Explanation of Process Default Roles: Administrator and Owner

Hi experts,
I am having some trouble understanding the reason for the existence of the process default roles: Administrator and Owner.
In the CAF-GP Security guide, it says that the Standard Process Role Administrator can "Maintain process instances using the GP administration tools"; what does this mean?
My user has the GP Administration role and it DOESN'T have the Standard Process Role Administrator from ANY process, and I can maintain ALL the process instances from the Administration workset; I don't need to have the Standard Process Role Administrator assigned to me.
The same happens with the Standard Process Role Owner; the Security Guide says the person who is assigned that role can "Maintain process instances"; my question is: if I assign the "Owner" role to a user that doesn't have the GP Administrator role and this user wants to "Maintain Process instances", where does he have to go? Because he won't have the Administration workset!
Best regards,
Marco.

Hi Marco,
First, check this link: http://help.sap.com/saphelp_nw2004s/helpdata/en/d9/273a4209a6ae04e10000000a1550b0/content.htm
That will explain better the role of each role.
It's important for you to understand that each process may have a responsible person (admin or overseer) that will monitor the progress of the process.
And you will have a "BASIS" person that will have the GP Administrator role. This role allows you to maintain processes (with other kinds of operations like terminate, complete step, etc.), maintain background queues, archiving, transport of objects, configurations, schedules and other admin tasks for all GP infrastructure.
Regards,
Reward points if it's helpful.

Similar Messages

  • Explaning the concept or roles, groups and owners

    Hi, I'm trying to find any documentation which explains these concepts. I've tried the Oracle library but there were no results.
    Can anyone help me?
    I'm trying to understand that.

    Hello,
    have you gone through the BPM tutorial:
    http://download.oracle.com/docs/cd/E13154_01/bpm/docs65/tutorial/index.html
    It gives some basic understanding of the implementation of the roles and groups.
    If you are looking for further material on the topic then look into the following material on studio:
    http://download.oracle.com/docs/cd/E13154_01/bpm/docs65/studio/index.html
    Check the documentation for organization.
    Hope this helps,
    Regards,
    Jaydev Doshi.

  • Difference between roles Administrator and Super admin

    Dear Portal Gurus,
    Pls let me know the difference between
    roles Administrator and Super admin
    Thanks.
    Jack

    Hi Jack,
    The Administrator is the role that has all the rights, including J2EE engine rights too, but a superadmin is the one that has the role to the three admin roles that are
    Content Admin
    User Admin
    System Admin
    THIS IS THE BASIC DIFFERENCE BETWEEN SUPERADMIN AND ADMINISTRATOR.
    PS:Reward Point Please
    Regards,
    Naveen Gupta

  • GP: Process default Roles Cleared when transported

    Hi,
    I have created an impersonalized form that triggers a process in guided procedures.
    I have set the default roles for the process, as the impersonalized form needs all the roles to be defaulted.
    It's working fine in the test system. When I transport this to Production, the default roles get cleared. I get an error message when the form is submitted - ERROR_NO_DEFAULT_USER_FOR_ROLE.
    Version: Adobe Livecycle designer 7.1
    NW2004s SP15
    Thank you,
    Vasu
    Edited by: Subramanya Srinivas Mullapudi on Feb 6, 2009 6:41 PM

    But as I'm using an Impersonalized form, even when I assign the default roles, the impersonalized form is still pointing to the process with no default roles. It's not recognizing the default roles assigned in administration.
    I cannot change the process to add default roles (in production). So whenever I submit the form I get the error "ERROR_NO_DEFAULT_USER_FOR_ROLE"
    Complete error:
    SAP Guided Procedures - Error Page
    What happened?
    An internal error occurred while processing your request
    What can you do?
    Try again later. If the problem persists, contact your system administrator.
    Additional Error Information
    FormPostprocessor.ERROR_NO_DEFAULT_USER_FOR_ROLE
    com.sap.caf.eu.gp.base.exception.EngineException: FormPostprocessor.ERROR_NO_DEFAULT_USER_FOR_ROLE
        at com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.createProcessRoleInstance(FormPostprocessor.java:176)
        at com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.prepareProcessRoles(FormPostprocessor.java:157)
        at com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.initiateProcess(FormPostprocessor.java:289)
        at com.sap.caf.eu.gp.model.iforms.postproc.FormPostprocessor.processData(FormPostprocessor.java:564)
        at com.sap.caf.eu.gp.model.iforms.FormPostProcessor.doPost(FormPostProcessor.java:182)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
        at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
        at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
        at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
        at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
        at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
        at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
        at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
        at java.security.AccessController.doPrivileged(AccessController.java:207)
        at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
        at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Sorry for any inconvenence

  • ESS Guided procedure Default role assignment

    We are implementing ESS in EP7 with ECC 6.0
    After setting up Life and Work events it seems that there are default roles Administrator and Overseer that need to be assigned to portal roles, I am just not sure what portal roles to assign.  Are these supposed to be assigned to Guided procedure type roles or to MSS type roles?
    Any insight would be helpful

    Hi Gail,
    These roles are for the GP processes.
    The Default Roles should be configured for each process.
    This is an important step, as this will ensure that the process is started without the user having to assign users who will administer and oversee the execution of the process. Typically the users who are assigned to the processes as Administrators are the HR administrators, and overseers could be managers. However, this is not a hard-and-fast rule and this has to be decided at the time of implementation.
    hope this helps!!
    Regards,
    Sharadha

  • Role Mapper and Authorizer

    At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline: "Keep App Deployments while recreating the domain in WLST offline".
    Things seem to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by the default Role Mapper and Authorizer (on subsequent runs when the domain folder already exists and we overwrite the domain).
    Basically the first readDomain is causing this. Without reading the domain, I cannot get the app list.
    System.setProperty("com.bea.cie.script.throwException","true")
    appdeps={}
    try:
      readDomain('c:/temp/basicWLSDomain')
      cd('/AppDeployments')
      apps=ls(returnMap='true')
      for app in apps:
        appdeps[app]=ls(app,returnMap='true', returnType='a')
    except:
      pass
    try:
      closeDomain()
    except:
      pass
    #=======================================================================================
    # Open a domain template.
    #=======================================================================================
    readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
    #=======================================================================================
    # Configure the Administration Server and SSL port.
    # To enable access by both local and remote processes, you should not set the
    # listen address for the server instance (that is, it should be left blank or not set).
    # In this case, the server instance will determine the address of the machine and
    # listen on it.
    #=======================================================================================
    cd('Servers/AdminServer')
    set('ListenAddress','')
    set('ListenPort', 7001)
    create('AdminServer','SSL')
    cd('SSL/AdminServer')
    set('Enabled', 'True')
    set('ListenPort', 7002)
    #=======================================================================================
    # Define the user password for weblogic.
    #=======================================================================================
    cd('/')
    cd('Security/base_domain/User/weblogic')
    cmo.setPassword('weblogic11g')
    #=======================================================================================
    # Create a JMS Server.
    #=======================================================================================
    cd('/')
    create('myJMSServer', 'JMSServer')
    #=======================================================================================
    # Create a JMS System resource.
    #=======================================================================================
    cd('/')
    create('myJmsSystemResource', 'JMSSystemResource')
    cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
    #=======================================================================================
    # Create a JMS Queue and its subdeployment.
    #=======================================================================================
    myq=create('myQueue','Queue')
    myq.setJNDIName('jms/myqueue')
    myq.setSubDeploymentName('myQueueSubDeployment')
    cd('/')
    cd('JMSSystemResource/myJmsSystemResource')
    create('myQueueSubDeployment', 'SubDeployment')
    #=======================================================================================
    # Create and configure a JDBC Data Source, and sets the JDBC user.
    #=======================================================================================
    cd('/')
    create('myDataSource', 'JDBCSystemResource')
    cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcDriverParams','JDBCDriverParams')
    cd('JDBCDriverParams/NO_NAME_0')
    set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
    set('URL','jdbc:pointbase:server://localhost/demo')
    set('PasswordEncrypted', 'PBPUBLIC')
    set('UseXADataSourceInterface', 'false')
    create('myProps','Properties')
    cd('Properties/NO_NAME_0')
    create('user', 'Property')
    cd('Property/user')
    cmo.setValue('PBPUBLIC')
    cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcDataSourceParams','JDBCDataSourceParams')
    cd('JDBCDataSourceParams/NO_NAME_0')
    set('JNDIName', java.lang.String("myDataSource_jndi"))
    cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
    create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
    cd('JDBCConnectionPoolParams/NO_NAME_0')
    set('TestTableName','SYSTABLES')
    #=======================================================================================
    # Target resources to the servers.
    #=======================================================================================
    cd('/')
    assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
    assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
    assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
    #=======================================================================================
    # Write the domain and close the domain template.
    #=======================================================================================
    setOption('OverwriteDomain', 'true')
    setOption('CreateStartMenu', 'false')
    writeDomain('c:/temp/basicWLSDomain')
    closeTemplate()
    #=======================================================================================
    # Exit WLST.
    #=======================================================================================
    exit()
    So I thought I will create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. But that is resulting in duplicates on the first run (when the domain folder does not exist), and in the subsequent runs (when the domain folder already exists) I see one XACML and one default.
    cd('/')
    create('base_domain', 'SecurityConfiguration')
    cd('SecurityConfiguration/base_domain/Realm/myrealm')
    ls('a')
    create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
    create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
    I am going nowhere with Oracle Support. I am wondering if anyone ran into this before.

    com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments and the wrong fragment is being used when the domain is recreated.
    I am thinking it is a logic issue in domain creation.

  • So tired of assigning default roles in each edit post activation......GP

    Hi:
    My dears, is there any way to set up the default roles for a GP and keep them no matter what activation/edit action is performed....
    I set them up in:
    -  Guided procedures --> Administration --> Assign Default Roles
    -  Guided procedures --> Design time --> Process --> Default Roles
    But on an activate/edit operation all the default roles are deleted....
    Thanks a lot for your time on this thread.
    Rocío.

  • GP difference between Portal Role GP Administrator and Process Role Admin

    Please explain the difference between the Portal Role "GP Administrator" and the Process Role  "Administrator"
    In the CAF-GP Security guide, it says that the Process Role "Administrator" can "Maintain process instances using the GP administration tools".  What does this mean?
    If a user has the Portal Role "GP Administration" and he DOES NOT have the Process Role "Administrator" for ANY process, he can still maintain ALL of the process instances from the Administration workset.  He doesn't need to have the Process Role "Administrator" assigned to him.

    All three have the same Admin rights.
    They are the default users created when you are creating a domain.
    If not used or edited they are a major security risk!
    If you just use say weblogic or portaladmin and do not take care of changing the password or security privilege (changing the group from Admin, or deleting this user if not required) of yahooadmin then anyone knowing the admin url can login with this default username and its default password.
    I would personally prefer creating custom users and remove the default users.
    Regards,
    Rommel Sharma

  • Process Administrator and Workspace admin url for 10gR3

    I am running 10gR3 bpm locally.
    Url to access my local workspace is http://localhost:8585/workspace/faces/jsf/workspace/workspace.xhtml
    Could you let me know the URL for accessing the process administrator and workspace admin.
    Thanks in advance.

    Looking at your port 8585 it is the default port for Studio, in Studio there is no webconsole or workspace administrator, those applications only are available in enterprise.
    If your case is enterprise then the url is /webconsole and /portaladmin
    HTH

  • Cannot map roles other than Project Administrator and SOA Designer

    I've installed PS4 HC FP Stage 3 on Windows, and I have seeded the demo community users. When I use Business Process Workspace to map roles to these users, the only roles available to me in the Select Role list are Project Administrator and SOA Designer. I was expecting to be able to map far more roles, thus:
    * mtwain needs the Project Creator, Designer, Deployer, Project Documentor, and SOA Designer roles.
    * jcooper needs the Designer role.
    Any idea what's wrong?

    I would like to know also. I have made many DVDs, but the number order does seem to be random. For presentation purposes I want to play a specific clip by hitting its corresponding number on the DVD player remote when the DVD is at a complete stop (so if I put the movie clip in the 2 spot and hit the number 2 on the remote, then the 2 movie clip will play). I can get this to work from the menu by dropping them in iDVD in the order I want and waiting for each to encode before dropping the next, but at a complete stop I cannot ensure number 2 on the remote will play number 2 on the DVD. To me it looks like iDVD gives those numbers in the order in which the audio is encoded when burning, with the shorter clips first and longer ones last.
    Can anyone help me?

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.

  • Bug? I can't change administrator and subject of process dynamically

    See below. Are they bugs? How should I solve them?
    Symptom 1:
    In a process, I set administrator using expression, and subject using a variable. In the first human activity, I set administrator="adm_a", subject="subject_a". In the second activity, I set administrator="adm_b", subject="subject_b". But actually the process' adm and subject always took values assigned in the first human activity. It seems that the process' adm and subject can only be assigned values once.
    Symptom 2:
    Besides that, another bug is that I must initialise DOs used in expression and variables at the same time. When I assigned a constant to DO used in a variable of process's subject in the start event and assigned values to DO used in expression of process' administrator in the first human activity, the process couldn't be started, an error showing "SourceDO must be populated..." in the log. However, when I assigned values to DOs used by administrator and subject in the same place--the start event or the first human activity, the error didn't show again and the process started successfully.

    Did you use the expression for setting the administrator as follows?
    Example : getPrincipalByUniqueName("ID","user")
    You can have dynamic texts for each task.
    Go to the UserTexts tab and create a variable, and you can use the same variable under the parameterized texts section.
    2. If you are using the DOs in the expressions to compute values then you should initialize the values
    Anil
    Edited by: Anilkumar Vippagunta on Nov 27, 2010 11:44 PM

  • Roles and Owner details

    Hi,
    We are using Oracle 8i database.
    We need to extract roles and the names of the owners who created the roles. Please let us know in which data dictionary table I'll get these details.
    Note: I have already verified DBA_ROLES, ROLE_TAB_PRIVS and ROLE_SYS_PRIVS. I didn't get the details.
    Thanks,
    Suri

    A role is simply a named collection of privileges; it does not have an owner. As far as I know, there is no easy way to determine which user created a role.
    If by "We need to extract roles and owner names which were created the roles" you actually mean that you want to know which users have particular roles, then something like:
    SELECT grantee, granted_role
    FROM dba_role_privs
    WHERE granted_role IN (<list of roles you are interested in>)
    John

  • Default roles and grants

    I have a role called role_test; it is granted to user user_test and made a default role.
    But role_test is protected by a password, i.e. to set the role you need to give the password.
    set role role_test identified by test_role_pass;
    My question is: when the user user_test logs in, will he automatically get role_test, as it is granted as a default role?
    Or does he still need to call set role identified by password to enable this role?
    I am using Oracle 11g database: Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
    Is there any change of this behaviour with Oracle versions 10g to 11g?
    Thanks,
    Phani

    Phani_Orcl wrote:
    Is there any change of this behaviour with oracle versions 10g to 11g ?

    Yes, there is. Password protected roles in 11g are not enabled at login time even if it is a default role:
    SQL> create role r1;
    Role created.
    SQL> create role r2 identified by r2;
    Role created.
    SQL> create user u1 identified by u1
      2  /
    User created.
    SQL> grant create session to u1
      2  /
    Grant succeeded.
    SQL> grant r1,r2 to u1
      2  /
    Grant succeeded.
    SQL> alter user u1 default role all
      2  /
    User altered.
    SQL> connect u1/u1
    Connected.
    SQL> select * from session_roles;
    ROLE
    R1
    SQL>
    And it is documented:
    Authorizing a Role by Using the Database
    You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.
    SY.
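
An audit query for the behaviour shown in the answer above, added here as an example and not part of the original posts: it lists users whose default roles include a password-protected role, which 11g will not enable at logon. It assumes SELECT access to the DBA_USERS, DBA_ROLE_PRIVS and DBA_ROLES dictionary views; u1, r1 and r2 are the names from the answer's own session.

```sql
-- Added example (not from the original thread).
-- Part 1: direct role grants flagged DEFAULT whose role requires a password.
-- On 11g these roles stay disabled after logon despite DEFAULT_ROLE = 'YES'.
SELECT u.username,
       u.account_status,
       rp.granted_role,
       rp.admin_option
FROM   dba_users      u
JOIN   dba_role_privs rp ON rp.grantee = u.username
JOIN   dba_roles      r  ON r.role     = rp.granted_role
WHERE  rp.default_role     = 'YES'
AND    r.password_required = 'YES'
ORDER  BY u.username, rp.granted_role;

-- Part 2: run as u1 from the answer above.
-- SET ROLE replaces the whole set of enabled roles, so r1 is listed
-- together with the password-protected r2 to keep both active.
SET ROLE r1, r2 IDENTIFIED BY r2;

-- Confirm which roles the session now holds.
SELECT role FROM session_roles;
```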

  • Analysis Authorization (Role, Profile and Direct Assignments)

    Analysis Authorization Question:
    1) In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
    2) Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
    3) Customers sometimes have 100+ Roles to have 3.X “Reporting Authorizations”. This is managed, assigned, approved using role concept.

    Migration Options:
    1) New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” is not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
    2) Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
    3) Profiles are assigned to the users and Roles do not reflect any Impact by Analysis Authorization migration.

    Questions
    a) This means customers need to update all the roles by hand, if they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
    b) Does anyone use direct assignment to Users? Is it good business practice?
    c) Is Profiles the recommended method of Authorization Maintenance?
    d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
    Just want to check how other folks have done migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce
