Dynamic, rules based security
My organization has an application that needs a very fine grained scurity model, that changes very often and is based upon a rules machnisem (written in PL/SQL). Is there a way to combine a rule based mechanism with the internal ACL mechanism of the iFS ?
null
Hi Harvey_SO,
According to your description, you get the security ignored when using custom dynamic role-based security. Right?
In Analysis Services, it has some role overlapping scenarios, if two roles used to secure attributes in two different dimensions, which might both apply to some users simultaneously, it can cause the user has no security applied from either role. Please
refer to workarounds in the link below:
The Additive Design of SSAS Role Security
If you have any question, please feel free to ask.
Best Regards,
Simon Hou
TechNet Community Support
Similar Messages
-
Dynamic Rule based implementation in PL/SQL
Hi,
We are trying to implement a dynamic rule based application in Oracle 9i. Its simple logic where we store expressions as case statments and actions seperated by commas as follows.
Rule: 'Age > 18 and Age <65'
True Action: 'Status = ''Valid'' , description = ''age in range'''
False Action: 'Status =''Invalid'', Description=''Age not in range'''
Where Age,Status, description are all part of one table.
One way of implementing this is fire rule for each record in the table and then based on true or false call action as update.
i.e
select (case when 'Age > 18 and Age <65' then 1 else 0 end) age_rule from tableX
(above query will in in a cursor xcur)
Then we search for
if age_rule = 1 then
update tablex set Status = ''Valid'' , description = ''age in range'' where id=xcur.id;
else
update tablex set Status =''Invalid'', Description=''Age not in range'' where id=xcur.id;
end if;
This method will result in very slow performance due to high i/o. We want to implement this in collection based method.
Any ideas on how to dynamically check rules and apply actions to collection without impact on performance. (we have nearly 3million rows and 80 rules to be applied)
Thanks in advanceReturning to your original question, first of all, there is a small flaw in the requirements, because if you apply all the rules to the same table/cols, than the table will have results of only last rule that was processed.
Suppose rule#1:
Rule: 'Age > 18 and Age <65'
True Action: 'Status = ''Valid'' , description = ''age in range'''
False Action: 'Status =''Invalid'', Description=''Age not in range'''
and Rule#2:
Rule: 'Name like ''A%'''
True Action: 'Status = 'Invalid'' , description = ''name begins with A'''
False Action: 'Status =''Invalid'', Description=''name not begins with A'''
Then after applying of rule#1 and rule#2, results of the rule#1 will be lost, because second rule will modify the results of the first rule.
Regarding to using collections instead of row by row processing, I think that a better approach would be to move that evaluating cursor inside an update statement, in my tests this considerably reduced processed block count and response time.
Regarding to the expression filter, even so, that you are not going to move to 10g, you still can test this feature and see how it is implemented, to get some ideas of how to better implement your solution. There is a nice paper http://www-db.cs.wisc.edu/cidr2003/program/p27.pdf that describes expression filter implementation.
Here is my example of two different methods for expression evaluation that I've benchmarked, first is similar to your original example and second is with expression evaluation moved inside an update clause.
-- fist create two tables rules and data.
drop table rules;
drop table data;
create table rules( id number not null primary key, rule varchar(255), true_action varchar(255), false_action varchar(255) );
create table data( id integer not null primary key, name varchar(255), age number, status varchar(255), description varchar(255) );
-- populate this tables with information.
insert into rules
select rownum id
, 'Age > '||least(a,b)||' and Age < '||greatest(a,b) rule
, 'Status = ''Valid'', description = ''Age in Range''' true_action
, 'Status = ''Invalid'', description = ''Age not in Range''' false_action
from (
select mod(abs(dbms_random.random),60)+10 a, mod(abs(dbms_random.random),60)+10 b
from all_objects
where rownum <= 2
insert into data
select rownum, object_name, mod(abs(dbms_random.random),60)+10 age, null, null
from all_objects
commit;
-- this is method #1, evaluate rule against every record in the data and do the action
declare
eval number;
id number;
data_cursor sys_refcursor;
begin
execute immediate 'alter session set cursor_sharing=force';
for rules in ( select * from rules ) loop
open data_cursor for 'select case when '||rules.rule||' then 1 else 0 end eval, id from data';
loop
fetch data_cursor into eval, id;
exit when data_cursor%notfound;
if eval = 1 then
execute immediate 'update data set '||rules.true_action|| ' where id = :id' using id;
else
execute immediate 'update data set '||rules.false_action|| ' where id = :id' using id;
end if;
end loop;
end loop;
end;
-- this is method #2, evaluate rule against every record in the data and do the action in update, not in select
begin
execute immediate 'alter session set cursor_sharing=force';
for rules in ( select * from rules ) loop
execute immediate 'update data set '||rules.true_action|| ' where id in (
select id
from (
select case when '||rules.rule||' then 1 else 0 end eval, id
from data
where eval = 1 )';
execute immediate 'update data set '||rules.false_action|| ' where id in (
select id
from (
select case when '||rules.rule||' then 1 else 0 end eval, id
from data
where eval = 0 )';
end loop;
end;
Here are SQL_TRACE results for method#1:
call count cpu elapsed disk query current rows
Parse 37 0.01 0.04 0 0 0 0
Execute 78862 16.60 17.50 0 187512 230896 78810
Fetch 78884 3.84 3.94 2 82887 1 78913
total 157783 20.46 21.49 2 270399 230897 157723
and this is results for method#2:
call count cpu elapsed disk query current rows
Parse 6 0.00 0.00 0 0 0 0
Execute 6 1.93 12.77 0 3488 170204 78806
Fetch 1 0.00 0.00 0 7 0 2
total 13 1.93 12.77 0 3495 170204 78808
You can compare this two methods using SQL_TRACE. -
Can you create a javascript dynamic menu based on security data in oracleDB
I am looking for a dynamic javascript menu that is generated based on the user role... basically i get the user role from ldap and then I have a Security table in oracle data base that has the permission info and i want to generate my dynamic menu based on the data in the database table.... the table has the following columns
private String userId;
private String security_level; // page level , field level
private String permission; //CRUD
private String permissionType; //ALLOW, DENYHello Suzie,
It is possible but you have "many" ways to do it, since what will happen is the javascript will be generated by an application.
Are you developing a J2EE application? with or without JSF?
The best way will be to Google to find a good Javascript menu library, and adapt the generation of it based on the content of your database.
Regards
Tugdual Grall -
Using container managed form-based security in JSF
h1. Using container managed, form-based security in a JSF web app.
A Practical Solution
h2. {color:#993300}*But first, some background on the problem*{color}
The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principles*" that are defined to interact with your application. A security principle is basically just a user of the system that is defined by three fields:
- Username
- Group
- Password
The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
1. Start up your app server and log into the admin interface (http://localhost:4848)
2. Drill down into Configuration > Security > Realms.
3. Here you will see the default realms defined on the server. Drill down into the file realm.
4. There is no need to change any of the default settings. Click the Manage Users button.
5. Create a new user by entering username/password.
Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more usefull in a real app.
I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
h2. {color:#993300}*Step 2: Create the project*{color}
Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
1. Start by creating a new Visual Web JSF project.
2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
1. login.jsp (A Visual Web JSF file)
2. loginproxy.jspx (A plain JSPX file)
3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
Code follows for each of the files:
h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
<navigation-rule>
<from-view-id>/login.jsp</from-view-id>
<navigation-case>
<from-outcome>loginproxy</from-outcome>
<to-view-id>/loginproxy.jspx</to-view-id>
</navigation-case>
</navigation-rule>
NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
<jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
<f:view>
<webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:textField binding="#{login.username}"
id="username" style="position: absolute; left: 216px; top:
96px"/>
<webuijsf:passwordField binding="#{login.password}" id="password"
style="left: 216px; top: 144px; position: absolute"/>
<webuijsf:button actionExpression="#{login.button1_action}"
id="button1" style="position: absolute; left: 216px; top:
216px" text="GO"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
</webuijsf:page>
</f:view>
</jsp:root>h3. *login.java -- implent the
button1_action() method in the login.java backing bean*
public String button1_action() {
setValue("#{requestScope.username}",
(String)username.getValue());
setValue("#{requestScope.password}", (String)password.getValue());
return "loginproxy";
}h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="2.0">
<jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
doctype-system="http://www.w3.org/TR/html4/loose.dtd"
doctype-public="-W3CDTD HTML 4.01 Transitional//EN"/>
<jsp:directive.page contentType="text/html"
pageEncoding="UTF-8"/>
<html>
<head> <meta
http-equiv="Content-Type" content="text/html;
charset=UTF-8"/>
<title>Logging in...</title>
</head>
<body
onload="document.forms[0].submit()">
<form
action="j_security_check" method="POST">
<input type="hidden" name="j_username"
value="${requestScope.username}" />
<input type="hidden" name="j_password"
value="${requestScope.password}" />
</form>
</body>
</html>
</jsp:root>
{code}
h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF{color}
target page, placed in the secure folder to test access*
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
<jsp:directive.page
contentType="text/html;charset=UTF-8"
pageEncoding="UTF-8"/>
<f:view>
<webuijsf:page
id="page1">
<webuijsf:html id="html1">
<webuijsf:head id="head1">
<webuijsf:link id="link1"
url="/resources/stylesheet.css"/>
</webuijsf:head>
<webuijsf:body id="body1" style="-rave-layout: grid">
<webuijsf:form id="form1">
<webuijsf:staticText id="staticText1" style="position:
absolute; left: 168px; top: 144px" text="A Secure Page"/>
</webuijsf:form>
</webuijsf:body>
</webuijsf:html>
</webuijsf:page>
</f:view>
</jsp:root>
{code}
h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
This type of security is called +declarative+ because it is not configured programatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already have the implementation to make everything work for you.
*web.xml will be used to define:*
- Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
- Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
- Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
*sun-web.xml will be used to define:*
- This is where you map a Role to the Users or Groups that are allowed to use it.
+I know this is confusing the first time, but basically it works like this:+
*Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
{code}
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>SecurePages</web-resource-name>
<description/>
<url-pattern>/faces/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>User</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name/>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>User</role-name>
</security-role>
{code}
h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
{code}
<security-role-mapping>
<role-name>User</role-name>
<group-name>Users</group-name>
</security-role-mapping>
{code}
h3. {color:#ff6600}*Almost done!!!*{color}
h2. {color:#993300}*_Step 5: A couple of minor "Gotcha's"_ *{color}
h3. {color:#ff6600}*_Gotcha #1_*{color}
You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself .
h3. {color:#ff6600}*_Gotcha #2_*{color}
Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
*DONE!!!*
h2. {color:#993300}*_Here's how it works:_*{color}
1. The user requests the a page from your context (http://localhost/MyLogin/)
2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
5. The user enters username and password and clicks a button to submit.
6. The button's action method stores away the username and password in the request scope.
7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
9. The hidden username and password fields grab the username and password variables from the request scope.
10. The loginproxy page is automatically submitted with the magic action "j_security_check"
11. j_security_check notifies the container that authentication needs to be intercepted and handled.
12. The container authenticates the user credentials.
13. If the credentials fail, the container forwards the request to the login.jsp page.
14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
+Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
+The user is now at the secure welcome page.+
If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
Kerry RandolphIf you want login security on your web app, this is one way to do it. (the easiest way i have seen).
This method allows you to create a custom login form and error page using JSF.
The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
This example uses a statically defined user/password, stored in a file, but you can also configure JDBC realm in Glassfish, so that that users can register for access and your program can store the username/passwrod in a database.
I'm new to programming, so none of this may be a good practice, or may not be secure at all.
I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
--Kerry -
we have an airline pricing system whose rules change often, and rather than re-designing tables and the client application code everytime that happens, we would like to develop a rule-based system to dynamically store the rules in a rule-based system that doesn't require re-design and code modification.
any ideas ?
here is an example of the data that we would like to store
if seasonality is LOW
and passenger is CHILD
and carrier is TRW
and origination is COS
and destination is PIT
and ticket code is Y
then price is 908
seasonality for carrier TRW is LOWfor travel between 01/15/06 to 04/15/06
seasonality for carrier JAR is LOW for travel between 02/01/06 to 05/01/06
age for carrier TRW is CHILD for passenger age betwen 2 and 12
age for carrier JAR is CHILD for passenger age between 6 and 14
.. and another price can be given with an entirely different set of rules
reason is ask in this forum is I read a blog of someone who praises the set-based nature of the SQL language for developing exactly this kind of system, rather than trying to implement it on the client (for example using JRules)What version of Oracle are you on? 10g introduced a rules engine into the database (Oracle Rules Manager and/or Oracle Expression Filter) which would seem to be right up your alley.
Justin -
Rule based location substitution:
Hi,
We have the following scenario:
Material : X
Location : A ->B -> C (B is a substitute of A and C is a substitute of B)
ATP position A = 2
B = 2
C = 2
Sales Order of 10 raised at A : Location substitution happens and partially confirms sales order with 6 quantities.
Therefore new ATP position is as below
A = 0
B = 0
C = 0
Now we want to give confirmation(of 4 quantities) based on external lead time to vendor. This will be based on source-list in R/3. The PO to vendor can be based on any of the location based on source-list. i.e. it can be from A,B, or C. The source list is dynamic and can change based on business decision. i.e today the PO plant can be A. It can change tomorrow and be B.
What is the best possible way to model the scenario?
The constraint is that we are not allowed to change the checking rule.
Regards
SameerHi Sameer,
Your scenario is rules based location substitution and then MRP based upon source list.
No matter whether plant A or plant B or C comes on line item , demand should be placed on plant suggested by source list.
I think you can control it using source list field MRP "1 Record relevant to MRP" and planning Plant.
Example : sales order line item plant is A and in source list planning plant is B then , PO will be created at plant B.
Then it will be a two step MRP process:
1.P.O from Plant B to vendor
2. STO from plant B to A.
Thanks
Pavan Verma -
Hi all,
I am currently working on a project which required to Implemented 500-600 rules in the System. Some of them are global Rules and some are just module level rules.
Is there any pattern exist for Rule Based System?
Thanks in Advance
RashmikantJust 1 pattern?
The short answer: No.
The longer (though still short answer):
A rules engine is not the easiest thing to implement, just 2 or 3 classes don't hack it if you're working with a dynamic rule base that is steered based on input/ouput and states.
There are rules engines for sale and there also a few opensource, look on the internet, use your best best friend. -
hi,
my database is 10.2.0.1...by default optimizer_mode=ALL_ROWS..
for some sessions..i need rule based optimizer...
so can i use
alter session set optimizer_mode=rule;
will it effect that session only or entire database....
and following also.i want to make them at session level...
ALTER SESSION SET "_HASH_JOIN_ENABLED" = FALSE;
ALTER SESSION SET "_OPTIMIZER_SORTMERGE_JOIN_ENABLED" = FALSE ;
ALTER SESSION SET "_OPTIMIZER_JOIN_SEL_SANITY_CHECK" = TRUE;
will those effect only session or entire database...please suggest< CBO outperforms RBO ALWAYS! > I disagree - mildlyWhen I tune SQL, the first thing I try is a RULE hint, and in very simple databases, the RBO still does a good job.
Of course, you should not use RULE hints in production (That's Oracle job).
When Oracle eBusiness suite migrated to the CBO, they placed gobs of RULE hints into their own SQL!!
Anyway, always adjust your CBO stats to replicate an RBO execution plan . . . .
specifically CAST() conversions from collections and pipelined functions.Interesting. Hsve you tried dynamic sampling for that?
Hope this helps. . .
Don Burleson
Oracle Press author
Author of “Oracle Tuning: The Definitive Reference”
http://www.dba-oracle.com/bp/s_oracle_tuning_book.htm -
Hi,
Rule Based Optimization is a deprecated feature in Oracle 10g.We are in the process of migrating from Oracle 9i to 10g.I have never heard of this Rule based Optimization earlier.I have googled for the same.But, got confused with the results.
Can anybody shed some light on the below things...
Is this Optimization done by Oracle or as a developer do we need to take care of the rules while writing SQL statements?
There is another thing called Cost Based Optimization...
Who will instruct the Oracle whether to use Rule Based Optimization or cost Based Optimization?
Thanks & Regards,
user569598Hope the following explanation would be helpful.
Whenever a statement is fired, Oracle should goes through the following stages:
Parse -> Execute -> Fetch (fetch only for select statement).
During Parse, Oracle first evaluates, Syntatic checking (SELECT, FROM, WHERE, ORDER BY ,GROUP and etc) and then Semantic Checking (columns names, table name, user permission on the objects and etc). Once these two stages passes, then, it has to decided whether to do soft parse or hard parse. If similar cursor(statement) doesn't exits in the shared pool, Oracle goes for Hard parse where Optimizer comes in picture for generating query plan.
Oracle has to decide either RBO or CBO. It also depends on the OPTIMIZER_MODE parameter value. If RULE hint is used, RBO will be used, if there are no statistics for those tables involved in the query, Oracle decides RBO, (condition applies). If statistics are available, or dynamic samplying is defined then Oracle use CBO to prepare the Optimal execution plan.
RBO is simply relies on set of rules where CBO relies on statistical information.
Jaffar -
IDM, GRC and position based security
We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead. There seems to much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?
How can IdM be configured to react to a position change and update the roles appropriately?
Has anyone implemented GRC and IDM with position based security?
Regards,
WayneHi Wayne,
In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
This is all theory though, I'm just getting started with IdM myself.
Kind regards,
Dagwin -
Transport of code based security
Hello,
we have WAS 6.40 and we have a lot of differents views in the key storage services, and also a lot of entries in everyone. We granted the domains to every different view and entry, so we have a lot of rules of code based security with differents domains-views-entries.
The problem is that we want to transport that configuration of code security of the WAS 6.40 from our development enviroment to production enviroment and we don't want to recreate by hand all the code based security, because is a lot of work. Anybody knows how to transport the assigned code domains of every view to the production system? When we save the view, the code domains isn't saved in the file.
Thanks a lot,
Daniel SutilYes, your main security is based on Enterprise groups. This way if something changes on SAP end, group disapears etc.. Your BO security is intact.
As sub members of Enterprise group SAP group/role will inherit all the parent security.
On deleting the groups, I think you have to unmap them from SAP page in Authentication..... Haven't played with that part much, sorry. -
Rule based ATP is not working for Components
Hi All,
Our requirement is to do availability check through APO for Sales order created in ECC,so we are using gATP.
Requirement: We are creating salesorder for BOM header (Sales BOM) and avaialbility check should happen for components i.e. Product avalaibility & Rule based substitution.
Issue: Product availiabilty is working for components but rules based substituion is working, mean Rules are not getting determind for components.
Settings:
- Header doesnot exist in APO and compnents do exist in APO
- Availability check is not enabled for header item category and enabled for Item category for components
- Rules have been created for Components in APO
- Rule base ATP is activated in Check instructions
We have also tried MATP for this i.e. PPM created in APO but still didn't get the desired result.
If we create salesorder for the component material directly then Rule based ATP is happening, so for components Rule based ATP is not working.
How do we enable enable Rulesbased ATP for components, i mean is there any different way to do the same.
Thanks for help.
Regards,
JagadeeshHi Jagdeesh,
If you are creating BOM in ECC and CIFing PPM of FG/Header material to APO, I think you need to CIF Header material, too, with material integration model.
Please include header material in you integration models for material, SO and ATP check as well.
For component availability check, you can use MATP; but for MATP, FG should be in APO. You need not to CIF any receipts of FG (stock, planned orders, POs etc), so that MATP will be triggered directly. Then maintaining Rules for RMs will enable to select available RMs according to the rule created.
Regards,
Bipin -
Dear Colleagues,
I am currently developing a J2EE application using WLS 6.1.
My team and I have to implement a security requirement to suit our company's needs.
The security requirements are that, users' password need to be aged (30 days maximum) and we need to provided a GUI front-end (JSP) to allow users to change their password when these expire after 30 days.
Our internal contacts in the company, have already taken the lead to find out about whether we will be able to use the WLS 6.1 platform to do this and the answer we got back, was.
Now we need to develop our own security module.
I have 2 questions:
1. How can we turn off the WLS security in order develop our own application-based security module?
2. How can we develop a security module that allows us to age users' password and provide them with facilities to change their passwords when these expire?
At the moment, we are using the default BEA WebLogic login.jsp page and there some configuration in the web.xml for this. I will be grateful if you could advise me on how to turn this default security off so that we can write our own security module.hi,
1.You can write your own realm in 61 which can plugged for your security
calls.
2. once you write your ownrealm.. you can access it through weblogic
api/ur api..
thanks
kiran
"Richard Koudry" <[email protected]> wrote in message
news:3dd0d081$[email protected]..
Dear Colleagues,
I am currently developing a J2EE application using WLS 6.1.
My team and I have to implement a security requirement to suit ourcompany's needs.
>
The security requirements are that, users' password need to be aged (30days maximum) and we need to provided a GUI front-end (JSP) to allow users
to change their password when these expire after 30 days.
>
Our internal contacts in the company, have already taken the lead to findout about whether we will be able to use the WLS 6.1 platform to do this and
the answer we got back, was.
>
Now we need to develop our own security module.
I have 2 questions:
1. How can we turn off the WLS security in order develop our ownapplication-based security module?
>
2. How can we develop a security module that allows us to age users'password and provide them with facilities to change their passwords when
these expire?
>
At the moment, we are using the default BEA WebLogic login.jsp page andthere some configuration in the web.xml for this. I will be grateful if you
could advise me on how to turn this default security off so that we can
write our own security module. -
Hide multiple rows in a dynamic table based on the row value.
Hi,
I need to hide multiple rows in a dynamic table based on the specific value of that row.
I cant find the right expression to do that.
please helpGo to the Row Properties, and in the Visibility tab, you have "Show or hide based on an expression". You can use this to write an expression that resolves to true if the row should be hidden, false otherwise.
Additionally, in the Matrix properties you should take a look at the filters section, perhaps you can achieve what you wish to achieve through there by removing the unnecessary rows instead of just hiding them.
It's only so much I can help you with the limited information. If you require further help, please provide us with more information such as what data are you displaying, what's the criteria to hiding rows, etc...
Regards
Andrew Borg Cardona -
Dynamic LOV based on Current user
How do i make a dynamic LOV based on the user id of the current user.
Also how to insert values from a form into a database
Can anyone please help me out.
ThanksUse portal.wwctx_api.get_user to get the currently logged in userid.
The simplest example of a form manipulating data is to create the form based on a table. All DML works automagically. You can base your form on a procedure with dummy columns and do your own DML if you wish. Lots more flexibility that way...
Maybe you are looking for
-
Gallery application will not open
Gallery on my Samsung Stellar will not open. i can backup the pictures via the direct USB connection to my computer but when i try to open the Gallery app i get a pop up message, that disappears quickly, that basically says to delete some software o
-
My macbook pro makes every 3 seconds a ticking sound
Hello everybody i've bought my macbook pro 3 months ago and he is making all the time a ticking sound. sometimes it's quiet but sometimes it's also very loud. it comes from the left side of my mac and i think it's a fan. could somebody help me please
-
Server cannot find the printer on my imac
a externe server (windows) cannot find the printer on my imac.
-
Why has my pop3 server name been changed without permission?
I tried to open thunderbird tonight and it informs me I require certification to a server unknown to me. Has my email been compromised? Jon
-
Why is the DAQ outputs distorted?
I am trying to output two voltage sine waves(90 degrees out of phase) from my DAQ card. I use a for loop to create two arrays of 1000 samples each. I then send each of these arrays to my DAQ card for sampling of 5000S/s. One of the outputs(measured o