Granting Global Roles

I'm trying to assign global roles to enterprise users via the ESM but it doesn't seem to work. I'm able to connect to the database and I can see that I'm correctly authenticated using sys_context('userenv','external_name') and sys_context('userenv','session_user'), but I don't get any global roles associated with the enterprise role I'm assigned to.
Ideas? Does anyone have an idea how I can debug this or set a trace to see if I'm even really associated with the Enterprise Role?
Edited by: [email protected] on Dec 9, 2008 10:53 PM

You can't unless you use a DDL event trigger
http://www.psoug.org/reference/ddl_trigger.html
or write a stored procedure that allows the user to grant privileges presented as input parameters and contains a hard coded list of those privs that can be granted.
Personally I find the idea of giving anyone, other than a DBA or trusted security officer, the ability to grant privs a violation of governance and security practices and would discourage you from doing so except within the context of a procedure as described above.
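
The stored-procedure approach described in the reply above, sketched as an added example (not code from the thread or from Oracle). The schema SEC_ADMIN, the procedure name, the role APP_SUPPORT and the four allowlisted privileges are assumptions chosen for illustration.

```sql
-- Added example. SEC_ADMIN, GRANT_ALLOWED_PRIV and APP_SUPPORT are hypothetical names.
-- Prerequisite: SEC_ADMIN holds each allowlisted privilege WITH ADMIN OPTION,
-- granted directly, because roles are disabled inside definer's-rights procedures.
CREATE OR REPLACE PROCEDURE sec_admin.grant_allowed_priv (
    p_privilege IN VARCHAR2,
    p_grantee   IN VARCHAR2
)
AUTHID DEFINER
AS
    TYPE t_priv_list IS TABLE OF VARCHAR2(30);
    -- Hard-coded allowlist: the only privileges this procedure can ever grant.
    c_allowed CONSTANT t_priv_list := t_priv_list(
        'CREATE SESSION', 'CREATE TABLE', 'CREATE VIEW', 'CREATE SEQUENCE');
    l_priv     VARCHAR2(30);
    l_username all_users.username%TYPE;
BEGIN
    -- 1. Map the input to an allowlist entry. The statement is built from the
    --    constant, never from the caller's string.
    FOR i IN 1 .. c_allowed.COUNT LOOP
        IF UPPER(TRIM(p_privilege)) = c_allowed(i) THEN
            l_priv := c_allowed(i);
        END IF;
    END LOOP;
    IF l_priv IS NULL THEN
        RAISE_APPLICATION_ERROR(-20001, 'Privilege is not on the allowlist');
    END IF;

    -- 2. Resolve the grantee against the data dictionary, so the name used
    --    below is one the database already knows.
    BEGIN
        SELECT username
          INTO l_username
          FROM all_users
         WHERE username = UPPER(TRIM(p_grantee));
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            RAISE_APPLICATION_ERROR(-20002, 'Grantee is not an existing user');
    END;

    -- 3. Refuse to change the built-in administrative accounts.
    IF l_username IN ('SYS', 'SYSTEM') THEN
        RAISE_APPLICATION_ERROR(-20003, 'Grantee is not eligible');
    END IF;

    -- 4. Build the DDL from vetted parts only; ENQUOTE_NAME double-quotes the
    --    identifier and raises an error if it contains a stray double quote.
    EXECUTE IMMEDIATE 'GRANT ' || l_priv || ' TO '
                      || DBMS_ASSERT.ENQUOTE_NAME(l_username, FALSE);
END grant_allowed_priv;
/

-- Callers receive EXECUTE on the procedure only, never GRANT ANY PRIVILEGE.
GRANT EXECUTE ON sec_admin.grant_allowed_priv TO app_support;
```

Because GRANT is DDL, each successful call commits the caller's open transaction.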

Similar Messages

  • Grant DBA role

    Hi, I have experienced many times that when you give the DBA role to any schema it should get the privilege of CREATE ANY on all objects, but that is not the case: after giving the DBA privilege to a schema I have to give the CREATE ANY privilege to that schema even though the DBA role has that facility. Why is that so?
    Regards
    Vikas Chopkar

    Are you talking about the default role named DBA? If so, that role should rarely be granted to anyone. Either way, on my database it has the privileges you say it doesn't.
    SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='DBA' ORDER BY PRIVILEGE;
    GRANTEE                        PRIVILEGE                                ADM
    DBA                            ADMINISTER ANY SQL TUNING SET            YES
    DBA                            ADMINISTER DATABASE TRIGGER              YES
    DBA                            ADMINISTER RESOURCE MANAGER              YES
    DBA                            ADMINISTER SQL TUNING SET                YES
    DBA                            ADVISOR                                  YES
    DBA                            ALTER ANY CLUSTER                        YES
    DBA                            ALTER ANY DIMENSION                      YES
    DBA                            ALTER ANY EVALUATION CONTEXT             YES
    DBA                            ALTER ANY INDEX                          YES
    DBA                            ALTER ANY INDEXTYPE                      YES
    DBA                            ALTER ANY LIBRARY                        YES
    DBA                            ALTER ANY MATERIALIZED VIEW              YES
    DBA                            ALTER ANY OUTLINE                        YES
    DBA                            ALTER ANY PROCEDURE                      YES
    DBA                            ALTER ANY ROLE                           YES
    DBA                            ALTER ANY RULE                           YES
    DBA                            ALTER ANY RULE SET                       YES
    DBA                            ALTER ANY SEQUENCE                       YES
    DBA                            ALTER ANY SQL PROFILE                    YES
    DBA                            ALTER ANY TABLE                          YES
    DBA                            ALTER ANY TRIGGER                        YES
    DBA                            ALTER ANY TYPE                           YES
    DBA                            ALTER DATABASE                           YES
    DBA                            ALTER PROFILE                            YES
    DBA                            ALTER RESOURCE COST                      YES
    DBA                            ALTER ROLLBACK SEGMENT                   YES
    DBA                            ALTER SESSION                            YES
    DBA                            ALTER SYSTEM                             YES
    DBA                            ALTER TABLESPACE                         YES
    DBA                            ALTER USER                               YES
    DBA                            ANALYZE ANY                              YES
    DBA                            ANALYZE ANY DICTIONARY                   YES
    DBA                            AUDIT ANY                                YES
    DBA                            AUDIT SYSTEM                             YES
    DBA                            BACKUP ANY TABLE                         YES
    DBA                            BECOME USER                              YES
    DBA                            CHANGE NOTIFICATION                      YES
    DBA                            COMMENT ANY TABLE                        YES
    DBA                            CREATE ANY CLUSTER                       YES
    DBA                            CREATE ANY CONTEXT                       YES
    DBA                            CREATE ANY DIMENSION                     YES
    DBA                            CREATE ANY DIRECTORY                     YES
    DBA                            CREATE ANY EVALUATION CONTEXT            YES
    DBA                            CREATE ANY INDEX                         YES
    DBA                            CREATE ANY INDEXTYPE                     YES
    DBA                            CREATE ANY JOB                           YES
    DBA                            CREATE ANY LIBRARY                       YES
    DBA                            CREATE ANY MATERIALIZED VIEW             YES
    DBA                            CREATE ANY OPERATOR                      YES
    DBA                            CREATE ANY OUTLINE                       YES
    DBA                            CREATE ANY PROCEDURE                     YES
    DBA                            CREATE ANY RULE                          YES
    DBA                            CREATE ANY RULE SET                      YES
    DBA                            CREATE ANY SEQUENCE                      YES
    DBA                            CREATE ANY SQL PROFILE                   YES
    DBA                            CREATE ANY SYNONYM                       YES
    DBA                            CREATE ANY TABLE                         YES
    DBA                            CREATE ANY TRIGGER                       YES
    DBA                            CREATE ANY TYPE                          YES
    DBA                            CREATE ANY VIEW                          YES
    DBA                            CREATE CLUSTER                           YES
    DBA                            CREATE DATABASE LINK                     YES
    DBA                            CREATE DIMENSION                         YES
    DBA                            CREATE EVALUATION CONTEXT                YES
    DBA                            CREATE EXTERNAL JOB                      YES
    DBA                            CREATE INDEXTYPE                         YES
    DBA                            CREATE JOB                               YES
    DBA                            CREATE LIBRARY                           YES
    DBA                            CREATE MATERIALIZED VIEW                 YES
    DBA                            CREATE OPERATOR                          YES
    DBA                            CREATE PROCEDURE                         YES
    DBA                            CREATE PROFILE                           YES
    DBA                            CREATE PUBLIC DATABASE LINK              YES
    DBA                            CREATE PUBLIC SYNONYM                    YES
    DBA                            CREATE ROLE                              YES
    DBA                            CREATE ROLLBACK SEGMENT                  YES
    DBA                            CREATE RULE                              YES
    DBA                            CREATE RULE SET                          YES
    DBA                            CREATE SEQUENCE                          YES
    DBA                            CREATE SESSION                           YES
    DBA                            CREATE SYNONYM                           YES
    DBA                            CREATE TABLE                             YES
    DBA                            CREATE TABLESPACE                        YES
    DBA                            CREATE TRIGGER                           YES
    DBA                            CREATE TYPE                              YES
    DBA                            CREATE USER                              YES
    DBA                            CREATE VIEW                              YES
    DBA                            DEBUG ANY PROCEDURE                      YES
    DBA                            DEBUG CONNECT SESSION                    YES
    DBA                            DELETE ANY TABLE                         YES
    DBA                            DEQUEUE ANY QUEUE                        YES
    DBA                            DROP ANY CLUSTER                         YES
    DBA                            DROP ANY CONTEXT                         YES
    DBA                            DROP ANY DIMENSION                       YES
    DBA                            DROP ANY DIRECTORY                       YES
    DBA                            DROP ANY EVALUATION CONTEXT              YES
    DBA                            DROP ANY INDEX                           YES
    DBA                            DROP ANY INDEXTYPE                       YES
    DBA                            DROP ANY LIBRARY                         YES
    DBA                            DROP ANY MATERIALIZED VIEW               YES
    DBA                            DROP ANY OPERATOR                        YES
    DBA                            DROP ANY OUTLINE                         YES
    DBA                            DROP ANY PROCEDURE                       YES
    DBA                            DROP ANY ROLE                            YES
    DBA                            DROP ANY RULE                            YES
    DBA                            DROP ANY RULE SET                        YES
    DBA                            DROP ANY SEQUENCE                        YES
    DBA                            DROP ANY SQL PROFILE                     YES
    DBA                            DROP ANY SYNONYM                         YES
    DBA                            DROP ANY TABLE                           YES
    DBA                            DROP ANY TRIGGER                         YES
    DBA                            DROP ANY TYPE                            YES
    DBA                            DROP ANY VIEW                            YES
    DBA                            DROP PROFILE                             YES
    DBA                            DROP PUBLIC DATABASE LINK                YES
    DBA                            DROP PUBLIC SYNONYM                      YES
    DBA                            DROP ROLLBACK SEGMENT                    YES
    DBA                            DROP TABLESPACE                          YES
    DBA                            DROP USER                                YES
    DBA                            ENQUEUE ANY QUEUE                        YES
    DBA                            EXECUTE ANY CLASS                        YES
    DBA                            EXECUTE ANY EVALUATION CONTEXT           YES
    DBA                            EXECUTE ANY INDEXTYPE                    YES
    DBA                            EXECUTE ANY LIBRARY                      YES
    DBA                            EXECUTE ANY OPERATOR                     YES
    DBA                            EXECUTE ANY PROCEDURE                    YES
    DBA                            EXECUTE ANY PROGRAM                      YES
    DBA                            EXECUTE ANY RULE                         YES
    DBA                            EXECUTE ANY RULE SET                     YES
    DBA                            EXECUTE ANY TYPE                         YES
    DBA                            EXPORT FULL DATABASE                     YES
    DBA                            FLASHBACK ANY TABLE                      YES
    DBA                            FORCE ANY TRANSACTION                    YES
    DBA                            FORCE TRANSACTION                        YES
    DBA                            GLOBAL QUERY REWRITE                     YES
    DBA                            GRANT ANY OBJECT PRIVILEGE               YES
    DBA                            GRANT ANY PRIVILEGE                      YES
    DBA                            GRANT ANY ROLE                           YES
    DBA                            IMPORT FULL DATABASE                     YES
    DBA                            INSERT ANY TABLE                         YES
    DBA                            LOCK ANY TABLE                           YES
    DBA                            MANAGE ANY FILE GROUP                    YES
    DBA                            MANAGE ANY QUEUE                         YES
    DBA                            MANAGE FILE GROUP                        YES
    DBA                            MANAGE SCHEDULER                         YES
    DBA                            MANAGE TABLESPACE                        YES
    DBA                            MERGE ANY VIEW                           YES
    DBA                            ON COMMIT REFRESH                        YES
    DBA                            QUERY REWRITE                            YES
    DBA                            READ ANY FILE GROUP                      YES
    DBA                            RESTRICTED SESSION                       YES
    DBA                            RESUMABLE                                YES
    DBA                            SELECT ANY DICTIONARY                    YES
    DBA                            SELECT ANY SEQUENCE                      YES
    DBA                            SELECT ANY TABLE                         YES
    DBA                            SELECT ANY TRANSACTION                   YES
    DBA                            UNDER ANY TABLE                          YES
    DBA                            UNDER ANY TYPE                           YES
    DBA                            UNDER ANY VIEW                           YES
    DBA                            UPDATE ANY TABLE                         YES

  • Error while granting BPMOrganizationAdmin role to SOAOperator.

    Error while starting the SOA server. Please advise.
    <Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.services.organization> <BEA-000000> <Exception
    exception.70692.type: error
    exception.70692.severity: 2
    exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
    exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
    exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
    ORABPEL-10513
    Cannot get application roles from application identified by "{0}".
    An error occurred while getting application roles from application identified by "soa-infra".
    The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused By: ORABPEL-10510
    Application role not found.
    Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
    Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
            at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    >
    <Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.common> <BEA-000000> <Exception
    BPM-70692
    Exception
    exception.70692.type: error
    exception.70692.severity: 2
    exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
    exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
    exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:324)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:29)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused By: ORABPEL-10513
    Cannot get application roles from application identified by "{0}".
    An error occurred while getting application roles from application identified by "soa-infra".
    The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused By: ORABPEL-10510
    Application role not found.
    Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
    Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
            at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    >

    Hi user,
    Can you give us some information on the version you are using and your security setup? Are you using an external security provider? It sounds to me like you are using an external LDAP server.
    Antonis

  • How to retrieve Global Roles in the current security realm?

    Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
    I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
    Thanks all...
    Message was edited by:
    raymondng

    You can refer to the api
    http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
    -Ramkumar

  • Dynamic grant user role issue

    Hi friends,
    I created a role in Oracle 10 and it can be granted to users one by one; that works.
    But when I try to grant the role to all users I get an error.
    My code is (copied and modified from OTN):
    ====
    DECLARE
    l_schema VARCHAR2(30) := 'SCHEMA_OWNER';
    BEGIN
    FOR i IN (SELECT USERNAME
    FROM all_users
    WHERE username not in ('SYS','SYSTEM','OUTLN','DMSYS','TSMSYS','XDB','CTXSYS','WMSYS','DBSNMP','DIP','OLAP','OLAPSYS','MDSYS','EXFSYS','MDSYS'))
    LOOP
    BEGIN
    EXECUTE IMMEDIATE 'GRANT USERS_SELECT ||' TO i.USERNAME;
    EXCEPTION
    WHEN OTHERS THEN
    NULL;
    END;
    END LOOP;
    END;
    ORA-06550: line 10, column 41:
    PLS-00103: Encountered the symbol "TO" when expecting one of the following:
    * & = - + ; < / > at in is mod remainder not rem return
    returning <an exponent (**)> <> or != or ~= >= <= <> and or
    like LIKE2_ LIKE4_ LIKEC_ between into using || multiset bulk
    member SUBMULTISET_
    The symbol "* was inserted before "TO" to continue.
    SQL>
    I double-checked the syntax and it looks OK. What is wrong?
    Thanks for help!
    Jim

    Try:
    EXECUTE IMMEDIATE 'GRANT RAC_SELECT TO '|| i.USERNAME;
    And remove this part, which is for 99.99% a bug:
    EXCEPTION
    WHEN OTHERS THEN
    NULL;
    END
    Only catch errors you expect...
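
The loop from the question with the concatenation corrected and the blanket handler replaced by a narrow one, as an added example that is not part of either post. USERS_SELECT is the role named in the question; the choice of ORA-01917 as the one expected error and the two counters are assumptions made for illustration.

```sql
-- Added example: grant one role to every non-excluded account and
-- catch only the error that is expected during such a run.
SET SERVEROUTPUT ON
DECLARE
    e_no_such_grantee EXCEPTION;
    -- ORA-01917: user or role does not exist (for example, dropped mid-run)
    PRAGMA EXCEPTION_INIT(e_no_such_grantee, -1917);
    l_granted PLS_INTEGER := 0;
    l_skipped PLS_INTEGER := 0;
BEGIN
    FOR i IN (SELECT username
                FROM all_users
               WHERE username NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'DMSYS', 'TSMSYS',
                                      'XDB', 'CTXSYS', 'WMSYS', 'DBSNMP', 'DIP',
                                      'OLAP', 'OLAPSYS', 'MDSYS', 'EXFSYS')
               ORDER BY username)
    LOOP
        BEGIN
            -- The closing quote comes after "TO ", and the user name is
            -- appended as a quoted identifier so that mixed-case or
            -- unusual names cannot alter the statement.
            EXECUTE IMMEDIATE 'GRANT USERS_SELECT TO '
                              || DBMS_ASSERT.ENQUOTE_NAME(i.username, FALSE);
            l_granted := l_granted + 1;
        EXCEPTION
            WHEN e_no_such_grantee THEN
                -- Expected and harmless: record it and continue.
                l_skipped := l_skipped + 1;
                DBMS_OUTPUT.PUT_LINE('Skipped ' || i.username || ': ' || SQLERRM);
        END;
    END LOOP;
    DBMS_OUTPUT.PUT_LINE('Granted: ' || l_granted || ', skipped: ' || l_skipped);
END;
/
```

Any other failure, such as insufficient privileges or a missing role, propagates and stops the run instead of being silently discarded.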

  • Configure global roles in weblogic express

    Weblogic Express 8.1 sp2 does not allow you to configure global roles using the Admin console.
    I know this is the expected functionality. How do you configure these global roles without the use of the Admin Console?

    As far as I know, you could never create roles via WLST offline, only via WLST online.
    Thanks,
    -satya
    BEA Blog: http://dev2dev.bea.com/blog/sghattu/

  • Creating a Global Role using weblogic.Admin command

    Hi,
    Does anyone have an example of creating a global role using the weblogic.Admin commands? I think I have to use the INVOKE command with the DefaultRoleMapper and createRole method, but I'm not quite sure what the rest of the syntax is.
    Thanks,
    Gabriel

    Gabriel,
    The following works for me:
    weblogic.Admin -url t3://localhost:80 -username weblogic -password weblogic INVOKE -mbean "Security:Name=myrealmDefaultRoleMapper" -method createRole "" "MyGlobalRole" "Grp(Administrators)" ""
    The null first parameter identifies this role as a global role.
    The second param is the name of the role.
    The third parameter is the policy expression. Here, I've mapped the role to the Administrators group. You can also map it to users or a combo of the two. For example, to map it to the "weblogic" user, use "Usr(weblogic)" as the policy expression. If you leave this parameter empty, the role will be created but will not be mapped to anything.
    I'm not sure what the fourth parameter is for. It's not defined in the RoleEditorMBean docs but not including it causes an error. I suspect it's a description field because WLS does not seem to care what you put there.
    HTH,
    Mike

  • Migrate 8.1 Global roles include Role Conditions

    Hi all,
    I have one question. I want to migrate Global Role conditions from one WebLogic 8.1 server to another. When I export the DefaultRoleMapper provider, I can see only the list of Global Roles in the exported file. I cannot see any mapping item in this file. Please, does someone know how to migrate Global Roles including the mapping?
    TY very much,
    Lada

    Hi,
    I export DefaultRoleMapper through Security-Realms-myrealm-Providers-Role Mapping-DefaultRoleMapper/Migration-Export in WL console.
    In exported file I can see only list of defined Global Roles, for example:
    dn: cn=::AbortTaskRole,ou=ERole,ou=@realm@,dc=@domain@
    objectclass: top
    objectclass: ERole
    cn: ::AbortTaskRole
    createTimestamp: 201000261052Z
    creatorsName: cn=admin
    EExpr:: fALDp01DQWRtaW5Hcm91cArDp01DU3BBZG1pbkdyb3VwCg==
    wlsCreatorInfo: mbean
    modifyTimeStamp: 201000261147Z
    modifiersName: cn=admin
    dn: cn=::CancelTaskRole,ou=ERole,ou=@realm@,dc=@domain@
    objectclass: top
    objectclass: ERole
    cn: ::CancelTaskRole
    createTimestamp: 201000261053Z
    creatorsName: cn=admin
    EExpr:: fALDp01DQWRtaW5Hcm91cArDp01DU3BBZG1pbkdyb3VwCg==
    wlsCreatorInfo: mbean
    modifyTimeStamp: 201000261148Z
    modifiersName: cn=admin
    But in this file I don't see any conditions which are bound to these Roles (myrealm-Global Roles-<concrete role>-Conditions). I cannot find these conditions in any other files generated by exporting the whole security realm.
    TY for your help,
    Lada

  • Global Roles

    Hi Experts,
    I am currently facing an issue where I am unable to see any roles when I "Browse Global Scoped Roles" under "Search for Roles Entitled to this Resource". I have defined all the global roles under "Home >Summary of Security Realms >myrealm >Realm Roles" on the weblogic server 10.3.0.0.
    Even the default roles defined under Visitor Roles
    - Visitor Entitlement RoleAnonymousVisitor
    - Visitor Entitlement RoleAuthenticatedVisitor
    are missing in this environment.
    Any help will be highly appreciated.
    Cheers
    Edited by: user551247 on 25-May-2011 01:37
    Just to add, I tried to look into the table P13N_ENTITLEMENT_ROLE and could see that all the roles defined are already present. I tried to create a new role and this role is being added to this table.
    But I am not able to view any of these roles on the portal.

    Have you tried this ?
    http://weblogic-wonders.com/weblogic/2010/06/04/how-to-modify-weblogic-default-roles-and-policies/

  • Creating Global Roles in 9.1 using WLST

    Hi,
    Did anyone try creating Global Roles in Weblogic 9.1 ?
    Since in Weblogic 9.1, the Authorizer and Role Mapper providers are XACML based, I am not sure if we can use WLST offline to create global roles.
    Can someone please shed some light on this.
    Thanks -agreddy

    As far as I know you could never create roles via WLST offline, only via WLST online.
    Thanks,
    -satya
    BEA Blog: http://dev2dev.bea.com/blog/sghattu/

  • Role grants to roles being deprecated

    I have just read with concern in the release notes for Oracle Database 10.1 (paragraph 7.1) that the ability to grant "application role to another role will not be allowed in future Oracle database releases". Why will we be unable to nest roles in the way we have been doing for years? I can see many problems with this loss of functionality, or is there a cleverer way of organising security being introduced to replace roles?

    I cannot find it online either. It is in the README that comes with the download of 10G from OTN. The document part number is B12304-01 and it is the README for Oracle Database 10G Release 10.1 dated January 2004. It is in the section on Database Security, paragraph 7.1. The exact text of the bullet point is, "Grants of password protection or application role to another role will not be allowed in future Oracle Database releases".

  • Database Vault Owner Grant Any Role Permission

    So I just noticed that the role DV_OWNER has the system privilege to GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not I would like to remove it. We would prefer the Database Vault owner person to not have any permissions except for logging into the Data Vault console to modify realms and rules and stuff, as well as looking at audit logs. The DV_OWNER role also has ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges which I would like to remove as well. Anybody have any opinions on this?
    Oracle EE 11.2.0.2 on Windows 2008 R2
    Thanks.

    Sysdba can issue powerful statements such as create user, drop user, alter user, create profile .. and so on... can be done only if it is allowed so by modifying the Can maintain accounts/profiles rule set.
    You can also login with dvsys account but that account is locked after installation. So unlock it with
    alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault := DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
    Following can help you
    SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
    SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
    Regards
    Karan

  • Set global roles

    Hi,
    Is there a way to set global roles through weblogic ant tasks or command line utilities ?
    I am using weblogic 8.1SP5
    Thanks,
    Manish
    Edited by manish25 at 02/02/2007 1:24 PM

    Hi,
    There are certain things you need to check
    1. Did you do user comparison?
    2. Did you check the SCUL log?
    SCUL  ->choose (error,unconfirmed & warning)  user / roles / profiles execute -> you will get list of users
    Priority of resolving would be the same order   1. Error (red) 2. Unconfirmed (Gray) and 3. Warnings.(Yellow).
    based on the error you can redistribute the idoc.
    Procedure :
    Select the user which you would like to re-distribute for a particular system -> it will display user  / roles / profile ->
    Let's say roles are grayed -> highlight on the role -> click on F7 button or  cross mark (Distribution)  . You will receive new window with selection of IDOC type. Select appropriate IDOC type -> choose roles -> continue.
    3. Text comparison
    To get a newly created role to a system quickly avoiding  Text Comparison to all systems i.e from CUA. Instead you can do text comparison from child systems.
    Finally your SCUM settings are correct.
    Thanks,
    Sri

  • Select Granted By Role Doesn't Work

    Oracle 11.1.0.7.0 running on AIX
    This is crazy I don't know why it is happening or even how it is happening but when I grant a role to a user they still cannot select from the granted tables & views.
    CREATE ROLE RETROMAN_USERS NOT IDENTIFIED;
    GRANT SELECT ON YBP.DDA_STATUS_CODES TO RETROMAN_USERS;
    GRANT SELECT ON YBP.DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS;
    GRANT SELECT ON YBP.V_DDA_STATUS_CODES TO RETROMAN_USERS;
    GRANT SELECT ON YBP.V_DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS;
    GRANT RETROMAN_USERS TO SABEL WITH ADMIN OPTION;
    GRANT RETROMAN_USERS TO CKING;
    GRANT RETROMAN_USERS TO FCROWELL;
    GRANT RETROMAN_USERS TO HCAMPBELL;
    GRANT RETROMAN_USERS TO LJOHNSON;
    GRANT RETROMAN_USERS TO RWILLIAMS;
    GRANT RETROMAN_USERS TO LMONTCALM;
    When I try to Select * from ybp.Demand_Driven_Activity as hcampbell I get a "table or view does not exist" error, whereas other users can get results using the same query. Any ideas? I am completely out of them. I am not a DBA and our company doesn't employ a DBA - scary huh. Any help would be greatly appreciated.
    Scott

    OK, the user cannot select from the table...
    $ sqlplus hcampbell@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:51:33 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> select * from ybp.demand_driven_activity;
    select * from ybp.demand_driven_activity
    ERROR at line 1:
    ORA-00942: table or view does not exist
    -----
    Let's grant the role and verify that the role is assigned and what privileges it has.
    oracle@qa:/home/oracle
    $ sqlplus sabel@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:53:21 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> grant retroman_users to hcampbell;
    Grant succeeded.
    SQL> select * from DBA_ROLE_PRIVS where grantee = 'HCAMPBELL';
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    HCAMPBELL                      YBPREGUSER                     NO  YES
    HCAMPBELL                      OOPS                           NO  YES
    HCAMPBELL                      YBPENDUSER                     NO  YES
    HCAMPBELL                      RETROMAN_USERS                 NO  NO
    -----
    The role does exist (I think) and has the following permissions
    SQL> set linesize 132
    SQL> Select * from role_tab_privs Where   role = 'RETROMAN_USERS';
    ROLE                           OWNER                          TABLE_NAME                     COLUMN_NAME
    PRIVILEGE                                GRA
    RETROMAN_USERS                 YBP                            DEMAND_DRIVEN_ACTIVITY
    SELECT                                   NO
    RETROMAN_USERS                 YBP                            V_DEMAND_DRIVEN_ACTIVITY
    SELECT                                   NO
    RETROMAN_USERS                 YBP                            DDA_STATUS_CODES
    SELECT                                   NO
    ROLE                           OWNER                          TABLE_NAME                     COLUMN_NAME
    PRIVILEGE                                GRA
    RETROMAN_USERS                 YBP                            V_DDA_STATUS_CODES
    SELECT                                   NO
    SQL> exit
    Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    -----
    sys can't see the role though - but that may be normal...
    $ sqlplus sys@devorcl as sysdba
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:30:34 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> Select * from role_tab_privs Where   role = 'RETROMAN_USERS';
    no rows selected
    -----
    The user still cannot select from the table
    $ sqlplus hcampbell@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:39:46 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> select * from ybp.demand_driven_activity;
    select * from ybp.demand_driven_activity
    ERROR at line 1:
    ORA-00942: table or view does not exist
    -----
    let's try to make it a default role....
    $ sqlplus sabel@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:42:59 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSER, retroman_users;
    User altered.
    SQL> exit
    -----
    after the user logs out and then back on, now user can access the table.
    oracle@qa:/home/oracle
    $ sqlplus hcampbell@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:47:57 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> Select Count(1) from ybp.demand_driven_activity;
      COUNT(1)
        161295
    If I remove the retroman_users from the default role I can still access the table until I log out and then back in so it must have something to do with default roles. I don't know why I didn't see this before but the other users that were granted the retroman_users role and could access the table had their default role set to ALL. Sorry, I didn't give you all the information that you needed to help me, this might have helped:
    CREATE USER HCAMPBELL
      IDENTIFIED BY h
      DEFAULT TABLESPACE DATASMALL
      TEMPORARY TABLESPACE TEMP
      PROFILE DEFAULT
      ACCOUNT UNLOCK;
      -- 4 Roles for HCAMPBELL
      GRANT YBPREGUSER TO HCAMPBELL;
      GRANT OOPS TO HCAMPBELL;
      GRANT YBPENDUSER TO HCAMPBELL;
      GRANT RETROMAN_USERS TO HCAMPBELL;
      ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSER;
    I guess I need to read more about Default Roles. Sorry for my belligerent responses.
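
    The check that separates "role granted" from "role enabled in this session", which is the distinction the transcript above runs into, as an added example that is not part of the original thread. The user and role names are the ones from the post; USER_ROLE_PRIVS and SESSION_ROLES are standard data dictionary views.

    ```sql
    -- Run steps 1-4 as the affected user (HCAMPBELL in the post).

    -- 1. Roles granted directly to this user, with the default-role flag.
    --    DEFAULT_ROLE = 'NO' means the role is granted but is not enabled
    --    automatically at logon.
    SELECT granted_role, admin_option, default_role
      FROM user_role_privs
     WHERE username = USER
     ORDER BY granted_role;

    -- 2. Roles actually enabled in the current session. Object privileges
    --    held through a role apply only while that role is listed here.
    SELECT role
      FROM session_roles
     ORDER BY role;

    -- 3. Granted but not enabled right now: the gap that produces ORA-00942
    --    on a table the user can reach only through such a role.
    SELECT granted_role
      FROM user_role_privs
     WHERE username = USER
    MINUS
    SELECT role
      FROM session_roles;

    -- 4. Enable every granted role for this session only, without logging
    --    out. This fails if any directly granted role requires a password.
    SET ROLE ALL;

    -- 5. Permanent fix, run by a suitably privileged account. It takes
    --    effect at the user's next logon. With an explicit list, roles
    --    granted later are NOT added to the defaults, which is how
    --    RETROMAN_USERS ended up with DEF = NO in the post.
    ALTER USER hcampbell
      DEFAULT ROLE ybpreguser, oops, ybpenduser, retroman_users;

    -- Alternative: every current and future role becomes a default role.
    -- Simpler to operate, but it gives up the option of keeping a
    -- sensitive role disabled until a session asks for it with SET ROLE.
    -- ALTER USER hcampbell DEFAULT ROLE ALL;
    ```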

  • WLST 92 - How to Create Global Role and Role Condition?

    I'm currently using WLS 9.2 and trying to use WLST to create a global role and defining a role condition. Anyone know how to do so using WLST for WLS 9.2?
    Trying to:
    - create Global Role, testRole
    - create condition where 'username = testuser'
    thanks!

    Did you find out a solution for this?
