Dynamically add Users to Roles

Similar Messages

• AppServer: problems trying to add users to roles in security dialog

  I'm trying to learn J2EE using AppServer. My current example has a client accessing
  an entity bean. I want two classes of user - Reader, and Updater. Most methods
  of Home and Remote are accessible to both classes, a few are restricted to users
  in Updater role. I'm currently having problems adding users to roles in deploytool.
  I have defined users using the Admin client.
  I have implemented and test run client and entity bean without security restrictions, it works.
  I have defined roles associated with the application.
  I have allocated roles to every method in Home and Remote interface of bean.
  I have extracted the generated XML file and checked the <assembly-descriptor> section and
  it appears that all roles and role descriptions are defined as required.
  deploytool lets me use the "Security Role Mapping" dialog, I can select either of my roles and
  try "Add user to role" - subsequent dialog shows my users and allows me to "Map user to role" -
  but selected user does NOT appear in the user names panel.
  What am I doing wrong or what am I omitting? Hints please!

  Thanks for suggestions. (I'm using Windows so file-protections pretty
  non-existent).
  I looked in the Sun file you mentioned and found the users were defined.
  When I restarted AppServer and deploytool, the users were shown in the appropriate
  panel.
  There is probably some minor bug in deploytool that causes the User Panel not
  to be updated as it should be after a user has been added to a role.

• Cannot add users to roles

  I have configured OpenLDAP data store with Access Manager. I can see the users added in LDAP in the Subjects tab of Access Manager, but when I create a role ad try to add users in the role I get the exception
  Plug-in com.sun.identity.idm.plugins.files.FilesRepo: Unable to find entry: C:\Documents and Settings\161101\amserver\idRepo\user\frank
  Can anybody suggest what is problem

  Hi there,
  The reason why you have file repo is because you installed the AM using file repo instead of LDAP.
  Deleting the File Repo configuration for that realm will not affect the configuration part of the AM ( I would still do a backup ... just in case) because the datastore configuration has nothing to do with that. The configuration part of the AM is at the platform level and you have that configured on the configurations tab of the platform. What I'm sugesting is on that specific Realm ( I usually use a different Realm other than the Root realm ... this way I'm sure not to mess it up ) go to the datastores (which is the place where user data is stored and not the configurations (though they might be the same) ) and delete the file datastore configuration (or point it to a different location ... but do not delete the files on the filesystem, because they are still in use by other Realms and the configuration ) .
  Configuration data and User repositories can be configured in different places .... which is what you are now trying to do .... have the conf on the file system and have the users on an LDAP.
  Defenetly do a backup of your stuff ... and if at all possible use a different realm other than the root realm.
  Hope this helps .... and makes any sense !
  Rp

• Add user to role during reconciliation

  Hi,
  I have this scenario:
  We have a database resource on which we run reconciliation to link accounts to our users in IDM.
  I also have roles that contains this resource. When the reconciliation runs I would like to add the user
  to that role, instead of linking the user to the resource account directly.
  Our problem now is that if users gets linked to the resource, and then gets the role, if the role is removed, the user still has the link to the resource.
  Did that make any sense?
  I'm guessing that I need to use the "per account workflow" to make this happen, but I'm not sure how to do write this workflow.
  Regards,
  Henrik

  Hi Henrik,
  You could do it during reconciliation with a per-account workflow.
  Another approach is to use a regular workflow that lists users with accounts on that target resource and processes each of them to remove any unneeded direct assignments. That is what I went with, and I run the workflow periodically.

• "Low-level" authorizations for accessing BW reports - add users to role

  Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
  Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

  Hi!
  i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
  with regards
  ashwin
  <i>PS n: Assigning point to the helpful answers is the way of saying thanks in SDN.  you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.</i>

• How to add users to the container

  Hi,
  My JSF application has security enabled. The users and their roles are defined in a .xml file located in my container (standard). Is there any way I can dynamically add users to this .xml file? Right now I am able to add them manually, but it would be nice if they were added as soon as they joined my service.
  Best Regards
  Thomas

  There is always some way ...
  Most app servers will support custom login modules via the JAAS "LoginModule" interface. Glassfish has built-in modules for file, LDAP, certificate store and solaris authentication, but you can plug-in others. There is an article and sample for how to do this for a database at <http://dev2dev.bea.com/pub/a/2003/04/Pijpops.html> (targeted at BEA, but Glassfish, etc should be the same).
  Using a database or LDAP directory to store your users means there are plenty of standard tools for manipulating and managing the data, and any updates will be available immediately to your app server.
  If you want to stick to with the file module, you can obviously update the file directly, but then the app-server or domain might need a restart before your new users get picked up, and also if the file stores the passwords hashed, you have to know the particular hashing algorithm used. Otherwise, each app server usually exposes the admin functionality (like adding users) through some web-service or EJB interface -- but this tends to be app-server specific. Your app server docs should give more details.
  What app server and version are you using? Glassfish? JBoss?

• OIM 11g R1 - Add user to group after AD Reconciliation

  Hi,
  i want to add all reconcilated users from AD to OIM to a special role in oim, after a AD reconciliation.
  By default, all users get the role ALL_USERS. I want to add a futher role, for example ALL_AD_USERS.
  How to do this?
  Edited by: 960944 on Jan 15, 2013 5:11 AM

  I assume that here you are talking about AD TRUSTED RECONCILIATION and you don't have any other TRUSTED Reconciliation and this is the only way to bring users into OIM, then you can create a role and attach a membership rule say "Organization doesn't contain ZZZZ". It will satisfy all the users
  CONS: Here you won't be able to distinguish between users which are creating through Admin Console or from AD Trusted or from some other Trusted Recon.
  Now if you want only those users who are coming from AD then Add a task on Reconciliation Insert/Update Received and add user into Role using APIs.

• Portal user and role creation

  How do we add (bulk add) users and roles to Portal 6.0 without the management console ?
  Thanks ,
  Ravi

  Did anyone have an answer to this? I've used tools with other directories that permitted a bulk add or a flat file dirsync that allowed a CSV file to add accounts. I would be interested if someone has done this for portal 6.2 or 6.X.
  Thanks in advance,
  Mike

• Allow users to Dynamically add rows

  Hi,
  While creating form I found an option "Allow users to Dynamically add rows".I have requirement so that users should be able to create new lines if required for new TBHs. How does this option works, could some one let me know?
  Thanks,
  Ravii

  Hi,
  If the user has write access to the form and the option is selected to "Allow users to dynamically add rows" then when the user runs the form he has the option in the menu (Edit > Add Row)
  This will then open a window where the user can select members for the row dimension that he has access to.
  The function does not work if you have "Suppress Missing Data" selected.
  Helpful, correct, answered?? you know you can do it.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• How to find and add user's manager as approver for an action at runtime?

  Hi All,
  I am able to add logged in users to a role and initiate the process.
  But for 1st and 2nd level approval, I want to add supervisor and manger user id to the appropriate roles.
  How do I implement this?
  Thanks
  Sundar

  Hi,
  2 ways:
  1 - You can define a Structure String -> 0..n and define your role as Runtime Defined, so you associate this structure with your role. You will retrieve the users by role from UME, after this, initialize the structure withe the users. So the values will be transferred to your process. 
  see this link: /people/dipankar.saha3/blog/2007/05/31/how-to-create-dynamic-approval-process-using-conditional-loop-block-in-guided-procedure
  /people/berndt.woerner/blog/2007/09/19/different-ways-to-model-dynamical-assignment-of-user-to-process-roles-using-composition-tool-guided-procedures--part-1
  2 - Using Assign Users to Process Role Callable Object
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0c451f8-0dc2-2b10-e286-f5be915a07f7
  Best regards

• ORA-01935: missing user or role name

  Hello. I'm trying to change a users password, logged in as SYS. I'm using the script:
  ALTER USER dross IDENTIFIED BY 1111;
  Also tried:
  ALTER USER "dross" IDENTIFIED BY "1111";
  ALTER USER 'dross' IDENTIFIED BY '1111';
  ALTER USER 'dross' IDENTIFIED BY 1111;
  ALTER USER "dross" IDENTIFIED BY 1111;
  Any suggestions on what I could do?

  sb92075 wrote:
  is username 'DROSS' or 'dross'?Makes no difference. If user doesn't exist ALTER USER spits out
  ORA-01918: user 'XXX' does not existnot
  ORA-01935: missing user or role name To get the above error username must be omitted:
  SQL> ALTER USER IDENTIFIED BY XYZ
    2  /
  ALTER USER IDENTIFIED BY XYZ
  ERROR at line 1:
  ORA-01935: missing user or role nameSo ALTER USER statements OP posted doesn't add up with error that is raised. Have a feeling ALTER USER is generated dynamically and somehow username is NULL.
  SY.

• Creation of user sand roles

  Hello sdn
  i installed Newweaver snekapeakpreview(Java) in my system
  when i tried to create a new user other than admin , user is created but
  when i logged as newly created user it showing  password has expired please
  advise me to rectify this problem
  second is
  when i try to add iviews to roles which i created its  showing popup
  menu but it doesn't have the option  add iview to role
  iam unable to understand where im going wrong
  waiting for your valuable replies

  Hi Prasad,
  please check out my advise from this thread for solving your first problem: EP SP15 FROM SDN
  Hope it also solves your problem,
  Robert
  PS: I would suggest to open a new thread for the second problem, as it's not related to your thread name, and people might expecting something else in this thread.

• Dynamic Local User Issue

  When i look at snapins thru consoleone i can see that Zenwork 7.0.1 snapin is installaed.
  I have Novell Client 4.91 SP5 and Zenwork Client 7.0.173.91015 installed on the clients running WinXP Pro SP3.
  There is different of failures that happens..
  Senario 1:
  I install a Latitude D610 with a WinXP Pro SP3 original CD, from scratch. I only install the drivers for the LAN-card to get access to the network. I do not update windows updates etc.
  I install the Novell Client 4.91 SP5, after that i install Zenwork Client 7.0.173.91015. And apply some registry settings to make the novell client to use the "tab-function" and hide advanced settings etc..
  I have my eDir user "ADMIN1" with the policy package with settings to Dynamic Local User set to create a local user with name Admin, but im not using volatile user. So the local windows user Admin will be saved when logged out.
  I login once with my Admin1 user, it creates the local profile Admin from Default User (with the help of Zenworks, and the policy Dynamic Local User?). I restart the computer and login again, and the local profile Admin craches and create a new one from Default User but this local user profile is namned Admin.Computername.
  Ive tested this with atleast four other computers (different hardware) so it cant be a driver issue.
  Ive looked thru the local logs, and i cant find anything about any problem with reading the NTUSER.DAT as could be a problem to load the local profile.
  I even tested this senario when i update all windows updates etc, with two different version of the zenworks client and so on. ive been testning this for like 100 times now atleast. and same failure is happening. Ive even tested this in a virtual environment (vmware workstation).
  Senari 2:
  Like the problem descried above, in some cases it loss the connection or something with the zenwork server side and the zenwork client on the client computer... Since it does not attempt to use the settings from Dynamic Local User, becuase i got the windows login window, and i have to login to an already existing windows local account (with otherwords i cant login to the Admin-profile since i dont know the login information to this account since its created by zenworks / dynamic local user settings, and from the settings there you cant set a password, just the name and role of the windows accout that should be created)..
  And after a while i try again, and then the settings from Dynamic Local User passes by and log into the, (let me say) Zenworks created local user profile (set by Dynamic Local User settings).
  I wanna mention that all computers thats old, no reinstallation.. I can login to without problem, without any crashes of the Windows Local Profile.
  Ive succeded once without any Windows Local profile crash, rebooted this computer over and over again, and no failure. If you succed twice, it seems like its fine. But then i reinstalled this computer, just like i did to make it success. But this time it failed on the second try, and got a crashed profile....
  Its kinda old hardware to the server where i have my Zenworks, could that be the case? Could it be some timeouts?
  The concults i use to fix some problems in our environment updated zenworks from the serverside just before christmans.. Could it be any problems with some windows patch etc?
  Any help would be appreciated!
  // Jokohanho

  > installed on the clients running WinXP Pro SP3.
  <snip>
  > I restart the computer and login again, and the local
  > profile Admin craches and create a new one from Default User but this
  > local user profile is namned Admin.Computername.
  I only know of one XP SP3 issue that could cause this, but it involves a pw
  change and RP:
  "When you try to log on to a Windows XP SP3-based computer by using a
  roaming profile, the roaming profile cannot load."
  http://support.microsoft.com/kb/958058
  Regards
  Rolf Lidvall
  Swedish Radio (Ltd)

• User Exit to add user-defined selection critieria onto VL10G

  Does anyone know how to add user-defined selection criteria onto <b>VL10G</b> - Sales and purchase order display screen? OSS note <b>524424</b> states the userexit to transfer user-defined selection criteria from the selection screen to the report but no information on how to add the selection criteria on the screen. Is that something can be done through configuration or user-exit?
  Any advice or sample is greatly appreciated.

  I was in a hurry, I forgot to add, the user role specific selection screen assignment to VL10G is done at "delivery scenario" level
  The delivery scenarios that are predefined in the system can be found under Logistics Execution -> Outbound Process -> Goods Issue for Outbound Delivery -> Outbound Delivery -> Create -> Collective Processing of Documents for Shipment.
  You can make the following settings in a delivery scenario:
  <b>Selection screen</b>
  You can use the selection screen parameters to define the appearance of the selection screen used to select the delivery list.
  There are three combinations of selection parameters available that each include a different number of tabs.
  A long selection screen with no tabs
  A selection screen with three tabs
  A selection screen with six tabs
  The selection criteria is the same on all three screens in the standard system, it is simply arranged differently.
  This parameter also triggers scheduling of the report for processing the delivery list, with the same three available tab options.
  Customer enhancements are also possible in the LV50R_PREFZ1 program, which should be triggered from a delivery scenario.
  <b>User role</b>
  In the standard system, a predefined user role is assigned to each delivery scenario. If necessary, you can copy these user roles into your own user roles, make changes as required, and then assign them to a delivery scenario of your choice.
  If the user role assignment for a delivery scenario is changed in Customizing, the new settings are valid for all users that carry out this delivery scenario.

• How to add User Permissions to form created in InfoPath 2010 created for SharePoint document Library

  Hi,
  I created a form in InfoPath 2010 with three views (one for user input, the other two views to be used by supervisors) and published this to a SharePoint 2010 document library. Now the way this form is supposed to work is that when a User goes to the document
  library and adds a document, it is supposed to open the Form with the User's input view. When the User submits the document, only him/her should be able to open and possibly edit the the form. When the Immediate Supervisor opens the form, it should open in
  the Supervisors view and allow them to fill in only their section and not be able to edit or alter the user's data. When the Immediate Supervisor saves the document, the Over-all Supervisor should be able to open it in their view and not be able to edit or
  alter the sections filled out by the User and Immediate Supervisor.
  How would i go about completing this? I have the views created but now have the problem of associating these views with their respective users or groups.

  Hello,
  You need to first create user group in sharepoint site then add user in group according to their role. Later you need to call usergroup.asmx web service to get current logged-In user group name so you can switch view and also apply rule for editing or disabling
  controls in form.
  Follow this link to get group name:
  http://social.technet.microsoft.com/wiki/contents/articles/13271.sharepoint-2010-extracting-user-group-of-current-login-user-in-infopath-2010.aspx
  http://social.msdn.microsoft.com/Forums/en-US/018f5184-5c83-4a53-b66b-8c376fc800fc/how-to-get-current-users-sharepoint-group-name-sharepoint-2010-infopath-2010
  To apply rule on control:
  http://office.microsoft.com/en-in/infopath-help/add-rules-for-performing-other-actions-HA101783373.aspx
  Hope it could help
  Hemendra:Yesterday is just a memory,Tomorrow we may never see
  Please remember to mark the replies as answers if they help and unmark them if they provide no help