GRC BO AC 10.0 Risk Analysis & Role Management from SRM

Hi Gurus,
Does anyone know if GRC AC 10.0 can analyze and manage (create/modify) SAP SRM (Portal-based) roles and users?
Thank you,
Luigi

Similar Messages

  • GRC AC 10.0 Risk Analysis - Risk Terminator vs BRM Role Management

    Hi All,
    After having seen the configuration for Risk Analysis - Risk Terminator and Role Management, I observed that there is very little difference, e.g. parameters 1085 and 3011, 3014. If we configure all three parameters to TRUE, which one would take effect? Can anyone let us know under what circumstances we must configure RT and Role Management? BRM too has a whole lot of new features which supersede RT.
    Best Regards,
    Vishal

    Hi Vishal,
    The parameters will be invoked in different scenarios. 1085 is specific to when roles are generated in the SAP Backend system using risk terminator and therefore this will have no impact if you are using BRM to generate the roles.
    3011 & 3014 are specific to BRM and govern different behaviours. 3011 will facilitate the risk analysis prior to triggering the generation steps in the methodology and 3014 will allow the roles to be generated despite any permission risks that are returned.
    They are not exclusive and actually work together. For instance, you may want to have a block on generation of roles when there are open conflicts identified and therefore you should have 3011 set to YES and 3014 set to NO. If both are set to YES, then you could propagate conflicts in the roles.
    You can use Risk Terminator if you wish to continue to develop roles within the SAP system itself rather than to rely on the GRC BRM system wholly.
    There are still wide discussions and differing opinions about which represents the best approach for this and so it depends on your organisation as to which process you follow.
    The parameter descriptions in question are:  
    1085 - Stop Role Generation if violations exist
    3011 - Conduct Risk Analysis before Role Generation
    3014 - Allow role generation with Permission Level violations
    Regards, Simon
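The gating Simon describes, written out as a small model so the YES/NO combinations can be checked rather than reasoned about one at a time. This is an added example, not part of Simon's reply and not SAP's code: it takes the three parameter values as GRC shows them (YES/NO; TRUE is accepted too, since the question uses it), a list of risk IDs that a risk analysis would return for the role, and reports whether the role gets generated and which risks end up inside it. The page does not say how action-level-only findings interact with 3014, so the model treats the violation list as the output of a permission-level analysis; the risk ID P001 and all function names are assumptions.

```python
from dataclasses import dataclass, field
from itertools import product

# Parameter IDs and descriptions exactly as quoted in the reply above.
PARAMS = {
    "1085": "Stop Role Generation if violations exist",               # Risk Terminator (backend) path
    "3011": "Conduct Risk Analysis before Role Generation",           # BRM path
    "3014": "Allow role generation with Permission Level violations", # BRM path
}


def _on(value):
    """GRC shows these as YES/NO; the thread also says TRUE. Accept both spellings."""
    return str(value).strip().upper() in {"YES", "TRUE", "X", "1"}


@dataclass
class Decision:
    path: str                                        # "BRM" or "RiskTerminator"
    analysed: bool                                   # was a risk analysis run at all
    generated: bool                                  # did the role get generated
    propagated: list = field(default_factory=list)   # risk IDs now sitting inside a generated role
    reason: str = ""


def brm_generate(params, permission_violations):
    """Model of the BRM methodology gate (3011 + 3014). permission_violations is the
    list of risk IDs a permission-level analysis would return (assumed input)."""
    if not _on(params.get("3011", "NO")):
        # No analysis step at all: whatever conflicts exist go into the role unseen.
        return Decision("BRM", False, True, list(permission_violations),
                        "3011=NO: generated without analysis")
    if permission_violations and not _on(params.get("3014", "NO")):
        return Decision("BRM", True, False, [],
                        "3011=YES, 3014=NO: blocked, %d open permission-level risk(s)"
                        % len(permission_violations))
    if permission_violations:
        return Decision("BRM", True, True, list(permission_violations),
                        "3011=YES, 3014=YES: generated, risks reported but not blocking")
    return Decision("BRM", True, True, [], "3011=YES: analysis clean, generated")


def risk_terminator_generate(params, violations):
    """Model of the backend PFCG + Risk Terminator path, governed only by 1085."""
    if violations and _on(params.get("1085", "NO")):
        return Decision("RiskTerminator", True, False, [],
                        "1085=YES: generation stopped, violations exist")
    return Decision("RiskTerminator", True, True, list(violations),
                    "1085=NO or no violations: generated")


def audit_settings(params):
    """Return the settings under which a role with open conflicts can still be generated."""
    findings = []
    if not _on(params.get("3011", "NO")):
        findings.append("3011=NO: BRM generates roles without any risk analysis")
    elif _on(params.get("3014", "NO")):
        findings.append("3011=YES and 3014=YES: BRM reports permission risks but still generates")
    if not _on(params.get("1085", "NO")):
        findings.append("1085=NO: Risk Terminator does not stop backend generation on violations")
    return findings


def generation_matrix(sample_violations=("P001",)):
    """Truth table for the two BRM parameters against one sample conflict (P001 is assumed)."""
    table = {}
    for p3011, p3014 in product(("YES", "NO"), repeat=2):
        d = brm_generate({"3011": p3011, "3014": p3014}, list(sample_violations))
        table[(p3011, p3014)] = (d.analysed, d.generated, len(d.propagated))
    return table


if __name__ == "__main__":
    for key, row in generation_matrix().items():
        print("3011=%s 3014=%s -> analysed=%s generated=%s propagated=%d" % (key + row))
    for finding in audit_settings({"1085": "NO", "3011": "YES", "3014": "YES"}):
        print("finding:", finding)
```

audit_settings is the check to run against a productive parameter set: an empty list means neither the BRM path nor the backend Risk Terminator path can generate a role while conflicts are open, which is the 3011=YES / 3014=NO / 1085=YES combination Simon recommends. The matrix makes the "both set to YES" case visible as the row that analyses and still generates with the conflict inside the role.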

  • 500 Internal Server Error in GRC 5.3 Enterprise Role Management

    Hi All;
    We've installed Sap GRC Access Control 5.2 on Sap Netweaver 7.0.
    We installed SAP NetWeaver 7.0 (2004s)
    SAP Internet Graphics Service (SAP IGS)
    VIRCC00_0.SCA -SP15
    VIRAE00_0.SCA -SP15
    VIRRE00_0.SCA -SP15
    VIRFF00_0.SCA -SP15
    VIRSANH  -SP15
    VIRACCNTNT.SAR-SP15
    Our SP levels on the ABAP side are:
    SAP_ABA     700     0014
    SAP_BASIS     700     0014
    PI_BASIS     2005_1_700     0014
    SAP_BW     700     0016
    VIRSANH     530_700     0015
    When we started to configure the components according to the Configuration Guide, in the Enterprise Role Management part I wanted to do the Configuring Risk Analysis Integration with RAR, but on the CONFIGURATION tab, when I navigate to Miscellaneous, the page gives me the error message:
    "500 Internal Server Error
      SAP J2EE Engine/7.00
      Application error occurred during request processing.
      Details: java.lang.NullPointerException: null"
    The logs are:
    #1.5 #0050568C003D006800000011000026540004A12E73AF8A7C#1303120788268#com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager#sap.com/irj#com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager.addDefaultAlias#J2EE_GUEST#0##n/a##98478fc069a211e0cef50050568c003d#Thread[ConfigurationEventDispatcher,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error##Plain###
    [BEGIN] Exception -
    javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content [Root exception is javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content]
         at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:407)
         at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248)
         at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
         at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookupLink(PcdProxyContext.java:1353)
         at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookup(PcdProxyContext.java:1300)
         at com.sapportals.portal.pcd.gl.PcdProxyContext.lookup(PcdProxyContext.java:1067)
         at com.sapportals.portal.pcd.gl.PcdGlContext.lookup(PcdGlContext.java:68)
         at com.sapportals.portal.pcd.gl.PcdURLContext.lookup(PcdURLContext.java:238)
         at javax.naming.InitialContext.lookup(InitialContext.java:347)
         at com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager.addDefaultAlias(SCFSystemManager.java:239)
         at com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager.doAliasOperations(SCFSystemManager.java:111)
         at com.sap.ip.collaboration.sync.impl.scf.config.ServiceRegistryConfiguration.refreshCache(ServiceRegistryConfiguration.java:203)
         at com.sap.ip.collaboration.sync.impl.scf.config.ServiceRegistryConfigEventListener.refreshConfigCache(ServiceRegistryConfigEventListener.java:13)
         at com.sap.ip.collaboration.sync.impl.scf.config.AbstractConfigEventListener.configEvent(AbstractConfigEventListener.java:28)
         at com.sapportals.config.event.ConfigEventService.dispatchEvent(ConfigEventService.java:227)
         at com.sapportals.config.event.ConfigEventService.configEvent(ConfigEventService.java:112)
         at com.sapportals.config.event.ConfigEventDispatcher.callConfigListeners(ConfigEventDispatcher.java:308)
         at com.sapportals.config.event.ConfigEventDispatcher.flushEvents(ConfigEventDispatcher.java:251)
         at com.sapportals.config.event.ConfigEventDispatcher.run(ConfigEventDispatcher.java:110)
    Caused by: javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content
         at com.sapportals.portal.pcd.gl.xfs.XfsContext.getChildAtomicName(XfsContext.java:431)
         at com.sapportals.portal.pcd.gl.xfs.XfsContext.lookupAtomicName(XfsContext.java:235)
         at com.sapportals.portal.pcd.gl.xfs.BasicContext.lookup(BasicContext.java:919)
         at com.sapportals.portal.pcd.gl.PcdPersContext.lookup(PcdPersContext.java:387)
         at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:403)
         ... 18 more
    [END] Exception -
    Exception id: [0050568C003D007500000039000026540004A12E88C68DAE]"
    #1.5 #0050568C003D006D000000A7000026540004A12E79B6901C#1303120889408#System.err#sap.com/tc~kw_tc#System.err#J2EE_GUEST#0##n/a##9ea951f069a211e0c6f00050568c003d#SAPEngine_Application_Thread[impl:3]_39##0#0#Error##Plain###Apr 18, 2011 1:01:29 PM      com.sap.kw.framework.FrontController [SAPEngine_Application_Thread[impl:3]_39] Info: FrontController: app init failed ...
    #1.5 #0050568C003D006D000000A8000026540004A12E79B6925E#1303120889408#System.err#sap.com/tc~kw_tc#System.err#J2EE_GUEST#0##n/a##9ea951f069a211e0c6f00050568c003d#SAPEngine_Application_Thread[impl:3]_39##0#0#Error##Plain###Apr 18, 2011 1:01:29 PM      com.sap.kw.framework.FrontController [SAPEngine_Application_Thread[impl:3]_39] Path: Caught java.lang.NullPointerException: FATAL ERROR: Could not load E:\usr\sap\MGD\DVEBMGS00\j2ee\cluster\server0\apps\sap.com\tc~kw_tc\servlet_jsp\SAPIKS2\root\WEB-INF\ApplConfig.xml
         at com.sap.kw.framework.XMLConfiguration.<init>(XMLConfiguration.java:53)
         at com.sap.kw.actions.ApplConfig.init(ApplConfig.java:83)
         at com.sap.kw.framework.FrontController.init(FrontController.java:222)
         at com.sap.engine.services.servlets_jsp.server.runtime.context.WebComponents.addServlet(WebComponents.java:139)
         at com.sap.engine.services.servlets_jsp.server.container.ApplicationThreadInitializer.loadServlets(ApplicationThreadInitializer.java:386)
         at com.sap.engine.services.servlets_jsp.server.container.ApplicationThreadInitializer.run(ApplicationThreadInitializer.java:110)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    #1.5 #0050568C003D007200000021000026540004A12E7AD53183#1303120908190#com.sap.slm.exec.message.SLMApplication#sap.com/tcslmslmapp#com.sap.slm.exec.message.SLMApplication#J2EE_GUEST#0##n/a##a061141069a211e0890c0050568c003d#SAPEngine_Application_Thread[impl:3]_32##0#0#Error##Java###"CfgObjectLoadVisitor" cannot load com.sap.slm.util.config.objects.CfgSDTServer from SLM configuration. Cannot read configuration in path ''SLM''##
    #1.5 #0050568C003D001B00000002000026540004A12E7B3058F9#1303120914164#com.sap.sl.ut##com.sap.sl.ut####n/a##e362b43069a211e0c20e0050568c003d#SAPEngine_System_Thread[impl:5]_29##0#0#Info#1#/System/Server#Plain### Location :<com.sap.sl.ut> is initialized!#
    #1.5 #0050568C003D001B00000004000026540004A12E7B3059B1#1303120914164#com.sap.sl.ut##com.sap.sl.ut####n/a##e362b43069a211e0c20e0050568c003d#SAPEngine_System_Thread[impl:5]_29##0#0#Info#1#/System/Server#Plain### Cotegory :</System/Server> is initialized and bound to Location: <com.sap.sl.ut>#
    #1.5 #0050568C003D001B00000006000026540004A12E7B3076F4#1303120914172#com.sap.sl.ut##com.sap.sl.ut####n/a##e362b43069a211e0c20e0050568c003d#SAPEngine_System_Thread[impl:5]_29##0#0#Info#1#/System/Server#Plain###Establishing db connection...#
    #1.5 #0050568C003D002400000297000026540004A12E7CC1E87F#1303120940477#com.sap.portal.prt.sapj2ee.error##com.sap.portal.prt.sapj2ee.error####n/a##39c1422069a211e08b030050568c003d#SAPEngine_System_Thread[impl:5]_86##0#0#Error#1#/System/Server#Java###Exception while starting: sap.com/ccxsysbgear
    [EXCEPTION]
    #1#com.sap.engine.services.deploy.container.DeploymentException: <Localization failed: ResourceBundle='com.sap.engine.services.deploy.DeployResourceBundle', ID='Exception while starting: SAPJ2EE::sap.com/grc~ccxsysejbear', Arguments: []> : Can't find resource for bundle java.util.PropertyResourceBundle, key Exception while starting: SAPJ2EE::sap.com/grc~ccxsysejbear
         at com.sap.portal.prt.sapj2ee.SAPJ2EEPortalRuntime.getAndStartSAPJ2EEApplicationItem(SAPJ2EEPortalRuntime.java:876)
         at com.sap.portal.prt.sapj2ee.PortalRuntimeContainer.prepareStart(PortalRuntimeContainer.java:511)
         at com.sap.engine.services.deploy.server.DeployServiceImpl.startApplicationLocalAndWait(DeployServiceImpl.java:4361)
         at com.sap.engine.services.deploy.server.ReferenceResolver.processReferenceToApplication(ReferenceResolver.java:589)
         at com.sap.engine.services.deploy.server.ReferenceResolver.processMakeReference(ReferenceResolver.java:399)
         at com.sap.engine.services.deploy.server.ReferenceResolver.beforeStartingApplication(ReferenceResolver.java:328)
         at com.sap.engine.services.deploy.server.application.StartTransaction.beginCommon(StartTransaction.java:162)
         at com.sap.engine.services.deploy.server.application.StartTransaction.beginLocal(StartTransaction.java:141)
         at com.sap.engine.services.deploy.server.application.ApplicationTransaction.makeAllPhasesLocal(ApplicationTransaction.java:356)
         at com.sap.engine.services.deploy.server.application.ParallelAdapter.runInTheSameThread(ParallelAdapter.java:132)
         at com.sap.engine.services.deploy.server.application.ParallelAdapter.makeAllPhasesLocalAndWait(ParallelAdapter.java:250)
         at com.sap.engine.services.deploy.server.DeployServiceImpl.startApplicationLocalAndWait(DeployServiceImpl.java:4450)
         at com.sap.engine.services.deploy.server.DeployServiceImpl.startApplicationsInitially(DeployServiceImpl.java:2610)
         at com.sap.engine.services.deploy.server.DeployServiceImpl.clusterElementReady(DeployServiceImpl.java:2464)
         at com.sap.engine.services.deploy.server.ClusterServicesAdapter.containerStarted(ClusterServicesAdapter.java:42)
         at com.sap.engine.core.service630.container.ContainerEventListenerWrapper.processEvent(ContainerEventListenerWrapper.java:144)
         at com.sap.engine.core.service630.container.AdminContainerEventListenerWrapper.processEvent(AdminContainerEventListenerWrapper.java:19)
         at com.sap.engine.core.service630.container.ContainerEventListenerWrapper.run(ContainerEventListenerWrapper.java:102)
         at com.sap.engine.frame.core.thread.Task.run(Task.java:64)
         at com.sap.engine.core.thread.impl5.SingleThread.execute(SingleThread.java:81)
         at com.sap.engine.core.thread.impl5.SingleThread.run(SingleThread.java:152)
    Caused by: com.sapportals.portal.prt.runtime.PortalRuntimeException: [ExternalApplicationItem.prepare]: SAPJ2EE::sap.com/grc~ccxsysejbear
         at com.sapportals.portal.prt.core.broker.ExternalApplicationItem.prepare(ExternalApplicationItem.java:188)
         at com.sapportals.portal.prt.core.broker.SAPJ2EEApplicationItem.prepare(SAPJ2EEApplicationItem.java:232)
         at com.sapportals.portal.prt.core.broker.SAPJ2EEApplicationItem.start(SAPJ2EEApplicationItem.java:192)
         at com.sapportals.portal.prt.service.sapj2ee.Mediator.getAndStartExternalApplication(Mediator.java:132)
         at com.sap.portal.prt.sapj2ee.StartPortalApplication.coreRun(StartPortalApplication.java:59)
         at com.sap.portal.prt.sapj2ee.StartPortalApplication.run(StartPortalApplication.java:36)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sapportals.portal.prt.core.broker.PortalApplicationNotFoundException: Could not find portal application ccxsysbgear
         at com.sapportals.portal.prt.core.broker.PortalApplicationItem.prepare(PortalApplicationItem.java:415)
         at com.sapportals.portal.prt.core.broker.ExternalApplicationItem.prepare(ExternalApplicationItem.java:180)
         ... 9 more
    #1.5 #0050568C003D00750000003B000026540004A12E88C693CF#1303121142088#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#sap.com/grc~reear#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#J2EE_ADMIN#117##YDSAPGRC_MGD_2172750#J2EE_ADMIN#4bfa377069a311e0b9230050568c003d#SAPEngine_Application_Thread[impl:3]_1##0#0#Error#1#/System/Server/WebRequests#Plain###application [RE] Processing HTTP request to servlet [REController] finished with error.
    The error is: java.lang.NullPointerException: null
    Exception id: [0050568C003D007500000039000026540004A12E88C68DAE]#
    Waiting for your responses as soon as possible because the system has to be up and running by Wednesday.
    Thanks in advance

    Hi Bilge,
    did you put your text in a blender before sending it?
    I understood everything works fine except the miscellaneous menu item in the configuration tab of ERM?
    Have you already tried to clear all browser cache, close all browsers and try it again?
    Best,
    Frank
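A way to read a dump like the one in the question without going through it by hand. This is an added example, not from the post and not SAP tooling: it splits defaultTrace records on the "#1.5 #" prefix, pulls the record ID, timestamp, location, application and severity out of the header, extracts the deepest "Caused by:" line of each stack trace, and groups Error records by the "Exception id" that appears both in the first NameNotFoundException record and in the later REController failure. The sample trace inside is constructed to mirror two of the records above with the stack frames cut down; the header field positions are taken from that layout as pasted and are an assumption for other trace versions.

```python
import re
from collections import defaultdict

# Constructed sample in the SAP J2EE defaultTrace record layout pasted in the
# question above (two records, stack frames cut down). Not the original log file.
SAMPLE_TRACE = """\
#1.5 #0050568C003D006800000011000026540004A12E73AF8A7C#1303120788268#com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager#sap.com/irj#com.sap.ip.collaboration.sync.impl.scf.usermanagement.SCFSystemManager.addDefaultAlias#J2EE_GUEST#0##n/a##98478fc069a211e0cef50050568c003d#Thread[ConfigurationEventDispatcher,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error##Plain###
[BEGIN] Exception -
javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content
     at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:407)
     at javax.naming.InitialContext.lookup(InitialContext.java:347)
Caused by: javax.naming.NameNotFoundException: Child not found: Collaboration_Integration_WebEx at portal_content
     at com.sapportals.portal.pcd.gl.xfs.XfsContext.getChildAtomicName(XfsContext.java:431)
     ... 18 more
[END] Exception -
Exception id: [0050568C003D007500000039000026540004A12E88C68DAE]#
#1.5 #0050568C003D00750000003B000026540004A12E88C693CF#1303121142088#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#sap.com/grc~reear#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#J2EE_ADMIN#117##YDSAPGRC_MGD_2172750#J2EE_ADMIN#4bfa377069a311e0b9230050568c003d#SAPEngine_Application_Thread[impl:3]_1##0#0#Error#1#/System/Server/WebRequests#Plain###application [RE] Processing HTTP request to servlet [REController] finished with error.
The error is: java.lang.NullPointerException: null
Exception id: [0050568C003D007500000039000026540004A12E88C68DAE]#
"""

SEVERITIES = {"Fatal", "Error", "Warning", "Info", "Path", "Debug"}
RECORD_START = re.compile(r"^#1\.5 #", re.M)
EXC_ID = re.compile(r"Exception id: \[([0-9A-Fa-f]+)\]")
CAUSED_BY = re.compile(r"^Caused by: (.+?)\s*$", re.M)
# A fully qualified Java exception class followed by the rest of its line.
THROWN = re.compile(r"((?:[\w$]+\.)+[\w$]*(?:Exception|Error)\b[^\n]*)")


def split_records(trace):
    """One defaultTrace record starts with '#1.5 #' and runs until the next one."""
    starts = [m.start() for m in RECORD_START.finditer(trace)]
    return [trace[s:e] for s, e in zip(starts, starts[1:] + [len(trace)])]


def parse_record(raw):
    """Header fields are '#'-separated up to the first '###'; the message follows."""
    header, sep, body = raw.partition("###")
    if not sep:
        raise ValueError("not a defaultTrace record: %r" % raw[:40])
    fields = header.split("#")   # ['', '1.5 ', record id, epoch ms, location, application, ...]
    body = body.strip().rstrip("#").strip()
    causes = CAUSED_BY.findall(body)
    thrown = THROWN.search(body)
    exc_id = EXC_ID.search(body)
    return {
        "record_id": fields[2],
        "epoch_ms": int(fields[3]),
        "location": fields[4],
        "application": fields[5],
        # Severity sits near the end of the header; its exact index differs between
        # the 'Plain' and '/System/Server' variants, so scan from the right.
        "severity": next((f for f in reversed(fields) if f in SEVERITIES), "Unknown"),
        "message": body.splitlines()[0] if body else "",
        "exception_id": exc_id.group(1).upper() if exc_id else None,
        "has_chain": bool(causes),
        # The deepest 'Caused by' is the real reason; otherwise the first thrown exception.
        "root_cause": causes[-1] if causes else (thrown.group(1).strip() if thrown else None),
    }


def correlate(trace):
    """Group Error/Fatal records by 'Exception id' so that the user-visible failure
    (the 500 from REController) is tied to the exception that produced it."""
    groups = defaultdict(list)
    for raw in split_records(trace):
        rec = parse_record(raw)
        if rec["severity"] in {"Error", "Fatal"} and rec["exception_id"]:
            groups[rec["exception_id"]].append(rec)
    report = {}
    for exc_id, recs in groups.items():
        recs.sort(key=lambda r: r["epoch_ms"])
        # Records that only say 'NullPointerException: null' are symptoms; prefer a
        # record that carries a 'Caused by' chain for the root cause.
        root = next((r["root_cause"] for r in recs if r["has_chain"]), recs[0]["root_cause"])
        report[exc_id] = {
            "root_cause": root,
            "applications": [r["application"] for r in recs],
            "symptoms": [r["message"] for r in recs if not r["has_chain"]],
            "span_ms": recs[-1]["epoch_ms"] - recs[0]["epoch_ms"],
        }
    return report


if __name__ == "__main__":
    for exc_id, info in correlate(SAMPLE_TRACE).items():
        print(exc_id)
        print("  root cause :", info["root_cause"])
        print("  symptoms   :", info["symptoms"])
        print("  apps       :", info["applications"], "over", info["span_ms"], "ms")
```

Run against a real defaultTrace file, the interesting output is a group whose symptom is the REController request failure and whose root cause is something unrelated to ERM, such as the missing Collaboration_Integration_WebEx portal content object here; that is the kind of pairing a cache clear will not fix, which is worth knowing before trying Frank's suggestion.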

  • IDM GRC Business Role managment

    Hi experts,
    We integrated SAP IDM with GRC,
    Now our requirement is creating a business role in IDM/GRC; a request for the business role is raised in IDM and approved by the role owner in GRC after risk analysis.
    But SAP said business roles and portal groups are not supported between the systems.
    Kindly suggest how to accomplish this.
    Regards,
    Jaya

    Hi Jaya,
    Yes, I remember this is possible. You can set up a custom attribute in GRC privileges and put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • What would be convenient way to backup mass roles details from GRC ?

    Hello SCN folks,
    For a GRC 10.1 environment in which 100k-plus roles are maintained, what would be an ideal and convenient way to back up the role details periodically? Since the volume is high, a direct export would result in a timeout and huge overhead on the system.
    Following are the generic steps to export one or multiple role details from GRC:
    Access Management work center -> Role Management -> Role Maintenance screen -> Choose one or multiple roles as per search parameters, Landscapes -> Click on "Role Details Export" -> Select all attributes to be exported -> Click on "Export"
    Regards,
    Suvonkar

    Hi Colleen,
    To maintain a backup of all the changes made to the role and profile attributes periodically in a large and dynamic SAP environment, and to back up new roles and attributes getting added in GRC for provisioning and risk simulation.
    Approver details changes: the backup also acts as a repository for reference for previous approvers.
    Role Name
    Landscape
    Role Type
    Description
    Business Process
    Subprocess
    Project Release
    Role Status
    Critical Level
    Sensitivity
    Profile Name
    Profile Description
    Functional Area
    Company
    Assignment Approver
    Role Content Approver
    Certification Period
    Reaffirm Period
    Etc
    Regards,
    Suvonkar

  • GRC AC 10.0: Info about rejected roles in the CUP Email

    Hello all,
    the GRC component CUP seems to be technically mature in comparison to the Role Management component, but there is one thing where I am not sure whether it is an error or I missed some config parameters:
    When the CUP request is closed, the user gets an email (Template ID: GRAC_AR_CLOSE). Not all of the roles were approved; some of the roles were rejected. But the user gets an email where only the approved roles are listed:
    We would like to inform the user about the status of all roles in the CUP request: which roles were approved and which roles were rejected. Is it possible to configure this in the MSMP workflow?
    Right now we have the following setting:
    Thanks,
    regards Sabrina

    Hi Sabrina,
    To notify the requester about the roles which got rejected, you can try the email notification template GRAC_MSMP_ERM_REJECTED for the message class.
    You can create custom version of this template. For more understanding on how to customize the Email notification template, you can refer to: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3?QuickLink=index&…
    Hope this helps, Let us know if you face any issues.
    Regards,
    Ameet

  • GRC 10 Role Management - Mass Role Derivation

    Hi All - 
    Does anyone know if it is possible to propagate the authorization data from multiple parent roles to their relevant child derived roles in mass in GRC 10?
    Using the standard 'Role Management -> Role Maintenance' feature you can propagate one parent role's auth data to all of its child derived roles; or alternatively, if accessing one child role, you can copy the auth data from the parent role. Either of these options would require you to open each parent role or each child role to push/pull auth data from a parent role to a child role.
    If this is not possible, it seems to leave a gap in the process of creating derived roles in mass.
    Via the 'Role Mass Maintenance -> Role Derivation' feature you can create derived roles in mass across multiple parent roles with multiple levels of derivation from each using Org Maps. This will create my derived roles and populate the organizational values only in PFCG. You can also update the derived roles' org values in mass if they change by updating your Org Maps and using the 'Role Mass Maintenance -> Derived Role Org Values Update' feature.
    However, these features do not propagate the non-org authorizations from the parent roles. Without a way to push/pull the non-org authorizations from the parent to the child, creating all the derived roles in mass doesn't quite actually create usable roles.
    I've noticed that when propagating authorizations on a one-by-one basis, GRC creates a background job "Auth Data Propagate". I'm really just hoping there is a way to do this in mass and I am just missing the obvious. I also know it would be possible via an eCATT script directly in SAP, but I'm looking specifically for options via the GRC tool.
    Thanks for the help!

    Nick -
    I actually just received a "final" response from SAP OSS support on this one.  Had a note open for the past 9 months or so where apparently the product management & development teams were discussing this issue.  The last update I received was about 10 days ago and essentially said this is not currently part of the tool:
    "This is an enhancement and is not currently supported. We will take it up in a future release. Please log this in the ideaplace under Access Controls"
    While I respect the decision, I can't necessarily say I agree that a "Mass Derivation" tool is working as intended if it cannot push / copy authorizations from a parent to a child role. If it can't create roles that are actually usable it would seem to be an issue with the current solution rather than a future enhancement imo. 
    The best workaround to this, is to utilize an eCATT script to go through all your derived roles you create in mass via GRC and have it go into PFCG and 'copy from' the parent authorizations and then regenerate the profiles.  That will give you actually complete & usable roles in a semi-automated fashion.

  • What BAPI's use the ERM of the SAP GRC AC 5.3 to create the roles in the R/

    Hello,
    Does somebody know what BAPIs the ERM of SAP GRC AC 5.3 uses to create the roles in R/3?
    Thank you in advance.
    Pablo Mortera.

    Pablo,
       I don't have access to the system right now. Go to SE38 and search for 'Virsa' BAPIs...it will list all the ERM BAPIs under RE. The naming convention is pretty straightforward so you will be able to find a create role BAPI. If you open this BAPI, you will be able to find the SAP delivered BAPI which is being used in PFCG.
    Alpesh

  • GRC AC 5.3 - Role Expert / Enterprise Role Management Dev Environ Connect

    We are looking to start using Role Expert/Enterprise Role Management. As I am working through the planning process, I am looking at where to connect our ERM DEV/QA/PROD environments. We want the ERM Production environment connected to our R/3 Development environment, so we can transport the roles from R/3 DEV to Q/A to PROD. So, if our production ERM system is connected to the R/3 DEV, where do I connect the ERM DEV and QA environments? I still think it's important to have those environments, so we can test support pack upgrades as well as use them for the initial deployment/connections. Any suggestions? How have others done this?

    Found Answer - SAP provided Access Control Landscape Diagram on SAP.com.

  • OBIEE 11g - Application role migration from DEV to UAT or to PROD

    Hello All,
    There are blogs which mention application role migration from dev to UAT or Prod.
    Kindly provide the correct path of the below two files which we use for application role migration:
    1. system-jazn-data.xml
    2. jps-config.xml
    I have searched these files but noticed there are 3 or 4 files with same name under different paths.
    Kindly help. TIA
    Regards

    If you mess up these files, your system will get corrupted.
    You need to take a proper backup and then get it done.
    Another way where you can avoid this risk is to manually enter the roles. Creating roles is a one-time effort unless you keep deleting and creating new roles. If you do it manually you will have more control over the migration and you can fix it easily if there is an issue. Note, the migration of roles does not map the groups to roles; you still have to map them manually.
    OBIEEHOME\user_projects\domains\bifoundation_domain\config\fmwconfig
    1. system-jazn-data.xml
    2. jps-config.xml

  • Error in oim Role creation using Role Manager Service API from Standalone Java client

    Hi,
    Facing the following error when trying to create a role using the Role Manager Service API from a standalone Java client.
    Tried the solution of changing the following:
    Log into the WebLogic Admin Console --> Servers --> OIM Server --> Protocols --> modify the Maximum Message Size from 100000000 to 1000000000, but the problem still persists.
    Exception in thread "main" org.omg.CORBA.BAD_PARAM:   vmcid: 0x0  minor code: 0  completed: No
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.getSystemException(Unknown Source)
    at com.sun.corba.se.impl.protocol.giopmsgheaders.ReplyMessage_1_2.getSystemException(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.getSystemExceptionReply(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.processResponse(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.marshalingComplete(Unknown Source)
    at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.invoke(Unknown Source)
    at org.omg.CORBA.portable.ObjectImpl._invoke(Unknown Source)
    at com.sun.org.omg.SendingContext._CodeBaseStub.meta(Unknown Source)
    at com.sun.corba.se.impl.encoding.CachedCodeBase.meta(Unknown Source)
    at com.sun.corba.se.impl.io.IIOPInputStream.getOrderedDescriptions(Unknown Source)
    at com.sun.corba.se.impl.io.IIOPInputStream.inputObjectUsingFVD(Unknown Source)
    at com.sun.corba.se.impl.io.IIOPInputStream.simpleReadObject(Unknown Source)
    at com.sun.corba.se.impl.io.ValueHandlerImpl.readValueInternal(Unknown Source)
    at com.sun.corba.se.impl.io.ValueHandlerImpl.readValue(Unknown Source)
    at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_value(Unknown Source)
    at com.sun.corba.se.impl.encoding.CDRInputStream.read_value(Unknown Source)
    at oracle.iam.identity.rolemgmt.api._RoleManager_ogut7n_RoleManagerRemoteRIntf_Stub.createx(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
    at $Proxy2.createx(Unknown Source)
    at oracle.iam.identity.rolemgmt.api.RoleManagerDelegate.create(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
    at weblogic.security.subject.SubjectProxy.doAs(SubjectProxy.java:64)
    at weblogic.security.subject.SubjectManager.runAs(SubjectManager.java:262)
    at weblogic.security.Security.runAs(Security.java:48)
    at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
    at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
    at $Proxy3.create(Unknown Source)
    at com.idm.role.CreateRole.createRole(CreateRole.java:113)
    at com.idm.role.CreateRole.main(CreateRole.java:167)
    Thanks In Advance

    Hi, I have used OIM 11g R2.
    Please find below the code we have used:
    package com.idm.role;

    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Hashtable;
    import java.util.Iterator;
    import java.util.Set;
    import java.util.logging.Logger;
    import javax.security.auth.login.LoginException;
    import oracle.iam.identity.exception.NoSuchRoleException;
    import oracle.iam.identity.exception.RoleAlreadyExistsException;
    import oracle.iam.identity.exception.RoleCreateException;
    import oracle.iam.identity.exception.RoleLookupException;
    import oracle.iam.identity.exception.RoleModifyException;
    import oracle.iam.identity.exception.SearchKeyNotUniqueException;
    import oracle.iam.identity.exception.ValidationFailedException;
    import oracle.iam.identity.rolemgmt.api.RoleManager;
    import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
    import oracle.iam.identity.rolemgmt.vo.Role;
    import oracle.iam.platform.OIMClient;
    import oracle.iam.platform.authz.exception.AccessDeniedException;

    public class CreateRole {
        private final static Logger LOGGER = Logger.getLogger(CreateRole.class.getName());
        OIMClient oimClient = null;

        // Builds an OIMClient against the OIM managed server over t3 and logs in with a
        // JAAS session; authwl.conf and xl.policy are the client-side files shipped with
        // the Design Console install.
        public OIMClient connectToOIM() {
            LOGGER.info("In connectToOIM ");
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
                "weblogic.jndi.WLInitialContextFactory");
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL,
                "t3://V-hydidm1.itig.co.in:14000");
            System.setProperty("java.security.auth.login.config",
                "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\authwl.conf");
            System.setProperty("java.security.policy",
                "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\xl.policy");
            System.setProperty("OIM.AppServerType", "wls");
            System.setProperty("APPSERVER_TYPE", "wls");
            System.setProperty("weblogic.Name", "oim_server1");
            oimClient = new OIMClient(env);
            try {
                // Admin credentials are hard-coded here as posted; a real client should
                // read them from a protected store rather than the source file.
                oimClient.login("xelsysadm", "Passw0rd".toCharArray());
                System.out.println("Connected");
            } catch (LoginException e) {
                e.printStackTrace();
            }
            return oimClient;
        }

        // Looks up the role by display name and prints its attribute names and the
        // custom (UDF) attributes used by this installation.
        public void readRoleMetadata() {
            LOGGER.info("in readRoleMetadata ");
            RoleManager roleManagerService = oimClient.getService(RoleManager.class);
            try {
                Role roleVo = roleManagerService.getDetails(
                    RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
                Set<String> attributeNameSet = roleVo.getAttributeNames();
                Iterator<String> it = attributeNameSet.iterator();
                while (it.hasNext()) {
                    System.out.println("Attribute Name :: " + it.next());
                }
                // roleVo.setAttribute("ADentitlements", "Security Admin access");
                String adEntitlements = "" + roleVo.getAttribute("ADentitlements");
                System.out.println("AD Entitlements :: " + adEntitlements);
                System.out.println("DB Entitlements :: " + ""
                    + roleVo.getAttribute("DBEntitlements"));
                System.out.println("Unix Entitlements :: " + ""
                    + roleVo.getAttribute("UnixWindows"));
                System.out.println("VPN :: " + "" + roleVo.getAttribute("VPN"));
            } catch (SearchKeyNotUniqueException e) {
                e.printStackTrace();
            } catch (NoSuchRoleException e) {
                e.printStackTrace();
            } catch (RoleLookupException e) {
                e.printStackTrace();
            } catch (AccessDeniedException e) {
                e.printStackTrace();
            }
        }

        // Creates the role through RoleManager; the attribute map carries the standard
        // name/description/display name keys plus the installation's custom attributes.
        public void createRole() {
            LOGGER.info(" in Create role ");
            RoleManager roleManagerService = oimClient.getService(RoleManager.class);
            HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
            roleCreationAttrMap.put(RoleManagerConstants.ROLE_NAME, "API Role1");
            roleCreationAttrMap.put(RoleManagerConstants.ROLE_DESCRIPTION,
                "This Role is created using API Role1");
            roleCreationAttrMap.put(RoleManagerConstants.ROLE_DISPLAY_NAME,
                "API Role1");
            roleCreationAttrMap.put("ADentitlements", "API Role1 AD Entitlements");
            roleCreationAttrMap.put("DBEntitlements", "API Role1 DB Entitlements");
      roleCreationAttrMap.put("VPN", "No");
      roleCreationAttrMap.put("UnixWindows", "API Role1 Unix Entitlements");
      Role roleVo = new Role(roleCreationAttrMap);
      try {
       System.out.println(" Before Create role *********************************************");
       roleManagerService.create(roleVo);
       System.out.println("Role Created .. ");
      } catch (ValidationFailedException e) {
       e.printStackTrace();
      } catch (RoleAlreadyExistsException e) {
       e.printStackTrace();
      } catch (RoleCreateException e) {
       e.printStackTrace();
      } catch (AccessDeniedException e) {
       e.printStackTrace();
    public void modifyRole() {
      LOGGER.info(" in modifyRole ");
      RoleManager roleManagerService = oimClient
        .getService(RoleManager.class);
      Role roleVo;
      try {
       roleVo = roleManagerService.getDetails(
         RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
       String roleKey = roleVo.getEntityId();
       HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
       roleCreationAttrMap.put("ADentitlements",
         "Updated API Role1 AD Entitlements");
       Set roleKeySet = new HashSet<String>();
       roleKeySet.add(roleKey);
       Role roleVoNew = new Role(roleCreationAttrMap);
       roleManagerService.modify(roleKeySet, roleVoNew);
       System.out.println("Role Modified ..");
      } catch (SearchKeyNotUniqueException e) {
       e.printStackTrace();
      } catch (NoSuchRoleException e) {
       e.printStackTrace();
      } catch (RoleLookupException e) {
       e.printStackTrace();
      } catch (AccessDeniedException e) {
       e.printStackTrace();
      } catch (ValidationFailedException e) {
       e.printStackTrace();
      } catch (RoleModifyException e) {
       e.printStackTrace();
    public static void main(String args[]) {
      CreateRole miscObj = new CreateRole();
      miscObj.connectToOIM();
      miscObj.createRole();
      //miscObj.readRoleMetadata();
    Thanks in advance.

  • SUN ROLE MANAGER INSTALLATION HASSLE

    I am installing Sun Role Manager 5.0 on Tomcat 6.0.2.
    I am facing a context initialization error when I deploy rbacx.war. The rbacx.log file's content is shown below. (This log file gets created in the log folder of the Tomcat server after deployment.)
    12:19:34,289 ERROR [ContextLoader] Context initialization failed
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'certificationEventListener' defined in ServletContext resource [WEB-INF/idc-context.xml]: Cannot resolve reference to bean 'rbacxIDCService' while setting bean property 'rbacxIDCService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'rbacxIDCService' defined in ServletContext resource [WEB-INF/idc-context.xml]: Cannot resolve reference to bean 'rbacxIDWService' while setting bean property 'rbacxIDWService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'rbacxIDWService' defined in ServletContext resource [WEB-INF/idw-context.xml]: Cannot resolve reference to bean 'mLRbacxRoleMiningService' while setting bean property 'roleMiningService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'mLRbacxRoleMiningService' defined in ServletContext resource [WEB-INF/rolemining-context.xml]: Cannot resolve reference to bean 'roleMiningServiceTarget' while setting bean property 'target'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'roleMiningServiceTarget' defined in ServletContext resource [WEB-INF/rolemining-context.xml]: Cannot create inner bean 'mLRbacxRoleMiningServiceImpl' of type [com.vaau.rbacx.rolemining.service.impl.MLRbacxRoleMiningServiceImpl] while setting bean property 'rbacxRoleMiningService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'mLRbacxRoleMiningServiceImpl' defined in ServletContext resource [WEB-INF/rolemining-context.xml]: Cannot resolve reference to bean 'roleMiningConfigurationManager' while setting bean property 'roleMiningConfigurationManager'; nested exception is
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'roleMiningConfigurationManager' defined in ServletContext resource [WEB-INF/rolemining-context.xml]: Error setting property values; nested exception is org.springframework.beans.PropertyBatchUpdateException; nested PropertyAccessExceptions (1) are:
    PropertyAccessException 1: org.springframework.beans.MethodInvocationException: Property 'normalize' threw exception; nested exception is com.thoughtworks.xstream.io.StreamException: : only whitespace content allowed before start tag and not \u0 (position: START_DOCUMENT seen \u0... @1:1)
    Edited by: chhavi.saluja on Jan 25, 2010 2:35 AM

    is com.thoughtworks.xstream.io.StreamException: : only whitespace content allowed before
    start tag and not \u0 (position: START_DOCUMENT seen \u0... @1:1) Well, looks like one of these xml thingies is broken.

  • Problems with the installation of Oracle Role Manager

    Hello everyone,
    I have a problem with the deployment on JBoss 4.0.5GA; I just cannot load the Role Manager Administrative Console (http://localhost:8080/ormconsole).
    I tried loading JBoss, and the app server console does load (http://localhost:8080).
    I also tried loading the Role Manager Web UI and had no problems (http://localhost:8080/webui).
    I used the "Install Software Only" installation method so that I can then do the integration with OIM.
    Any suggestions for solving this problem?
    Part of the Log:
    14:17:02,953 ERROR [URLDeploymentScanner] Incomplete Deployment listing:
    --- Incompletely deployed packages ---
    org.jboss.deployment.DeploymentInfo@40e1e159 { url=file:/C:/jboss-4.0.5.GA/server/default/deploy/server.ear }
    deployer: org.jboss.deployment.EARDeployer@873723
    status: Deployment FAILED reason: URL file:/C:/jboss-4.0.5.GA/server/default/tmp/deploy/tmp18940server.ear-contents/ormconsole-exp.war/ deployment failed
    state: FAILED
    watch: file:/C:/jboss-4.0.5.GA/server/default/deploy/server.ear
    altDD: null
    lastDeployed: 1228418189671
    lastModified: 1228418186515
    mbeans:
    --- MBeans waiting for other MBeans ---
    ObjectName: jboss.web.deployment:war=ormconsole.war,id=-1206236729
    State: FAILED
    Reason: org.jboss.deployment.DeploymentException: URL file:/C:/jboss-4.0.5.GA/server/default/tmp/deploy/tmp18940server.ear-contents/ormconsole-exp.war/ deployment failed
    --- MBEANS THAT ARE THE ROOT CAUSE OF THE PROBLEM ---
    ObjectName: jboss.web.deployment:war=ormconsole.war,id=-1206236729
    State: FAILED
    Reason: org.jboss.deployment.DeploymentException: URL file:/C:/jboss-4.0.5.GA/server/default/tmp/deploy/tmp18940server.ear-contents/ormconsole-exp.war/ deployment failed
    14:17:03,281 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
    14:17:03,718 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
    14:17:03,781 INFO [JkMain] Jk running ID=0 time=0/94 config=null
    14:17:04,015 INFO [Server] JBoss (MX MicroKernel) [4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)] Started in 1m:35s:859ms
    Thank you

    Hi JLK,
    I think I have solved the problem. Try to install Oracle Role Manager with the installer, select "Install Software and Configure", and install the "Standard Model" into the database. Don't deploy the standard.car file.
    I hope I could help you.
    Thomas

  • Multi Value Recertification in Role Manager

    Hi Everybody,
    Is there any feature called multi-valued recertification in Role Manager (OIA)?
    Regards,
    Ravindra

    Hi Rav,
    When you talk about 'radio buttons' and right side/left side, it sounds like you're using SRM 4.x instead of OIA 11g. Am I correct? If not, can you tell us what version you're using?
    In SRM you see the attribute on the left-hand side, then the attribute values associated with that attribute on the right-hand side.
    (In OIA it's all grouped together in step 2.)
    Simple answer: YES, you can bring in an attribute as multiple values, and also bring in, which I believe is what you want, attribute values associated with that attribute.
    Example below: Attribute 1 has 'multiple values', Attribute 2 has multiple values associated with that attribute.
    Application
    .....|______ Attribute 1 = Value 1
    .....|______ Attribute 1 = Value 2
    .....|______ Attribute 2
    .........................|_____ Attribute Value 1
    .........................|_____ Attribute Value 2
    To get Attribute 2 results, you need to bring in the data as XML to get that hierarchical structure, as a CSV will only give you one level of depth.
    Regards,
    Daniel
    Edited by: Daniel Redfern on 12-Jun-2011 02:01
    Edited by: Daniel Redfern on 12-Jun-2011 02:03

  • Custom Distribution Group management role (manager exception)

    My organization is medium-sized with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
    By manage I mean edit the group membership. I realize I can achieve this with AD permissions, but I'd like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
    technical; some are office admins. Anyway, below is what I've tried in my lab, scoped to one of my support groups.
    Using the cmdlets below I've created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
    words, they can log on to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc., but when they select "Add..." under membership, then select the user and hit ok\save, they get the error "you don't have
    sufficient permissions. this operation can only be performed by a manager of the group".
    New-ManagementScope -Name "Sales Support DG MScope" -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot "lab.com/sales"
    New-ManagementRole -Name "Sales Support DG MRole" -Parent "Distribution Groups"
    New-RoleGroup -Name "Sales Support DG MGroup" -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
    When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
    group "Sales Support DG MGroup" AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I'm missing?
    Below confirms my scope.
    Get-Group -OrganizationalUnit "lab.com/sales" | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
    Name DisplayName SamAccountName GroupType
    distro1 distro1 distro1 Universal, SecurityEnabled
    distro2 distro2 distro2 Universal, SecurityEnabled
    distro3 distro3 distro3 Universal, SecurityEnabled
    On a side note, I realize that sourcing my management role from Distribution Groups gives me more cmdlets\access than my support group needs (see below). I'm first just trying to get it to work :).
    Get-ManagementRole "Sales Support DG MRole" | Get-ManagementRoleEntry | select name
    Name
    Add-DistributionGroupMember
    Disable-DistributionGroup
    Enable-DistributionGroup
    Get-ADServerSettings
    Get-AcceptedDomain
    Get-DistributionGroup
    Get-DistributionGroupMember
    Get-DomainController
    Get-DynamicDistributionGroup
    Get-Group
    Get-MailUser
    Get-Mailbox
    Get-OrganizationalUnit
    Get-Recipient
    Get-ResourceConfig
    Get-User
    New-DistributionGroup
    New-DynamicDistributionGroup
    Remove-DistributionGroup
    Remove-DistributionGroupMember
    Remove-DynamicDistributionGroup
    Set-ADServerSettings
    Set-DistributionGroup
    Set-DynamicDistributionGroup
    Set-Group
    Set-OrganizationConfig
    Update-DistributionGroupMember
    Write-AdminAuditLog

    Hello,
    I understand that you have created a custom management scope for each group and assigned a custom role to it.
    But whenever a user tries to edit (add/remove membership), it shows the error "you don't have sufficient permissions". I faced a similar problem when we moved from 2007 to 2010; 2010 by default disabled editing options for DL membership.
    You can enable it in graphic mode or PowerShell. Since you have created a custom role, I would suggest that you follow the PowerShell mode. I had written a blog on that.
    Check the link below: http://exchange2010cmd.blogspot.de/
    You have created the new management role "Sales Support DG MRole", but you need to assign this role to users/administrators, in your case through a role assignment policy.
    You can either use the existing default policy or create a new policy and assign this management role to it.
    Use the cmd below: New-ManagementRoleAssignment -Role "Sales Support DG MRole" -Policy "Default Role Assignment Policy"
    NOTE: If you are creating a new policy, place that name instead of the default policy name.
    I recommend you continue with the default policy. After this, check with any admin; he should have rights to edit membership.
    Now, regarding your second concern, that your custom role has too many role entries.
    You can remove unwanted role entries.
    Use this cmd: Get-ManagementRoleEntry "Sales Support DG MRole\*" | where{ $_.name -like "Set-distributionGroup" } | remove-managementroleentry
    Before linking the management role to the policy, remove unwanted role entries from the role.
    I tried to explain it in an easy way, but if it is still not understood, write back to me. I am new to the TechNet forum; I started replying to questions a few days back. If you get your answer, don't forget to propose it as the answer.
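    One way to carry out the role-entry trimming raised in the question's side note and in the reply above, as an added example rather than either poster's own commands: the $keep list is an assumption about what a support group needs to view and edit membership, so the preview run with -WhatIf comes first and nothing is removed until the list has been reviewed.

```powershell
# Added example, not from the thread. Trims the custom role created in the question
# down to the entries needed to view and edit distribution-group membership.
# The $keep list is an assumption; adjust it before the real run.
$role = "Sales Support DG MRole"
$keep = @(
    "Get-DistributionGroup",
    "Get-DistributionGroupMember",
    "Add-DistributionGroupMember",
    "Remove-DistributionGroupMember",
    "Update-DistributionGroupMember",
    "Get-Recipient",
    "Get-User",
    "Get-Group",
    "Write-AdminAuditLog"    # keep admin audit logging of the group's actions
)

# Preview: list the entries that would be dropped without changing the role
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -WhatIf

# Apply: remove every entry not on the keep list
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Verify what the role still grants, and that its assignment is still
# write-scoped to the sales OU rather than the whole organization
Get-ManagementRoleEntry "$role\*" | Select-Object Name
Get-ManagementRoleAssignment -Role $role |
    Format-List RoleAssignee, CustomRecipientWriteScope, RecipientWriteScope
```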
