Delegated admins adding roles, displaying unexpected.

Hi all
I need to paint a picture for this one so please be patient.
I have a delegated admin that I have given access to the organization called internal using the internal tabbed user form. They have capabilities to add users, edit, update, and I have included only specific Business Roles that they can add, which excludes all other roles. This works perfectly.
I have a separate admin role that allows a delegated admin to do the same as above with a different set of specific business roles to an organization called external using the external tabbed user form. This works perfectly as well.
NOTE: The business roles are only available to their respective organizations.
My dilemma:
When I add both roles to 1 delegated admin I get behavior that I think could be different.
All the correct forms work, all the fields are correct everything works as expected except the roles.
When I select add roles it actually shows the combination of both sets of business roles that the above capabilities give me access to... not the ones assigned to their respective organization.
Now based on
1. The roles are only available to users in their respective organizations
2. And I have excluded roles from the other organizations
3. And I am selecting or creating a user in their specific organization
Should this display this way? And if so is there anything else I can do to just display the roles that are available to the organization?
Cheers

Similar Messages

  • Delegated Admin- Adding user causes unhandled exceptions

    Now that I've finally settled on 05q1, I'm trying to create accounts using the delegated admin GUI.
    I click on my domain, then on "New". I then fill out first, last name, role is Business OA, no postal address, assign no service package, change the loginId and two passwords. At this point, when I click "Next", I get a "Server Error" screen with this information:
    This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misconfiguration. Please ask the administrator to look for messages in the server's error log.
    The messages below show up in /opt/sun/webserver/https-imap.domain.com/logs/errors. I couldn't find any other error for ds, identity, admin server, etc. After this exception, I also have to log back in to DA. The messages are quite vague (from an administrative standpoint) so any help is appreciated!

    Might it have something to do with having not assigned a service package? I read in the 05Q4 notes that in 05Q1, a service package had to be defined. I just tried to allocate some service packages to the domain and I get the same "Server Error" page when I click "Next" on the page where I choose how many service packages to allocate (i.e. the screen right before the "Summary" page).
    At least the errors are a little more informative in the webserver error log (sample below)
    I chose 3 service packages and attempted to allocate 50 each, no anonymous logins for calendar server, and put in a calendar server hostname. All other fields were left at default.

  • Delegated Admin roles

    Hello
    I have 5 delegated admin roles assigned to a group.
    How do I get a list of delegated admin roles defined for that group in Workshop (not through the admin portal)? Is there any API?
    Also, do users of a group inherit the delegated admin roles defined for a group?
    Any help would be appreciated.
    Thanks
    Vijay

    The com.bea.p13n.security package may give you some clue.
    Also, as a general rule, Roles are 'above' Groups. So if a user is a member of a group (which has a role defined), the user 'gets' that role.
    Thanks,
    Puneet

  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up: I reconfigured the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace and debug; usually they go away with a restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEquivalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others treading this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration
    //Jim Klimov

  • Delegated Admin reports strange number of users

    I recently noted that our Delegated Admin (Delegated Administrator 6.4-2.05, B2008-04-29) Organizations page (the one which lists the hosted domains and particularly their "Number of Users") lists this number plain wrong. For many organizations it is reported as 0 or 1, for one there's a blank line, and only one seemingly has 39 users.
    When I click on organizations however, I see their full lists of users (I believe, ones which have a non-empty mail attribute set in LDAP) and there are tens in most orgs and over a hundred accounts in the larger org.
    What is wrong? Does DA's Organization-List page use some other means of counting the users than the individual Organization's page?

    JimKlimov wrote:
    In fact, while importing our old server, I did initialize most domains' users via ldapclient queries as discussed on-list in mid-2008. Nobody said that there are other static values outside of a user's account data :)

    The sunnumusers: attribute is commonly overlooked -- primarily because it is for admin-interface purposes only and doesn't impact on the operation of user accounts.

    JimKlimov wrote:
    Is it possible to replace this value of sunnumusers by a dynamic search (or counter), either in the GUI code or perhaps in the LDAP attribute?

    No. Any such dynamic search would have an adverse performance impact on the DA interface for large environments.

    JimKlimov wrote:
    What is the logically correct value, the count of users with mail attribute set?

    If you want the sunnumusers: to match the number of users displayed when you click on the organisation in the "Organizations" tab then you would count the users which matched the following search for the domain:
    (&(uid=*)(&(objectClass=inetuser)(|(inetUserStatus=active)(inetUserStatus=inactive))))
    Regards,
    Shane.

  • Delegated Admin and User Management in WLP 9.2

    Hi,
    I've made Delegated Administrator role and a user for it. The user is Delegated Admin for our users and groups. Still that user cannot create new users, only new groups.
    The error message that shows when creating new user is "The subject does not have access to the specified group".
    What should I do to make it work?
    Regards,
    Tanja

    Unfortunately, you've run into a bug in the product. See CR282051 in the WLP 9.2 release notes.
    http://edocs.bea.com/wlp/docs92/relnotes/relnotes.html#wp1147925
    If you have a support contract, you might be able contact BEA Support to see if a patch might be available.

  • Delegated Admin login fail

    I installed Solaris 9 05/9 and JES05Q4 in a Sun Fire V440 recently.
    I chose these components only:
    Directory server
    Administration server
    Web server
    Access manager
    Messaging server
    Delegated administrator
    Directory preparation tools
    I can use commadmin to create users after installation and initial configuration, but I can't log in to the delegated admin with any account. http://server.mydomain.com/da/DA/Login
    After I check the DA log file, it shows:
    WARNING: User [admin] has no valid role assigned, aborting login
    What kind of role is required for DA login?
    Thanks in advance for any help.
    dx

    I recommend that you post your question to the Messaging Server forum (also listed at the bottom of the Java ES forums page):
    http://swforum.sun.com/jive/forum.jspa?forumID=15
    You might also want to search that forum for similar problem reports.

  • Cpu high while installing delegated admin 2nd instance.

    Hi,
    I am using Sun JES 2005Q1 on Solaris9 sparc platform.
    AM, Delegated Admin & MEM are running on 1 host which is working perfectly.
    I have installed another instance of AM on another host which is also working perfect.
    Whenever I try to install a 2nd instance of Delegated Admin, the CPU utilization of my LDAP server goes very high (98%) and the installation doesn't proceed.
    I have increased the nsslapd-allidthreshold value from 4000 to 15000.
    Also, indexing of attributes is already done.
    But still no luck for me.
    I am getting error logs on ldap server "search is not indexed".
    Can anyone help me out ?
    Regards,
    Shujaat Nazir Khan
    Senior System Engineer
    Cyber Internet Services (Pvt.) Ltd.

    The access manager has the same "oversight" but it was easy enough to fix by adding WS_ADMINHOST=admin.dom.tld to the amsamplesilent, and sed -i 's/--host=$WS_HOST/--host=$WS_ADMINHOST/g' to amws70config and amconfigupdate, and things actually worked when I did this (with a little more hackery, like manually editing mime.types and server.policy). This DA configurator is less straight forward, and when I fixed up the files and reran the failed scripts, things didn't work.
    Does it make sense to run the administration server in its own zone/machine from an architectural standpoint? There has to be at least one admin server, so is the point AM/DA makes "it may as well be running on the node that _requires_ it to be running" versus "separate services into logical partitions?" It seems to me the first option is "good enough" while the second makes sense, but I'm looking for confirmation or further input.

  • Folders under a role displayed for all users

    Hi
    I had created a role called Role A and this had two folders under it named Folder A, Folder B. I assigned this role to User A only.
    I logged into the portal as User A, and saw that these two folders were visible, and as I had wanted it.
    But when I logged in with the administrator's account too, I noticed that along with Content Administration, User Administration, System Administration, I also had Folder A and Folder B.
    I checked the roles for Administrator and Role A has not been assigned.
    I don't want this Folder A and Folder B to appear in the admin's account.
    Please help.
    Thanks
    Manoj

    Hi
    Thanks for your help. It's not a permission issue for that folder, and no other groups are added in Role A.
    I guess, like Venkatesh says, it could be the content admin role or super admin role. But surprises me as to what would happen if there were more than 100 folders.
    There must be something else to it. I suspect this to be a cache problem, as I had added Role A to Administrator's group and then removed it from there. I will check this and confirm.
    Thanks for all help
    Regards,
    Manoj

  • Delegated Admin and Class of Service

    Hi
    we have configured
    Messaging Server
    Calendar server
    Instant Messaging Server
    and Portal Server
    We would like use delegated admin for user provisioning.
    We are able to modify default Class of Service templates to suit our needs for Messaging and Calendaring.
    We would also like to provide Portal desktop and Instant Messaging access through delegated admin.
    Help us to configure these class of services either using directory console or any other method
    Thanks
    Saba


  • Delegated Admin GUI customization

    The Delegated Admin GUI is not always very convenient in its default settings.
    For a couple of short examples that annoy me while I'm installing and migrating to this server:
    1) the user list is split by 10's of users per page or all users on one page, and 10 accounts per page is the default;
    2) I can search for users by their email addresses (and that's often more convenient than guessing/remembering what form of the name was entered), but I always have to select that option from a dropdown list, and be careful to type in the partial address before (or between) the wildcard asterisks, etc.
    Is it possible to provide some customization to the GUI - i.e. pre-selected value for "All users on one page", or perhaps better - an increased amount (100 instead of 10); preselect "Search by email" and enter two asterisks as the search field value to easily search for partial addresses (and process a double-asterisk as a single-asterisk - search for everyone - for reverse compatibility), etc?
    I believe these types of customizations should be easy to do, is that somehow supported/configured.
    The harder types of customizations i thought of (which may include coding) would be:
    1) extend/configure the list of attributes to search for (i.e. email doesn't seem to include aliases), and
    2) adding another default option - "Search by all of these attributes"

    JimKlimov wrote:
    The Delegated Admin GUI is not always very convenient in its default settings.
    A little bit of background. The Delegated Admin GUI is not designed to be the all-encompassing provisioning tool and this is reflected in the lack of UI customisation guides and the limited functionality. The tool caters for the smaller organisation that wants to perform simple account/group/resource creation and deletion and also to big ISPs that wanted a delegated administration tool for hosted domains.
    Medium sized organisations, e.g. universities, tend to develop their own provisioning tools (usually for financial reasons).
    Larger organisations either have their own provisioning tools or make use of DA's user/account provisioning big brother:
    http://www.sun.com/software/products/identity_mgr/index.xml
    A customisation guide for common settings/modifications is available here:
    http://docs.sun.com/app/docs/doc/819-4438/acfdl?a=view
    JimKlimov wrote:
    For a couple of short examples that annoy me while I'm installing and migrating to this server:
    1) the user list is split by 10's of users per page or all users on one page, and 10 accounts per page is the default;
    I was able to increase the limit by changing the maxRows setting in the following file and restarting the webserver instance:
    /var/opt/SUNWwbsvr7/https-<hostname>/web-app/<hostname>/da/jsp/users/UserList.jsp
    JimKlimov wrote:
    2) I can search for users by their email addresses (and that's often more convenient than guessing/remembering what form of the name was entered), but I always have to select that option from a dropdown list, and be careful to type in the partial address before (or between) the wildcard asterisks, etc.
    Try using the "advanced search" instead (at the top of the GUI near the log out/help links).
    JimKlimov wrote:
    I believe these types of customizations should be easy to do, is that somehow supported/configured.
    You can make the customizations; the downside is that when you apply a DA patch they will be overwritten. From memory they were planning on addressing this limitation at some stage but it appears to have dropped off the developers' "radar".
    JimKlimov wrote:
    1) extend/configure the list of attributes to search for (i.e. email doesn't seem to include aliases), and
    It is supposed to: RFE#6296082 - "Need to provide ability to search for email alias in delegated admin" was implemented several years ago, but the search, as you said, doesn't seem to include mailalternateaddress/mailequivalentaddress. You will need to log a support case to get this investigated further.
    JimKlimov wrote:
    2) adding another default option - "Search by all of these attributes"
    Refer to the advanced search.
    Regards,
    Shane.

  • RevokeRoleGrant fails for missing ADMIN CONFIGURATION role

    hi all
    I am using the API and authenticating as xelsysadm. I am able to read all of the roles associated to a user
    but cannot revoke any.
    I get the following error message.
    oracle.iam.identity.exception.ValidationFailedException: IAM-3056134:Role SYSTEM CONFIGURATION ADMINISTRATORS is NOT granted to user System Operator.:SYSTEM CONFIGURATION ADMINISTRATORS:System Operator
    I added SYSTEM CONFIGURATION ADMINISTRATORS role to xelsysadm and ran the role api and it shows up.
    I added the OPERATORS role to a new user and when I try to remove the OPERATORS role from that new user is when I get the error.
    Thanx
    Fred
    Edited by: Foresterf on Jul 22, 2011 1:33 PM

    hi sunny,
    I do not see a user called "System Operator". Do I need to add any roles to xelsysadm for this to work?
    Here is the code. usrKey=21, and roleid=2 is the only entry in roleKeySet.
    try {
        roleOp.revokeRoleGrant(usrKey, roleKeySet);
    } catch (ValidationFailedException vfe) {
        logger.error("ValidationFailedException", vfe);
        throw new AIHelperException(vfe);
    } catch (AccessDeniedException ex) {
        logger.error("AccessDeniedException", ex);
        throw new AIHelperException(ex);
    } catch (RoleGrantRevokeException ex) {
        logger.error("RoleGrantRevokeException", ex);
        throw new AIHelperException(ex);
    }
    Here is the logging from my code.
    DEBUG,22 Jul 2011 22:13:06,201,[AI.AIOIMCLIENT][96],getting User
    DEBUG,22 Jul 2011 22:13:06,625,[AI.AIOIMCLIENT][98],21
    {Status=Active, [email protected], usr_key=21, User Login=MELFORESTER, Last Name=Forester, Xellerate Type=End-User, First Name=Melvin}
    DirectReports:
    DEBUG,22 Jul 2011 22:13:06,633,[AI.AIOIMCLIENT][99],getting User Roles
    DEBUG,22 Jul 2011 22:13:06,732,[AI.AIOIMCLIENT][103],Role id = 2
    {Role Display Name=OPERATORS, Role Unique Name=OPERATORS, ugp_create=Fri Apr 22 07:03:07 EDT 2011, Role Owner Key=1, Role Description=Operator role, Role Name=OPERATORS, ugp_update=Fri Apr 22 07:03:07 EDT 2011, Role Namespace=Default, Role Key=2, LDAP GUID=null, ugp_updateby=1, Role Category Key=2, ugp_data_level=1, Role Email=null, LDAP DN=null}
    DEBUG,22 Jul 2011 22:13:06,751,[AI.AIOIMCLIENT][103],Role id = 3
    {Role Display Name=ALL USERS, Role Unique Name=ALL USERS, ugp_create=Fri Apr 22 07:03:07 EDT 2011, Role Owner Key=1, Role Description=Default role for all users, Role Name=ALL USERS, ugp_update=Fri Apr 22 07:03:07 EDT 2011, Role Namespace=Default, Role Key=3, LDAP GUID=null, ugp_updateby=1, Role Category Key=2, ugp_data_level=1, Role Email=null, LDAP DN=null}
    DEBUG,22 Jul 2011 22:13:06,760,[AI.AIOIMCLIENT][110],Revoking OPERATORS Role
    DEBUG,22 Jul 2011 22:13:06,845,[AI.OIMHELPER][139],Adding role to revoke list 2
    DEBUG,22 Jul 2011 22:13:06,920,[AI.OIMHELPER][151],Revoking roles from user id 21 entityid 21
    ERROR,22 Jul 2011 22:13:08,222,[AI.OIMHELPER][158],ValidationFailedException
    oracle.iam.identity.exception.ValidationFailedException: IAM-3056134:Role SYSTEM CONFIGURATION ADMINISTRATORS is NOT granted to user System Operator.:SYSTEM CONFIGURATION ADMINISTRATORS:System Operator
    at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
    at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
    at oracle.iam.identity.rolemgmt.api.RoleManager_ogut7n_RoleManagerRemoteImpl_1033_WLStub.revokeRoleGrantx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
    at $Proxy2.revokeRoleGrantx(Unknown Source)
    at oracle.iam.identity.rolemgmt.api.RoleManagerDelegate.revokeRoleGrant(Unknown Source)
    Thanx
    Fred
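An added example for readers who hit the same IAM-3056134 message. This is my code, not Fred's and not Oracle's documentation. In the OIM 11g RoleManager API, revokeRoleGrant takes the role key as its first argument and a Set of user keys as its second, the mirror image of what the posted snippet passes. That ordering matches the wording of the error in the log: with 21 in the role slot and {2} in the user slot, the server looks up role key 21 (SYSTEM CONFIGURATION ADMINISTRATORS on that system) and user key 2 (the default System Operator account), finds no such grant, and rejects the call. The class name, the provider URL, the environment variables and the use of a service account instead of xelsysadm are assumptions for illustration; the key values 2 and 21 are taken from Fred's log. Running it needs the OIM client jars on the classpath and -Djava.security.auth.login.config pointing at the client's authwl.conf.

```java
import java.util.Collections;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;

import oracle.iam.identity.exception.AccessDeniedException;
import oracle.iam.identity.exception.RoleGrantRevokeException;
import oracle.iam.identity.exception.ValidationFailedException;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.RoleManagerResult;
import oracle.iam.platform.OIMClient;

/**
 * Added example (not code from the thread): revoke one role from one user
 * through the OIM 11g RoleManager API with the arguments in the order the
 * API expects, role key first and the set of user keys second.
 */
public class RevokeRoleGrantExample {

    /** Revokes the role identified by roleKey from the single user userKey. */
    static RoleManagerResult revokeOne(RoleManager roleOp, String roleKey, String userKey)
            throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException {
        Set<String> userKeys = Collections.singleton(userKey);
        // Not revokeRoleGrant(userKey, roleKeys): that makes the server look up a
        // role with the user's key and a user with the role's key, which is what
        // the IAM-3056134 message quoted in the thread reports.
        return roleOp.revokeRoleGrant(roleKey, userKeys);
    }

    public static void main(String[] args) throws Exception {
        // Assumed connection details; replace with your own.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://oimhost.example.com:14000");
        OIMClient client = new OIMClient(env);

        // Assumption: a dedicated account limited to role administration, with its
        // credentials supplied through the environment rather than hard-coded.
        client.login(System.getenv("OIM_USER"), System.getenv("OIM_PASSWORD").toCharArray());
        try {
            RoleManager roleOp = client.getService(RoleManager.class);
            // From Fred's log: OPERATORS has Role Key=2, MELFORESTER has usr_key=21.
            RoleManagerResult result = revokeOne(roleOp, "2", "21");
            System.out.println("status: " + result.getStatus());
            // Per-entity failures are reported here rather than as an exception.
            for (Map.Entry<String, String> failed : result.getFailedResults().entrySet()) {
                System.out.println("failed " + failed.getKey() + ": " + failed.getValue());
            }
        } finally {
            client.logout();
        }
    }
}
```

The quickest check that this is the problem on a given system is to read the error literally: the role and user it names should be the entities whose keys you thought you were passing. If the role named is not the one you intended and the user named is one you never referenced, the keys have landed in each other's slots.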

  • Delegated Admin for Messaging does not run properly

    Hi, my environment is:
    iDS5.1, iMS5.2, iCS5.1 and Delegated Admin for Messaging 1.2.
    I have installed all the components and it seems to run fine, but when I log on to the Delegated Admin I can't see the frame in the middle of the browser window. An error appears that "The page cannot be displayed".
    I had a look in the error log of the WebServer to see what might happen and I saw the following error message:
    Internal error: servlet service function had thrown ServletException (uri=/servlet/getPage): javax.servlet.ServletException: java.lang.Exception: ../templates/isp/SearchSelected.html:45 -> Template contains directive that first requires LdapEntry to be initiallized by program., stack: javax.servlet.ServletException: java.lang.Exception: ../templates/isp/SearchSelected.html:45 -> Template contains directive that first requires LdapEntry to be initiallized by program. at java.lang.Throwable.fillInStackTrace(Native Method) at java.lang.Throwable.fillInStackTrace(Compiled Code) at java.lang.Throwable.<init>(Compiled Code) at java.lang.Exception.<init>(Compiled Code) at javax.servlet.ServletException.<init>(ServletException.java:107) at netscape.nda.servlet.NDAIMSGetPage.execute(Compiled Code) at netscape.nda.servlet.NDAServlet.doPost(NDAServlet.java:117) at netscape.nda.servlet.NDAServlet.doGet(NDAServlet.java:138) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.java:897) at com.iplanet.server.http.servlet.NSServletRunner.Service(NSServletRunner.java:464) , root cause:
    I had no errors during the installation and the access to the LDAP server seems to be o.k. because it is possible to log on to the Del. Admin.
    Can anyone give me a hint what this might be?
    Any help would be very much appreciated.
    THX
    Marcel

    iDS5.1, iMS5.2, iCS5.1 and Delegated Admin for Messaging 1.2.
    Why is anybody installing 3-year old software today?
    The error message implies that not all installation steps were done correctly. The most common problem is that when ims_dssetup.pl is run, the entries there are not correct for what you intend to put in during Messaging install...

  • Delegated Admin and Number of Users

    Recently we deleted about 3K users using: commadmin domain purge, and while
    it appears to have successfully deleted the users -- ldapsearch doesn't yield any
    output. The lower number of users is NOT reflected in the field "Number of Users"
    on the Delegated Admin page. It still shows the same number of users >11K we
    "had" prior to the deletion process.
    Any ideas to explain this discrepancy?
    -- Bob

    rkbunca wrote:
    Recently we deleted about 3K users using: commadmin domain purge, and while
    it appears to have successfully deleted the users -- ldapsearch doesn't yield any
    output. The lower number of users is NOT reflected in the field "Number of Users"
    on the Delegated Admin page. It still shows the same number of users >11K we
    "had" prior to the deletion process.
    Any ideas to explain this discrepancy?
    The number of users displayed in the DA GUI is recorded in the "sunNumUsers" attribute associated with the domain, e.g.
    dn: o=aus.sun.com,dc=aus,dc=sun,dc=com
    sunNumUsers: 11
    This is to avoid having to do an ldapsearch across the domain to get a count. You can manually update this attribute to get the number back in sync.
    The commadmin domain purge should have updated this value -- I couldn't find any pre-existing bugs to explain why it didn't happen in your case. I suggest you log a support case to get this looked into further.
    You may also want to check your directory audit logs to see if an attempt was made to update this attribute but failed for some reason.
    Regards,
    Shane.
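The manual resync Shane describes, as an added example that is not part of the thread: count the user entries that actually exist under the domain, then replace sunNumUsers on the domain entry with that number. The domain DN, the search filter, the sample ldapsearch output and the pipelines in the comments are assumptions for illustration; the script only builds and prints the LDIF change record, so it runs offline and you can inspect what would be written before feeding it to ldapmodify.

```sh
#!/bin/sh
# Added example, not from the thread: bring a domain's sunNumUsers counter
# (the "Number of Users" shown by Delegated Admin) back in sync with the
# entries actually present in the directory.
# The domain DN, user filter and sample output below are assumptions.

# Count the entries in ldapsearch output read from stdin. Intended pipeline
# (not run here; bind options depend on your ldapsearch):
#   ldapsearch -b "$DOMAIN_DN" -s sub '(objectClass=inetOrgPerson)' dn | count_user_entries
count_user_entries() {
    # grep -c exits 1 when nothing matches; still print the 0 and succeed.
    grep -c '^dn:' || true
}

# Print an ldapmodify change record that replaces sunNumUsers on the domain
# entry. Intended use (not run here), bound as a DN allowed to write it:
#   make_sunnumusers_ldif "$DOMAIN_DN" "$count" | ldapmodify -D "cn=Directory Manager" ...
make_sunnumusers_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: sunNumUsers\nsunNumUsers: %s\n' "$1" "$2"
}

# Constructed sample of what the ldapsearch above might return for a domain
# left with three users after a purge (not real directory data).
SAMPLE_SEARCH='dn: uid=alice,ou=People,o=example.org,dc=example,dc=org
dn: uid=bob,ou=People,o=example.org,dc=example,dc=org
dn: uid=carol,ou=People,o=example.org,dc=example,dc=org'

DOMAIN_DN='o=example.org,dc=example,dc=org'
count=$(printf '%s\n' "$SAMPLE_SEARCH" | count_user_entries)
make_sunnumusers_ldif "$DOMAIN_DN" "$count"
```

Before writing the value, compare the filter you count with against what the DA tools themselves provision under the domain; if the two disagree, the counter will drift again at the next purge. Writing sunNumUsers needs write access to the domain entry, so run the ldapmodify step as the directory administrator or an account with an explicit ACI for that attribute rather than as the delegated admin user.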

  • Delegated admin information incorrect

    How do I change the information associated with my Partnership when I send out a delegated admin request?
    Currently it puts in an email and a phone number as well as the name of my partnership.
    Those need to be changed.
    Christine Adelmann

    Hi,
    Account Delegate Feature Facts:
    Account delegates have full access to your account. However, delegates cannot add, remove, or view other account delegates.
    You can add up to 10 account delegates.
    Note: Adding an account delegate does not give that person permission to use services that the account subscribes to. In other words, for Windows Azure, the account delegate will not be a service administrator or a co-administrator.
    You might want to refer to the below article for more information
    http://blogs.msdn.com/b/mast/archive/2013/10/26/windows-azure-account-delegate-feature.aspx
    Hope this helps!
    Regards,
    Sowmya
