EBS Responsibility mapping to Roles in EM without EBS SSO

Hello All,
I am having a hard time figuring out how to implement data level security in OBIEE 11g.
We are implementing OBIEE 11g with an EBS R12 source (NOT OOTB). The EBS ICX based integration has NOT been used; instead SSO is achieved through Windows Native Authentication (the user logs in with Windows credentials without entering a username or password).
Now when it comes to the authorization part, the Responsibilities from EBS need to be passed to Roles in EM and to Web Catalog groups in Presentation Services.
How can we implement data level security per EBS hierarchies?
Has anyone tried this before? Pls help!
Thanks in advance,
-SVS

SSVS wrote:
Thanks for the response.
A custom table with Network login ID, EBS RESP and USER ID could be populated and refreshed nightly to capture the updates. Also I was mainly wondering about data security, e.g. consider the Projects module: there are certain restrictions, as certain Project and Task information is pertinent to Project Managers and not all users with the Projects role can access this information.
Likewise for any financial module. Pls let me know.
Thanks,
-SVS

The way we implemented security in the Projects module is by creating an ETL interface that does a full load of the project security table, which holds the project managers and their project information. So the table would look like below:
User ID   Project Number   Active_Flag
abc123    301301301        Y
bbc123    103103103        N
There will be another table which stores the user to roles relationship, like svee mentioned in his post. The Roles session variable would be pulling data from the user to role table, whereas the project_key session variable would pull in the data from the project security table, and therefore both data level and object level security is achieved.
Please mark if helps.
Thanks,
-Amith.
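As an added illustration of the two row-wise init-block queries Amith describes (this is example code, not the poster's implementation), assuming SQLite and the table and column names shown in the comments:

```python
# Added example (not from the original thread): the user-to-responsibility table,
# the project security table and the two session-variable queries, on SQLite.
import sqlite3

# Table and column names are assumptions, not the poster's actual schema.
SCHEMA = """
CREATE TABLE user_resp (
    network_login  TEXT NOT NULL,   -- Windows login seen by native authentication
    ebs_user_id    TEXT NOT NULL,   -- EBS user name
    responsibility TEXT NOT NULL    -- EBS responsibility, surfaced as an EM role
);
CREATE TABLE project_security (
    ebs_user_id    TEXT NOT NULL,
    project_number TEXT NOT NULL,
    active_flag    TEXT NOT NULL CHECK (active_flag IN ('Y', 'N'))
);
CREATE TABLE project_fact (
    project_number TEXT NOT NULL,
    task_name      TEXT NOT NULL,
    cost           REAL NOT NULL
);
"""

# Constructed sample rows mirroring the table layout in the thread.
SAMPLE = {
    "user_resp": [
        ("CORP\\abc123", "ABC123", "Projects Manager"),
        ("CORP\\bbc123", "BBC123", "Projects Manager"),
        ("CORP\\ccc123", "CCC123", "General Ledger User"),
    ],
    "project_security": [
        ("ABC123", "301301301", "Y"),
        ("BBC123", "103103103", "N"),   # inactive assignment: must grant nothing
    ],
    "project_fact": [
        ("301301301", "Design", 1000.0),
        ("301301301", "Build", 2500.0),
        ("103103103", "Audit", 700.0),
    ],
}


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def session_roles(conn, network_login):
    """Row-wise init block for the ROLES session variable: one row per role name."""
    cur = conn.execute(
        "SELECT responsibility FROM user_resp WHERE network_login = ?",
        (network_login,))
    return sorted(r[0] for r in cur)


def session_project_keys(conn, network_login):
    """Row-wise init block for PROJECT_KEY: only active assignments become keys."""
    cur = conn.execute(
        """SELECT ps.project_number
             FROM project_security ps
             JOIN user_resp ur ON ur.ebs_user_id = ps.ebs_user_id
            WHERE ur.network_login = ? AND ps.active_flag = 'Y'""",
        (network_login,))
    return sorted(r[0] for r in cur)


def filtered_project_rows(conn, network_login):
    """The data filter the RPD would apply to the Projects logical table:
    Project Number IN (VALUEOF(NQ_SESSION.PROJECT_KEY)).
    A user with no active project gets no rows at all (fails closed)."""
    keys = session_project_keys(conn, network_login)
    if not keys:
        return []
    placeholders = ",".join("?" * len(keys))
    cur = conn.execute(
        "SELECT project_number, task_name, cost FROM project_fact "
        f"WHERE project_number IN ({placeholders}) ORDER BY task_name", keys)
    return cur.fetchall()
```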

Similar Messages

  • Creating/Mapping security roles without authentication

    Hello all, I am new to WebLogic 9.1, and I appreciate your help in advance.
    I have an HTTP header pre-populated with the roles a logged-in user has (these roles are defined outside WebSphere), and the user has already been authenticated.
    I want to map each role from my header to a URI configured in weblogic, so it can authorize/deny access to that page within the container, based on the role in the header.
    What would be a good approach to doing this? I have been looking through the security documentation, and I am a bit overwhelmed, I'm not sure where to begin.
    Thanks

    Hi,
    1) As said, nothing prevents you from building a JAAS LoginModule that does what you need - e.g. authenticate a user against LDAP, then connect to the database and query for his/her user roles. You can't have container managed authorization without authentication though.
    There will be a change in API in JDeveloper 11 (and most likely in the upcoming JDeveloper 10.1.3.4) that allows you to set a Subject into the OC4J context, in which case you don't need container managed authentication. However, I haven't tested it yet and can't tell to what extent this would be useful.
    3) Sure, you can build a JAAS LoginModule that doesn't care for authentication. However, this doesn't work with container managed security. As far as I am aware, the only option to not show a login dialog is to use certificates. And certificates are not yet to use with custom LoginModules. So the above mentioned API - that is available as a backported patch for 10.1.3.1 - might do the trick.
    Frank

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have a few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional approach (assigning roles to users) to indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position, or would it automatically have the authorizations which are assigned to the users below the chief position?
    3. As a first step, do we need to create the users in SU01 / SU10, or can we create the entries in PA30? Which one comes first, or are both independent?
    4. If the user moves from one position to another position then there would need to be a grace period for the shift over of roles. Where do we maintain the shift over value in days? Do we need to maintain it in both?
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can. Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position, or would it automatically have the authorizations which are assigned to the users below the chief position?
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU10.
    3. As a first step, do we need to create the users in SU01 / SU10, or can we create the entries in PA30? Which one comes first, or are both independent?
    Create the user in SU01/SU10 first before creating infotype 105 in PA30.
    4. If the user moves from one position to another position then there would need to be a grace period for the shift over of roles. Where do we maintain the shift over value in days? Do we need to maintain it in both?
    When a user's assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.
    Also the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS - tx OOAC. SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Problem mapping LoginModule roles to ejb security roles

    I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the user's roles from the database and adds them to the subject:
    PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
    LoginContext lc = new LoginContext("current-workspace-app", cbh);
    lc.login();
    I then perform a lookup on a bean using the same user:
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
    env.put("java.naming.security.principal",username);
    env.put("java.naming.security.credentials",password);
    env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
    Context ic = new InitialContext(env);
    final SessionEJBHome sessionEJBHome = (SessionEJBHome) PortableRemoteObject.narrow(ic.lookup("SessionEJB"), SessionEJBHome.class);
    Finally, I create an instance of the bean and call a method of this bean.
    SessionEJB sessionEJB;
    sessionEJB = sessionEJBHome.create( );
    sessionEJB.testMe( );
    I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authorize the EJB methods, i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
    "username is not allowed to call this EJB method"
    When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesAll="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the EJB method is (wrongly) called successfully (with impliesAll="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the EJB security roles.
    Can anyone please enlighten me on how I can achieve the mapping of the EJB security roles to the roles obtained from the login module?
    Thanks
    PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

  • Can I map iwtUser-role to an attribute in external LDAP???

    Hi,
    I am using an external LDAP for authentication. In the Ext. LDAP I am using there is an attribute named title in every user cn. I want to use this attribute for the portal to decide which role the user belongs to. I mapped iwtUser-role to title in the Ext. LDAP configuration. When I go to the console I see user(s) under the roles defined in the title attribute (in Ext. LDAP).
    From the console, if I try to change the desktop profile of a role and check 'apply changes to all subroles', it's not applying changes to all users who have the title as that role (even though when I go to that user(s), I see them under the right role). However, when I look at the iwtUser-role attribute in the profile LDAP using an LDAP browser it shows /domainname/defaultRole, which is not the value mapped (in Ext. LDAP). Do you have any idea why it is happening? I would like to know if mapping iwtUser-role to an attribute in Ext. LDAP is the right thing in the first place (I am doing this because the Ext. LDAP is already populated, I have no roles in that, all users are at the same level and I have permission to change the title attribute only in Ext. LDAP).
    Thanks,
    Siva Kancheti.

    Block off the default role if you don't want anyone going into that role but only the ones defined. You can do this by setting the filter to a value that will return nothing (for example, title=nonexistant); since the search filter will not return results, no one will be placed in that role (otherwise you have to manually go into that role and 'move' users).
    Hope this helps,
    Manon

  • Mapping UME Roles to J2EE Engine Security Roles

    Hi all,
    is there a way to map the roles defined in UME which are used in a Web Dynpro application to those declared as part of an EJB descriptor?
    Any help is highly appreciated.
    Regards,
    Sebastian

    Hi Sebastian,
    Yes, it is possible to do such a mapping. And here is how it works:
    1. Define security roles in the ejb-jar.xml within the <security-role> tag. For example:
    <security-role>
         <role-name>test</role-name>
    </security-role>
    2. Then you map those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
    <security-permission>
       <security-role-map>
          <role-name>test</role-name>
          <server-role-name>myUMErole</server-role-name>
       </security-role-map>
    </security-permission>
    The myUMErole must be defined in the UME!
    Does this answer your question?

  • How to map Application Roles to Enterprise Roles

    Hello,
    I am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if I do not have it?
    Can I map the roles in WebLogic Server itself? I have searched for such an ability and did not find it. Also I have not seen any tutorial on the internet. Someone help me pls.
    The version I am using is 12.1.2.0.0.

    Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
    Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
    Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
    Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
    2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
    You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
    See : Managing Security Across Portals for more info :
    http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
    3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
    First, you can grant privileges to a specified group (say the sales group) of users by granting Enterprise Roles in the Enterprise LDAP.
    Next, create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc.) and assign the appropriate permissions as explained above.
    Then, you can assign one or more Application Roles to a specified group (say the sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Users & Groups.
    I hope it helps.

  • Mapping security roles to other roles

    I found the security newsgroup and posted the question there under the same topic. Kindly respond there.
    Message was edited by:
    jheinone

  • How to do hibernate mapping for table or view without a primary key

    Hi,
    Anyone knows how to do hibernate mapping for table or view without a primary key?
    thanks.
    cc

    Or you can make all columns the primary key.

    Anybody seriously considering that as a good idea should understand the implications:
    1. This requires that each row be unique - that's a minor issue normally, but can be a significant problem in some cases.
    2. In practically all databases, a primary key constraint creates a unique index - this has many implications:
    a) In most databases, the index stores a copy of the column data that is indexed - this suggestion therefore more than doubles the data storage required for the data.
    b) Whenever an indexed column is changed, the index has to be maintained - this suggestion then more than doubles the work that each UPDATE statement has to do, since both the table and the index have to be maintained for any UPDATE at all.
    This might work OK for toy projects, but it doesn't scale well at all...

  • Map wls roles to application roles

    How can I map WebLogic roles to my application roles?
    I have already configured DB authentication in WLS,
    but how can I map it to the jazn-data.xml file?

    Hi,
    Either you create the same roles in jazn-data.xml, in which case they are automatically used after deployment, or you have a look at how to map user groups (not application roles) created in jazn-data.xml to WLS groups using the weblogic.xml file.
    Frank

  • Is there a way to automatically map CRM Roles to Portal Roles

    Scenario:
    When a new user registers on our portal he is assigned a CRM Role; however, he still needs to be assigned a Portal Role. Since we will have many users registering through our portal we do not want to assign roles to users manually. We want this to be an automated process, which requires almost no administration after the initial configuration.
    Solution we are looking for:
    Ideally we would like to do some configuration on the Portal side that would somehow pull roles from the CRM user store and map them on to the appropriate Portal roles. In our case the reverse would also be OK, i.e. we do some configuration on the CRM side that would push the appropriate role to the Portal and do the Portal Role assignment.
    Does anyone know how to do this? I am very new to portals so a detailed explanation would be very helpful.
    Thanks for all the help!
    Muhammad Osman Yousuf

    No, the portal role will not be the same for the same CRM Role.
    So for example...
    On the CRM side we have CRM_ROLE_A, CRM_ROLE_B, and CRM_ROLE_C and on the Portal side we have PORTAL_ROLE_A and PORTAL_ROLE_B.
    All mappings given are possible...
    CRM_ROLE_A = PORTAL_ROLE_A
    CRM_ROLE_B = PORTAL_ROLE_A and PORTAL_ROLE_B
    CRM_ROLE_C = PORTAL_ROLE_B
    The solution you mentioned, will it work with the above mappings?
    Thanks for all the help!
    Muhammad Osman Yousuf

  • Is it possible to create a role with PERM_READER_EXTENSIONS_WEB_APPLICATIONS without Service Invoke?

    I need to restrict user access to Workspace processes. Using the adminui, Service Management, I gave my test group INVOKE_PERM permissions to this service. This works well. The users of the test group can only see this process. However, for these users the SOAP calls do not work. I am using a reader extended form and I am getting the error below. If I add the Reader Extension Web Application role, the SOAP call works, but the users of the test group can see all other processes. I created a role and gave it PERM_READER_EXTENSIONS_WEB_APPLICATIONS, Service Read, INVOKE_PERM and other combinations. This role only works if I add Service Invoke, and this gives users access to all processes. How can I get a role to provide the Reader Extension without using Service Invoke?
    An error has occurred. See error log for more details.
    User TORRES, ALEJANDRO G does not have the Service Invoke Permission on Service ReaderExtensionsService.

    I found the answer to my question.  I had to give INVOKE permission to all the services used by the process.

  • Map security roles to group within LDAP using external 3rd Party LDAP

    I'm having a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory successfully; however, after the user is authenticated I get a message from the OC4J container that my role cannot be found. Can you map a logical role to a group within Active Directory? Below are details about my configuration.
    Any help would be greatly appreciated.
    log.xml log entry that confirms webta is communicating successfully with AD:
    SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    Error reported in the log
    <MESSAGE>
    <HEADER>
    <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
    <COMPONENT_ID>j2ee</COMPONENT_ID>
    <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
    <MSG_LEVEL>16</MSG_LEVEL>
    <HOST_ID>F2287032-W</HOST_ID>
    <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
    <MODULE_ID>security</MODULE_ID>
    <THREAD_ID>14</THREAD_ID>
    <USER_ID>wmgraham</USER_ID>
    </HEADER>
    <CORRELATION_DATA>
    <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    Web.xml Logical Role definition
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>allpages</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>WEBTA_J2EE_USER</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <role-name>WEBTA_J2EE_USER</role-name>
    </security-role>
    orion-web.xml. This file maps the logical role defined in web.xml to a group within Active Directory.
    <security-role-mapping name="WEBTA_J2EE_USER">
    <group name="webta"/> <!-- Group defined in AD -->
    </security-role-mapping>

    What is the name of the group in AD (provide the DN) that you want to map the J2EE logical role WEBTA_J2EE_USER to? What are the group search base and group mapping attribute?
    When wmgraham logs into the app, the 3rd party LDAP login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
    In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely the user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
    Assuming the group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and the group mapping attribute is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
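An added example (not code from the thread or from OC4J) that walks through the check the reply describes: a group DN only maps to the logical role when it sits under the configured group search base and its mapping attribute matches the orion-web.xml group name; otherwise the "no matching role found" condition from the log results. The search base, attribute and group name are the ones quoted in the thread.

```python
# Added example (not from the original thread): resolve J2EE logical roles from
# a user's AD group DNs the way the reply describes, reporting why a group is skipped.


def parse_dn(dn):
    """Split a DN into (attr, value) RDN pairs, lower-cased for comparison.
    Handles backslash-escaped commas; multi-valued RDNs are out of scope."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def under_search_base(entry_dn, search_base):
    """True if entry_dn equals or lies beneath search_base (suffix match on RDNs)."""
    entry, base = parse_dn(entry_dn), parse_dn(search_base)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def mapping_value(entry_dn, mapping_attr):
    """Value of the group mapping attribute, taken from the entry's leading RDN."""
    attr, value = parse_dn(entry_dn)[0]
    return value if attr == mapping_attr.lower() else None


def resolve_roles(group_dns, search_base, mapping_attr, role_map):
    """Return (logical roles granted, {group DN: reason it granted nothing}).
    role_map is {logical role: group name}, as in <security-role-mapping>."""
    roles, skipped = set(), {}
    for group_dn in group_dns:
        if not under_search_base(group_dn, search_base):
            skipped[group_dn] = "outside group search base"
            continue
        name = mapping_value(group_dn, mapping_attr)
        matched = [role for role, grp in role_map.items() if grp.lower() == name]
        if not matched:
            skipped[group_dn] = "no matching role found"  # the message in the log above
        roles.update(matched)
    return roles, skipped


# Values quoted in the thread (the role map mirrors the orion-web.xml snippet).
GROUP_SEARCH_BASE = "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"
GROUP_MAPPING_ATTR = "cn"
ROLE_MAP = {"WEBTA_J2EE_USER": "webta"}
```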

  • How to configure roles at runtime without changing application code?

    Hi,
    We have implemented Custom Login Module security for our application. Our requirement is to configure the roles without changing the application code.
    Our Authentication Type is 'JAAS With Custom Login Module' and Authorization Type is 'JAAS'.
    According to the 10.1.3 section of JhsDevGuide1013.pdf, we need to configure the roles in web.xml and also need to give the role in the 'Authorized roles/permissions' section of the group.
    We don't want to change the application definition once we go live just for adding roles. That is overhead for us, as we may need to configure more roles according to our business requirements, but each time we don't want to change the code and re-deploy the application.
    Please let us know the way to meet our requirement.
    Thanks in advance.
    Thanks & Regards,
    Ramakrishna. P

    Hello,
    The JHeadstart Developers Guide has an excellent chapter about security to answer questions like these.
    For example, you could use the JHeadstart based custom security, with datatables, that will enable you to add roles and users at runtime.
    Regards,
    Evert-Jan de Bruin
    JHeadstart Team

  • Multi-mapping with message bundling but without using BPM

    Hi all,
    I have a requirement to bunch a specific number of records (say 50) from the source message and create separate target messages for those bunches. For example, if the source message has 120 records, then there should be three separate target messages created containing 50, 50 and 20 records each.
    I am wondering whether this multi-mapping is possible without using BPM, as the typical number of records in the source message is in the range of 600 to 800, and rarely (twice or thrice a month) they shoot up to 2000. So my concern is whether BPM would affect the performance. We are using PI at SP12.
    Regards,
    - Shankar.

    Sorry for the late reply. Well, the sender is a file system, which sends a single XML file containing multiple records. (I mean I have a sender file adapter that polls periodically from a specific path and picks up the file when it is available.)
    The number of records in the source file may be different in each run. The requirement on the receiver system is that it can handle a file which has a maximum of 'n' records only (say 50 in my example).
    Now the sender file can contain any number of records. It may contain 10 on some day, or 200 the next day, or 120 on the third day. But on the receiver side, I want the files to be created such that each will contain AT MAX 50 records.
    So, if the source file has <=50 records, then there will be only 1 target file having the same number of records.
    If the source file has between 51 and 100 records, then there will be two target files. One will have 50 records, and the second will have the remaining records.
    And so on.
    Regards,
    - Shankar.
