Getting admin role in solaris 11

Similar Messages

• How to get Admin Roles using SPML in SUN IdM 7.1

  Hi,
  I am tring to get Roles and Admin roles using SPML in IdM 7.1.
  But i am able to get the Roles of the user using the attribute "Role"; For Admin role i tried with the attributes "AdminRole", "adminRole", "AdminRoles", "adminRoles". But I am not able to get the values.
  What is the attribute name where we can fetch the values of admin roles assigned to a user using SPML.
  Please let me know for any queries.
  Thanks and regards,
  Dinesh.

  Hi Dinesh,
  Try using waveset.adminRoles
  Thanks

• Get all roles from an organization

  Hello,
  i want to get all roles 'AMRoles) from an organizations. I have Portal Server 2005Q4 on a machine and Access Manager and Directory on another and i want to extract all display profiles from all roles in different files (more than 100).
  I found the dpadmin command line to extract a Display Profile from a dn but, how can i get the list of roles with the amadmin command line tool ?
  thanks for help.
  Philippe

  Hello,
  I take a look, found differents xml files but : no help, no "howto", no thing very interesting.
  I try this command :
  /opt/SUNWam/bin/amadmin -u "cn=Directory Manager" -w ******* -e "dc=isere-savoie,dc=fr" -o /export/home/jes/test.xmland with other values in the -e parameter but always the same message :
  Erreur 9 : �chec de l'op�ration : Failed to export entityDescriptor to a file.Any idea ?
  any link to some help on this command other than Access Manager amadmin Command Line ?
  a complement : in the debug files, I have this errors :
  ==> /var/opt/SUNWam/debug/amFederation <==
  01/30/2008 04:40:59:324 PM CET: Thread[main,5,main]
  ERROR: FSAllianceManager::getEntity entityID: dc=isere-savoie,dc=fris invalid
  ==> /var/opt/SUNWam/debug/amMeta <==
  01/30/2008 04:40:59:510 PM CET: Thread[main,5,main]
  ERROR: Failed to export entityDescriptor to a file
  --------------------------------------Got Federation Exception
  Message: Invalid Provider ID.
          at com.sun.identity.federation.alliance.FSAllianceManager.getEntity(FSAllianceManager.java:1815)
          at com.sun.identity.liberty.ws.meta.LibertyMetaHandler.SMToMeta(LibertyMetaHandler.java:109)
          at com.iplanet.am.admin.cli.Main.outputLibertyData(Main.java:889)
          at com.iplanet.am.admin.cli.Main.runCommand(Main.java:730)
          at com.iplanet.am.admin.cli.Main.main(Main.java:1124)thanks
  Philippe
  Edited by: beutin on Jan 30, 2008 4:43 PM

• How do get the role from ldap session.

  i am using the follwing getting the role from the request in openldap and j_security_check:
  f(request.isUserInRole("manager")){
  how can i use this in the session:

  You might wanna change permissions for that attribute ...
  Change it from Admin to OWNER and you should be able to then get it for any user ...
  HTH ..

• You can get Roles but can you get the Role of the user

  Can you display or hide items dependant on the roles of the logged in user is assigned too.
  I know you can do this for the menu using menu.json
  "visible": true,
          "applyIf": {
              "userHasRoles": ["Administrators"]
  But what about for other elements inside the app. Is there a way to get the roles of the user logged in.
  Is this missing as a feature or am I missing some pieces.

  I just want to hide or remove a page element ie if(adminUserRole != 'Admin') {$('#element').remove}. Just some way to see the roles of the admin user that is logged. But yes early days.
  On a side note BC are looking to launch the project and advertise the store on the 17th is this not a bit ahead of themselves if there is a potential that apps functionality may be reduced because of new policies, restrictions etc even if only temporarily. Once apps hit the masses this may cause some tension when people loose functions they once had.
  Edit :Ok BC have already changed the date of the launch. I jumped the gun in saying this as they have it all under control.

• XPRESS code to find all users with a specific Admin Role

  I've been playing around for a while with a way to get a list of all users that have been assigned a particular Admin Role. I have a role for which I want a specific subset of users to be approvers on it, and I want to greate a Rule that will check for people with a particular Admin Role and then return that list as people to be approvers on the role.
  I haven't been able to find an easy way to write this code. Anyone run across this before or have another suggestion???
  Thanks.

  Below is the code to find user based on condition.
  <set name='adminList'>
  <invoke name='getObjectNames' class='com.waveset.ui.FormUtil'>
  <ref>:display.session</ref>
  <s>User</s>
  <map>
  <s>conditions</s>
  <list>
  <new class='com.waveset.object.AttributeCondition'>
  <s>AdminRoles</s>
  <s>contains</s>
  <s>adminRoleName</s>
  </new>
  </list>
  </map>
  </invoke>
  </set>
  Edited by: Jay on Mar 7, 2012 4:03 AM

• Dynamic Admin Role Problems - IDM7.1

  Hi Everyone. I'm having problems getting a dynamic admin role to work correctly. No matter what I do I always get the error at logon that the user controls no organizations and has no capabilities. Here is how the admin role is configured.
  General:
  Type = Identity Objects
  Assigners = blank (I have also tried configurator)
  Organizations = Top
  Scope of Control:
  Controlled Organizations = Top
  None for everything else.
  Capabilities:
  All caps assigned, no cap rule.
  Assign to users:
  Has the rule below assigned to it. If I check a user that is in the AD group mentioned in the rule, it gives me a '1', if I check one that doesn't have the group, a '0'
  Rule:
  <?xml version='1.0' encoding='UTF-8'?>
  <!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
  <!--  MemberObjectGroups="#ID#Top" authType="UserIsAssignedAdminRoleRule" id="#ID#Rule:IAM Admin Admin Role Rule" lastMod="26" lastModifier="Configurator" name="IAM Admin Admin Role Rule"-->
  <Rule authType='UserIsAssignedAdminRoleRule' id='#ID#Rule:IAM Admin Admin Role Rule' name='IAM Admin Admin Role Rule' createDate='1239044336520' lastModifier='Configurator' lastModDate='1248287397906' lastMod='26'>
    <RuleArgument name='context'/>
    <RuleArgument name='runAsUser'/>
    <isTrue>
      <contains>
        <rule name='my_rulelibrary:get_DownCaseList'>
          <argument name='dnlist' value='$(runAsUser.accounts[AD].groups)'/>
        </rule>
        <downcase>
          <rule name='my_Configuration:IAM Admin Group Name'/>
        </downcase>
      </contains>
    </isTrue>
    <MemberObjectGroups>
      <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
  </Rule>I have also added the item below to the system configuration and reset the app server
  <Attribute name='authz'>
              <Object>
                <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
                  <Object>
                    <Attribute name='Administrator Interface'>
                      <Boolean>true</Boolean>
                    </Attribute>
                    <Attribute name='Service Provider User Interface'>
                      <Boolean>false</Boolean>
                    </Attribute>
                    <Attribute name='User Interface'>
                      <Boolean>true</Boolean>
                    </Attribute>
                  </Object>
                </Attribute>
              </Object>
            </Attribute>Any ideas?

  Hi,
  the view handed to these kind of rules is created with the noFetch option set to true. As a result the AD groups of the user are not available during rule evaluation.
  You could solve your task by doing a search using the FormUtil class.
  I would however advise you to only do this in a small or demo environment as the usage of usermember rules does not scale at all. This is a pure sales feature that will quickly bring down a production environment with high CPU utilization and horrible response times. Unlike what one might guess these rules are not only evaluated during login but almost all the time, often multiple times for each click. Even if the rule as such only performs cheap operations the AuthCache class hogs more and more CPU time with each rule of this kind you add to the system.
  Regards,
  Patrick

• How to Add Active Directory user to Admin Role

  Hi All,
  I am trying to figure out how to add a AD user to the Admin Role..
  I am connected to AD and can see the user (myself), however, when I try to add myself to the admin role, it says user not found.
  I go to Security Realms > myreals > Roles and Policies > Global Roles > Roles > Admin > View Role Condition.
  I see that the Administrators Group is already added. Now I click "add Conditions" and select "User" from the Predicate List and type in the user " Doe' John".
  On the next screen I get "user: John or Dow" does not exist.
  Another option could be to add the user to the Administrator group, but I couldnt figure out how to do that as well. When I navigate to the user under Users or Groups, I dont see an option to add that user to the Administrator group.
  Is it that you can only add users created in Weblogic to the Admin group?
  Any help on this will be very appreciated.
  Thanks in advance.

  I think I got it. I had to add the AD group the user is part of to the Admin role.

• Exclude a Resource from scope of control of a Admin role??????

  Hi,
  I need to exclude a resource from the scope of ADMINROLE for a particular form. This i m able to achive by Admin role form. but i need to do this in backed .(not through that form). I am able to create Admin Role in a workflow .I m even able to addign controlled Sub organisatons,member organisations,capabilities.But can anyone tell me how to limit the scope of control of a Resource of a particular organisation under his control.i.e Exclude or Include Resources for this child organisation from a workflow.
  Any help will be highly appriciated.......
  Thanks and Regards,
  Ashi

  The site swallowed my first reply to this. Attempt 2.
  nantucket wrote:
  AndrewThompson64 wrote:
  nantucket wrote:
  ..Where the method getCodeBase() of the Applet instance returns the url of the directory from which the applet originated.No. It is the URL of the codebase. ......I made my response based upon what I saw in the API
  http://java.sun.com/j2se/1.5.0/docs/api/java/applet/Applet.html#getCodeBase()
  public URL getCodeBase()
  "Gets the base URL. This is the URL of the directory which contains this applet."So try the experiment. See where it leads you..
  [http://pscode.org/test/codebase/applet.html] - two different (in the codebase) calls to the same applet.
  import javax.swing.*;
  public class CodeBaseApplet extends JApplet {
       public void init() {
            add(new JLabel(getCodeBase().toString()));
  My wording may have been confusing. But I thought "which contains this applet" and "from where the applet originated" referred to the same thing.This is not the first time I have discovered JavaDocs that are misleading.
  I generally don't work with the applet tag when I do develop applets as the tag has been deprecated for a number of years.Same difference with <object> (or <embed>). The codebase is the codebase, not the directory of any Jar (necessarily).
  Think about it this way. An applet loads one Jar from my site, one Jar from yours, and another from any other site. What is the codebase then? (Answer: the codebase defined in the applet element.)
  *OTOH it is quite typical to have the codebase point to the single directory that contains all the applet Jars - so often that advice is true. But the devil is in the details.*

• How to get BI role in portal 2004s

  is there any delevered roles of BI/IP in portal 2004s ?
  do we have to download Business Package from SAP site to get more roles as we do not see any delivered roles for BI and IP in user admin of portal

  For BI specifically, there is the
  1. Business Explorer Role
  2. Business Intelligence Role
  3. Business Planning Role
  These are delivered roles and are installed with the BI-JAVA usage type. There is an additional role for admin cockpit called BI Administration Role. This role requires the Business Package for the Admin Cockpit to be downloaded and installed on your portal.

• Weblogic Console Access Denied - Admin Role group question

  I need to grant access to a user that is authenticated via OAM.
  My authentication is succeeding and I am getting the following back as my Principal:
  <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 3
       Principal = class weblogic.security.principal.WLSUserImpl("IdentityGuardAppID")
       Principal = class weblogic.security.principal.WLSGroupImpl("cn=FUNC-LDAP-Browse,ou=secure,o=admin")
       Principal = class weblogic.security.principal.WLSGroupImpl("cn=FUNC-IDV-APP,ou=secure,o=admin")
  My authorization is failing and I think it's because I cannot figure out how to add the groups returned above to the Admin role in WLS.
  Normally, this is a breeze - I simply add it from the Realm Role under the Roles and Policies tab in myrealm.
  In this case, my group looks like a subject DN (i.e., it contains commas).
  Does anyone know how to add a group that contains a comma to the Admin Role?

  Hi Sameer Gawde,
  Would you please let me know complete error messages when use RSAT and PowerShell?
  In addition, the RSAT is based on MMC console. Please check if you have enabled group policy setting to restrict
  MMC snap-ins? In GPME, please refer to the path: User Configuration-> Policies-> Administrative Templates-> Windows Components-> Microsoft Management Console-> Restrict users to the explicitly permitted list of snap-ins. Meanwhile, please check
  if you configure the Don't run specified Windows applications setting (path:
  User Configuration-> Policies-> Administrative Templates-> System-> configure) to limit RSAT and apply to the domain admin group. This issue is really strange. Just please check and confirm. Thanks for understanding.
  Please logon DC via Admin account, then navigate to: ADUC-> Users. Please select and right click Domain
  Admins group and select Properties. Please select Member Of tab and check which did this group member of.
  Meanwhile, please open Component Services and expand “Component Services-> Computers-> My Computer”. 
  Then right click My Computer and select Properties. In COM Security tab, under Access Permissions, please check how configure the “Edit Limit”.
  By the way, please navigate to Event Viewer and check if can find some related clues.
  Hope this helps.
  Best regards,
  Justin Gu

• Delegated Admin roles

  Hello
  I have 5 delegated admin roles assigned to a group.
  How do i get a list of delegated admin roles defined for that group in workshop( not through the admin portal )? Is there any API?
  Also do users of a group inherit the delegated admin roles defined for a group?
  Any help would appreciated.
  Thanks
  Vijay

  com.bea.p13n.security Package may gibve you some clue.
  Also, as a general rule, Roles are 'above' Groups. So if a user is a member of a group (which has a role defined), the user 'gets' that role.
  Thanks,
  Puneet

• After installing contribute 6.5, I establish FTP connection, set admin role and the system crashes

  I've been using Contribute for over 9 years now.
  I am currently using Contribute 6.5 version.
  After installing, creating a connection with the FTP, setting up Admin roles, an error message appears and then the system crashes.
  Why is this happening?
  It has never happened before!

  Hi There,
  Can you confirm your Operating System ?
  What error message are you getting?
  Regards,
  Ajit

• Problem with using the import tool under User Admin role

  Hello,
  I have created a role through the import facility under the User Admin role:
  [role]
  ridpcd:portal_content/content....
  rdesc=my role
  Although I have recieved a successful message I couldn't locate this role, not when I was searching it in User Admin or under the pcd location where I asked to create it.
  I then imported a transport package from another portal that contains a role in the exact same pcd location, this time an actual role has been created.
  The problem is that when I try to use the import facility again to assign a group to this role I get: Error: Role found, but unique name "pcd:portal_content/..."  is not unique!
  When I search User admin for this role I get only one and when I go to this pcd location I only see one role so I don't understand this message  and how can a unique pcd location cannot be not unique.
  Any ideas...?

  Try performing the import again, but this time do not use the fully qualified pcd path. Just specify the rid without the pcd definition. In otherword if you did a search in the user admin for the role ID you would not use the full pcd:rid just the rid value.
  The alternative is to first delete the role and then import again. The reason you are gettign the problem is that the pcd generates a unique sid entry for the role and thus the manner in which you are performing the update using the full pcd path is not allowed. For this reason drop the fully qualified pcd path.

• Add ldap user to Delegate Admin role programmatically

  Dear all,
  I have problem with
  @Control
  private DelegationRoleManagerControl roleControl;
  roleControl.addUserToRole(EWPConstants.USER_DA_ROLE_NAME,username,ResourceContext.createResourceContext(getRequest(),false));
  I used that control to add user to delegate admin role. It is working fine on admin server.
  But after we deploy on managed server (stand-alone), we get this exception intermittently.
  15 Sep 2009 12:59:40 [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR ewp.control.pageflow.login.LoginController - login():
  com.bea.p13n.entitlements.common.PolicyMgmtAccessException: Attempt to access Entitlement Policy Mgmt API by user in invalid role. Entitlement Policy operation attempted by disallowed user ["principals=[ewpwlpuser01]"].
  at com.bea.p13n.entitlements.management.internal.SecurityHelper.isWLPAdminRole(SecurityHelper.java:881)
  at com.bea.p13n.entitlements.management.internal.RolePolicyDelegate.roleExists(RolePolicyDelegate.java:387)
  at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.getGlobalRoleExpression(RDBMSRolePolicyManager.java:1702)
  at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.addGlobalRoleUser(RDBMSRolePolicyManager.java:1421)
  at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.addGlobalRoleUser(RDBMSRolePolicyManager.java:1388)
  at com.bea.p13n.entitlements.management.RolePolicyManager.addGlobalRoleUser(RolePolicyManager.java:514)
  at com.bea.p13n.delegation.management.internal.DelegationRolePolicyDelegate.addPredicatesToGlobalDARole(DelegationRolePolicyDelegate.java:614)
  at com.bea.p13n.delegation.management.internal.DelegationRolePolicyDelegate.updateRole(DelegationRolePolicyDelegate.java:254)
  at com.bea.p13n.delegation.management.DelegationRoleManager.updateRole(DelegationRoleManager.java:431)
  at com.bea.p13n.delegation.management.DelegationRoleManager.updateRole(DelegationRoleManager.java:398)
  at com.bea.portal.tools.da.controls.DelegationRoleManagerControlImpl.addUsersToRole(DelegationRoleManagerControlImpl.java:76)
  at com.bea.portal.tools.da.controls.DelegationRoleManagerControlImpl.addUserToRole(DelegationRoleManagerControlImpl.java:223)
  at com.bea.portal.tools.da.controls.DelegationRoleManagerControlBean.addUserToRole(DelegationRoleManagerControlBean.java:295)
  at ewp.control.pageflow.login.LoginController.login(LoginController.java:126)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)

  hi
  it should work even if the managed server is not part of the cluster.
  Again do you get this error randomly or can you replicate it?
  Its possible that your Database / LDAP is out of sync. Can you access portal admin console and can you see if the default two visitor entitlements show and you dont get any error saying PortalSystemAdministrator is not valid?
  Also you can just delete the managed server directory (under the domain/servers) it should recreate the LDAP (assuming admin server is running)
  regards
  deepak