Default role with membership login

Similar Messages

• Default role  with password - reality check

  I support the database for an application. We upgraded from Oracle10 to Oracle11 9 months ago. Then recently we applied the OCT CPU.
  The application admin says that they have a program that has recently stopped working that worked after the Oracle11 upgrade.
  The application user has a default role which has a password. Is that possible? A default role with a password. Would this have ever worked in any version of Oracle?

  Default role with password is a feature even available with Oracle XE. Default roles are activated without requiring role password in Oracle 10.2:
  SQL> drop user admin cascade;
  User dropped.
  SQL> drop user test cascade;
  User dropped.
  SQL> drop role rwp;
  Role dropped.
  SQL> select * from v$version;
  BANNER
  Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product
  PL/SQL Release 10.2.0.1.0 - Production
  CORE    10.2.0.1.0      Production
  TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
  NLSRTL Version 10.2.0.1.0 - Production
  SQL>
  SQL> create user admin identified by oraclexe;
  User created.
  SQL> grant create session, create table to admin;
  Grant succeeded.
  SQL> grant unlimited tablespace to admin;
  Grant succeeded.
  SQL> grant create user to admin;
  Grant succeeded.
  SQL> grant create role to admin;
  Grant succeeded.
  SQL>
  SQL> create user test identified by oraclexe;
  User created.
  SQL> grant create session to test;
  Grant succeeded.
  SQL>
  SQL> connect admin/oraclexe;
  Connected.
  SQL> create table t(x varchar2(10));
  Table created.
  SQL> insert into t values('admin OK');
  1 row created.
  SQL> commit;
  Commit complete.
  SQL> create role rwp identified by oraclexe;
  Role created.
  SQL> grant all on t to rwp;
  Grant succeeded.
  SQL> grant rwp to test;
  Grant succeeded.
  SQL>
  SQL> connect test/oraclexe;
  Connected.
  SQL> select * from session_roles;
  ROLE
  RWP
  SQL> select * from admin.t;
  X
  admin OK
  SQL> insert into admin.t values('test OK');
  1 row created.
  SQL> commit;
  Commit complete.
  SQL> select * from admin.t;
  X
  admin OK
  test OK
  SQL>There have been changes between Oracle 10.2 and 11.2 because the same script fails in 11.2 unless the role is set with the password:
  SQL> drop user admin cascade;
  User dropped.
  SQL> drop user test cascade;
  User dropped.
  SQL> drop role rwp;
  Role dropped.
  SQL> select * from v$version;
  BANNER
  Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
  PL/SQL Release 11.2.0.1.0 - Production
  CORE    11.2.0.1.0      Production
  TNS for Linux: Version 11.2.0.1.0 - Production
  NLSRTL Version 11.2.0.1.0 - Production
  SQL>
  SQL> create user admin identified by oraclexe;
  User created.
  SQL> grant create session, create table to admin;
  Grant succeeded.
  SQL> grant unlimited tablespace to admin;
  Grant succeeded.
  SQL> grant create user to admin;
  Grant succeeded.
  SQL> grant create role to admin;
  Grant succeeded.
  SQL>
  SQL> create user test identified by oraclexe;
  User created.
  SQL> grant create session to test;
  Grant succeeded.
  SQL>
  SQL> connect admin/oraclexe;
  Connected.
  SQL> create table t(x varchar2(10));
  Table created.
  SQL> insert into t values('admin OK');
  1 row created.
  SQL> commit;
  Commit complete.
  SQL> create role rwp identified by oraclexe;
  Role created.
  SQL> grant all on t to rwp;
  Grant succeeded.
  SQL> grant rwp to test;
  Grant succeeded.
  SQL>
  SQL> connect test/oraclexe;
  Connected.
  SQL> select * from session_roles;
  no rows selected
  SQL> select * from admin.t;
  select * from admin.t
  ERROR at line 1:
  ORA-00942: table or view does not exist
  SQL> insert into admin.t values('test OK');
  insert into admin.t values('test OK')
  ERROR at line 1:
  ORA-00942: table or view does not exist
  SQL> commit;
  Commit complete.
  SQL> select * from admin.t;
  select * from admin.t
  ERROR at line 1:
  ORA-00942: table or view does not exist
  SQL>
  SQL> set role rwp identified by oraclexe;
  Role set.
  SQL> select * from session_roles;
  ROLE
  RWP
  SQL> select * from admin.t;
  X
  admin OK
  SQL> insert into admin.t values('test OK');
  1 row created.
  SQL> commit;
  Commit complete.
  SQL> select * from admin.t;
  X
  admin OK
  test OK
  SQL>10.2 Security Guide says:
  If you are granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in a SET ROLE statement. However, if the role is made a default role and enabled at connect time, then the user is not required to enter a password.
  11.1 and 11.2 Secuirty Guide says:
  If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE  statement using the required password.
  Edited by: P. Forstmann on 20 févr. 2010 10:28

• Restricting administrator tab to user created with default role OIM 11g R2

  Hi,
  I have a query, if we create a user in OIM 11g R2 without any admin role and then login to Self Service screen (Identity) with the newly created user, we can see the Administration Tab is visible to the user.
  Is this mean that by default user is having admin role assigned to him to do some of the admin activities.
  Please let me know how to control this behavior and not to show the Administration tab to the user until and unless he is having some admin roles assigned to him.
  Please help.

  You can hide Administration tab for normal users using EL's. By default users will get this tab when they login to identity console even though admin role is not assigned to them. But if you do any operation on any users, request will be raised accordingly.
  Check this link to configure EL's http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#autoId18

• Creation of BP with default role

  Hi ,
     I have a requiement where in I want a Business Partner to be created with a default role ,i.e CRM006. I can do this in GUI with the help of authorizations.
  But the same does not work in PCUI.
  My requirement is whenever a user creates a Business Partner, Role CRM006 automatically gets assigned to it.
  please sugest something.
  Help will be apreciated.
  Regards
  Sourabh Verma

  Hi PREMKUMAR LNS,
  you can easily implement BADI: BADI_CRM_BP_UIU_DEFAULTS
  IF_UIU_BP_DEFAULTS~GET_DEFAULT_VALUES
  and write something like this:
  assign cr_me->('TYPED_CONTEXT') to <typed_context>.
    if sy-subrc = 0.
      lr_typed_context ?= <typed_context>.
      if lr_typed_context is bound.
        assign lr_typed_context->('HEADER') to <context_node>.
        if sy-subrc = 0.
          try.
              lr_node            ?= <context_node>.
            catch cx_sy_move_cast_error.  "EC_NOHANDLER
          endtry.
          if lr_node is bound.
            lr_coll_wrapper ?= lr_node->collection_wrapper.
            if lr_coll_wrapper is bound.
              try.
                  lr_current ?= lr_coll_wrapper->get_current( ).
                  check lr_current is bound.
  controllo la tipologia di account
                  zbp_category = lr_current->get_property_as_string( 'BP_CATEGORY' ).
                 zbp_group    = lr_current->get_property_as_string( 'BP_GROUP' ).
                  if zbp_category = '1'.
                  elseif zbp_category = '2'.
                Set default role at creation to "Relation"
                     break domino.
                      zobp_category = lr_current->get_property_as_string( 'BP_ROLE' ).
                      if  zobp_category is initial.
  Here you are setting the default role   
                    lr_current->set_property( iv_attr_name = 'BP_ROLE'
                                     iv_value = 'BUP002' ).
                      endif.
                  else.
                  endif.
                catch cx_sy_move_cast_error.
              endtry.
            endif.
          endif.
        endif.
      endif.
    endif.

• User Default Mappings attribute "role" with condition "OR"

  Hello,
  we are using GRC 5.3 SP 8.1.
  User default mappings with more than one "role" attribute and the condition "OR" don't seem to work. After provisioning no user parameters have changed in backend system. When I configure only one "role" with the condition "AND" everything works fine, request types are the same.
  Any suggestions?
  Thanks,
  Manuel

  Hallo Sirish,
  thanks for this helpful answer.
  In the note it says: "After upgrade from 5.2 to 5.3 SP08.1, the user defaults were not provisioned."
  So this error only occurs when upgraded from 5.2 to 5.3 SP8.1 or is it a gnerally bug in SP 8.1?
  I configured some new conditions in our test system and it worked. So in my opinion only the old configured user default mappings don't work because of the upgrade (???). I'm a little bit confused...
  Regards,
  Manuel Kunkel

• Content area should be a white area/page with the first/default role

  Hi All,
  Pealse help me
  When user logs in to the Portal, content area should be a white area/page with the first/default role
  Thanks,
  Jyothi.

  hi,
  simple way, create a static HTML page with your company logo (or empty page) and upload to KM, assign it to existing Home role as a KM document iview that loads first.(make entry point - yes).
  assign the role to everyone group with property -sort priority 10 for role (low compared to all other roles)
  regards,
  mahesh.

• DEFAULT ROLE FOR USER

  I swich to Oracle11g express and create user
  CREATE USER LEO
  IDENTIFIED BY xy
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;
  -- 3 Roles for LEO
  GRANT AUTHENTICATEDUSER TO LEO;
  GRANT CONNECT TO LEO;
  GRANT FER_ADMIN TO LEO WITH ADMIN OPTION;
  ALTER USER LEO DEFAULT ROLE FER_ADMIN;
  -- 1 System Privilege for LEO
  GRANT CREATE SESSION TO LEO;
  -- 1 Tablespace Quota for LEO
  ALTER USER LEO QUOTA UNLIMITED ON USERS;
  and after login i check
  select * from SESSION_ROLES
  and i have none role
  if I set role all works fine.
  Why I doesn't have DEFAULT ROLE after login.
  Pleas for help .

  here is the solution
  default roles and grants
  Edited by: Leo Lakota on 4.10.2012 5:52

• Reg:Howq to set Default role on SSO Authentication

  We have a scenario where Default roles should be set to Contributor on SSO Authentication(not using LDAP). I have the below configuration
  SSO_DefaultRoles=contributor
  SSO_ModifyExtraParams=true
  SSO_SetAuthInfo=true
  SSO_IsSimpleAuth=false
  in oraclessopluginfilter_environment.cfg. But on SSO login, I see that users are assigned only guest role because of which they don't have check in option. Can you please help me out with how to set up default roles on SSO authentication.
  Thanks in advance for your time and effort
  Praveen

  Hi Jon,
  For any code changes in bsp components we need it's z-instance and that we get after enhancing the respective entity for eg views, context nodes etc..
  In case you are not familiar with the enhancement, please refer to some thread which explain about the component enhancement concept.
  Coming to this requirement..
  You need to enhance bp_roles component, then enhance rolelist view and roles context node.. redefine the GET_V_PARTNERROLE method.. copy the parent class code and do the necessary changes to manipulate the entries in gt_ddlb_add
  Check the statement at line no 107..
  gr_ddlb_roles->set_selection_table( it_selection_table = gt_ddlb_add ).
  Just before above statment call, manipulate gt_ddlb_add to keep the required role value at index 1..
  Another thing in my test system i can't see any role as "Account" under SPRO customizing "Business Partner Roles" instead "Business Partner (Gen.)" is available, don't know if you are able to see Account Role in the Roles DDLB..
  i would suggest debug the get_v_partnerrole method once at line no 107 see the entries in gt table you will get an idea what you need to change.
  Hope this helps..
  Cheers,
  Sumit Mittal

• What is the default admin user account login id and password in Windows 8?

  Hi all,
  The current admin acccount in Windows 8 system are changed to Standard and no other Admin account is available in the system.
  What is the default admin user account login id and password in Windows 8?
  Or 
  Is there way to change the User role for the account?
  Please use Marked as Answer if my post solved your problem and use
  Vote As Helpful if a post was useful.

  I am able to login as a Normal user, can not login as administrator.Hence can not install any software or change my user settings or create a new user.
  What is the default admin password. How can i reset it form my user account
  C:\Users\Amit>net user Administrator
  User name                    Administrator
  Full Name
  Comment                      Built-in account for administering the computer/domain
  User's comment
  Country/region code          000 (System Default)
  Account active               No
  Account expires              Never
  Password last set            7/26/2012 12:57:03 PM
  Password expires             Never
  Password changeable          7/26/2012 12:57:03 PM
  Password required            Yes
  User may change password     Yes
  Workstations allowed         All
  Logon script
  User profile
  Home directory
  Last logon                   9/16/2013 1:16:30 PM
  Logon hours allowed          All
  Local Group Memberships      *Administrators
  Global Group memberships     *None
  The command completed successfully.

• Help with custom login module

  i've been following franks' tutorial on how to use a custom login module. but no matter what i do, i cant get the jsp to authenticate my valid database account.
  jazn-data.xml file
  <!-- JAZN Realm Data -->
  <name>scott</name>
  <credentials>!tiger</credentials>
  <jazn-loginconfig>
  <application>
  <name>foo</name>
  <login-modules>
  <login-module>
  <class>oracle.sample.dbloginmodule.DBTableLM.DBSystemLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  <option>
  <name>jdbcUrl</name>
  <value>jdbc:oracle:thin:@localhost:1521:orcl</value>
  </option>
  <option>
  <name>log_level</name>
  <value>ALL</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  </application>
  </jazn-loginconfig>
  </jazn-data>
  orion-application.xml
  <jazn provider="XML" location="jazn-data.xml"      
  default-realm="jazn.com">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="jaas.username.simple" value ="true" />
  </jazn>
  is there anything wrong with the settings?I've followed the tutorial to the last step. yet i cant get anything. Please help!

  Sorry about the incomplete previous post:
  I am trying to do the authentication using a customized login module in a stand alone OC4J server. I put some debug statements and found out that the authentication works but fails to authorize. I get the following error:
  NOTIFICATION J2EE RMI-00005 Login permission not granted for myApp (testUser)
  The only way I have been able to get this to work is to add the user 'testUser' in system-jazn-data.xml and specify that 'testUser' has the role 'USERS'. It's not practically possible to specify all the users in system-jazn-data.xml. Is there a workaround this? I have pasted below snippets of orion-application.xml and system-jazn-data.xml. Any help is greatly appreciated. Thanks in advance
  I have specified the following in orion-application.xml
  <namespace-access>
  <read-access>
  <namespace-resource root="">
  <security-role-mapping>
  <group name="USERS"/>
  </security-role-mapping>
  </namespace-resource>
  </read-access>
  <write-access>
  <namespace-resource root="">
  <security-role-mapping>
  <group name="USERS"/>
  </security-role-mapping>
  </namespace-resource>
  </write-access>
  </namespace-access>
  </orion-application>
  In system-jazn-data.xml I have given permission for the role 'USERS' to login.
  <grant>
  <grantee>
  <principals>
  <principal>
  <realm-name>jazn.com</realm-name>
  <type>role</type>
  <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
  <name>jazn.com/USERS</name>
  </principal>
  </principals>
  </grantee>
  <permissions>
  <permission>
  <class>com.evermind.server.rmi.RMIPermission</class>
  <name>login</name>
  </permission>
  </permissions>
  </grant>

• Default roles and grants

  I have role called role_test and this is granted to user user_test and made it as default role.
  but role_test is protected by password i.e to set role need to give password.
  set role role_test identified by test_role_pass;
  My question is when the user user_test loggs in will automatically gets this role_test as it is grated as default role ?
  or still he needs to call set role identified by password to enable this role.
  I am using oracle 11g database.Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
  Is there any change of this behaviour with oracle versions 10g to 11g ?
  Thanks,
  Phani

  Phani_Orcl wrote:
  Is there any change of this behaviour with oracle versions 10g to 11g ?Yes, there is. Password protected roles in 11g are not enabled at login time even if it is a default role:
  SQL> create role r1;
  Role created.
  SQL> create role r2 identified by r2;
  Role created.
  SQL> create user u1 identified by u1
    2  /
  User created.
  SQL> grant create session to u1
    2  /
  Grant succeeded.
  SQL> grant r1,r2 to u1
    2  /
  Grant succeeded.
  SQL> alter user u1 default role all
    2  /
  User altered.
  SQL> connect u1/u1
  Connected.
  SQL> select * from session_roles;
  ROLE
  R1
  SQL>
  And it is documented
  Authorizing a Role by Using the Database
  You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. <font color=red>You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.</font>
  SY.

• GRC 10.0 - Auto Approve default roles

  Hello All,
  Could you please help out me in the below scenarios.
       1) We have maintained default roles in NBWC- Access Management - Default roles.
       Also set the parameter 2038 to Yes- Auto approve roles without approver.
  In MSMP we have maintained Escape path if approver is not found at the role level.
  As default roles have no approver maintained request is taking the Escape Path which should not happen.
  We just want to auto approve the defualt roles and other than defualt roles request should take escape path if no approver found.
       2) In other action its quite same as the above one.
       When we are using provisioning type REMOVE for role removal. Request also takes the Escape path as Defualt roles has no approver.
  Once the ,Manager at first stage is approved, request should close for the removal type access.
  Please advise. Thanks in advance.

  In your custom initiator, you need to have mapped out all the scenarios of which path each line item in your request goes to.
  The condition columns can be an array of attributes, i.e. Request Type, Role name, Role Connector (System the Role is in), Functional area etc.
  In your case, if you want "default roles" auto approved, easiest thing to so is create an empty path (i.e. No stages) and have the initiator set so that if the "Role Name" is "X" (i.e. your default role), go to the path with no stages.
  BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki

• ARQ: Default Role Provisioning Problem in Access Request???

  Hi,
  This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
  MSMP Issue - GRC 10
  I have also followed the note#1616092  for configuring the Default Roles.
  I have performed below activities:
  1. Param#2009 = YES
  2. Param#2010 = 001
  3. Param#2011 = REQUEST
  4. Param#2013 = SYSTEM
  5. Param#2038 = YES
  6. Imported a test role and NO ROLE OWNER is maintained.
  7.In NWBC->-AM->RM, I maintained a test role as a default.
  Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
  The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
  May I know what I am missing here? Why I am getting error and how can I resolve it?
  Please advise.
  Regards,
  Faisal

  Hi Faisal,
  sorry for late resposne I was away traveling.
  default roles are being added by default to access request
  Yes, these roles are added to the access request.
  FN: OK
  and this roles are following your normal paths which I guess assumes manager and role owner.
  How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
  FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
  - request is going to detour path
  Does it answer my question?
  FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
  Deafault roles can have separate path (in my case) where only supervisor is approving it.
  Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER"  I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
  FN; correct
  It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
  Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
  correct
  If you do not have separate path - this role like any other will follow standard path you have.
  Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
  FN: good
  My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
  FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
  If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
  My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
  Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
  Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
  Are you asking for default roles?
  Please advise.
  Regards,
  Faisal

• RE: Default role config in CUP

  Dear Experts,
  I got a problem with default role configuration. Please help me in resolving the issue.
  I want to configure defaults for all request types like new account and change account as well. Also I what the option "Create if user does not exist" to YES.
  This means when ever change account workflow is executed for the existing users, default roles are getting assigned redundantly. is there any way to fix this problem.
  My solution is to schedule "PRGN_COMPRESS_TIMES" job so that system will delete all redundant roles. Please advise if there  is any other alternative. Client is insisting to have the option "Create if user does not exist"in Auto provisioning enabled.
  I appreciate your help.
  Thanks,
  Raj

  Hi
  Set the below parameters it never assign the role for change request.
  it is working in our system.
  CUP---->Configuration->Roles>Default Roles-->Request type = New Hire

• To set a default role according to the user.

  Hi,
  I would like to set different default roles according to users. For example, we have the following prerequisites:
  1) 3 roles: roleA | roleB | roleC (in this order).
  2) 3 differents users: user1, user2, user3.
  So, if I log-in with the user1, the default role should be the roleA; if I log-in with the user2, the default role should be the roleB; and so on.
  But I don't want to change the order of the roles using "sort priority" property.
  How can I do this?
  Thanks,
  Samantha.

  Hello Samantha,
  Does each of the users need to have each of the roles? If not you could just not assign the other roles except the one you want to display as default role (a assume you mean the role that is displayed first after logon).
  If each of your users need every role, I am afraid your requirement is not realizable unless you use the sort priority property. Why don't you want to use it in the first place?
  On possible yet circuitous way to meet your requirements would be the following:
  Create another role for each of your user(-group)s. Say in your case Role 1, Role 2 and Role 3 which are not defined as entry points.
  Assign roleA, roleB and roleC to Role 1 where roleA has the lowest sort priority; and assign user1 to role 1.
  Assign roleA, roleB, roleC to Role 2 where roleB has the lowest sort priority; and assign user 2 to Role 2
  and so on.
  Of course you need to use sort priority for that and I think thats hard to maintain. (probably not even what you are looking for)
  Maybe you can get a litle more concrete what you are trying to achieve.
  best regards
  Stefan