Dynamic roles in ALBPM

Hi,
How to use parameter roles? Any code samples are appreciated. We have a role like RM for a country, so we specify RM as parametric for each country. But some of the participants are global, which means that when they log in they should get access to all the countries. How to implement this in parametric roles?

You need to create one instance variable, say countryName, which will hold the country name. Then make countryName the parameter for the role, say "CountryManager".
Suppose you want to make participant A handle instances of country "ABC"; then open the organization structure window. Open the Participant A dialog box. In that you can add the roles which this participant belongs to. So add the role CountryManager and add the parameter value as "ABC". Now participant A will only get the instances which have country as "ABC".
No code is required. This needs to be done through Organization Structure window in Studio.
Hope this helps.
Regards
Right Chord

Similar Messages

  • BPM Dynamic Roles

    Hi All,
    I am trying to figure out how I can dynamically assign roles within BPM. So I want to be able to route the BPM process to the manager of the user that the process was assigned. I am just not sure how to dynamically do this within BPM.
    Any thoughts? Any documentation on dynamic roles would be greatly appreciated.
    We are using BPM 11g.
    --S

    So is it the call CreateResourceList that lets you actually set the user / approle for a flow?
    It looks like that might be on the right track.
    --S

  • Dynamic Role -- Group Mapping not working in WebLogic 10

    I have an installation I am migrating from 9.2 to 10. It uses Dynamic Role Mapping:
    From my Weblogic.xml within the deployment:
        <security-role-assignment>
            <role-name>EELSSystemAdministrator</role-name>
            <externally-defined/>
        </security-role-assignment>
    I am using SPNEGO SSO, and it is working fine, it retrieves the principals from LDAP and adds them to the subject, so everything is fine there. I have defined the deployment constraint "EELSSystemAdministrator" as a Global Role, and then added a condition "group" and set it to the LDAP Group (SMS EELSSystemAdministrator) which is one of the three principals being returned from LDAP.
    When the Role mapper runs, it returns the following in the logs:
    <SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users, SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator ,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> false>
    <SecurityRoleMap> <primary-rule evaluates to NotApplicable because of Condition>
    <SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:top, 1.0 evaluates to Deny>
    <SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: DENIED
    In my 9.2 installation that is working I get the following in the logs:
    <SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> true>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:or(true) -> true>
    <SecurityRoleMap> <primary-rule evaluates to Permit>
    <SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:type@E@Furl@G@M@Oapplication@EEELSWeb@[email protected]@O$@S@VDSTAMP@S@W@M@OcontextPath@E@UEELS@M@Ouri@E@U, 1.0 evaluates to Permit>
    <SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: GRANTED>
    I am not sure why my 9.2 deployment lists the role type as a "url" (which points to the right deployment), and 10 lists it as the word "top". Either way, it is not authenticating to my global role based on the Group returned from LDAP.
    I'm pretty much out of troubleshooting ideas, having compared every config file/log file etc. to find discrepancies in my setup. Anyone have any suggestions, perhaps something that has to be set up differently in 10 than in 9.2?
    Thanks in Advance,
    John

    Update:
    I checked a bunch of settings, and it seems to be working now, very odd.
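
As quoted above, the WebLogic 10 `string-is-in` line has a space between the condition's group name and the comma, while the 9.2 line does not. The following added example (not part of the original post and not a WebLogic tool) parses such `SecurityRoleMap` debug lines and reports failed comparisons whose values would match after trimming whitespace or folding case; the function names are hypothetical, and the thread does not confirm that this space was the cause.

```python
import re

# The two "Evaluate ... string-is-in" lines quoted in the post (WebLogic 10 first,
# then 9.2), copied with their spacing as it appears on the page.
SAMPLE_LOG = (
    "<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in"
    "(SMS EELSSystemAdministrator ,[everyone,users,SMS EELSSystemAdministrator,"
    "SMS EELSReportAnalyst]) -> false>\n"
    "<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in"
    "(SMS EELSSystemAdministrator,[everyone,users,SMS EELSSystemAdministrator,"
    "SMS EELSReportAnalyst]) -> true>\n"
)

# string-is-in(<condition value>,[<subject group list>]) -> true|false
EVAL_RE = re.compile(
    r"string-is-in\((?P<needle>[^\[\]]*?),\[(?P<members>[^\]]*)\]\)"
    r"\s*->\s*(?P<result>true|false)"
)


def parse_evaluations(log_text):
    """Yield (condition_value, subject_values, result) per string-is-in line.

    Values are kept byte-for-byte: stripping them here would hide exactly
    the difference the audit is looking for.
    """
    for match in EVAL_RE.finditer(log_text):
        raw_members = match.group("members")
        members = raw_members.split(",") if raw_members else []
        yield match.group("needle"), members, match.group("result") == "true"


def audit(log_text):
    """Return near-miss findings for comparisons that evaluated to false.

    A near miss is a subject value that is not identical to the condition
    value but becomes identical after strip() and casefold().
    """
    findings = []
    for needle, members, result in parse_evaluations(log_text):
        if result:
            continue  # the role condition matched, nothing to explain
        for member in members:
            if member == needle:
                continue
            if member.strip().casefold() != needle.strip().casefold():
                continue
            differs_by = []
            if member.strip() != member or needle.strip() != needle:
                differs_by.append("whitespace")
            if member.strip() != needle.strip():
                differs_by.append("case")
            findings.append({
                "condition_value": needle,
                "subject_value": member,
                "differs_by": differs_by,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        # repr() makes leading and trailing spaces visible in the report
        print("condition %r vs subject %r differs by %s" % (
            finding["condition_value"],
            finding["subject_value"],
            ", ".join(finding["differs_by"]),
        ))
```
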

  • Authorizations: Dynamic roles

    Hello everybody,
    We are going to migrate our authorizations from 3.x concept to BI-7.
    With the new concept we are compelled to respect certain requirements, like including in the single user profile every InfoObject “AuthorizationRelevant” (those that are also built into the InfoProvider, intended for the future analysis).
    - Certain users had only one dynamic role. In such a case we are able to restrict for instance:
      o 0CO_AREA = a value;
      o every other InfoObject “AuthorizationRelevant” = “*” (every single value)
    - Certain users had two or more dynamic roles; in such a case we are supposed to:
      o ROLE 1: 0CO_AREA = a value; every other InfoObject “AuthorizationRelevant”, for instance 0COMANY_CODE = “*” (every single value)
      o ROLE 2: 0COMANY_CODE = a value; every other InfoObject “AuthorizationRelevant”, for instance 0CO_AREA = “*” (every single value)
    In this particular case though we expect that the system will ignore our restrictions because it is adding the two roles in fact:
    ROLE 1 is set: 0CO_AREA = a value;
    ROLE 2 is set: 0CO_AREA = “*”.
    Based on what we just described above, here are our questions:
    1. Does a symbol exist (for instance “:” or “>”) that we can assign to every InfoObject “AuthorizationRelevant” in order to cheat the system, making it understand that it is there but not relevant for the authorizations (instead of using “*”)?
    2. If not, can you please suggest another way to cope with the problem of a user having more than one dynamic role assigned?
    Thank you very much
    Matteo Mariniello

    Hello,
    I don't have a solution but I think I understood Matteo's goal, which is not at all to authorize users to do anything they want to.
    He wants to restrict certain tasks, but when a user has two or more dynamic roles, the addition of them makes the restriction useless.
    As he said
    Dynamic Role 1)
    0CO_AREA = a value
    0COMP_CODE= *
    Dynamic Role 2)
    0CO_AREA = *
    0COMP_CODE= A VALUE
    Therefore; the addition of them for ONE user is going to make the restrictions
    0CO_AREA = a value
    0COMP_CODE= a value
    USELESS!!
    Take Care
    Domenico

  • Init function to enable dynamic roles

    Hi
    We want to use dynamic roles at database level. We are using JAAS for security at application level, and we want to enable the roles in a database procedure based on the JAAS username, but we need to execute this database procedure before any other action, like an init() function. Where can we execute this method? I tried in the ApplicationModule constructor but it doesn't work well because I need to use the function getApplicationModule to obtain the JAAS user.
    Where can I execute this method ? maybe a function at Application Module level
    Thanks in advance
    Liceth

    Liceth,
    With functionality like this you have to always remember that many things (such as Application Module instances and DB connections) are pooled and re-used, so the constructor of an ApplicationModuleImpl is definitely NOT the place!
    If I understood your problem correctly, it sounds very similar to the problem you would be facing when using Business Components together with the VPD (Virtual Private Database) feature of the Oracle Database. It boils down to you having to execute a PL/SQL procedure every time a database connection is obtained from the database connection pool when an ApplicationModule instance is checked out from the ApplicationModulePool for a particular user/session.
    If you search OTN on the combination VPD and BC4J, you will certainly find some very useful documents that will probably help you implement your solution.
    Kind regards,
    Peter Ebell
    JHeadstart Team

  • Dynamic roles in Agent Assignment

    Dear All
    I have a requirement to assign dynamic roles which are stored in a container element. When I select the role in the agent assignment of the task, all the system roles come up in the drop-down. How do I assign the role stored in the container element in agent assignment?
    Thanx in advance

    You can use a simple rule that returns the agents having that role; FM PRGN_READ_USERS_FOR_ONE_AGR will do the trick.
    Or else I think you can just use a role as an expression (haven't done this myself). Just as you would pass in USUSERNAME, prefix it with AG. You may have an issue with data types though if the role name is longer than the standard HR object name, I haven't tried it for this very reason.

  • Dynamic role Assignment in Portal using Web dynpro Java?

    Hi All,
    We have following requirement for dynamic role assignment.
    1) User Login to Portal.
    2) User Clicks on Home Tab in Portal, through RFC/BAPI, get Role from Backend(ECC) and compare the role ID with Portal Object ID through UME.
    Role gets assigned in Portal after comparison, if it exists in Portal.
    Can you please let me know what all steps I need to do to complete the above assignment.
    Thank you
    Ravi

    Thanks Tobias.
    To be precise I will explain my requirement.
    1) User Login ( User ID will be input to RFC)
    2) RFC will get Role for that user ID from Backend(ECC) and return that role ID to Portal.
    3) Now With the help of UME API, need to search role ID in Portal, If it exists, no action.
    If Role ID does not exist, then it should assign that role in Portal.
    Sorry for the tedious comment.
    I am a bit new to Web Dynpro.
    Can you please tell me each step I need to follow to complete the above requirement.
    Many Thanks,
    Ravi

  • Creating dynamic workflow using ALBPM

    Does ALBPM provide functionality such as creating dynamic workflows? That is, workflows that are created by users (similar to Windows Workflow Foundation).

    You can do this using a "controller" process design pattern. Controller in this context is just an automatic activity to put in your process to cause work item instances to flow to different activities in the process. The benefit to having this activity is that it allows the adhoc or user designed behavior you're looking for. Once an instance reaches the Controller automatic activity, the logic inside this activity would determine where it needs to go next via a conditional transition coming out of the Controller. Once done, the instance returns to the controller and goes where the original user designated it should go.
    The set up for this is typically an array that the first user defines. Each item in the array contains the role and the activity in the role that it should go to next. The sequence of items in the array defines where it goes next as each item in the array is popped off the stack. Consider using a parametric role so you do not clutter up the process with 100 different roles. You'd instead just define the parameter of the role you'd like it to flow to next.
    The controller automatic activity would just be in an Automatic Handler role.
    Dan

  • OBPM 10gR3 Dynamic Role Assignment at user login

    Hi,
    For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
    Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
    All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
    It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
    So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
    Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), we opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
    The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
    We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
    However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
    Therefore, we dumped the invocation in the actual constructor - and this seems to work for the most part. Yet on the odd occasion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
    We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
    So I really have 2 questions:
    1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
    2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
    Thanks for reading.

    Sorry for the belated response - I don't get notified of replies.
    The code for my custom SSOLoginModule class is:-
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.util.Properties;
    import fuego.workspace.security.SSOWorkspaceLoginInterface;
    import fuego.papi.Arguments;
    import fuego.papi.CommunicationException;
    import fuego.papi.InstanceInfo;
    import fuego.papi.OperationException;
    import fuego.papi.ProcessService;
    import fuego.papi.ProcessServiceSession;
    import fuego.sso.SSOLoginException;
    import fuego.sso.SSOUserLogin;
    import fuego.jsfcomponents.Util;
    import fuego.workspace.model.common.WorkspaceApplicationBean;

    public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {

        private ProcessService pService;
        private ProcessServiceSession pServiceSession;
        private Properties properties;

        public CustomSSOWorkspaceLogin() {
            //Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
            pService = createProcessService();
            pServiceSession = createProcessServiceSession();
            assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
        }

        //Reuse the ProcessService that the Workspace already holds
        private ProcessService createProcessService() {
            return WorkspaceApplicationBean.getCurrent().getProcessService();
        }

        //Open a PAPI session with a directory account (placeholder credentials, as posted)
        private ProcessServiceSession createProcessServiceSession() {
            return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
        }

        //This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
        private void assignDefaultRole(String email) {
            try {
                String processId = "myRoleAssignmentProcessId";
                String argumentName = "argumentName"; //the name of the input argument to feed in the participant
                String argumentValue = email;
                Arguments arguments = Arguments.create();
                arguments.putArgument(argumentName, argumentValue);
                InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
                Long waitTime = new Long(1000);
                Long timeLimit = new Long(5000);
                boolean roleAssigned = false;
                boolean timeLimitExceeded = false;
                Long startTime = System.currentTimeMillis();
                //Allow role assignment thread to complete
                //Poll once per waitTime until the instance completes or timeLimit has passed
                while (!roleAssigned && !timeLimitExceeded) {
                    try {
                        Thread.sleep(waitTime);
                        if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
                            roleAssigned = true;
                        }
                        if (System.currentTimeMillis() - startTime > timeLimit) {
                            timeLimitExceeded = true;
                        }
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }
                }
                //close process service session
                pServiceSession.close();
                //Do not close the service itself as it is shared with the Workspace itself!
                //pService.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
            //Unfortunately, the below does not work here because the role assignment is not fast enough
            //The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
            //Therefore, we run the below statements from the constructor - ugly but functions.
            //pService = createProcessService();
            //pServiceSession = createProcessServiceSession();
            //assignDefaultRole(httpservletrequest.getRemoteUser());
        }

        public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
        }
    }

  • Dynamic role setting in human task

    Hi,
    I would like to use the human task activity in a BPEL process setting the role that has to complete the activity dynamically.
    I mean, inside the human task editor, there is a section named "Assignment and Routing policy" where I add a participant to the task. There, I have two options: By name (which I have already used) or by expression.
    I would like to assign the role from a variable of my process. That is, I invoke the business rules engine, and the result is a role. Then, I want to assign the human task to that role. Is this possible? How do I do this?
    Thanks in advance,
    Zaloa

    We do the same. We invoke a service from BPEL before the human workflow activity. This service returns a department (that is also present in our OID) based on some instance data. We assign this role to the human task in the task definition like this:
    <routingSlip xmlns="http://xmlns.oracle.com/bpel/workflow/routingSlip">
        <globalConfiguration>
            <expirationDuration duration="/task:task/task:payload/ns0:humanTaskInformation/ns0:expirationDate"
                                type="XPATH"/>
        </globalConfiguration>
        <participants isAdhocRoutingSupported="false">
            <participant name="Department">
                <resource isGroup="true" type="XPATH">/task:task/task:payload/ns0:humanTaskInformation/ns0:department</resource>
            </participant>
        </participants>
        <notification includeTaskAttachments="false" actionable="false"
                      secureNotifications="false"/>
    </routingSlip>
    This works.
    As Eric already indicated, you should see some error detail in the audit trail when the human workflow activity "falls through".
    Regards, Ronald

  • Application roles and dynamic roles

    Hello all,
    In my custom workflow, I need to send approvals to some employees. The list of their positions is created in a Lookup table. The procedure I am following now is: I am creating application roles and adding the names of the people who are in those positions to that role.
    In the workflow, i am sending the notification to that role and all the people in that role get the notification.
    My question is, how is this different from creating role dynamically?
    Which one is preferable?
    Thanks
    Kumar

    Hi,
    How often do the users change? If there is a regular turnover of users, then it would be easier to maintain as an adhoc role which is created for each process and the users dynamically added to the role. If there is very little turnover of users in the table, then this is less of a maintenance overhead.
    Do the users have an extra responsibility purely to receive the notification? If so, they might not want to see that as an option when they log in, in which case you should consider an adhoc role.
    How many instances of the process are likely to be running at the same time? Who should be notified if the list of users changes during the process execution - the old list, or the new list? Depending on the answers, there are pros and cons of building the solution using responsibilities or adhoc roles - only you and your client know the answers, though.
    Matt
    WorkflowFAQ.com - the ONLY independent resource for Oracle Workflow development
    Alpha review chapters from my book "Developing With Oracle Workflow" are available via my website http://www.workflowfaq.com
    Have you read the blog at http://www.workflowfaq.com/blog ?
    WorkflowFAQ support forum: http://forum.workflowfaq.com

  • How to add dynamic roles to a document service in webcenter.

    Hi Everybody,
    I am using webcenter11.1.1.4.0. I integrated UCM with webcenter. Most of the documents are public and some documents are sensitive. Now one of my requirements is, I have to add public folders in webcenter. Another requirement is, For sensitive documents i have to select some people as per requirement. That means those people only can see the documents.
    Can anybody suggest how to achieve the above thing?
    Thanks in Advance.
    Regards,
    SEW Support

    One additional question - How to place the generated tab somewhere on the View? Now it's just placed at the bottom...
    This question is answered - I just have to change the root element for cl_wd_dynamic_tool=>create_table_from_node

  • Dynamic calculation of privileges into business role

    hi,
    I have a requirement to create business roles containing a dynamic list of privileges. In addition, a costcenter attribute allows determining the right privileges, within a business role, to assign.
    I thought to use dynamic groups so that each time I assign a business role, a calculation of privileges based on costcenter is achieved.
    for example:
    BR1;FR10;Z_technical_privileges
    BR1;FR30;Z_technical_privileges2
    This list is often updated that's why I need it to be dynamic.
    In the filter tab of the dyn group, I set a request to retrieve the mskeys of privileges (here is mskey of PRIV:ROLE:<sys>:Z_technical privileges & PRIV:ROLE:<sys>:Z_technical_privileges2)
    Then I attach the dyn groups to the role (BR1) by setting up the autoassign field in the membership tab of the role.
    When I assign the BR to a user, no privilege is provisioned (user already have an account in that system).
    Am I forgetting something or doing something wrong?
    how can I include the "check" on costcenter attributes?
    thanks
    Guillaume

    Hello Guillaume,
    dynamic roles find you the pool of people that can be used in a business role. If you attach a dynamic role to a BR, those users will become members of the BR.
    You are trying the same with privileges and that's why nothing happens. Because privileges can't become members of the BR.
    Are the different lists of privileges, that need to be assigned to users via the costcenter-attribute really changing so much?
    You could use the dynamic groups to look for the members of a costcenter and assign those to the BR specific for that costcenter with the privileges added to the BR. That means one BR per costcenter and the privileges need to be changed manually or maybe via a job.
    Hmm... where do the new privileges come from? How would you find them dynamically anyway? If you have a SQL statement for that, it should be possible to create a job, that adds the new privileges to the BR and delete old ones.
    I don't see a fast and easy way to do this, but I haven't come across a request like this yet, so maybe there is one and I just don't know it (yet ^^).
    Regards,
    Steffi.

  • Assigning roles dynamically through an application

    We have an application being written in PowerBuilder 7.0.3 which accesses an Oracle 8.0.5 database running on OpenVMS. Is there a way to dynamically assign roles through the application to ensure that no modifications are made outside of the application?
    Thanks

    The use of dynamic roles for security is a very bad idea! Even if you set a password on the role, determining the name and the password for the role is trivial. Just open the binary using notepad, and search for "set role" and the password is right there.
    The only way to securely design your application is to place the controls in the database where they can not be manipulated. Use stored procedures, functions, and views!
    HTH,
    Aaron C. Newman
    AppProtect, Inc.

  • Dynamic BirthDay Message On Portal

    HI All,
    I have a requirement that the Portal should show birthday greetings on the birthdays of the users, i.e., as soon as the user logs in, a birthday message should be displayed. I can think of the following scenarios:
    1. The Masthead Of Portal Should Change on His Date Of Birth.
    2. The Portal Should Show a Birth Day Message as a Pop-up Window.
    3. Creation of a Dynamic Role, such that as soon as the user logs in, Birth Day role is to be made visible and rest of the time, it would be invisible.
    Can some one please assist me that how can I move forward with either of these.
    Cheers!!!
    Umang

    Hi
    To make things simple, just develop one application like Birthday Calendar which shows the month-wise birthdates and employee names; there you can put common wishes for all.
    Here you can use Webdynpro java and ABAP to do it.
    As you are asking it might create complications for a big organization, even for maintaining and system performance wise.
