Distributed Objects access control

Similar Messages

• SAP Business Objects Access control with BI4.1 and enterprise authetication

  Hi Team,
  We are on BI 4.1 with enterprise authentication. We are using IDM (oracle waveset 8) for access management. Currently we receive request from IDM and we manually configure user in BI4.1. We are now planning to automate this process, like as soon as user request place request through IDM , his access wil lget configure in BI 4.1
  can we achieve this using SAP Business Objects Access controle or with any other method ? Need your guidance
  Thanks,
  Nivedita

  Hi Andrea,
  1. you configure the BOE Server with the SAP authentication for your SAP server
  1b you configure trust between the portal server and the SAP system
  2. you import the portal iView template as part of the SAP Kit into the portal server
  3. you create a new system (or use an existing one) in the portal system landscape and configure the properties of the Crystal Enterprise properties
  4. you create a new iView based on the portal iView template
  ingo
  I have some difficulties to create a new system, I don't know witch option i should choose.
       System (from template)     
       +BI JDBC System
       BI ODBO-Compliant OLAP System
       BI SAP Query System
       BI XMLA-Compliant OLAP System
       EP 5.0 System
       HTTP System
       JDBC System
       KM Lotus System
       KM WebDAV System
       KM Windows System
       SAP system using connection string
       SAP system using dedicated application server
       SAP system with load balancing
       Web Service System using WSDL URL+
       System (from PAR)
       com.sap.km.cm.repository.manager
       com.sap.km.common.domino
       com.sap.netweaver.coll.appl.gw
       com.sap.netweaver.coll.appl.sync
       com.sap.portal.httpconnectivity.urlsystem
       com.sap.portal.ivs.sl.connector.helper
       com.sap.portal.runtime.application.soap
       com.sap.portal.systems.bi
       com.sap.portal.systems.datasource
       com.sap.portal.systems.EP5
       com.sap.portal.systems.jdbc
       com.sap.portal.systems.sap
       com.sap.portal.systems.webservices
       com.sap.portal.unification50.template
  Thanks a lot
  Selvam

• Cannot remove the access control entry object on the object because the ACE isn't present

  Hello,
  I am very new to using Powershell and Exchange Management Shell, and have no prior experience using either of these tools. However, the software I am installing requires me to use the EMS tool in order to set certain permissions for a user in Exchange, which
  will be like the admin account. 
  The command I am attempting to run follows as:
  Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False 
  This throws me an error saying:
  cannot remove the access control entry on the object because the ACE isn't present. I've done some research, and have found that this error is quite common, but the solutions do not apply to what I am specifically trying to accomplish. I am simply trying
  to remove the Receive-As permission for the admin user that I just created.
  Once again, I am very new to Exchange and Powershell, but if there is any advice anyone has, it would greatly appreciated.

  I ran this command, and a very long list was displayed, it looks like everything is there.
  The weird thing is that I was able to run a previous command which granted Receive-As access to the user I am creating: 
  Get-ExchangeServer | Add-ADPermission -User $newusername -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin -Confirm:$False 
  The description for the commands to run read to 'grant permissions and to revoke denies, if present'. I'm not sure what this means, but the second part of this pertains to the second command that I am having trouble with:
  Get-ExchangeServer | Remove-ADPermission -User $newusername -Deny -ExtendedRights Receive-As -Confirm:$False

• Access Controlled Business Object ??

  Hello,
  Can anyone share few views about Access Controlled Business Object and RBAM Data. I have never used them before and wanted to know more about these like how it affects the security and all.
  Please dont point to any reference links or pdf's to see the info abt Access Controlled BO's becoz I have already read enough material and all I had is confusion .
  So, kindly share your personal views about this topic here rather than referring a document which is somewhere else.
  Thanks in advance.
  regards,
  vatsav

  Hello Vatsav,
  I have used an employee association with access context to "1000 - Employee Self Service" and
  "1003 - Management". It works very well.
  In my case simple business user should see only their own data (1000 - Employee Self Service) and a business user with a management role (1003 - Management) can see all data.
  If you want to use a different logic (such as access context code 1000/1003/1007), maybe you have a problem.
  Regards,
  Kay Kressner

• ORA-24247: network access denied by access control list (ACL)error-UTL_HTTP

  I am getting following ACL error while executing following procedure:
  create or replace procedure sat_proc as
  http_req utl_http.req;
  http_resp utl_http.resp;
  BEGIN
  http_req := utl_http.begin_request('www.yahoo.com');
  http_resp := utl_http.get_response(http_req);
  utl_http.end_response(http_resp);
  END;
  exec sat_proc;
  ORA-29273: HTTP request failed
  ORA-06512: at "SYS.UTL_HTTP", line 1130
  ORA-24247: network access denied by access control list (ACL)
  ORA-06512: at "TRANSDBA.SAT_PROC", line 5
  ORA-06512: at line 1
  I am able to execute successfully while executing above code as PL/SQL block:
  DECLARE
  http_req utl_http.req;
  http_resp utl_http.resp;
  BEGIN
  http_req := utl_http.begin_request('www.yahoo.com');
  http_resp := utl_http.get_response(http_req);
  utl_http.end_response(http_resp);
  END;
  PL/SQL procedure successfully completed.
  Could help me find why I am getting error while executing same code in a procedure? Is there any privilege missing?

  GRANT EXECUTE ON SYS.UTL_HTTP TO <your_user>;
  SQL> set time on
  17:21:01 SQL> set role none;
  Role set.
  17:21:23 SQL> @utl_http.sql
  17:21:34 SQL> DECLARE
  17:21:34   2  http_req utl_http.req;
  17:21:34   3  http_resp utl_http.resp;
  17:21:34   4  BEGIN
  17:21:34   5  http_req := utl_http.begin_request('www.yahoo.com');
  17:21:34   6  http_resp := utl_http.get_response(http_req);
  17:21:34   7  utl_http.end_response(http_resp);
  17:21:34   8  END;
  17:21:34   9  /
  PL/SQL procedure successfully completed.
  17:21:35 SQL> connect / as sysdba
  Connected.
  17:22:47 SQL> connect dbadmin/admindb
  Connected.
  17:23:06 SQL> @utl_http.sql
  17:23:22 SQL> DECLARE
  17:23:22   2  http_req utl_http.req;
  17:23:22   3  http_resp utl_http.resp;
  17:23:22   4  BEGIN
  17:23:22   5  http_req := utl_http.begin_request('www.yahoo.com');
  17:23:22   6  http_resp := utl_http.get_response(http_req);
  17:23:22   7  utl_http.end_response(http_resp);
  17:23:22   8  END;
  17:23:22   9  /
  PL/SQL procedure successfully completed.
  17:23:23 SQL> set role none;
  Role set.
  17:23:29 SQL> @utl_http.sql
  17:23:31 SQL> DECLARE
  17:23:31   2  http_req utl_http.req;
  17:23:31   3  http_resp utl_http.resp;
  17:23:31   4  BEGIN
  17:23:31   5  http_req := utl_http.begin_request('www.yahoo.com');
  17:23:31   6  http_resp := utl_http.get_response(http_req);
  17:23:31   7  utl_http.end_response(http_resp);
  17:23:31   8  END;
  17:23:31   9  /
  DECLARE
  ERROR at line 1:
  ORA-29273: HTTP request failed
  ORA-06512: at "SYS.UTL_HTTP", line 1130
  ORA-24247: network access denied by access control list (ACL)
  ORA-06512: at line 5
  17:23:31 SQL> above is from test user
  Below is from SYSDBA account
  SQL> set time on
  17:20:53 SQL> revoke execute on sys.utl_http to dbadmin;
  revoke execute on sys.utl_http to dbadmin
  ERROR at line 1:
  ORA-00905: missing keyword
  17:22:03 SQL> revoke execute on sys.utl_http from dbadmin;
  revoke execute on sys.utl_http from dbadmin
  ERROR at line 1:
  ORA-04020: deadlock detected while trying to lock object
  ACLiLZU+w09hR7gQAB/AQAjcw==
  17:22:32 SQL> /
  Revoke succeeded.
  17:22:52 SQL> Edited by: sb92075 on Jun 10, 2010 5:24 PM

• Creating SOD matrix with the help of Access control default ruleset

  I am creating the SOD matrix for the existing roles of CRM and HR modules.  As I am the security consultant therefore does not have the functional knowledge about the conflicts for CRM and HR transactions. My question is can I use the function/actions/risks conflicts provided with the Access control 5.3 default ruleset.  We are not using Access control for these systems, so I want to know whether I can take the help of AC 5.3 default risks to create the SOD matrix based on it.
  For e.g, like H001 default HR risk, I would make sure not to assign PA30(maintain HR data) with the PA03/PA04(maintain personal control record) as this will result in the providing conflict "Modify payroll master data and then process payroll". 
  Once I have the SOD list based upon AC 5.3, I can consult the Business approver/auditor to verify and modify as per the business requirement.
  Maybe I am thinking the wrong way, please provide your inputs so I can work on it.  Any help appreciated.
  Thanks,
  Sanjay Desai

  The most important thing to keep in mind is that you need to build a rule set that reflects the customers real business risk!
  What you build there will influence the way the customer will be able to continue work, assign access and perform control activities. The input HAS to come from the business!
  You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
  But the real challenge is to identify the risks as perceived/accepted by the business!
  Frank.

• Role Based Access Control in Java

  Hi,
  we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
  I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I wondering how will the package work together with RBAC pattern (Or is the pattern already implemented in some package)?
  Does any1 have any comments on this? Thnx
  Dave

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징

  제품 : ORACLE SERVER
  작성날짜 : 2005-11-24
  FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징
  =======================================================================
  PURPOSE
  row leve의 security 및 context관리 방법인 FGAC에 대한 간단한 개념 및 사용방법은
  <bul 23026>에 제시하였다.
  이 문서에는 FGAC를 위한 dbms_rls package의 8i ~ 10g까지의 version별 특징을
  정리하며, STATIC_POLICY와 POLCICY_TYPE parameter에 대해서는 예제를 이용하여
  자세히 살펴보도록 한다.
  Explanation & Examples
  dbms_rls.add_policy를 사용할 때 일반적으로 주는 value값의 예제는 다음과 같다.
  이중 대부분은 default값을 이용하여, 일반적으로는 앞의 5개의 parameter만
  value를 주면 된다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  > object_schema => 'SCOTT', -
  > object_name => 'EMP', -
  > policy_name => 'POL1', -
  > function_schema => 'SYS', -
  > policy_function => 'PREDICATE', -
  > statement_types => 'SELECT', -
  > static_policy => false, -
  > policy_type => DBMS_RLS.DYNAMIC
  > long_predicate => false);
  1. FGAC의 version별 특징
  (1) sec_relevant_cols/sec_relevant_cols_opt : 10G
  위에 기술한 add_policy procedure의 parameter외에 10g에서 추가된
  parameter로 다음 두 parameter가 존재한다.
  이 parameter는 해당되는 column이 조회될때만 policy가 작동하게 하기 위한
  것으로 metalink.oracle.com site에서 <Note 250795.1> 를 살펴보면 사용 방법
  및 예제를 확인 가능하다.
  - sec_relevant_cols
  - sec_relevant_cols_opt
  (2) long_predicate : 10G
  default는 false이며, true로 지정하는 경우 predicate이 4000 bytes이상이
  될 수 있다.
  (3) statement_types : 10G부터 INDEX type추가
  9i까지는 SELECT, INSERT, UPDATE, DELETE에 대해서는 FGAC를 적용할 수
  있었으나, 10g부터는 INDEX type도 지정 가능하다.
  index를 지정하는 경우, function-based index 생성을 제한할 수 있으며,
  자세한 예제는 metalink.oracle.com site에서 <Note 315687.1>를 조회하여
  확인할 수 있다.
  (4) EXEMPT ACCESS POLICY 권한 : 9i
  특정 user가 모든 fine-grained access control policy의 영향을 받지
  않도록 하려면 exempt access policy권한을 grant하면 되며, 이것은 9i부터
  소개되었다.
  SQL> grant exempt access policy to scott;
  와 같은 방식으로 권한을 부여하면 되며, 이에 대한 자세한 예제는
  metalink.oracle.com site에서 <Note 174799.1>를 통해 확인 가능하다.
  (5) synonym에 대한 policy설정 : 9.2
  synonym에 대해서 VPD (Virtudal Private Database)에 대한 policy를 설정하는
  것이 가능해 졌으며 이에 대해서는 metalink.oracle.com에서 <Note 174368.1>를
  조회하여 자세한 방법 및 예제를 살펴볼 수 있다.
  (6) static_policy : 8.1.7.4
  static_policy paramter는 8i에는 없던 것으로 9i에서 도입되면서, 8.1.7.4에도
  반영되었다. default값은 false이며, 8173까지는 항상 false인 형태로 동작한다.
  즉, policy function이 매번 object를 access할때마다 실행된다.
  8.1.7.4부터는 이 parameter를 true로 설정할 수 있는대, 이렇게 되면
  해당 session에서 policy function이 한번 실행되고 그 function이 shared pool에
  cache되어 있으면 재실행없이 그대로 사용된다.
  10g부터는 (7)번에 설명하는 policy_type parameter가 추가되어,
  이 parameter에 true로 지정하는 대신, static_type은 false로 두고,
  policy_type을 dbms_rls.static 으로 지정하면,
  9i와 8174에서 static_policy를 true로 한것과 같은 결과가 나타난다.
  (7) policy_type: 10g
  다음과 같이 5가지 value가 가능하며, 이 중 default는 dynamic이다.
  - STATIC
  policy fuction에 포함된 predicate이 runtime환경에 따라 다른 결과를 내지
  않는 경우 사용하게 된다. 예를 들어 sysdate의해 다른 결과를 return하는
  경우에는 사용하면 사용하면 문제가 될 수 있다.
  static을 사용하는 경우 policy function은 한번 실행되어 SGA에 올라온 다음
  이후 같은 session에서 같은 object를 사용시에는 재실행 없이 해당 predicate의
  결과를 그대로 사용한다.
  - SHARD_STATIC
  STATIC과 같으나, 이 값은 다른 object에 대해서도 같은 predicate function이
  사용되는 경우, 먼저 cache된 predicate을 찾아서 있으면 그 값을 이용한다.
  STATIC의 경우는 다른 object 사이에서는 공유하지 않으며 같은 object에
  대해서만 cache된 값을 사용한다.
  - CONTEXT_SENSITIVE
  한 session에서 context가 변경되면 그때 predicate를 재 실행시킨다.
  WAS(web application server)를 사용하는 경우 connection pooling방법을
  기본적으로 사용하는대, 이 경우 하나의 session을 여러 사용자가 이어서
  교대로 사용하는 방식이 된다. 이 경우 middle tier단에서 context를 설정해
  주면 context가 변경될때마다 predicate를 새로 실행시켜 변경된 sysdate나
  session_user등의 값을 다시 계산하게 되는것이다.
  jdbc에서 context설정에 관한 예제는 metalink.oracle.com에서
  <Note 110604.1>에서 확인가능하다.
  - SHARED_CONTEXT_SENSITIVE
  context_sensitive와 동일하며, 단 shared_static과 마찬가지로 여러 object에
  대해서 같은 predicate을 사용하는 경우 다른 object에 대한 같은 predicate이
  cache되어 있는지를 먼저 살펴본다.
  존재하면 session private application context가 변경되기 전까지 그 predicate의
  결과를 그대로 사용한다.
  - DYNAMIC
  이 값이 default값이다. 즉, predicate function이나 시스템이나 환경에
  영향을 받는다고 판단하여 statement가 실행될때마다 매번 predicate function을
  재 실행하여 환경에 맞는 값을 return하여 준다.
  아래에서 sysdate 값에 따라 다른 결과를 return하게 되어 있는
  predicate을 이용한 예제를 통해 정확한 메카니즘을 확인한다.
  2. static_policy 및 policy_type의 value에 따른 policy function의 작동예제
  (a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
  (1) 기존에 pol1 policy가 존재하는 경우 다음과 같이 drop시킨다.
  SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
  (2) 다음과 같이 predicate function을 scott user로 만들어둔다.
  SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
  2 return varchar2 is d_predicate varchar2(2000);
  3 begin
  4 if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
  5 d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION'');
  6 else d_predicate := 'sal>=3000';
  7 end if;
  8 return d_predicate;
  9 end predicate;
  10 /
  (3) pol1을 새로 add시킨다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  object_schema => 'SCOTT', -
  object_name => 'EMP', -
  policy_name => 'POL1', -
  function_schema => 'SCOTT', -
  policy_function => 'PREDICATE', -
  statement_types => 'SELECT', -
  static_policy => TRUE, -
  policy_type => NULL);
  (4) adams user에서 scott.emp를 조회해 본다.
  단 다음과 같이 scott.emp에 대한 select권한을 king에게 주어야 한다.
  SQL>grant select on emp to king;
  SQL>!date
  Thu Nov 24 14:01:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  5분이후가 되어 predicate function의 if조건을 만족하지 않아도,
  king user는 같은 값을 emp table에 대해서 return한다.
  SQL>!date
  Thu Nov 24 14:10:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  (b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
  (1) 기존의 policy를 다음과 같이 drop시킨다.
  SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
  (2) pol1을 새로 add시키는대 이대 static_policy와 policy_type을 다음과 같이
  변경한다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  object_schema => 'SCOTT', -
  object_name => 'EMP', -
  policy_name => 'POL1', -
  function_schema => 'SCOTT', -
  policy_function => 'PREDICATE', -
  statement_types => 'SELECT', -
  static_policy => flase, -
  policy_type => dbms_rls.dynamic);
  (3) king user에서 조회해본다.
  predicate function은 위의 2-(a)에서 실행한 것을 그대로 사용한다.
  즉 (a)를 실행하지 않은 경우, 조회전에 (a)-(2)번을 실행해야 한다.
  SQL>!date
  Thu Nov 24 15:01:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  5분 이후가 되어 다시한번 king user에서 실행해본다.
  SQL>!date
  Thu Nov 24 15:10:13 EST 2005
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7788 SCOTT ANALYST 7566 19-APR-87 3000
  20
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  7902 FORD ANALYST 7566 03-DEC-81 3000
  20
  RELATED DOCUMENTS
  <Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
  in DBMS_RLS.ADD_POLICY Procedure
  <Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
  to 10g

  first you could use default column values, not a trigger, which is more expensive.
  if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

• Change in Access Control components on the Service Marketplace

  Hello GRC community:
  We would like to inform you that as of yesterday (5/30) the Access Control components for support messages/SAP Notes have been changed (they have actually been replaced so all messages/notes logged under the old component will be moved/replaced to the new).
  The main 4 components are now:
  New: GRC-SAC-ARA     Access Risk Management
  Old: GRC-SAC-SCC          Risk Analysis & Remediation (formerly Compliance Calibrator) 
  New: GRC-SAC-ARQ     Access Request
  Old: GRC-SAC-SAE          Compliant User Provisoning (formerly  Virsa Access Enforcer) 
  New: GRC-SAC-EAM     Emergency Access Management
  Old: GRC-SAC-SFF          Superuser Privilege Management (formerly Virsa Firefighter) 
  New: GRC-SAC-BRM     Business Role Management
  Old: GRC-SAC-SRE          Enterprise Role Management (formerly Virsa Role Expert)
  There are also NEW components specific to areas of functionality. If you are not sure of what component to log your message under, please use the main components above.
  GRC-SAC-ADS          Directory Services
  GRC-SAC-BI             Access Control BW
  GRC-SAC-CONF       Configuration
  GRC-SAC-DAS          Dashboard
  GRC-SAC-REP          Repository
  GRC-SAC-RPT          Reporting
  GRC-SAC-UAR          User Access Review
  GRC-SAC-UPG          Installation & Upgrade
  GRC-SAC-WF           Workflow
  Ramelyn Paredes
  AGS Primary Support

  Hello COmmunity,
  To Summarise in Short: New features introduced to V10.0 : GRC 10.0 is ABAP based, so extraction of data from users is fast & analysis as well.
  As usual, the names for the Access control tool has been changed
  A. Access Risk Analysis (RAR)
  1. USOBT & object information will be automatically updated with GRC rather than manual upload (earlier version)
  2. Mass Users can be imported from .CSV file for risk analysis, Role analysis etc.,
  3. Variant creation / reuse for any report analysis
  4. Option of having multiple rule sets & simulating users across multiple rule sets at same time
  5. Risk analysis for CUA, Composite roles
  6. Mitigation by system, risk id, mass mitigation for users, audit trail etc.,
  7. Risk analysis for HR objects
  B. Emergency Access Management (SPM)
  1. Mass reporting for all FF users, Ids, Executions
  2. Centrally maintained for all systems rather than individual ERPs.
  C. User Access Management (CUP)
  1. Customizable Access request forms
  2. HR based role assignment for position, org unit
  3. IDM integration using GRC Web services
  D. Business Role Management (ERM)
  1. Concept of Business role mapping for Technical roles.
  2. Audit Trails & PFCG Change history.
  Finally, the look, reporting format has been changed to provide additional information for analysis.
  More important - GRC V5.3 support is till 2015 & SAP has planned to push the customers to upgrade to 10.0. Eventually SAP is also planning to release GRC 11.0 by mid next year. So we have to wait & watch the show

• Distributing objects around circle

  I am working on Mac OS 10.4.11 and Adobe CS3 ME.
  I know it's possible to evenly distribute objects in a line. But I would like to evenly distribute objects in a circle shape. Can that be done in Indesign or Illustrator?

  Yes, it can be done in either InDesign or Illustrator.
  I'm going to give you the steps in InDesign, but Illustrator is almost identical.
  First draw the shape that you want to distribute. Position it where you would want the top or 12 o'clock item.
  Now, switch to the Rotate tool. As you do, a rotation center point appears inside the bounding box of the original object.
  This center point needs to be moved to the center of the circle that you want to rotate the object around. (Or where the hands of the clock would originate from.)
  Hold the Option or Alt key and click where the roatation center point needs to be.
  A dialog box appears.
  Enter the angle of roation. This is usually an amount that is created by dividing 360. For instance, if you want 10 objects around the circle, you would enter the rotation amount of 36 degrees.
  If you wanted 12 objects, you would enter the rotation amount of 30 degrees. You figure out what you want.
  Use the Preview amount to see what it would look like. When you like what you have, click the Copy button (not the OK button).
  You will now have one new object in position. At this point you have "primed the pump" so to speak. InDesign now knows to make a copy at a certain rotation.
  Go to Object > Transform Again > Transform Again. The keyboard shortcut is Cmd-Opt-3 or Control-Alt-3.
  Each time you invoke the command, a new copy appears in position.
  This is the classic way to distribute objects in a circle.
  There are other ways to do it that would put the object around an actual circular object.
  But you might as well learn this one first.

• Distributed transactions, distributed objects

  An observation and a conjecture about distributed transactions
  and distributed object references:
  Distributed non-service object references are persistent, and
  a transaction can, in principle, propagate to the distributed
  object through a method call from another partition.
  However, in order to make the transaction propagate to the
  object's partition the object must also have the
  isTransactional attribute set to TRUE. The Fort&eacute; runtime
  system apparently uses the isTransactional property not only
  for rollback of a distributed object's state, but also to
  indicate whether it is desired that transactions propagate to
  the object's partition. Thus, the behavior of a distributed
  object reference with respect to distributed transactions can
  be controlled by the value of the isTransactional attribute
  in the same way that the behavior of an environment-visible
  service object with respect to distributed transactions can
  be controlled by the dialog duration.
  Comments?
  John Hodgson |Descartes Systems Group Inc.|Tel TBD
  Systems Engineer|120 Randall Drive |Fax TBD
  |Waterloo, Ontario |www.descartes.com
  |CANADA N2V 1C6 |[email protected]
  Get Your Private, Free Email at http://www.hotmail.com
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

  http://transxtrail.sourceforge.net/

• User management and Access Control in HCM Cloud

  Hello,
  Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
  - How can I bridge HCM Cloud user store with my on-premise IDM or security repository in order to allow identty governance to flow to HCM Cloud service ?
  The only information I got was that you can declare manually and by bulk import through files my users. This is not really interresting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
  Is there a SPML or proprietary endpoint to do it automatically ? What are the prerequisites ? Do I have to implement OIM on my side ?
  - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service ?
  I do not want to distribute new set of login / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with HCM Cloud service ? What are the prerequisites ? Do I have to implement OAM on my side ?
  I accept all pieces of information you can give me on this topic to help me understand the funcitonalites, limits and options offered by Oracle Cloud and more precisely by HCM Cloud service.
  Best regards,

  OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
  At present, the only way to restrict view and access control is by appplying ACLs (which is not the safest bet).

• SAP GRC Access Control 5.3 intergration with orcale

  Good Day GRC Gurus,
  We want to integrate SAP GRC Access Control 5.3 with ORACLE.
  It would be great if someone could share some documents, presentation and experience on the same.
  Thanks in advance!!!!!!!!!!!!!
  Thanks and Regards,
  Jagat

  Hello Hersh,
  RTA for Oracle is basically a set of PL/SQL stored procedures to create grc schema, grant access and object creation. The package was created using oracle 11.5.10.2 version. I am not sure about the compatibility of the package with the new versions of oracle but still batch mode risk analysis is achievable even if the RTA is not compatible.
  I do not really like batch mode but it does serve the purpose. If I get a chance to test oracle RTA on new version I will surely share it with you.
  Best Regards,
  Amol Bharti
  http://amudee.com

• Access Control Context in Engineering Record screen

  Hello Gurus,
  I need to remove the Access Control Context and Owning Tet field from the PLM Engineering Record screen. Is it possible to do with configuration to hide these fields?
  I removed from "Specify Object Types for PLM Authorization check".
  Kindly advice.
  Thanks & Regards
  Jo

  Hi Jo ,
  You cannot hide it via configuration as access control context is coming from component reuse . I created it while my team was developing PLM ECR in SAP Labs India.
  One possible approach is to do a custom development to hide this field .
  Thanks & Regards,
  Abhishek.

• Distributed objects

  Hi,
  I have a doubt while going through mastering ejb book. can any one clarify me abt this of exactly what happening
  internally.
  In the implicit middleware:
  " when a client call a distributed object, the client calls a stub which is a client-side proxy object which inturn
  calls over the network the skeleton, which is a server side proxy object then the request interceptor intercepts
  the requests from the clients and then performs the middleware the your distributed object needs".
  In other place i found the following information:
  " The client never invokes the method on the actual instance of the bean, rather the request is intercepted by
  the Ejb container and then delegated to the actual bean instance".
  So what i want to know is what is the actual elements reprsenting the skeleton, request interceptor and stub on client
  side.
  chetana_vir

  So what i want to know is what is the actual
  al elements reprsenting the skeleton, request
  interceptor and stub on client
  side.On the client side, the objects are the vendor-specific implementations of your Remote interface. (The Home acts as the "locator".) However, you don't ever really need to use anything beyond what your interface has provided. Don't worry about the stubs - they're hiding "under" the Remote interface.
  As for the server side, once again you never "see" the skeletons or the request interceptors - all you need to be concerned with is the code in your EJB. The vendor classes take care of accessing and maintaining the various instances of your EJB.
  Personally, having done "straight" RMI, I find this one of the most compelling "beauties" of EJBs. Just get the stuff in order, deploy it, and go!