E-Recruiting and Manager Role?

Similar Messages

• SAP E- Recruitment and Manager BSP

  Hi,
  When i try loging to Manager BSP encountring an error message "you dont have required authorization to use this start page". btw we are on E- Recruitment Enhancement pack 1.
  I have maintained the required settings. ie. reference user and a dialog user. Have also maintained Business partner for this role.
  Rest of my other roles like internal candidate / ext candidate, recruiter , restricited recruiter, administrator are working fine.
  Manager BSP is an issue. Would appreciate if you could share in your inputs on same.
  Thanks for your time.
  Kind regards
  Saipriyan

  Which authorization roles did you assign to your user?
  Try out the SAP_RCF* roles.
  In productive use, build your customer based roles.
  If you customized customer specific start pages, you need customer roles. There is an authorization check on the start page id.
  Trace the authorization checks via Transaction ST01

• Error in User Management and Assigning Role

  Hi,
  I have configured LDAP authentication on LiveCycle Server. I get the userlist with LDAP in my admin console under User Management - User & Groups. But as soon I click on any of the LDAP username I am getting error to contact administrator. Same also happens when I check the checbox infront of the username and tries to assing role.
  My Livecycle server is on WAS6.1, I also have server setup on my local where the same LDAP i have configured and I am able to access users and assign role. Is there any problem with WAS6.1 ?
  I checked the logs and i got following exception in server logs.
  [10/24/08 10:57:58:467 EDT] 00000039 IDPLoggedExce W com.adobe.idp.common.errors.Logger$LogConsumer run UserM:GENERIC_WARNING: [Thread Hashcode: 1028668752] | [com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean] errorCode:8193 errorCodeHEX:0x2001 message:getPrincipal public chainedException:java.lang.NullPointerExceptionchainedExceptionMessage:null chainedException trace:java.lang.NullPointerException
  at com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean.getCacheKey s(DirectoryServicesManagerBean.java:1583)
  at com.adobe.idp.um.businesslogic.directoryservices.DirectoryServicesManagerBean.findPrincip al(DirectoryServicesManagerBean.java:1608)
  at com.adobe.idp.um.businesslogic.directoryservices.EJSLocalStatelessDirectoryServicesManage rBean_0dbf3d20.findPrincipal(Unknown Source)
  at com.adobe.idp.um.api.impl.DirectoryManagerImpl.findPrincipal(DirectoryManagerImpl.java:13 8)
  at com.adobe.idp.um.ui.user.CreateNewUserAction.doExecute(CreateNewUserAction.java:139)
  at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
  at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
  at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
  at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
  at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1075)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1016)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
  at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:1 73)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java: 190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:771)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:679)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:546)
  at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
  at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.jav a:90)
  at com.ibm.ws.web

  Hello Do anyone get anything about above exception, or is there any other information needed, please let me know ?
  I still cannot found the solution for above problem, and it stops me to configuring users on Adobe LiveCycle ES, we have purchased Livecycle ES version 8.0

• OAM manage roles and Authorization in WebLogic integration

  Hi
  Had anyone done weblogic integration where OAM manages roles and Authorization?
  I could read in Oracle WebLogic integration document that,
  "The Security Provider only supports authentication for portals."
  I wanted to figure out if anyone has done this before or Is it possible to delegate role management and Authorization responsibility to OAM?
  Thanks
  Kiran Thakkar

  Thanks for the quick response.
  Thanks
  Kiran Thakkar

• Travel Management: Role and authorization

  Dear forumers!
  What standard travel management role can I copy and modify according to my requirements in order to let the user only watch t-codes TRIP, PR05, etc. without a right to edit data? Or there should be some other actions with a role to make it for watch only without editing?
  Standard roles are:
  SAP_FI_TV_TRAVELER - we don't need this one
  SAP_FI_TV_TRAVEL_ASSISTANT
  SAP_FI_TV_ADMINISTRATOR - I already use this role
  SAP_FI_TV_MANAGER_GENERIC
  SAP_FI_TV_ADVANCE_PAYER - we don't need this one
  SAP_FI_TV_TRAVEL_MANAGER - I already use this role
  Best regards,
  Eldar

  Hi,
  Always the best process to do is to copy the standard role and customize it for own authorization concept (Business requirement). I think there is an another thread with the same issue in SAP HCM as well.
  Regards,
  Dora.

• Reg: Hiring Manager role in E-Recuitment EHP4

  Hi all,
             i am working with Ehp4 . My business package for  Recruiter is Recruiter1.4.1  . I am trying to create a requisition from the recruiter login . I have a field HIRING MANAGER . Wat is the role tat we should assign for the Hiring Manager. 
  Thanks
  Priya

  Hi,
  I have the same problem on ERECRUIT604 EHP4 SP4. I cannot retrieve managers using Find Hiring Manager search on the Create Requisition page.
  I have though found out that there are 2 cases.
  On the one-instance solution with HR and ER on the same server an employee is retrieved as a Manager if there are following relationsships to his CP object:
  B     207     Is identic     BP
  B     208     Is identic     US
  B     209     Has employ     P
  B     650     Has candid     NA
  Especially the relationship CP B208 US is critical. The problem is though that this relationship is not created automatically be the system as on the one-instance solution the user is retrieved from IT105 subtype 0001 via P object, so you have to create this relationsship manually. Or am I wrong?
  On the two-instance solution with HR on one machine and ER on another the above solution does not work at all. Here the relationship CP B208 US is created via ALE, but it does not help for retrival of Hiring Managers.
  I have also added the 'manager' role to the employee, the employee is the manager in the Organizational Structure, and still I cannot retrieve him.
  Maybe it's a bug in the system. Anyway I cannot find any hints telling what are the assumptions for using this functionality.
  Waiting for an answer
  Best regards,
  Beata

• E-Recruiting EhP4 -- Management Involvement

  In E-Recruiting EhP4, a manager can identify and make substitutes in the application. What can these substitutes do. Using their log-in (into MSS), can these substitutes be able to see the managers ranking (for example) and maintain them

  Hello,
  The substitute maintained by the manager is the one who assume his responsibility in E-rec when he is absence.
  The E-recruiting manager role can do two things:
    --> Create Requisitions
    --> Maintain Substitutes
  Please have a look at the following documentation for further details:
  http://help.sap.com/erp2005_ehp_04/helpdata/EN/48/99a0c399273987e10000000a421937/frameset.htm
  Regards,
  Bentow.

• REST API: Create Deployment throwing error BadRequest (The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers.)

  Hi All,
  We are trying to access the Create Deployment method stated below
  http://msdn.microsoft.com/en-us/library/windowsazure/ee460813
  We have uploaded the Package in the blob and browsing the configuration file. We have checked trying to upload manually the package and config file in Azure portal and its working
  fine.
  Below is the code we have written for creating deployment where "AzureEcoystemCloudService" is our cloud service name where we want to deploy our package. I have also highlighted the XML creation
  part.
  byte[] bytes =
  new byte[fupldConfig.PostedFile.ContentLength + 1];
              fupldConfig.PostedFile.InputStream.Read(bytes, 0, bytes.Length);
  string a = Encoding.UTF8.GetString(bytes, 0, bytes.Length);
  string base64ConfigurationFile = a.ToBase64();
  X509Certificate2 certificate =
  CertificateUtility.GetStoreCertificate(ConfigurationManager.AppSettings["thumbprint"].ToString());
  HostedService.CreateNewDeployment(certificate,
  ConfigurationManager.AppSettings["SubscriptionId"].ToString(),
  "2012-03-01", "AzureEcoystemCloudService", Infosys.AzureEcosystem.Entities.Enums.DeploymentSlot.staging,
  "AzureEcoystemDeployment",
  "http://shubhendustorage.blob.core.windows.net/shubhendustorage/Infosys.AzureEcoystem.Web.cspkg",
  "AzureEcoystemDeployment", base64ConfigurationFile,
  true, false);   
  <summary>
  /// </summary>
  /// <param name="certificate"></param>
  /// <param name="subscriptionId"></param>
  /// <param name="version"></param>
  /// <param name="serviceName"></param>
  /// <param name="deploymentSlot"></param>
  /// <param name="name"></param>
  /// <param name="packageUrl"></param>
  /// <param name="label"></param>
  /// <param name="base64Configuration"></param>
  /// <param name="startDeployment"></param>
  /// <param name="treatWarningsAsError"></param>
  public static
  void CreateNewDeployment(X509Certificate2 certificate,
  string subscriptionId,
  string version, string serviceName, Infosys.AzureEcosystem.Entities.Enums.DeploymentSlot deploymentSlot,
  string name, string packageUrl,
  string label, string base64Configuration,
  bool startDeployment, bool treatWarningsAsError)
  Uri uri = new
  Uri(String.Format(Constants.CreateDeploymentUrlTemplate, subscriptionId, serviceName, deploymentSlot.ToString()));
  XNamespace wa = Constants.xmlNamespace;
  XDocument requestBody =
  new XDocument();
  String base64ConfigurationFile = base64Configuration;
  String base64Label = label.ToBase64();
  XElement xName = new
  XElement(wa + "Name", name);
  XElement xPackageUrl =
  new XElement(wa +
  "PackageUrl", packageUrl);
  XElement xLabel = new
  XElement(wa + "Label", base64Label);
  XElement xConfiguration =
  new XElement(wa +
  "Configuration", base64ConfigurationFile);
  XElement xStartDeployment =
  new XElement(wa +
  "StartDeployment", startDeployment.ToString().ToLower());
  XElement xTreatWarningsAsError =
  new XElement(wa +
  "TreatWarningsAsError", treatWarningsAsError.ToString().ToLower());
  XElement createDeployment =
  new XElement(wa +
  "CreateDeployment");
              createDeployment.Add(xName);
              createDeployment.Add(xPackageUrl);
              createDeployment.Add(xLabel);
              createDeployment.Add(xConfiguration);
              createDeployment.Add(xStartDeployment);
              createDeployment.Add(xTreatWarningsAsError);
              requestBody.Add(createDeployment);
              requestBody.Declaration =
  new XDeclaration("1.0",
  "UTF-8", "no");
  XDocument responseBody;
  RestApiUtility.InvokeRequest(
                  uri, Infosys.AzureEcosystem.Entities.Enums.RequestMethod.POST.ToString(),
  HttpStatusCode.Accepted, requestBody, certificate, version,
  out responseBody);
  <summary>
  /// A helper function to invoke a Service Management REST API operation.
  /// Throws an ApplicationException on unexpected status code results.
  /// </summary>
  /// <param name="uri">The URI of the operation to invoke using a web request.</param>
  /// <param name="method">The method of the web request, GET, PUT, POST, or DELETE.</param>
  /// <param name="expectedCode">The expected status code.</param>
  /// <param name="requestBody">The XML body to send with the web request. Use null to send no request body.</param>
  /// <param name="responseBody">The XML body returned by the request, if any.</param>
  /// <returns>The requestId returned by the operation.</returns>
  public static
  string InvokeRequest(
  Uri uri,
  string method,
  HttpStatusCode expectedCode,
  XDocument requestBody,
  X509Certificate2 certificate,
  string version,
  out XDocument responseBody)
              responseBody =
  null;
  string requestId = String.Empty;
  HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);
              request.Method = method;
              request.Headers.Add("x-ms-Version", version);
              request.ClientCertificates.Add(certificate);
              request.ContentType =
  "application/xml";
  if (requestBody != null)
  using (Stream requestStream = request.GetRequestStream())
  using (StreamWriter streamWriter =
  new StreamWriter(
                          requestStream, System.Text.UTF8Encoding.UTF8))
                          requestBody.Save(streamWriter,
  SaveOptions.DisableFormatting);
  HttpWebResponse response;
  HttpStatusCode statusCode =
  HttpStatusCode.Unused;
  try
  response = (HttpWebResponse)request.GetResponse();
  catch (WebException ex)
  // GetResponse throws a WebException for 4XX and 5XX status codes
                  response = (HttpWebResponse)ex.Response;
  try
                  statusCode = response.StatusCode;
  if (response.ContentLength > 0)
  using (XmlReader reader =
  XmlReader.Create(response.GetResponseStream()))
                          responseBody =
  XDocument.Load(reader);
  if (response.Headers !=
  null)
                      requestId = response.Headers["x-ms-request-id"];
  finally
                  response.Close();
  if (!statusCode.Equals(expectedCode))
  throw new
  ApplicationException(string.Format(
  "Call to {0} returned an error:{1}Status Code: {2} ({3}):{1}{4}",
                      uri.ToString(),
  Environment.NewLine,
                      (int)statusCode,
                      statusCode,
                      responseBody.ToString(SaveOptions.OmitDuplicateNamespaces)));
  return requestId;
  But every time we are getting the below error from the line
   response = (HttpWebResponse)request.GetResponse();
  <Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <Code>BadRequest</Code>
    <Message>The specified configuration settings for Settings are invalid. Verify that the service configuration file is a valid XML file, and that role instance counts are specified as positive integers.</Message>
  </Error>
   Any help is appreciated.
  Thanks,
  Shubhendu

  Please find the request XML I have found it in debug mode
  <CreateDeployment xmlns="http://schemas.microsoft.com/windowsazure">
    <Name>742d0a5e-2a5d-4bd0-b4ac-dc9fa0d69610</Name>
    <PackageUrl>http://shubhendustorage.blob.core.windows.net/shubhendustorage/WindowsAzure1.cspkg</PackageUrl>
    <Label>QXp1cmVFY295c3RlbURlcGxveW1lbnQ=</Label>
    <Configuration>77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjwhLS0NCiAgKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKg0KDQogIFRoaXMgZmlsZSB3YXMgZ2VuZXJhdGVkIGJ5IGEgdG9vbCBmcm9tIHRoZSBwcm9qZWN0IGZpbGU6IFNlcnZpY2VDb25maWd1cmF0aW9uLkNsb3VkLmNzY2ZnDQoNCiAgQ2hhbmdlcyB0byB0aGlzIGZpbGUgbWF5IGNhdXNlIGluY29ycmVjdCBiZWhhdmlvciBhbmQgd2lsbCBiZSBsb3N0IGlmIHRoZSBmaWxlIGlzIHJlZ2VuZXJhdGVkLg0KDQogICoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioNCi0tPg0KPFNlcnZpY2VDb25maWd1cmF0aW9uIHNlcnZpY2VOYW1lPSJXaW5kb3dzQXp1cmUxIiB4bWxucz0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS9TZXJ2aWNlSG9zdGluZy8yMDA4LzEwL1NlcnZpY2VDb25maWd1cmF0aW9uIiBvc0ZhbWlseT0iMSIgb3NWZXJzaW9uPSIqIiBzY2hlbWFWZXJzaW9uPSIyMDEyLTA1LjEuNyI+DQogIDxSb2xlIG5hbWU9IldlYlJvbGUxIj4NCiAgICA8SW5zdGFuY2VzIGNvdW50PSIyIiAvPg0KICAgIDxDb25maWd1cmF0aW9uU2V0dGluZ3M+DQogICAgICA8U2V0dGluZyBuYW1lPSJNaWNyb3NvZnQuV2luZG93c0F6dXJlLlBsdWdpbnMuRGlhZ25vc3RpY3MuQ29ubmVjdGlvblN0cmluZyIgdmFsdWU9IkRlZmF1bHRFbmRwb2ludHNQcm90b2NvbD1odHRwcztBY2NvdW50TmFtZT1zaHViaGVuZHVzdG9yYWdlO0FjY291bnRLZXk9WHIzZ3o2aUxFSkdMRHJBd1dTV3VIaUt3UklXbkFrYWo0MkFEcU5saGRKTTJwUnhnSzl4TWZEcTQ1ZHI3aDJXWUYvYUxObENnZ0FiZnhONWVBZ2lTWGc9PSIgLz4NCiAgICA8L0NvbmZpZ3VyYXRpb25TZXR0aW5ncz4NCiAgPC9Sb2xlPg0KPC9TZXJ2aWNlQ29uZmlndXJhdGlvbj4=</Configuration>
    <StartDeployment>true</StartDeployment>
    <TreatWarningsAsError>false</TreatWarningsAsError>
  </CreateDeployment>
  Shubhendu G

• Error While creating Collection Management role

  Hi
  We did a client copy and Iam getting the error "Database error UDM_PR_HEAD UDM_COLL_BUPA 5" whenever I tried to create collection management roles.
  Database error UDM_PR_HEAD UDM_COLL_BUPA 5
  Message no. UDM_WORK_LIST010
  Diagnosis
  Database instruction UDM_PR_HEAD was not successful.
  Procedure
  If you can reproduce the error message, contact SAP Support.
  Anyone knows anything about this error?
  Thanks

  Hi Ram,
  sorry for the inconvenience, can you provide the collections management(ecc6.0) configuration document.
  i am trying to learn that but i could not find any related document .
  Thanks,
  Ravi

• Managed Role Scope

  I learned that roles in DS are scoped to where they are created. Meaning if I create a managed role called role1 in ou=Roles,dc=sun,dc=com only entries (ie users and groups) under the ou=Roles branch will have visibility to role1. But since all my users are created underneath a different ou (ie ou=People), how do I get role1 to be visible to the users under ou=People? From a day's worth of reading, this doesn't seem possible. The only way around is to create the role under the ou=People branch. In this approach, all the member searches are behaving correctly. My concern is we will have thousands of roles, what's the scalability of having that many roles mingled with all 750,000 user entries under ou=People...
  Any help is appreciated!

  The problem with that is the nsRole virtual attribute never gets >calculated. While, the nsRoleDN will allow me to find all the roles for a >given user with a search filter like this:
  uid=user1 nsRoleDN
  I need the nsRole virtual attribute to find role members (all members >with a particular role)
  for example, using this search filter
  nsRole=cn=role1,ou=roles,dc=sun,dc=com
  to retrieve all members of role1. and this does not work unless role1 >was in the same scope as the user or aboveWhat about using
  nsRoleDN=cn=role1,ou=roles,dc=sun,dc=com
  It should return all members of role1. In the same time usage of on-the-fly computed nsRole attribute in searches isn't supported - please see Note 2 in the same link:
  http://docs.sun.com/source/816-5606-10/roles.htm#1117631

• "Discovery Manager" role cannot place a mailbox on hold

  My Company is testing Exchange 2013 and Exchange Online. We would like to have all discovery functions managed by our legal team.  We have assigned test users the “Discovery Manager” role.  That role should allow them rights to search all mailboxes
  and put search results on hold. Additionally, the discovery manager role should allow them to select a user mailbox in EAC, open the "Mailbox Features" page and enable litigation hold on the mailbox (no searching required). 
  We have found the second feature, enabling litigation hold without searching, is unavailable to discovery managers when using EAC. The "Mailbox Features" page is not exposed to discovery mangers using EAC.  The discovery manager can place a mailbox
  on hold using PowerShell but that would not be a reasonable option for our legal team.
  Please confirm if my understanding is correct, discovery manager should be able to place a mailbox on hold as well as in-place hold using EAC.
  Thanks in advance,
  Ron

  Does "Get-RoleGroup "discovery Management" | FL *role*" show that the Legal Hold role is assigned to the Discovery Mgmt role Group? If so, then  you may need to assign the "Recipient Management" or "Help Desk" role to those users as well or if you wish
  to security trim their access, create a customized RBAC role for them.
  Alternatively, see if they can simply set litigation hold via Powershell with set-mailbox
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

  I have 2 questions and these are very urgent :-
  1. Where the mapping can be defined between LDAP groups and WebLogic Roles. I have
  2 groups in iPLanet :- Contarctors and employees and I have 2 security roles in weblogic:-
  contractactors and employess. How do I map LDAP group contractors to weblogic security
  Role contractors? Similarly for employees ?
  2. I have not defined contarctors and employeees under People container in IPlanet.
  e.g. The RDN for contractor is
  uid=1234,ou=dir,dc=orams,dc=com
  Can I still use the defualt security realm of weblogic (the WebLogic Security Realm
  under People ) OR I have to write my own custom code ?
  3. I am planning to use Roles insetad of groups to manage the logical grouping in
  iPLant. Can I still use the groups in WebLogic security realm ( in the configuratin
  parameters ?)
  This is very urgent ....so if any of you can throw any hints that will be greatly
  appreciated.
  --Sunita

  Hi Ariel,
  The driver is bundled with the product in WLS 6.1sp1. you don't have to
  download any additional driver. Use it as you normally would only thing to
  remember is if you are trying to write standalone java code then you have to
  have weblogic.jar in your classpath. For the rest of the info follow the wls
  docs for 6.1
  HTH
  sree
  "Ariel" <[email protected]> wrote in message
  news:3bb4a643$[email protected]..
  We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
  downloaded the JDriver from bea.com, but all the istructions that camewith
  it are for WLserver 5.1.
  What has to be done to do this with 6.1 sp1?
  Thanks,
  Ariel

• Custom Distribution Group management role (manager excpeiton)

  My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
  By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
  technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
  Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
  words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
  sufficient permissions. this operation can only be performed by a manger of the group”.
  New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
  New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
  New-RoleGroup -name “Sales “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
  When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
  group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
  Below confirms by scope.
  Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
  Name DisplayName SamAccountName GroupType
  distro1 distro1 distro1 Universal, SecurityEnabled
  distro2 distro2 distro2 Universal, SecurityEnabled
  distro3 distro3 distro3 Universal, SecurityEnabled
  On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
  Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
  Name
  Add-DistributionGroupMember
  Disable-DistributionGroup
  Enable-DistributionGroup
  Get-ADServerSettings
  Get-AcceptedDomain
  Get-DistributionGroup
  Get-DistributionGroupMember
  Get-DomainController
  Get-DynamicDistributionGroup
  Get-Group
  Get-MailUser
  Get-Mailbox
  Get-OrganizationalUnit
  Get-Recipient
  Get-ResourceConfig
  Get-User
  New-DistributionGroup
  New-DynamicDistributionGroup
  Remove-DistributionGroup
  Remove-DistributionGroupMember
  Remove-DynamicDistributionGroup
  Set-ADServerSettings
  Set-DistributionGroup
  Set-DynamicDistributionGroup
  Set-Group
  Set-OrganizationConfig
  Update-DistributionGroupMember
  Write-AdminAuditLog

  Hello,
  I understand that you have create custom management scope for each group and assigned a custom role to it.
  But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
  You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
  Check below link. http://exchange2010cmd.blogspot.de/
  You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
  You can either use existing default policy or create new policy and assign this management role to it.
  Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
  NOTE: If you are creating new policy , place that name instead of default policy name".
  I recommend you continue with defalut policy. After this check with any admin, he should have rights to edit membership.
  Now, regarding your second concern, that your custon role has to many role entries.
  You can remove unwanted role entries.
  Use this cmd: Get-ManagemenRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
  Before linking management role to email policy, remove unwanted role entry from role.
  I tried to explain it in easy way, but still it is not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer,dont forget to propose it as answer.

• Integrate IdM roles with Sun Access Manager roles

  Hi all,
  I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
  I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
  What are the important differences between static and dynamic roles in AM?
  Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
  Thanks.

  I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
  About directory server roles:
  http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
  Forum thread reference:
  http://forums.sun.com/thread.jspa?threadID=5208694
  Here are roughly the steps I followed to get this working.
  Access Manager roles setup:
  1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
  Identity Manager roles setup:
  1. Create a new role in Identity Manager: tab Roles, click New....
  2. Assign the LDAP resource to synchronize the role with.
  3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
  4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
  * In the column Value override, select Text.
  * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
  * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
  5. Save the role. You can now add the role to a user.

• When to use "my role" and "partner role" in BPEL?

  I'm a bit confused when to set/use partner role and my role.
  Can anyone shed a little light,
  regards, Henrik

  Saurabh,
  > I humbly disagree with your explanation of inputs
  No need to be humble, you can boldy disagree. :)
  You're right that I did technically use the wrong term in that sentence of my explanation. I updated the post and corrected it. However the gist of what I was saying is still true.
  There are two invocation types. People use different terms but here I'll call them request-response and one-way. A request-response invocation type is used for what we typically think of as a "synchronous" process. That is, the service consumer is blocked until the service responds. It's like methodA() in Java calling methodB(). methodA() is blocked until methodB() completes. (In fact, this is exactly what it's like since all invocations on our BPEL engine ultimately go through our Java API.)
  In the case of one-way, the service consumer is not blocked. This is often referred to as fire-and-forget. It simply sends its request, then it is free to continue or do whatever it wants. Moreover, nothing is returned to the client (you fired-and-forgot, remember). Typical "asynchronous" BPEL processes uses this invocation type.
  So we have those two invocation types. Yet the problem before us how to have an asynchronous process return a result. You can't use request-response because the service consumer is blocked until the process finishes. You can't just use a one-way because nothing is returned to the caller. What to do?
  The way the BPEL standard solved the problem is to use two one-way invocation types. The first one is to invoke the process. The second one is a one-way from the BPEL process to the service consumer to return the result. There are some glaring implications of this:
  1. When the BPEL process returns it's result, things have now switched: The BPEL process becomes the service consumer, and the (original) service consumer becomes the service.
  2. The service consumer has to be able to listen for one-way invocation type requests.
  3. The BPEL process has to know how and where to call the service consumer back. This information is passed in the original request. As well as containing the data payload, it contains a callback address and unique identifier. This, in essence, is what the WS-Addressing standard is about.
  Now the definition of a one-way invocation type in a WSDL is:
      <portType name="aaa">
          <operation name="bbb">
              <input message="tns:ccc"/>
          </operation>
      </portType>Compare that to a request-response invocation type:
      <portType name="aaa">
          <operation name="bbb">
              <input message="tns:ccc"/>
              <output message="tns:ddd"/>
          </operation>
      </portType>Let's look again out our example WSDL:
      <portType name="SelectService">
          <operation name="processRequestQuote">
              <input message="tns:RequestQuote_processRequestQuote"/>
          </operation>
      </portType>
      <portType name="SelectServiceCallback">
          <operation name="processRequestQuoteResponse">
              <input message="tns:RequestQuote_processRequestQuoteResponse"/>
          </operation>
      </portType>Here comes the good bit... Both portTypes have an <input> operation. But that's because they are both one-way invocation types, and there is no choice but use the <input> element -- that's the standard. You can't imply put <output> because there's no such thing in the standard. However we know that one of those is to actually return the result. That is, it's the output, even though it's labelled <input>.
  Hopefully that's given you enough information now. Re-read my first post, above, and it should make more sense.
  Incidentally, this is why you rarely see try asynchronous web services, because the caller has to also be a listener. And if you want to call a service, who wants to also have to write code to listen, to handle responses coming out of order, etc. This is one of the advantages of using an orchestration engine like Oracle BPEL Process Manager. The framework takes care of the hard work, and you can simply call an aysnchronous service and not have to worry about how to get the response back -- the engine does it for you.
  Regards,
  Robin.