Grant app role programmatically

Hi all,
we're running soa suite 11.1.1.5.0 and we'd like to embed application role manipulation into a custom web app, in order to grant and revoke app roles without logging into EM gui.
The only way we found to do such job is through a python wlst script. If we call such a script in java embedded interpeter we got a command not found error (wrong wlst.sh executable is piked up, not the soa-suite one). Is there a way to accomplish this job in java? Calling a pubblic api, a ws, a mbean, an ejb, anything??
(ps we sorted out how to create, delete, etc users and how to search roles, and enlist granted roles to principals, this is our last challange)
pps our last chance would be call the shell command from java, but it stinks!
Tnx in advance.

Hi,
From my understanding the way wlst works is calling mbeans via jython, so theoretically it would be possible to instance the same mbeans in java and do the same work as in wlst...
The hard work is to figure out the classpath and how to instantiate the right mbeans...
Cheers,
Vlad

Similar Messages

App Role Not Granting Access

Hello,
We are currently using OBIEE 11.1.1.6.2 BP1, I had to create a new dashboard and created a custom app with open access (read and execute). After setting this up I added it to catalog permissions however this app role grants access to everything but the dashboard. The end user can open the catalog and navigate to folder location where the reports are stored but is unable to see the dashboard. I have veried the app role is properly created in the Enterprise Manager. The custom app role granting full control for my power users works as expected.
Has anyone seen this type of issue? Any help would be greatly appreciated.

Yes everything is good in this regard and did not need to change anything. I am unsure of what was happening but this group all of a sudden started working. It have never taken that long for permissions to take effect before.

Strange behavior after granting a role associated to an access policy.

Greetings.
I am using OIM 11.1.1.3 and I am using also the DBUM Adapter 9.1.0.4.
I Defined 3 roles in OIM after that I defined three access policies with the purpose of provision roles at a database.
Every policy is associated to a role and a DBUM resource.
At the end I have the following policies.
Policy Name OIM Role Database Role
1. Policy Role A - Role A - DBRoleA
2. Policy Role B - Role B - DBRoleB
3. Policy Role B - Role C - DBRoleC.
When a role is granted to OIM User using the Administration Console the correct database role is provisioned at the specified database. But If I revoke a Role from the user and grant the same role again the specified role is not provisioned to the specified database.
Example: An user have "Role A", "Role B" ,"Role C" at the database the user have DBRoleA, DBRoleB, DBRoleC.
After revoking "Role A" from the user the database have the correct roles DBRoleB and DBRoleC.
But if the "Role A" is granted again to the user the DBRoleA is not provisioned at the database.
I enabled the dbum log file and it looks like the wrong role was chosen and the DBRoleB is the database role to be provisioned. Because we see at the log file when the "Role A" is granted to the user:
[WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Form Value2011-11-04[2011-11-04T11:37:14.392-05:00] [WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Child form data map received:- {UD_DB_ORA_R_VERSION=0, UD_DB_ORA_R_KEY=3180, UD_DB_ORA_R_UPDATE=2011-11-04, UD_DB_ORA_R_CREATE=2011-11-04, Process Instance.Key=5916, UD_DB_ORA_R_UPDATEBY=6, UD_DB_ORA_R_ROLE=102~*DBRoleB*, Access Policies.Key=183, UD_DB_ORA_R_CREATEBY=6}
The question is somebody has experienced the same issue?
Is there another way to provisioning database roles after granting OIM Roles?
Thanks!
Ramiro Ortíz

Finally we opened a Service Request to solve this issue, and it was a bug "OIM SENDING WRONG ENTITLEMENT NAME TO TARGET DURING ADD ENTITLEMENT OPERATION" and Oracle generated the patch 13499465 for DBUM Connector. Oracle had to provide us a new Readme to apply this patch because it wasn't well explained. So far the patch seems to work, we are making some tests now to be sure that the issue is solved. I just want to share that with the OIM community.
Ramiro Ortiz

Error while granting BPMOrganizationAdmin role to SOAOperator.

Error Starting While starting SOA server. Please advise.
<Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.services.organization> <BEA-000000> <Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
ORABPEL-10513
Cannot get application roles from application identified by "{0}".
An error occurred while getting application roles from application identified by "soa-infra".
The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10510
Application role not found.
Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
        at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
>
<Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.common> <BEA-000000> <Exception
BPM-70692
Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:324)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:29)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10513
Cannot get application roles from application identified by "{0}".
An error occurred while getting application roles from application identified by "soa-infra".
The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10510
Application role not found.
Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
        at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
        at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
        at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
        at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
        at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
        at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
        at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
        at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy307.postDeployInit(Unknown Source)
        at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
        at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
>

Hi user,
Can you give us some information on the version you are using and your security setup? Are you using an external security provider? Because to me it sounds that you are using an external LDAP server.
Antonis

Dynamic grant user role issue

Hi friends,
I created a role in oracle 10 and can be granted to user one by one. it works.
But I try to grant the role to all users and get error.
my code as (copy and modify from OTN)
====
DECLARE
l_schema VARCHAR2(30) := 'SCHEMA_OWNER';
BEGIN
FOR i IN (SELECT USERNAME
FROM all_users
WHERE username not in ('SYS','SYSTEM','OUTLN','DMSYS','TSMSYS','XDB','CTXSYS','WMSYS','DBSNMP','DIP','OLAP','OLAPSYS','MDSYS','EXFSYS','MDSYS'))
LOOP
BEGIN
EXECUTE IMMEDIATE 'GRANT USERS_SELECT ||' TO i.USERNAME;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
ORA-06550: line 10, column 41:
PLS-00103: Encountered the symbol "TO" when expecting one of the following:
* & = - + ; < / > at in is mod remainder not rem return
returning <an exponent (**)> <> or != or ~= >= <= <> and or
like LIKE2_ LIKE4_ LIKEC_ between into using || multiset bulk
member SUBMULTISET_
The symbol "* was inserted before "TO" to continue.
SQL>
I double check syntax is OK. what is wrong?
Thanks for help!
Jim

Try:
EXECUTE IMMEDIATE 'GRANT RAC_SELECT TO '|| i.USERNAME;And remove this part, which is for 99.99% a bug:
EXCEPTION
WHEN OTHERS THEN
NULL;
ENDOnly catch errors you expect...

Oracle Apps roles in BO security

Hi,
I need help in understanding if we can import and use Oracle Apps roles of a user in BO security directly.
Requirement is that roles which are presnt in Oracle apps for an oracle user can directly be imported to BO.
We are using Oracle ebiz as a source to create our DWH and than we are doing reporting on this DWH.
We have oracle apps ebiz roles defined in erp system, the same we want to use for BO user.
Do we have to define all the users again with there security in BO or it can be imporrted directly by any means from Oracle Apps.
I dont know how to achieve this.
Can somebody help?
Regards,
Gaurav

You can import users from OID Oracle Internet Directory LDAP server, and in theory any LDAP v 3 LDAP directory can be used (although a limited list or most common LDAP servers are tested and supported on our product).
You can access the LDAP plugin from the CMC > authenitcation and configure the options based on your LDAP server.
Regards,
Tim

Changing LDAP roles programmatically

Does anyone know if it´s possible to change a LDAP user role programmatically? I´ve searched for hours, but I didn´t find any information about it. I Only found classes on weblogic api to change user attributes.
Is there any api on weblogic to do that? Or any documentation that talks about it?
Thanks in advance.
Hevert Brito
Edited by: user12966611 on 09/04/2010 15:16
Edited by: user12966611 on 09/04/2010 15:16
Edited by: user12966611 on 09/04/2010 15:17

Faisal,
I´m trying to use the method createRole the same way you´re doing in you example but i´m getting this error:
Caused by: java.lang.NoSuchMethodException: createRole(java.lang.String,java.lan
g.String,java.lang.String,) for Security:Name=myrealmDefaultAuthenticator
... 117 more
When I use the method createUser as you did in your example it works perfectly.
Do you have any idea why is that happening?
This is my code:
try{
     System.out.println("Creating role : testrole");
     wls.invoke(roleEditor,"createRole",new Object[] {null,"testrole",null},new String[] {"java.lang.String", "java.lang.String","java.lang.String"});
     System.out.println("Created role : testrole");
catch(Exception e){
     e.printStackTrace();
}

Role grants to roles being deprecated

I have just read with concern in the release notes for Oracle Database 10.1 (paragraph 7.1) that the ability to grant "application role to another role will not be allowed in future Oracle database releases". Why will we be unable to nest roles in the way we have been doing for years? I can see many problems with this loss of functionality, or is there a cleverer way of organising security being introduced to replace roles?

I cannot find it online either. It is in the README that comes with the download of 10G from OTN. The document part number is B12304-01 and it is the README for Oracle Database 10G Release 10.1 dated January 2004. It is in the section on Database Security, paragraph 7.1. The exact text of the bullet point is, "Grants of password protection or application role to another role will not be allowed in future Oracle Database releases".

Database Vault Owner Grant Any Role Permission

So I just noticed that the role DV_OWNER has the system privilege to GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not I would like to remove it. We would prefer the Database Vault owner person to not have any permissions execept for logging into the Data Vault console to modify realms and rules and stuff, and as well as looking at audit logs. The DV_OWNER role also has ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges which I would like to remove as well. Any body have any opinions on this?
Oracle EE 11.2.0.2 on Windows 2008 R2
Thanks.

Sysdba can issue powerful statements such as create user, drop user, alter user, create profile .. and so on... can be done only if it is allowed so by modifying the Can maintain accounts/profiles rule set.
You can also login with dvsys account but that account is locked after installation. So unlock it with
alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault := DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
Following can help you
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan

Urgent -- Adding Roles Programmatically

How to add/edit roles programmatically in weblogic? I tried to use RoleEditorMBean,
RoleMapperMBean and RoleRederMBean just like the PasswordEditorMBean example given
by bea. But I find that neither the embedded ldap providers nor the open ldap
providers are implementing these MBeans as the authorizers I am getting from the
realm are not instances of these MBeans.

Hi Nitin
Thanks for your reply...
I just went to that program & activated the program...After I have to activate my object...is it what u want me to do??
ok anyway...I have 0mat_plant which is already created...with all attributes..Now I want to add a Navigational attri...
when I add & activate the 0mat_plant..I am getting the above error as I stated in my first message.
I need one more clarification...could you pls let me know..when you create an infoobject, under the GENERAL TAB, u have a option for ONLY ATTRIBUTE...What is the use of it?
ANy other ideas for my issue...????

Select Granted By Role Doesn't Work

Oracle 11.1.0.7.0 running on AIX
This is crazy I don't know why it is happening or even how it is happening but when I grant a role to a user they still cannot select from the granted tables & views.
CREATE ROLE RETROMAN_USERS NOT IDENTIFIED
GRANT SELECT ON YBP.DDA_STATUS_CODES TO RETROMAN_USERS
GRANT SELECT ON YBP.DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS
GRANT SELECT ON YBP.V_DDA_STATUS_CODES TO RETROMAN_USERS
GRANT SELECT ON YBP.V_DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS
GRANT RETROMAN_USERS TO SABEL WITH ADMIN OPTION
GRANT RETROMAN_USERS TO CKING
GRANT RETROMAN_USERS TO FCROWELL
GRANT RETROMAN_USERS TO HCAMPBELL
GRANT RETROMAN_USERS TO LJOHNSON
GRANT RETROMAN_USERS TO RWILLIAMS
GRANT RETROMAN_USERS TO LMONTCALM
When I try to Select * from ybp.Demand_Driven_Activity as hcampbell I get a "table or view does not exist" error. where other users can get results using the same query. Any ideas? I am completely out of them. I am not a DBA and our company doesn't employ a DBA - scary huh. Any help would be greatly appreciated.
Scott

OK, the user cannot select from the table...
$ sqlplus hcampbell@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:51:33 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from ybp.demand_driven_activity;
select * from ybp.demand_driven_activity
ERROR at line 1:
ORA-00942: table or view does not exist-----
Let's grant the role and verify that the role is assigned and what privileges it has.
oracle@qa:/home/oracle
$ sqlplus sabel@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:53:21 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> grant retroman_users to hcampbell;
Grant succeeded.
SQL> select * from DBA_ROLE_PRIVS where grantee = 'HCAMPBELL';
GRANTEE                        GRANTED_ROLE                   ADM DEF
HCAMPBELL                      YBPREGUSER                     NO YES
HCAMPBELL                      OOPS                           NO YES
HCAMPBELL                      YBPENDUSER                     NO YES
HCAMPBELL                      RETROMAN_USERS                 NO NO-----
The role does exist (I think) and has the following permissions
SQL> set linesize 132
SQL> Select * from role_tab_privs Where   role = 'RETROMAN_USERS';
ROLE                           OWNER                          TABLE_NAME                     COLUMN_NAME
PRIVILEGE                                GRA
RETROMAN_USERS                 YBP                            DEMAND_DRIVEN_ACTIVITY
SELECT                                   NO
RETROMAN_USERS                 YBP                            V_DEMAND_DRIVEN_ACTIVITY
SELECT                                   NO
RETROMAN_USERS                 YBP                            DDA_STATUS_CODES
SELECT                                   NO
ROLE                           OWNER                          TABLE_NAME                     COLUMN_NAME
PRIVILEGE                                GRA
RETROMAN_USERS                 YBP                            V_DDA_STATUS_CODES
SELECT                                   NO
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options-----
sys can't see the role though - but that may be normal...
$ sqlplus sys@devorcl as sysdba
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:30:34 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> Select * from role_tab_privs Where   role = 'RETROMAN_USERS';
no rows selected-----
The user still cannot select from the table
$ sqlplus hcampbell@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:39:46 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from ybp.demand_driven_activity;
select * from ybp.demand_driven_activity
ERROR at line 1:
ORA-00942: table or view does not exist-----
let's try to make it a default role....
$ sqlplus sabel@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:42:59 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSER, retroman_users;
User altered.
SQL> exit-----
after the user logs out and then back on, now user can access the table.
oracle@qa:/home/oracle
$ sqlplus hcampbell@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:47:57 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> Select Count(1) from ybp.demand_driven_activity;
COUNT(1)
    161295If I remove the retroman_users from the default role I can still access the table until I log out and then back in so it must have something to do with default roles. I don't know why I didn't see this before but the other users that were granted the retroman_users role and could access the table had their default role set to ALL. Sorry, I didn't give you all the information that you needed to help me, this might have helped:
CREATE USER HCAMPBELL
IDENTIFIED BY h
DEFAULT TABLESPACE DATASMALL
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK
-- 4 Roles for HCAMPBELL
GRANT YBPREGUSER TO HCAMPBELL
GRANT OOPS TO HCAMPBELL
GRANT YBPENDUSER TO HCAMPBELL
GRANT RETROMAN_USERS TO HCAMPBELL
ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSERI guess I need to read more about Default Roles. Sorry for my belligerent responses.

Assign actions to roles programmatically

Hello guys,
Is possible to assign actions to roles programmatically using java? How can I do that?
I did a search on the UME Interfaces but i didn't find anything.
Regards
Joao

It was not difficult
IRole role = UMFactory.getRoleFactory().getMutableRole(uniqueid);
role.addAttributeValue("com.sap.security.core.role","actions", <STRANGE ID OF ACTION?> );
role.commit();
The <STRANGE ID OF ACTION?> field was found assigning the Action to the Role manually in the Identity Management and watching the IRole object on Debug.

Privileges granted to roles sometimes are not effective(not functioning)?

Hello,
I have experienced where roles where granted and privileges granted to the roles. The roles are they granted to certain users. But when these users try to perform dml/ddl, they get insufficient priviledges even though these users were granted the roles which do contain the correct priviledges. Why are some priviledges not functioning when they are granted to the roles? To resolve, direct grants were granted to the users. But why aren't they working through the roles? Thank you.

Hi watson2000 ,
can you send the scripts...what you have performed.
Since, I did not faced any problem with granting privliges and roles.
If you provide some information on that (little more) whjat you have done so that we can help you out..
Thanks
Pavan Kumar N

Manage Site App Permissions Programmatically?

Hello,
Is it possible to manage a site's app permissions programmatically? (site settings -> site app permissions)
I am deploying a SharePoint-Hosted App to an on-premises instance of SharePoint 2013 using server object model:
SPAppInstance instance = web.LoadAndInstallApp(stream);
The app requires some permissions (Web, Read). I would like to trust the app programmatically as well.
Thank you!
Andre

For anyone that's interested, I came across a similar requirement. The code above is a good start, but it assumes that the app principal is already created (i.e. LookupAppPrincipal). Unfortunately, when installing an app, the app principal doesn't exist
and isn't created (unless of course it was done so manually). So, the code below is a variation of the above code, for when an app principal must first be created before being assigned permissions.
SPAppInstance appInstance = web.LoadAndInstallApp(package);
char[] separators = { '|', '@' };
string appPrincipalIdentifier = appInstance.AppPrincipalId.Split(separators)[2];SPAppPrincipalPermissionsManager permissionsManager = new SPAppPrincipalPermissionsManager(web);
SPAppPrincipalManager principalManager = SPAppPrincipalManager.GetManager(web);
List<string> endpoints = new List<string>();
endpoints.Add("<EndPoint Authority>");
SecureString secureString = new SecureString();DateTime now = DateTime.Now;SPAppPrincipalCredential credential = SPAppPrincipalCredential.CreateFromSymmetricKey(secureString, now, now);SPExternalAppPrincipalCreationParameters creationParameters = new SPExternalAppPrincipalCreationParameters(
appPrincipalIdentifier,
"<Display Name>",
endpoints,
credential
SPAppPrincipal principal = principalManager.CreateAppPrincipal(creationParameters);
permissionsManager.AddAppPrincipalToWeb(principal, SPAppPrincipalPermissionKind.FullControl

How to create visitor roles programmatically

Could you please help me how to create visitor roles programmatically using weblogic portal.
Thanks in advance

Hi,
Point this method to the selectItems under selectonechoice.
        if (yourList == null) {
            (yourList = new ArrayList();
            DCBindingContainer bindings = ADFUtil.getDCBindingContainer();
            DCIteratorBinding iteratorbinding =
                bindings.findIteratorBinding("yourVO1Iterator");
            if (iteratorbinding != null) {
                Row[] rows = iteratorbinding.getAllRowsInRange();
                String value = null;
                Long key = 0L;
                for (Row row : rows) {
                    value = (String)row.getAttribute("Attrib0");
                    key = (Long)row.getAttribute("Attrib1");
                    yourList .add(new SelectItem(key.toString(), value));
        return yourList;
Thanks
Nitish

Grant app role programmatically

Similar Messages

Maybe you are looking for