Expdp users, roles, grants (privs)

(sorry for the cross-posting - I'm not sure how to delete or move threads and I posted this in the general questions forum thinking I was in this forum)
So, I think this works - still in the process of testing - but what I want to do is the following:
1) Export ONLY users, passwords, and privs from TEST
2) Clone PROD --> TEST
3) Drop all users in TEST excluding system users.
4) Import original users file from Step 1.
I think I've got it with the following. Am I missing anything? I'm testing, but if someone else has done this, I would be happy to hear about anything I may be missing.
JOB_NAME=EXPDP_USERS
DIRECTORY=DTPUMP
REUSE_DUMPFILES=Y
FULL=Y
DUMPFILE=users_test.dmp
LOGFILE=users_test_expdp.log
INCLUDE=SCHEMA:"IN (SELECT USERNAME FROM dba_users where default_tablespace NOT in('SYSAUX','SYSTEM'))",ROLE,USER,SYSTEM_GRANT,ROLE_GRANT,DEFAULT_ROLE,TABLESPACE_QUOTA

Please do not post duplicates - expdp users, roles, grants (privs)

Similar Messages

  • Script for Users, Roles,Grant,Tablespace

    Hi,
    Please guide me on the following.
    I am moving a database to a new Unix server.
    Can I create a script which will check the existing Users, Roles, Grants, Tablespaces in the current database and store that data?
    Using the same stored data, I want to create the same "Users, Roles, Grants, Tablespaces" with the script.
    Can I do this? Please guide me on how to do this so it will help me to move the database.
    Thanks,
    Amol

    You should run ?\rdbms\admin\utlrp (note the ?, which is shorthand for ORACLE_HOME) from the database server, to make sure you have the correct script. You can call sqlplus from Toad easily.
    The script affects PL/SQL only. PL/SQL resides in the SYSTEM tablespace in the SYS schema. You don't have 400G of PL/SQL. It should take a few minutes only.
    The SYSTEM schema WILL be imported. SYS will not be imported, but automagically recreated. The only thing you will miss is Grants which have been made by SYS directly to end-users or roles, outside those defined in catalog.sql
    Sybrand Bakker
    Senior Oracle DBA

  • Custom plugin based on user role membership

    Hi all,
    I would like to develop a custom plugin that generates account userid (on process form) with different syntax against role membership.
    With "syntax" I mean name.surname.random_number for employee users and surname.company.random_number for example.
    I'll try to explain the scenario more in details:
    1. I create a user identity through a request
    2. After user identity has created successfully, I assign a role to the user. Since roles are associated with access policies, role assignment triggers provisioning on target system.
    3. The custom plugin that I would like to develop should be able to generate the proper userid against role membership. For example, if I assigned the role "Project Manager" the custom plugin should generate the account userid with name.surname.random_number format; vice versa, if I assigned the role "External Reseller" the custom plugin should generate the account userid with surname.company.random_number format.
    Looking for custom plugin based on role membership in forum, I found a couple of threads about this subject:
    - Email notifications after role grant
    - Re: OIM 11g Role Membership Event Handlers.
    I tried to implement what is explained in the threads, but I would like to be sure about what I've done.
    Here is what I've done:
    1. created plugin.xml file
    2. created EventHandler.xml metadata file
    3. developed a java class for testing purposes
    4. copied the custom plugin class to OIM server for example in $MIDDLEWARE_HOME/OIMPlugins/lib
    NOTE: during this operation I have maintained exactly the same directory structure as the custom java package.
    For example custom plugin class is under my.custom.plugin java package and I have copied custom java class under $MIDDLEWARE_HOME/OIMPlugins/lib/my/custom/plugin folder
    5. created a zip file containing custom plugin class (always with its directory structure) and plugin.xml file
    6. copied the zip file to $OIM_HOME/server/plugins
    7. edited ant.properties file (under $OIM_HOME/server/plugin_utility) setting wls.home and oim.home variables
    8. built the wlfullclient.jar (only the first time)
    9. registered the custom plugin
    10. created the custom plugin dataset file
    11. imported it in OIM database using "weblogicImportMetadata" utility
    12. purged cache using "PurgeCache" utility
    NOTE: all the steps above were executed using the system user running the OIM process
    test java class
    package com.zeropiu.sky.custom.eventhandlers;

    import java.io.Serializable;
    import java.util.HashMap;
    import com.thortech.util.logging.Logger;
    import oracle.iam.platform.kernel.spi.ConditionalEventHandler;
    import oracle.iam.platform.kernel.spi.PostProcessHandler;
    import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
    import oracle.iam.platform.kernel.vo.BulkEventResult;
    import oracle.iam.platform.kernel.vo.BulkOrchestration;
    import oracle.iam.platform.kernel.vo.EventResult;
    import oracle.iam.platform.kernel.vo.Orchestration;
    import oracle.iam.platform.context.ContextManager;
    import java.util.Set;

    // Test handler: every callback only prints its own name so the call order shows up in the OIM log.
    public class TestUserAnonimi implements PostProcessHandler, ConditionalEventHandler {
        private static final Logger logger = Logger.getLogger("com.zeropiu.sky.custom.eventhandlers");
        private static final String className = "TestUserAnonimi";

        @Override
        public void initialize(HashMap<String, String> arg0) {
            // TODO Auto-generated method stub
            String methodName = "initialize";
            System.out.println("###### " + className + " - " + methodName);
        }

        @Override
        public boolean isApplicable(AbstractGenericOrchestration abstractGenericOrchestration) {
            // TODO Auto-generated method stub
            String methodName = "isApplicable";
            System.out.println("###### " + className + " - " + methodName + " - STARTED");
            System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextType(): " + ContextManager.getContextType());
            System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextSubType(): " + ContextManager.getContextSubType());
            System.out.println("###### " + className + " - " + methodName + " - abstractGenericOrchestration.getOperation(): " + abstractGenericOrchestration.getOperation());
            System.out.println("###### " + className + " - " + methodName + " - Printing ContextManager parameters");
            // Dump the name and value type of every parameter in the current context.
            HashMap allContextManagerPairs = ContextManager.getAllValuesFromCurrentContext();
            Set<String> allContextManagerParams = allContextManagerPairs.keySet();
            String[] parameters = allContextManagerParams.toArray(new String[allContextManagerParams.size()]);
            for (int i = 0; i < parameters.length; i++) {
                // Utils is a helper class from the poster's project that is not shown in the post.
                // The index [i] was missing in the posted code; the value is looked up per parameter name.
                System.out.println("###### " + className + " - " + methodName + " - Context parameter " + i + ": " + parameters[i] + " - Object type is: " + Utils.getObjectType(ContextManager.getValue(parameters[i])));
            }
            System.out.println("###### " + className + " - " + methodName + " - ENDED");
            return true;
        }

        @Override
        public boolean cancel(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "cancel";
            System.out.println("###### " + className + " - " + methodName);
            return false;
        }

        @Override
        public void compensate(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "compensate";
            System.out.println("###### " + className + " - " + methodName);
        }

        @Override
        public EventResult execute(long arg0, long arg1, Orchestration orchestration) {
            // TODO Auto-generated method stub
            String methodName = "Eventresult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
        }

        @Override
        public BulkEventResult execute(long arg0, long arg1, BulkOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "BulkEventResult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
        }
    }
    plugin.xml file
    <?xml version="1.0" encoding="UTF-8"?>
    <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
    <plugin pluginclass="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" version="1.0" name="TestUserAnonimi">
    </plugin>
    </plugins>
    </oimplugins>
    EventHandler.xml metadata file
    <?xml version='1.0' encoding='UTF-8'?>
    <eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
    <action-handler class="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" entity-type="RoleUser" operation="CREATE" name="TestUserAnonimi" stage="preprocess" order="1007" sync="FALSE" />
    </eventhandlers>
    When I assign a role to a user through the OIM web interface, I can see in the OIM log file all the System.out.println output contained in the initialize(), isApplicable() and BulkEventResult execute() methods. Is it correct? Can I implement my custom plugin logic now, or is my starting point wrong?
    ###### TestUserAnonimi - initialize
    ###### TestUserAnonimi - isApplicable - STARTED
    ###### TestUserAnonimi - isApplicable - ContextManager.getContextType(): ADMIN
    ###### TestUserAnonimi - isApplicable - ContextManager.getContextSubType():
    ###### TestUserAnonimi - isApplicable - abstractGenericOrchestration.getOperation(): CREATE
    ###### TestUserAnonimi - isApplicable - Printing ContextManager parameters
    ###### TestUserAnonimi - isApplicable - Context parameter 0: origuser - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 1: oimuser - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 2: RESOLVED_LOCALE - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 3: counter - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 4: TIME_ZONE - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - Context parameter 5: ipaddress - Object type is: java.lang.String
    ###### TestUserAnonimi - isApplicable - ENDED
    ##### TestUserAnonimi - BulkEventResult execute
    Thanks,
    Daniele
    Edited by: 886636 on Jan 24, 2012 2:53 AM

    Probably I didn't explain myself clearly... sorry for that!
    Anyway you are right, the role of the user can change after the user is initially provisioned.
    I'll try to summarize, to be sure I have understood your answer and to explain my scenario in more detail:
    1. After user identity creation, I'll assign the role "Project Manager". Before the role assignment the user does not have any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
    2. After step 1, I need to assign another role to the user; the new role should be "External Reseller", for example. In this case the user already has a role. What I would like is: based on the role that I'm assigning (External Reseller), the pre-populate adapter should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care about deprovisioning the first userid.
    Is it possible with a pre-populate adapter?
    Sorry again for my not very clear explanations.
    Daniele
    Edited by: 886636 on Jan 24, 2012 4:10 AM

  • Missing Role Grants after datapump

    Hello OTN-Community,
    I have a problem with datapump. I am using some include filters to get the relevant data exported. One of these filters includes the ROLES of my database which start with a certain expression.
    After the export into another database these roles exist, but all of the role grants and the grants to other users are missing. The object grants are exported correctly.
    What am I doing wrong?
    The export script:
    declare
    /* some declarations were not copied */
    cursor curSchema is
    select
    distinct
    t.Mdbn_Name Name
    from
    ProphetMaster.Dat_MdBn t
    where
    Upper(t.MDBN_Name) not in ('****', '***');
    begin
    -- Define schemas
    SchemaList := '''****'',''***''';
    if ExportAllProphetUsers then
    for recSchema in  curSchema loop
          SchemaList := SchemaList||','''||recSchema.Name||''''; 
    end loop;
    end if;
    -- File size
    FileSizeStr := to_char(MaxFileSize)||'M';
    -- Directory
    DirectoryName := 'PHT_PUMP_DIR';
    execute immediate  'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||''''; 
    -- JobName
    JobName := 'PHT_EXPORT'||DateStr;
    -- Filename
    if not FilenameWithDateTime then
    DateStr :='';
    end if;
    Filename := 'PHTDB'||DateStr||'_%U.DMP';
    Logfilename := JobName||'.LOG';
    -- Define and run the job
    h1 := dbms_datapump.open (operation => 'EXPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
    dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
    dbms_datapump.add_file(handle => h1, filename =>  Logfilename, directory => DirectoryName, filetype => 3);
    dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
    --10g
    --dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1);
    --11g
    dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1, reusefile =>OverwriteFiles);
    dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
    dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
    -- Include Schemas
    --dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
    dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
    dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''DATABASE_EXPORT/SCHEMA'')');
    --Include Profiles
    dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''PROFILE_%''', object_type => 'PROFILE');
    dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''PROFILE'')');
    --Include Roles  
    dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''***%''', object_type => 'ROLE');
    dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''ROLE'')');
    -- Size estimate
    dbms_datapump.set_parameter(handle => h1, name => 'ESTIMATE', value => 'BLOCKS');
    --Start Job
    dbms_output.put_line('Export Job started; Logfile: '|| LogFileName);
    dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
    -- Wait for ending and finishing job
    dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
    dbms_output.put_line('Job has completed');
    dbms_output.put_line('Final job state = ' || job_state);
    dbms_datapump.detach(handle => h1);
    end;
    The Import Script:
    begin
    dbms_output.Enable(buffer_size => null);
    -- Directory
    DirectoryName := 'PHT_PUMP_DIR';
    execute immediate  'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||''''; 
    -- JobName
    JobName := 'PHT_IMPORT'|| to_char(sysdate,'_yyyy-MM-DD-HH24-MI');
    --FileNames
    Filename    := 'PHTDB'||FileNameDateStr||'_%U.DMP';
    LogFilename := JobName||'.LOG';
    h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
    --If the Data Pump import is run on a standard version, this call line must be used
      --h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => '10.2');
    dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
    dbms_datapump.add_file(handle => h1, filename =>  Logfilename, directory => DirectoryName, filetype => 3);
    dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
    dbms_datapump.add_file(handle => h1, filename =>  Filename, directory => DirectoryName,  filetype => 1);
    dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
    dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
    dbms_datapump.set_parameter(handle => h1, name => 'REUSE_DATAFILES', value => 0);
    dbms_datapump.set_parameter(handle => h1, name => 'TABLE_EXISTS_ACTION', value => 'REPLACE');
    dbms_datapump.set_parameter(handle => h1, name => 'SKIP_UNUSABLE_INDEXES', value => 0);
    --Start Job
    dbms_output.put_line('Import Job started; Logfile: '|| LogFileName);
    dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
    -- Wait for ending and finishing job
    dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
    dbms_output.put_line('Job has completed');
    dbms_output.put_line('Final job state = ' || job_state);
    dbms_datapump.detach(handle => h1);
    end;

    Has no one any idea?

  • Export / import tablespace with all objects (datas, users, roles)

    Hi, I have a problem or question on the topic of exporting / importing a tablespace.
    On the one hand, I have a database 10g (A) and on the other hand, a database 11g (B).
    On A there is a tablespace called PRO.
    Furthermore 3 Users:
    PRO_Main - contains the data - Tablespace PRO
    PRO_Users1 with a role PRO_UROLE - Tablespace PRO
    PRO_Users2 with a role PRO_UROLE - Tablespace PRO
    Now, I want to transfer the whole tablespace PRO (including users PRO_MAIN, PRO_USER1, PRO_User2 and the role PRO_UROLE) from A to B.
    On B, I've created the user PRO_Main and the tablespace PRO.
    On A, I execute the following statement:
    expdp PRO_Main/XXX TABLESPACES=PRO DIRECTORY=backup_datapump DUMPFILE=TSpro.dmp LOGFILE=TSpro.log
    On B:
    impdp PRO_Main/XXX TABLESPACES=PRO DIRECTORY=backup_datapump DUMPFILE=TSpro.dmp LOGFILE=TSpro.log
    Result:
    The user PRO_Main was imported with all the data.
    But I'm missing PRO_USER1, PRO_User2 and the role PRO_UROLE...
    I assume I've used the wrong parameters in my expdp and / or impdp.
    It would be nice if anybody could give me a hint.
    Thanks in advance.
    Best Regards,
    Frank

    When you do a TABLESPACE mode export by specifying just the tablespaces, then all that gets exported are the tables and their dependent objects. The users, roles, and the tablespace definitions themselves don't get exported.
    When you do a SCHEMA mode export by specifying the schemas, you will get the schema definitions (if the schema running the export is privileged) and all of the objects that the schema owns. The schema does not own roles or tablespace definitions.
    In your case, you want to move
    1. schemas - which you already created 1 on your target database
    2. roles
    3. everything in the tablespaces owned by multiple schemas.
    There is no 1 export/import command that will do this. This is how I would do this:
    1 - move the schema definitions
    a. you can either create these manually or
    b1. expdp schemas=<your list of schemas> include=user
    b2 impdp the results from b1.
    2. move the roles
    expdp full=y include=role ...
    remember, this will include all roles. If you want to limit what gets exported, then use:
    include=role:"in ('ROLE1', 'ROLE2', ETC.)"
    impdp the roles just exported
    3. move the user information
    a. If you want to move all of the schema's objects like functions, packages, etc, then you need to use a schema mode export
    expdp user/password schemas=a,b,c ...
    b. If you want to move only the objects in those tablespaces, then use the tablespace export
    expdp user/password tablespaces=tbs1, tbs2, ...
    c. import the dumpfile generated in step 3
    impdp user/password ...
    Hope this helps.
    Dean
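
A pre- and post-migration inventory for the procedure described above, as an added example that is not part of the original thread: it lists the accounts tied to a tablespace, the roles they hold, and the role, system and object grants that a tablespace-mode export leaves behind. The tablespace name PRO comes from the question; the column aliases are chosen here. Run it on the source and on the target and compare the two outputs, so that missing users, roles or role grants show up as missing rows.

```sql
-- Added example, not code from the thread. Oracle SQL; needs SELECT on the DBA_* views.
-- Spool the result on the source before the export and on the target after the import,
-- then diff the two files.
-- 'PRO' is the tablespace name used in the question above.

WITH ts_users AS (
    -- Accounts tied to the tablespace: it is their default, or they own segments in it.
    SELECT username FROM dba_users WHERE default_tablespace = 'PRO'
    UNION
    SELECT owner FROM dba_segments WHERE tablespace_name = 'PRO'
),
ts_roles AS (
    -- Roles those accounts hold, directly or through another role.
    SELECT DISTINCT granted_role AS role_name
    FROM   dba_role_privs
    START WITH grantee IN (SELECT username FROM ts_users)
    CONNECT BY PRIOR granted_role = grantee
),
principals AS (
    -- Every grantee whose privileges have to exist on the target.
    SELECT username AS name FROM ts_users
    UNION
    SELECT role_name FROM ts_roles
)
SELECT 'USER' AS kind, username AS grantee, '-' AS detail
FROM   ts_users
UNION ALL
SELECT 'ROLE', role_name, '-'
FROM   ts_roles
UNION ALL
-- Role memberships: the rows that are absent when only the ROLE object type is moved.
SELECT 'ROLE_GRANT', grantee,
       granted_role || DECODE(admin_option, 'YES', ' WITH ADMIN OPTION')
FROM   dba_role_privs
WHERE  grantee IN (SELECT name FROM principals)
UNION ALL
SELECT 'SYSTEM_GRANT', grantee,
       privilege || DECODE(admin_option, 'YES', ' WITH ADMIN OPTION')
FROM   dba_sys_privs
WHERE  grantee IN (SELECT name FROM principals)
UNION ALL
SELECT 'OBJECT_GRANT', grantee,
       privilege || ' ON ' || owner || '.' || table_name
       || DECODE(grantable, 'YES', ' WITH GRANT OPTION')
FROM   dba_tab_privs
WHERE  grantee IN (SELECT name FROM principals)
ORDER  BY 1, 2, 3;
```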

  • Find the roles granted on tables in oracle 10g

    Hi,
    I need to find which roles are granted on which tables in a schema. I tried to query dba_tab_privs, but this gives which roles are granted on tables; I want to find which tables are missing these roles in a schema.
    any help is appreciated.
    Thanks...

    789287 wrote:
    I have another scenario where I have 2 different schemas such as TEST_A and TEST_B. At TEST_B, the user has 2 roles, B_query and b_update, and these roles are granted to the TEST_B user.
    TEST_A needs to access the TEST_B objects. When I grant A_QUERY and A_UPDATE to the TEST_A user and then log in as the TEST_A user to access the TEST_B objects, I get an error that the object doesn't exist.
    I don't want to grant privileges on the TEST_B objects directly to the TEST_A user. Is there any way I can accomplish this through the role?
    I thought it would be appropriate to ask the question here rather than opening a thread.
    Thanks...
    Consider actually posting the actual SQL & complete error response from Oracle.
    How do I ask a question on the forums?
    SQL and PL/SQL FAQ

  • Modify Script to Create User Role on Single Database.

    Hi All,
    Below is the script to create a user role on a database. The problem is that when I execute this script, it creates the user role for all databases within an instance, and I want it to create the user role only on 2 databases, say TEST1 and TEST2.
    Can anyone help me to modify the script? 
    --===================================================================================
    -- Description
    -- Database Type: MSSQL
    -- This script creates a role called 'gdmmonitor' for ALL databases.
    -- It grants some system catalogs to this role to allow Classification and Assessment on the database.
    -- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
    -- before running this script
    --  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
    --  This sqlguard login doesn't need to be added to any database or given
    --  any privilege.  The script will take care of that.
    --  Note:
    --   If you wish to use a different login name (instead of 'sqlguard') you need to change
    --   the value of the variable '@Guardium_user' in the script below; 
    --   (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
    -- after running this script
    -- Nothing to do, the script already creates the db user
    -- User/Password to use
    -- User: sqlguard (or any other name, if changed)
    -- Pass: user defined
    -- Role: gdmmonitor
    --===================================================================================
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Creating role: "gdmmonitor" at the server level.'
    PRINT '>>>==================================================================>>>'
    -- Change to the master database
    USE master
    -- *** If a different login name is desired, define it here. ***
    DECLARE @Guardium_user AS varchar(50)
    set @Guardium_user = 'sqlguard'
    DECLARE @dbName AS varchar(256)
    DECLARE @memberName AS varchar(256)
    DECLARE @dbVer AS nvarchar(128)
    SET     @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
    SET     @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
    IF (@dbVer = '8') SET @dbVer = '2000'
    ELSE IF (@dbVer = '9')  SET @dbVer = '2005'
    ELSE IF (@dbVer = '10')  SET @dbVer = '2008'
    ELSE IF (@dbVer = '11')  SET @dbVer = '2012'
    ELSE SET @dbVer = '''Unsupported Version'''
    IF (@dbVer != '2000')
    BEGIN
      -- This privilege is required to perform a specific MSSQL test.
      -- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key) 
      -- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop 
      -- Purpose: To display provider property, not changing anything.
      PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
      EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
    END
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if they exist
    CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the role gdmmonitor on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.spt_values     TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysconfigures  TO gdmmonitor
    GRANT SELECT ON dbo.sysdatabases   TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syslogins      TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    -- Grant execute privileges to the role for MSSql Common
    PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
    GRANT EXECUTE ON sp_helpdbfixedrole    TO gdmmonitor
    GRANT EXECUTE ON sp_helprotect         TO gdmmonitor
    GRANT EXECUTE ON sp_helprolemember     TO gdmmonitor
    GRANT EXECUTE ON sp_helpsrvrolemember  TO gdmmonitor
    GRANT EXECUTE ON sp_tables             TO gdmmonitor
    GRANT EXECUTE ON sp_validatelogins     TO gdmmonitor
    GRANT EXECUTE ON sp_server_info       TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects           TO gdmmonitor
      GRANT SELECT ON sys.database_permissions  TO gdmmonitor
      GRANT SELECT ON sys.database_principals   TO gdmmonitor
      GRANT SELECT ON sys.sql_logins            TO gdmmonitor
      GRANT SELECT ON sys.sysfiles              TO gdmmonitor
      GRANT SELECT ON sys.database_role_members TO gdmmonitor 
      GRANT SELECT ON sys.server_role_members   TO gdmmonitor 
      GRANT SELECT ON sys.configurations        TO gdmmonitor
      GRANT SELECT ON sys.master_key_passwords  TO gdmmonitor
      GRANT SELECT ON sys.server_principals     TO gdmmonitor
      GRANT SELECT ON sys.server_permissions    TO gdmmonitor
      GRANT SELECT ON sys.credentials           TO gdmmonitor
      --This is called by master.dbo.sp_MSset_oledb_prop.  
      --By default it should have already been granted to public. 
      GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
      GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR 
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- END of role creation on database
    PRINT '==> END of role creation on: ' + @dbName
    PRINT ''
    -- Change to the msdb database
    USE msdb
    set @memberName = ''
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if it exists
    TRUNCATE TABLE #rolemember
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the gdmmonitor role on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    GRANT SELECT ON dbo.backupset   TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects TO gdmmonitor
      GRANT SELECT ON sys.database_permissions TO gdmmonitor
      GRANT SELECT ON sys.database_principals TO gdmmonitor
      GRANT SELECT ON sys.sysfiles TO gdmmonitor
      -- Grant execute privileges to the role for MSSql 2005 or above
      PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
      GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
      GRANT SELECT ON sys.database_role_members  TO gdmmonitor
    END
    IF (@dbVer > '2000' and @dbVer < '2012') 
    --This sp is not available in SQL 2012
    BEGIN
      GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
    END
    -- Re-add the dropped members
    -- SELECT count(*) always returns one row, so test for actual rows instead
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the temporary table
    DROP TABLE #rolemember
    -- END of role creation on database
    PRINT '==> END of gdmmonitor role creation on: ' + @dbName
    -- Role creation complete
    PRINT '<<<==================================================================<<<'
    PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
    PRINT '<<<==================================================================<<<'
    PRINT ''
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Starting application database role creation'
    PRINT '>>>==================================================================>>>'
    use master
    DECLARE @databaseName AS varchar(80)
    DECLARE @executeString AS varchar(7950)
    DECLARE @dbcounter as int   
    set @dbcounter = 0
    DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
    and not (status & 1024 > 1)
    --read only
    and not (status & 4096 > 1)
    --single user
    and not (status & 512 > 1)
    --offline
    and not (status & 32 > 1)
    --loading
    and not (status & 64 > 1)
    --pre recovery
    and not (status & 128 > 1)
    --recovering
    and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode
    OPEN DatabaseCursor
    FETCH DatabaseCursor INTO @databaseName
    WHILE @@Fetch_Status = 0
    BEGIN
    set @dbcounter = @dbcounter + 1     
    set @databaseName = '"' + @databaseName + '"'  
    set @executeString = ''
    set @executeString = 'use ' + @databaseName + ' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
             'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
           '/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
           'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
           '/*find any members of the role if it exists*/ ' +
             'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
             'INSERT INTO #rolemember ' +
             'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
             'WHERE usr.uid = mbr.memberuid ' +
             'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             '/*Drop the Role Members If they exist*/ ' +
             'IF EXISTS (SELECT * FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                 'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                 'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/*drop the role if it exists*/ ' +
             'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
               'exec sp_droprole ''gdmmonitor'' ' +
             'END ' +
             '/* Create the role */ ' +
             'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
             'exec sp_addrole ''gdmmonitor'' ' +
             '/* Grant select privileges to the role for MSSql Common */ ' +
             'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
             'GRANT SELECT ON dbo.sysmembers     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysobjects     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysprotects    TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysusers       TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysfiles       TO gdmmonitor ' +
                   'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
             '/* Check if the version is 2005 or greater */ ' +
             'IF (' + @dbVer + ' != ''2000'') ' +
             'BEGIN ' +
               '/* Grant select privileges to the role for MSSql 2005 and above */ ' +
               'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
               'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
               'GRANT SELECT ON sys.all_objects          TO gdmmonitor ' +
               'GRANT SELECT ON sys.database_principals  TO gdmmonitor ' +
               'GRANT SELECT ON sys.sysfiles      TO gdmmonitor ' +          
               'GRANT SELECT ON sys.database_role_members  TO gdmmonitor ' +           
             'END ' +
             '/* Re-add the dropped members */ ' +
             'IF EXISTS (SELECT 1 FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                   'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                   'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                   'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/* drop the temporary table */ ' +
             'DROP TABLE #rolemember ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT '' ''' +
             'PRINT '' '''
    execute (@executeString)
    FETCH DatabaseCursor INTO @databaseName
    END
    CLOSE DatabaseCursor
    DEALLOCATE DatabaseCursor
    --  Adding user to all the databases
    --  and grant gdmmonitor role, only if login exists.
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
    PRINT '>>> on all databases.'
    PRINT '>>>==================================================================>>>'
    USE master
    /* Check whether the @Guardium_user login exists; if not, do nothing. */
    IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
    BEGIN
      PRINT ''
      PRINT '************************************************************************'
      PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
      PRINT '***        Please add the login and re-run this script.'
      PRINT '************************************************************************'
      PRINT ''
    END
    ELSE
    BEGIN
      DECLARE @counter AS smallint
      set @counter = 0
      --  This loop runs 4 times just to make sure that the @Guardium_user gets added to all dbs.
      --  99% of the time, this is totally unnecessary.  But in some rare cases on SQL 2005
      --  the loop skips some databases when it tries to add the @Guardium_user.
      --  After two to three executions, the user is added in all the dbs.
      --  Might be a SQL Server bug.
      WHILE @counter <= 3
      BEGIN
      set @counter = @counter + 1
        set @databaseName = ''
        set @executeString = ''
        DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
        where not (status & 1024 > 1)
    --read only
        and not (status & 4096 > 1)
    --single user
        and not (status & 512 > 1)
    --offline
        and not (status & 32 > 1)
    --loading
        and not (status & 64 > 1)
    --pre recovery
        and not (status & 128 > 1)
    --recovering
        and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode    
        OPEN DatabaseCursor
        FETCH DatabaseCursor INTO @databaseName
        WHILE @@Fetch_Status = 0
        BEGIN
        set @databaseName = '"' + @databaseName + '"' 
        set @executeString = ''
        set @executeString = 'use ' + @databaseName + ' ' +
                 '/*Check if the login already has access to this database */ ' +
                 'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                  '/*Check if login already have gdmmonitor role*/ ' +
                  'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
                'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
                'AND usr.name = ''' + @Guardium_user + ''') ' +
                  'BEGIN ' +
                  'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
                  'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                  'PRINT '' ''' +
                  'END ' +
                 'END ' +
                 'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                 'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
                 'execute sp_adduser [' + @Guardium_user + '] ' +
                 'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database '  + @databaseName + ''' ' +
                 'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                 'PRINT '' ''' +
                 'END '
        execute (@executeString)
        FETCH DatabaseCursor INTO @databaseName
        END
        CLOSE DatabaseCursor
        DEALLOCATE DatabaseCursor
      END   -- end while
      -- Required for Version 2005 or greater.
      IF (@dbVer != '2000')
      BEGIN
        -- Grant system privileges to the @guardium_user.  This is a requirement for >= SQL 2005
        -- or else some system catalogs will filter our result from assessment test.
        -- This will show up in sys.server_permissions view.
        PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
        execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
        execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
      END
      PRINT '<<<==================================================================<<<'
      PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
      PRINT '<<< on all databases.'
      PRINT '<<<==================================================================<<<'
      PRINT ''
    END
    GO
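
The member loops and the per-database section of the script above splice `@memberName` and `@Guardium_user` into EXEC strings, so a principal name containing a quote or a bracket breaks the statement or changes what runs. The following is an added example, not part of the posted script or of the vendor's code, showing the same steps with names passed as parameters and `QUOTENAME` used where an identifier has to become statement text; the login name `guardium_login` is a placeholder, and it assumes SQL Server 2005 or later and that the database user has the same name as the login.

```sql
-- Added example, not the posted script. Principal names are passed as
-- parameter values; only identifiers go through QUOTENAME into statement text.
SET NOCOUNT ON;

DECLARE @roleName sysname, @memberName sysname, @Guardium_user sysname;
DECLARE @databaseName sysname, @sql nvarchar(4000);
SET @roleName      = N'gdmmonitor';
SET @Guardium_user = N'guardium_login';  -- placeholder login name (assumption)

-- 1) Current database: snapshot the role members, drop them, re-add them.
CREATE TABLE #rolemember (membername sysname NOT NULL);
INSERT INTO #rolemember (membername)
SELECT m.name
FROM   sys.database_role_members AS rm
JOIN   sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = @roleName AND r.type = 'R';

DECLARE MemberCursor CURSOR LOCAL STATIC FOR SELECT membername FROM #rolemember;
OPEN MemberCursor;
FETCH NEXT FROM MemberCursor INTO @memberName;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT '==> Dropping member: ' + QUOTENAME(@memberName);
    -- A quote inside the name stays data because nothing is concatenated.
    EXEC sp_droprolemember @rolename = @roleName, @membername = @memberName;
    FETCH NEXT FROM MemberCursor INTO @memberName;
END
CLOSE MemberCursor;

-- (the posted script drops and re-creates the role at this point)

OPEN MemberCursor;   -- reopening the cursor walks #rolemember again
FETCH NEXT FROM MemberCursor INTO @memberName;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT '==> Re-adding member: ' + QUOTENAME(@memberName);
    EXEC sp_addrolemember @rolename = @roleName, @membername = @memberName;
    FETCH NEXT FROM MemberCursor INTO @memberName;
END
CLOSE MemberCursor;
DEALLOCATE MemberCursor;
DROP TABLE #rolemember;

-- 2) Every online, writable, multi-user database: add the user to the role.
DECLARE DatabaseCursor CURSOR LOCAL STATIC FOR
    SELECT name FROM sys.databases
    WHERE  state_desc = 'ONLINE' AND is_read_only = 0 AND user_access_desc = 'MULTI_USER';
OPEN DatabaseCursor;
FETCH NEXT FROM DatabaseCursor INTO @databaseName;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Only the database identifier is concatenated, and only through QUOTENAME.
    SET @sql = N'USE ' + QUOTENAME(@databaseName) + N';
        IF EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @role AND type = ''R'')
           AND EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @user)
            EXEC sp_addrolemember @rolename = @role, @membername = @user;';
    EXEC sp_executesql @sql, N'@role sysname, @user sysname',
         @role = @roleName, @user = @Guardium_user;
    FETCH NEXT FROM DatabaseCursor INTO @databaseName;
END
CLOSE DatabaseCursor;
DEALLOCATE DatabaseCursor;

-- 3) Server-level grant: GRANT needs an identifier, so the text must be built;
--    QUOTENAME doubles any ] inside the login name.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @Guardium_user)
BEGIN
    SET @sql = N'USE master; GRANT VIEW ANY DATABASE TO ' + QUOTENAME(@Guardium_user) + N';';
    EXEC sp_executesql @sql;
END
```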

    Thanks a lot Sir... it worked.
    Can you also help me in troubleshooting below issue?
    This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
    The SA account with the highest privileges is being used for script execution. The errors received are as follows:
    >>>==================================================================>>>
    >>> Creating role: "gdmmonitor" at the server level.
    >>>==================================================================>>>
    ==> Granting MSSSQL 2005 and above setupadmin server role
    ==> Starting MSSql 2005 role creation on database: master
    (0 row(s) affected)
    ==> Dropping the gdmmonitor role members on: master
    ==> Creating the role gdmmonitor on: master
    Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
    The procedure 'sys.sp_addrole' cannot be executed within a transaction.
    ==> Granting common SELECT privileges on: master
    Msg 15151, Level 16, State 1, Line 117
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 118
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 119
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 120
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 121
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 122
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 123
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 124
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 125
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 126
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    ==> Granting common EXECUTE privileges on: master
    Msg 15151, Level 16, State 1, Line 130
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 131
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 132
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 133
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 134
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 135
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 136
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.

  • Query user roles and access

    hi,
    How can I query user roles and access in the whole database? I want to list username, status, rights, and role.
    thanks
    P

    Hi,
    The data dictionary view dba_users has one row per user.
    The data dictionary view dba_role_privs has one row for every distinct combination of user and role that actually occurs in your database.
    Are you interested in system privileges? See dba_sys_privs.
    Are you interested in individual grants, like the privilege to UPDATE a given table, or the privilege to execute a given stored procedure? See dba_tab_privs. (Don't be fooled by the name; it's not just for tables.)
    I hope this answers your question.
    If not, post some CREATE statements that create tables, roles, and whatever else you want, and some GRANT statements that grant privileges on those objects. Post the results that you would want to get from those objects and grants.
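
The four dictionary views named in the answer above can be combined into one listing of username, status, role and rights. This is an added example, not part of the original reply; it goes one step further than the answer by also following role-to-role grants, so privileges a user holds only through a role are shown with the role in the `via` column. It assumes a session that can read the `DBA_` views and does not include grants made to PUBLIC.

```sql
-- Added example: users, their roles (direct and nested), and the system and
-- object privileges they hold directly or through those roles.
WITH user_roles AS (
    -- every role a user reaches, following role-to-role grants
    SELECT DISTINCT CONNECT_BY_ROOT rp.grantee AS username, rp.granted_role
    FROM   dba_role_privs rp
    START WITH rp.grantee IN (SELECT username FROM dba_users)
    CONNECT BY PRIOR rp.granted_role = rp.grantee
),
holders AS (
    -- a user holds privileges as itself and as each of its roles
    SELECT username, username AS holder, 'DIRECT' AS via FROM dba_users
    UNION ALL
    SELECT username, granted_role, granted_role FROM user_roles
)
SELECT u.username, u.account_status, 'ROLE' AS grant_type,
       ur.granted_role AS privilege,
       CAST(NULL AS VARCHAR2(300)) AS on_object,
       CAST(NULL AS VARCHAR2(128)) AS via
FROM   dba_users u
JOIN   user_roles ur ON ur.username = u.username
UNION ALL
SELECT u.username, u.account_status, 'SYSTEM PRIVILEGE',
       sp.privilege, NULL, h.via
FROM   dba_users u
JOIN   holders h        ON h.username = u.username
JOIN   dba_sys_privs sp ON sp.grantee = h.holder
UNION ALL
SELECT u.username, u.account_status, 'OBJECT PRIVILEGE',
       tp.privilege, tp.owner || '.' || tp.table_name, h.via
FROM   dba_users u
JOIN   holders h        ON h.username = u.username
JOIN   dba_tab_privs tp ON tp.grantee = h.holder
ORDER  BY 1, 3, 4;
```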

  • Easy Question: How to identify user roles within form?

    Hi folks,
    I would like to display/hide button which calls static data maintenance form (from other form) based on current user roles.
    If user has role "STATIC_DATA" granted then DISPLAY button (which calls static data form), else DO NOT DISPLAY it.
    Any example, how to get user roles within form?
    Thanks,
    Tomas

    I can do it with below code:
    declare
      l_cnt number;
    begin
      select count(*)
         into l_cnt
         from user_role_privs
      where granted_role = 'STATIC_DATA';
      if l_cnt > 0 then
            -- display it
      else
         -- do not display
      end if;
    end;
    I think, above should work.
    Thanks,
    Tomas

  • Probs in granting privs

    hi there..
    i created a user named x and gave it privileges like create, select, update.
    the user is able to create a table but he can't select from the particular table..
    for eg..
    grant select
    2 on student
    3 to x;
    Grant succeeded.
    but..
    from x's side.. he is getting the error as..
    SQL> select * from student;
    select * from student
    ERROR at line 1:
    ORA-00942: table or view does not exist..
    plz guide me..to solve this prob.
    shiv
    beginner in sql

    Your post on the "SQL and PL/SQL" forums (probs in granting privs) was in the right place and has already been answered. This forum is for discussing the SQL Developer tool, rather than general SQL or PL/SQL questions.
    theFurryOne

  • Assign user role to network group people

    Hi everyone,
    What user role should I assign to network people if they want to be able to discover (add) and manage their network devices by themselves? I have tried the Advanced Operator and Operator roles, but none of them came up with the Discovery Wizard option. I really don't want to assign them to the Operations Manager Administrators group because I'm pretty sure they will mess up SCOM within a couple of mins!!!!!

    Hi,
    We can create runas account for discovery with the network discovery wizard, the runas account type is community string only.
    Network devices that use SNMP v1 or v2 require a Run As account that specifies a community string, which acts like a password to provide read-only access to the device.
    Regards, Yan Li

    Hi Yan Li,
    After reading your post a couple of times, I'm confused now. I did have two run as accounts created for community string and snmpv3 authentication. When I ran the Discovery Wizard for network devices, I could select either one of them to run without problem, and discover network devices. My account is under the Operation Manager Administrators role, so I have full permissions to do anything I want.
    My question is how to configure or create User Roles for network group people, so they can also run the Discovery Wizard and manage their network devices without putting them into the Operation Manager Administrators group. Ex: there is no Administration tab for them, they only see the Network Monitoring folder under Monitoring. Because I don't want them to mess up those options under Administration.
    Is it, just like the previous post said, only these two options?  Thank you.
    1) grant them as a SCOM administrators right
    2) scom administrator help them to do network discovery

  • Which user role I need to use for import WSM policies?

    Hi.
    I'm looking for a user role that has the grant to import new policies in wsm via EM (soaadmin em).
    Is there a preconfigured user that can do that?
    If not, how can I create a new one and give it the right permission?
    Is it possible?
    Obviously using the admin one I can do this operation, but ADMIN has too many privileges.
    Thank you
    diego

    Hi Colins,
    Thanks for your suggestion to create a sample on the APEX. I will do that and will post the problem in the FORUM.
    Normally I add my name at the end of each conversation in the forum. I forgot to add one in this thread.
    Cheers,
    Krishna.

  • Problem with a calculated member browsing cube with a specific user role

    Good evening to all of you.
    I am not a newbie at SSAS, nor an expert developer.
    I use SSAS 2008 R2 Standard Edition.
    I will try to simplify my problem with a calculated measure.
    I have a CUBE with :
    [Measures].[Sales Amount]
    Dimension STORES - Dimension CUSTOMERS - Dimension DATE
    I have also 2 user roles :
    The Direction Role can see all members of all dimensions.
    The Customize Role has a restriction on Dimension STORES: it can see only one STORE of all (suppose there are 100 stores).
    A user that has the Customize Role, when browsing the cube in Excel, wants to see for a specific CUSTOMER the Sales Amount of his own STORE but also the total Sales Amount of ALL STORES for that Customer...
    Is it possible to do that ???
    Can you give any suggestion, also using the Adventure Works Cube ???
    I was able to create a calculated measure like the one below.
    It does not work... It gives the same result as Sales Amount.
    It seems that the Customize Role always wins over every kind of calculated measure I need to create..
    i.e  SUM([STORES].[STORES].[ALL STORES],[Measures].[Sales Amount])
    Thanks in advance.

    Hi maretix,
    According to your description, you have a customize role which limit the user can only see data about his own STORE. Now this user wants to see the total Sales Amount for his own STORES only. Right?
    In Analysis Services, when granting custom access to dimension data, it has an option "Enable Visual Total" in Advanced dimension security. By default, the VisualTotals property is disabled (set to False). This default setting maximizes performance because Analysis Services can quickly calculate the total of all cell values, instead of having to spend time selecting which cell values to calculate. So you always get the same result, which is the total for all STORES.
    In this scenario, please select this option. When you enable the VisualTotals property, your custom role can only view aggregated totals for dimension members to which the role has permission.
    Reference:
    Grant custom access to dimension data (Analysis Services)
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou
    TechNet Community Support

  • BPEM End User role does not appear

    Hi masters
    What should I do to make the BPEM End User role appear on the portal Identity Management?

    Hi Ganga,
    Firstly, check the BPM usage type is loaded in your SAP NetWeaver 7.3 system at http://<host>:<port>/utl/UsageTypesInfo
    If the BPM usage type is loaded, check the BPM configuration wizards have been run in the SAP NetWeaver Administrator - http://<host>:<port>/nwa > Configuration > Scenarios > Configuration Wizard
    Finally check the role exists via the SAP NetWeaver Administrator - http://<host>:<port>/nwa > Configuration > Security > Identity Management
    If you aren't seeing all the options in SAP NetWeaver Administrator then you need to find someone with more authority and get them to grant you the SAP_BPM_SuperAdmin or SAP_BPM_SuperDisplay role.
    If that's all ok you can then go back and check the role is visible in the Portal.
    Regards,
    Jocelyn

  • How to hide custom fields in Shopping cart depening on user role

    Hi,
    We have some custom fields in shopping cart for basic view. Everything works fine. Now the client is asking to hide all the custom fields based on user role.
    I found some function modules to find roles. Now my main problem is that I am unable to find the custom field screen field name.
    When I tried to find the screen field name using BBPSC02/03, it gave 'GT_DISPLAY_100-FIELD'. If I try to use this field, it's not working.
    Could you pls tell me how to find the custom screen field name to hide in shopping cart.
    Thanks,
    Ram

    Hi Ram,
    As Laurent suggested,to hide the custom fields based on the user role,you need to implement the logic in BADi "BBP_CUF_BADI_2".
    You have the importing parameter IV_USER in this BADI.
    Pass this parameter to tables AGR_USERS and AGR_USERT  to get the user role
    OR
    Use FM: BAPI_USER_GET_DETAIL
    with USERNAME= user id and can retrieve Table: ACTIVITYGROUPS Field:AGR_NAME
    if you want the other way around
    you can also use FM: RSRA_USERS_OF_AGR_GET
    with I_AGR_NAME= role and you can retrieve Table: ACTIVITY_GROUPS_USERS Field: UNAME(usr Id)
    Then check the value for the User role as obtained using the above steps and accordingly set the property for the custom fields to hide them.
    BR,
    Deepti.
