GENERIC_081203.1854.5188
  Copyright © 1997, 2008 Oracle. All Rights Reserved.
  IDE Version: 11.1.1.0.31.51.88
  Product ID: oracle.jdeveloper
  Product Version: 11.1.1.0.31.51.88
  Any help gratefully received.

  User,
  All of the things you mention require a project; so, first create an application and a project; then, ensure the Technology Scope for the project matches what you want to do (right-click, properties, technology scope). Then, you should see all of the things you mention.
  John

• GRC 10.0 - Auto Approve default roles

  Hello All,
  Could you please help out me in the below scenarios.
       1) We have maintained default roles in NBWC- Access Management - Default roles.
       Also set the parameter 2038 to Yes- Auto approve roles without approver.
  In MSMP we have maintained Escape path if approver is not found at the role level.
  As default roles have no approver maintained request is taking the Escape Path which should not happen.
  We just want to auto approve the defualt roles and other than defualt roles request should take escape path if no approver found.
       2) In other action its quite same as the above one.
       When we are using provisioning type REMOVE for role removal. Request also takes the Escape path as Defualt roles has no approver.
  Once the ,Manager at first stage is approved, request should close for the removal type access.
  Please advise. Thanks in advance.

  In your custom initiator, you need to have mapped out all the scenarios of which path each line item in your request goes to.
  The condition columns can be an array of attributes, i.e. Request Type, Role name, Role Connector (System the Role is in), Functional area etc.
  In your case, if you want "default roles" auto approved, easiest thing to so is create an empty path (i.e. No stages) and have the initiator set so that if the "Role Name" is "X" (i.e. your default role), go to the path with no stages.
  BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki

• ARQ: Default Role Provisioning Problem in Access Request???

  Hi,
  This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
  MSMP Issue - GRC 10
  I have also followed the note#1616092  for configuring the Default Roles.
  I have performed below activities:
  1. Param#2009 = YES
  2. Param#2010 = 001
  3. Param#2011 = REQUEST
  4. Param#2013 = SYSTEM
  5. Param#2038 = YES
  6. Imported a test role and NO ROLE OWNER is maintained.
  7.In NWBC->-AM->RM, I maintained a test role as a default.
  Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
  The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
  May I know what I am missing here? Why I am getting error and how can I resolve it?
  Please advise.
  Regards,
  Faisal

  Hi Faisal,
  sorry for late resposne I was away traveling.
  default roles are being added by default to access request
  Yes, these roles are added to the access request.
  FN: OK
  and this roles are following your normal paths which I guess assumes manager and role owner.
  How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
  FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
  - request is going to detour path
  Does it answer my question?
  FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
  Deafault roles can have separate path (in my case) where only supervisor is approving it.
  Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER"  I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
  FN; correct
  It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
  Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
  correct
  If you do not have separate path - this role like any other will follow standard path you have.
  Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
  FN: good
  My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
  FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
  If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
  My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
  Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
  Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
  Are you asking for default roles?
  Please advise.
  Regards,
  Faisal

• Defaults Roles Doubt - GRC 10.0

  Hi All,
  I have a query regarding default roles in GRC. In the role search screen when the user selects a role, there will be a defaults roles column which shows all existing defaults roles for different systems maintained in GRC.
  Actually our client requirement is that when a user selects role for ECC only defaults roles defined for ECC should show up. But currently default roles column shows all defaults roles defined in GRC.
  Is it possible to achieve our scenario? Anyone came across same issue?
  Regards,
  Sai.

  Dear Sai,
  the behaviour is standard as you have defined parameter 2011 as ROLE. To change the output you might need help of an ABAPler.
  Alternatively you can change parameter 2012 to REQUEST and then the requestor won't see the default roles as they are added to the request after submission. Only the approvers can see the added default roles.
  Best regards,
  Alessandro

• DEFAULT ROLE FOR USER

  I swich to Oracle11g express and create user
  CREATE USER LEO
  IDENTIFIED BY xy
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;
  -- 3 Roles for LEO
  GRANT AUTHENTICATEDUSER TO LEO;
  GRANT CONNECT TO LEO;
  GRANT FER_ADMIN TO LEO WITH ADMIN OPTION;
  ALTER USER LEO DEFAULT ROLE FER_ADMIN;
  -- 1 System Privilege for LEO
  GRANT CREATE SESSION TO LEO;
  -- 1 Tablespace Quota for LEO
  ALTER USER LEO QUOTA UNLIMITED ON USERS;
  and after login i check
  select * from SESSION_ROLES
  and i have none role
  if I set role all works fine.
  Why I doesn't have DEFAULT ROLE after login.
  Pleas for help .

  here is the solution
  default roles and grants
  Edited by: Leo Lakota on 4.10.2012 5:52

• RE: Default role config in CUP

  Dear Experts,
  I got a problem with default role configuration. Please help me in resolving the issue.
  I want to configure defaults for all request types like new account and change account as well. Also I what the option "Create if user does not exist" to YES.
  This means when ever change account workflow is executed for the existing users, default roles are getting assigned redundantly. is there any way to fix this problem.
  My solution is to schedule "PRGN_COMPRESS_TIMES" job so that system will delete all redundant roles. Please advise if there  is any other alternative. Client is insisting to have the option "Create if user does not exist"in Auto provisioning enabled.
  I appreciate your help.
  Thanks,
  Raj

  Hi
  Set the below parameters it never assign the role for change request.
  it is working in our system.
  CUP---->Configuration->Roles>Default Roles-->Request type = New Hire

• GP: Process default Roles Cleared when transported

  Hi,
       I have created an impersonalized form that triggers a process in guided procedures.
  I have set the default roles for process as impersonalized form needs all the roles to be defaulted.
  Its working fine in the test system. When I transport this to Production, the default roles get cleared. I get an error message when the form is submitted - ERROR_NO_DEFAULT_USER_FOR_ROLE .
  Version: Adobe Livecycle designer 7.1
  NW2004s SP15
  Thank you,
  Vasu
  Edited by: Subramanya Srinivas Mullapudi on Feb 6, 2009 6:41 PM

  But as I'm using an Impersonalized form, even when I assign the default roles, the impersonalized form still pointing to the process with no default roles. Its not recognizing the default roles assigned in administration.
  I cannot change the process to add default roles (in production). So whenever I submit the form I get the error "ERROR_NO_DEFAULT_USER_FOR_ROLE"
  Complete error:
  SAP Guided Procedures - Error Page
     What happened?
     An internal error occurred while processing your request
     What can you do?
     Try again later. If the problem persists, contact your system
     administrator.
    Additional Error Information
     FormPostprocessor.ERROR_NO_DEFAULT_USER_FOR_ROLE
     com.sap.caf.eu.gp.base.exception.EngineException:
     FormPostprocessor.ERROR_NO_DEFAULT_USER_FOR_ROLE at
     com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.createProcessRoleInstance(FormPostprocessor.java:176)
  at
     com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.prepareProcessRoles(FormPostprocessor.java:157)
  at
     com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.initiateProcess(FormPostprocessor.java:289)
  at
     com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.processData(FormPostprocessor.java:564)
  at
     com.sap.caf.eu.gp.model.iforms.FormPostProcessor.doPost(FormPostProcessor.java:182)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:760) at
     javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at
     com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
  at
     com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
  at
     com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
  at
     com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
  at
     com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
  at
     com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
  at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
     at
     com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
  at
     com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
  at
     com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
  at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at
     java.security.AccessController.doPrivileged(AccessController.java:207)
     at
     com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
  at
     com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
     Sorry for any inconvenence

• Content area should be a white area/page with the first/default role

  Hi All,
  Pealse help me
  When user logs in to the Portal, content area should be a white area/page with the first/default role
  Thanks,
  Jyothi.

  hi,
  simple way, create a static HTML page with your company logo (or empty page) and upload to KM, assign it to existing Home role as a KM document iview that loads first.(make entry point - yes).
  assign the role to everyone group with property -sort priority 10 for role (low compared to all other roles)
  regards,
  mahesh.

• Default Role configuration  in CUP

  Hi Experts,
  We are on GRC 5.3 SP9 and I am trying to assign  default roles based on the request type
  I want default roles to be assigned only for certain request type
  these are the parameters I have configured
  Consider default roles: YES
  Request Type: NEW Hire
  Default roles level: request
  user attributes: Company
  So I am forced to choose default role user Attribute Company.
  I was expecting that whenever a request is created for a new hire I wanted such and such role to be assigned by default!
  but now whenever  a company( for which i mapped the default roles) is selected its putting default roles in all the request types
  I would expect its only puts default roles for my request type NEW HIRE
  for the respective company !
  Any thought? I am missing something?
  Regards
  MK

  Hello Alpesh,
  SAP has come  back saying that the application is designed that way always works with the comibation of  user attributes
  to me its clearly user attributes are taking over the request type ( clearly ingorning ) i dont see a point why they have field in default role configuration  for request type ( Request type  might as well be simply CUP)
  they have asked me try with user attribute  as system  instead of company , looks like it works !
  I will give you more info
  Best Regards
  MK

• Error adding Default roles after transport

  we are trying to transport our GP to another system.
  the transport imported successfully.
  but we are getting below error if we need to add the Default roles in the new portal system.
  Administartion -> Assign default roles ->
  Error/Message: The process template does not contain roles to which you can assign default values.
       Could not retrieve process template
  Design time:
       Error/Message: 1.Cannot retrieve activity template: Development object does not exist in the database
                      2.      Cannot retrieve object:
  Please suggest me if you have faced simiilar issue.

  Already I have tried in both from Administartion -> Assign Default Roles -> Select the process, by selecting the process & when we click on Open, this error is populated.
  Also in Design time -> select the process -> by clicking on the "Open" , I am getting this error.
  Also, I have tried the option to do "Edit All" to change the version of all the objects and transport them to targeted system.
  and , also implemented the SAP Note: 1321013.
  But in all the above cases, I am getting the same error.
  Then tried to remove the Default Roles and assigned all the roles to Initiator, then transported, still when I try to run the process and when I open the process getting the same error.
  SAP Note: 1321013:
  Terminate all process instances.
  Unlock all objects.
  Delete all process templates.
  Empty trash.
  Redeploy process templates.
  Release objects after Import.
  (http://wiki.sdn.sap.com/wiki/display/JSTSG/(GP)ICannotStartorOpenaProcess)