Group-Group & Role-Group Mapping

Hi Experts,
Please provide the format of an ume script to Create a New Group and simultaneously assign an existing Group to the new one under Parent Groups.
I am using the below format, but the existing Group is being assigned under Child Groups.
[group]
gid=Group1
group=GroupA
[group]
gid=Group2
group=GroupB
[group]
gid=Group3
group=GroupC
Also, Please provide the format of an ume script to assign an existing role to an existing Group.
The below format doesnot work.
[role]
rid=Role1
group=Group1
[role]
rid=Role2
group=Group2
[role]
rid=Role
group=Group3
Please suggest on this. It would be really helpful.
Thanks!
Regards,
Divya

Divya,
Divya pk wrote:
Please provide the format of an ume script to Create a New Group and simultaneously assign an existing Group to the new one under Parent Groups.
A "script" means something functional, this funcionality doesnt exists in that form in EP. What you mean are the descriptors produced by the UME through the export function
There is no need for providing any examples to you, you can easily create a descriptor for whatever scenario you need simply by using UME export. Due my experience there are only 2 things you need to know about that:
1.)try to avoid the description field, it will cause problems
2.)the import engine is handling your definitions in the order they are comming, if any entities are missing, the import process will fail
regards

Similar Messages

Role grouping

Hi Xperts
Role group has been created and couple of roles assigned to it.But when creating
Org and Group, my role grouping is not displayed in the drop down list.At the same time it is available in the list if trying to create Person.
Can somebody throw some light on this
Thanks
Jessy

Hi Jessy,
Just check the roles u have assigned in ur BP role gouping are valid for all the BP categories.
For this goto:
SAP Implementation Guide-> Cross-Application Components->SAP Business Partner->Business Partner->Basic Settings->Business Partner Roles->Define BP Roles
1. View the Roles u have added in BP Role Grouping and check their BP role category.
2. Now In BP Role category , check if in Possible Bussiness partner category the all the Bussiness partner categories are selected (Person, Organization, Group)
In case in ur BP role category, u have a role which is valid for just one BP category say person, even ur BP role grouping will be visible in Person category.
Regards,
Shalini Chauhan

How to access the mapping of Groups and Roles in the JAVA Application

We have mapped the EJB roles with the groups through the Visual Administrator. We have developed the SSO. We have developed the application through which we are creating the user and role and mapping that role with the created user. The created role is saved in some LDAP directory. The second application in which ejb methods are mapped with some security roles.The LDAP roles we are getting in Netweaver as groups and we can perform the mapping of the deployed ejb roles with the group.Now for the logged in user we want to get the roles mapped with it so that we can give/deny the access to the methods from EJB as per the role of that user .How we will get the access to the mappings of the roles with the group in the application, if I know the LDAP roles mapped with the user (since these roles are accessible as groups in the NetWeaver)
For e.g. From application created the user with the role as "manager". This role is stored in iPlanet directory.
This directory is mapped in the Netweaver.The manager role is displayed as the group in the Netweaver.
Created the EJB application with the method "displayTheAccountDetails() with the role as "ManagerRole"
This role is mapped with the manager group. Now we are having the details about the logged in user and the LDAP roles mapped to it (maneger role). How I will get the access to the details that for this group which ejb role is mapped in the application. So depending on that I can allow/deny the access to the ""displayTheAccountDetails()" method to the logged in user.

Do you, guys, work together?
See the last answer in this thread: How database works in UCM?

Assign role, group to Human Task when initiated

Hi all,
Currently, when user login to BPM and create new task instance, i can get roles and groups of that user by programming. I want to assign roles of user to that task instance dynamically when user click SUBMIT button (Because i want to restrict users belong role are able to do this task, each user belong to a role and group can do it).
Somebody help?
Thanks.

Hi Ming
1. If you want to intercept any Actions from a Task like Save, Submit, Approve, Reject etc, you can create your own class like MyAppTaskValidationCallback that implements oracle.bpel.services.workflow.task.ITaskValidationCallback and in this overwrite one method named validateTaskOperation(bunch of parameters). See APIs for this.
In this method, you can get the action performed on the task. Also you can get the complete Payload of the Task including your custom payload and the standard Task Payload stuff like History, Attachments, Comments etc. You can write some simple XML Parser utility methods to get and set attributes in the Payload xsd schema. So in your case, in this method, get Roles, Groups of the logged in user. Check the action performed. If he is not allowed to do that operation, throw the error from this method. Else continue with your logic. To begin with create java class like above, add this code snippet and just explore the data.
Now, just curious. If your requirement is really to control the actions based on User Role/Groups, did you try to use the out of box functionality and avoid this custom logic. Say for BPM Applications, we have Swimlanes / Roles. Only users belonging to that Role, can work on that Tasks. Try to use out of box stuff as much as possible, unless you really need custom assignment logic.
Thanks
Ravi Jegga
Just giving the code snippet to get an idea. But do refer the online APIs for more information.
public void validateTaskOperation(ITaskValidationCallback.TaskAction taskAction, IWorkflowContext iWorkflowContext, Task task, Map<String, Object> parameters, Locale locale, List<String> errors) {
try {
Element taskPayload = task.getPayloadAsElement();
String taskTitle;
String taskOutcome;
SystemAttributesType taskSystemAttributes = task.getSystemAttributes();
taskTitle = task.getTitle();
System.out.println("MyAppTaskValidationCallback::validateTaskOperation() Begin For TaskTitle: " + taskTitle + " -> TaskAction: " + taskAction + " -> Parameters:\n" + parameters);
if(taskAction == TaskAction.ACQUIRE) {
      System.out.println("Inside ACQUIRE");
      //parameters.put("AcquiredBy", iWorkflowContext.getUser());
} else if(taskAction == TaskAction.OUTCOME_UPDATE) {
    System.out.println("Inside OUTCOME_UPDATE");
} catch (Exception anException) {
anException.printStackTrace();
}

Simple (dumb) role/group question

Hi all,
I see in a number of places where I can define roles using a
"principal-name". Can I use a realm group here as well as a single user?
What I'm looking for is a method where I can set up my roles in my web appps
and ejbs and then on the fly grant users rights by adding them to a group.
Certainly seems possible but I must be missing something.
Consider the following example (from the weblogic documentation) and let me
know if I can use realm groups for the section attributed to the
weblogic.xml file. (I marked it with ***).
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureOrdersEast</web-resource-name>
<description>
Security constraint for resources in the orders/east directory
</description>
<url-pattern>/orders/east/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>constraint for east coast sales</description>
<role-name>east</role-name>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role> <description>east coast sales</description>
<role-name>east</role-name></security-role>
<security-role> <description>managers</description>
<role-name>manager</role-name></security-role>
weblogic.xml entries *** Can these come from the realm????????***
<security-role-assignment> <role-name>east</role-name>
<principal-name>tom</principal-name>
<principal-name>jane</principal-name>
<principal-name>javier</principal-name>
<principal-name>maria</principal-name> </security-role-assignment>
<security-role-assignment> <role-name> manager </role-name>
<principal-name>peter</principal-name>
<principal-name>georgia</principal-name></security-role-assignment>

I am not sure what exactly you are looking for. Here is what I can tell you.
For EJBs you can defind a group in NDS and map this group to a role in EJB deployment
descriptor xml file. Then every one in the group will be authenticated to access
the EJB by WLS.
Yong
"Ilango Maragathavannan" <[email protected]> wrote:
>
I am facing the same problem. To add the version of Weblogic it is WLS6.0sp1.
I would appreciate any help.
"Kent Mitchell" <[email protected]> wrote:
Hi all,
I see in a number of places where I can define roles using a
"principal-name". Can I use a realm group here as well as a singleuser?
What I'm looking for is a method where I can set up my roles in my web
appps
and ejbs and then on the fly grant users rights by adding them to agroup.
Certainly seems possible but I must be missing something.
Consider the following example (from the weblogic documentation) and
let me
know if I can use realm groups for the section attributed to the
weblogic.xml file. (I marked it with ***).
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureOrdersEast</web-resource-name>
<description>
Security constraint for resources in the orders/east directory
</description>
<url-pattern>/orders/east/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>constraint for east coast sales</description>
<role-name>east</role-name>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role> <description>east coast sales</description>
<role-name>east</role-name></security-role>
<security-role> <description>managers</description>
<role-name>manager</role-name></security-role>
weblogic.xml entries *** Can these come from the realm????????***
<security-role-assignment> <role-name>east</role-name>
<principal-name>tom</principal-name>
<principal-name>jane</principal-name>
<principal-name>javier</principal-name>
<principal-name>maria</principal-name> </security-role-assignment>
<security-role-assignment> <role-name> manager </role-name>
<principal-name>peter</principal-name>
<principal-name>georgia</principal-name></security-role-assignment>

NWA 7.1 - User Administration with regards to Roles/Groups

Hello,
Environment = NWA 7.1 , Java Stack Only , No Central User Administration
Situation      = One group of individuals responsible for developing and maintaining Java Roles & Groups
                      (Permissions). Another group of individuals responsible for maintaining Users and
                      allocating the above Roles & Groups to the Users.
In accordance with various documentation (ie. http://help.sap.com/saphelp_nwpi711/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm) I have set up a Role which includes the actions: UME.Manage_Roles, UME.Manage_Groups, UME.Manage_Users, UME.Manage_All_User_Passwords & UME.Read_All. This Role is intended for the second group of individual mentioned above.
The problem is however that with the mentioned actions they can not only allocate an user to a Role or Group but also delete the Role/Group from the system. Without the above actions in the Role it is not possible to assign Users to a Role/Group.
This leads me to the question if it is possible to split these two various areas of responibility or does NWA 7.1 view both activities as residing in only group (documentation to this effect would be helpful). If not, which actions will ensure that only Users can be administered but the rights to the system (Roles/Groups) can not be tampered with.
Many thanks in advance,
Jay

Hi Jay,
UME.Manage_All Provides permissions required by an overall user administrator.
These include:
u2022 Administration of users belonging to any company and
possibility of assigning users to companies
(In a multitenant portal, even if a tenant user is assigned this
action, he or she will still only have access to users, groups,
and roles in his or her tenant.)
u2022 Group management
u2022 Role assignment
u2022 User mapping
u2022 Import and export of user data
u2022 Manual replication of user data
To set up delegated user administration, overall user administrators
must belong to a role to which the UME.Manage_All action is
assigned.
In portal installations, any role that includes the UME.Manage_All
action automatically has Role Assigner permissions on all portal roles in the portal installation.
Try this.
Regards,
Gowrinadh

Defualt group and role size

What is the default size or number of charachters allowed while creating a group or role in Oracle Identity Manager?

Default it is 30.
See Formmetadata.xml
<Attribute name="-30" label="UserGroupAdmin.message.groupName" displayComponentType="TextField" variantType="String" dataLength="30" map="Groups.Group Name" />
You can modify it. If you want to increase it then you'll have to increase it at the database level also.
alter table UGP modify UGP_NAME varchar2(2000 char);
Don't forget to restart the server.

11g Groups of Roles & Data filters

Hi Guys,
In 11g OBIEE, when we create 3 applications roles ,
Role_A
Role_B
Role_DataFilter (Fact1 = 'XYZ') (* this role is mapped to other two application roles Role_A & Role_B)
Two without no datafilters and one with a datafilter.
When one user get assign to Role_A & Role_B , we found the Fact1='XYZ' gets applied twice (with or clause).
However in the My Account -> Roles and groups shows only 3 roles which assigned.
Is this the expected behavior or a bug?
Seems we can not overlap different data-filters in roles.
Thanks!
Nils.

I encounterd the simliar issue on setting the presentation table permissions.
Take the original Sample Sales Lite model for example.
I set the permissions of TIME table to "No Access" for all default application roles: Everyone, BIAdministrator, BIAuthor, BIConsumer, BISystem and weblogic. Then I login with weblogic account, but I still could see the TIME table in the Subject area.
I'm very confused why there's nothing happened. Is there is any other configuration need to be enable to the Security Control?

GRC CUP - How to add a custom field in "Select Roles/Groups" form

Hi Forum,
I created a custom field "REGION" in CUP configuration. I used this field in "Role Attributes"
In "New Account" workflow, when i click on Select Roles/Groups" a screen for Select Roles/Groups will display to select the roles by different combinations.
I need this "REGION" field in the above selection creria to select roles by REGION.
How to make this field "REGION" appear in above selet cretiria.
Thanks,
RAM
Edited by: Ram.Sathish on Apr 21, 2011 3:46 PM

you can not add custom fields in the search, have you thought about using the company field as the fied for location?
Regards,
Chinmaya

LDAP/AD Role group user login issue in sharepoint 2010 FBA with LDAP

Hi.
I created sharepoint 2010 site with LDAP FBA.If I add the AD user as form based user and try to login to my site its working very well but if I add a AD Group in to my site and try to login with one of the AD user of this group its say "Access
Denied".
In my project we want add AD group in sharepoin Groups not a individual AD users.
Can anyone help me with this please its urgant?

I added both LDAP membership and LDAP Role provider.And I can also find groups in people picker in my Central Admin and FBA Web app site colleciton.
<add name="ADMembers"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="company.com"
port="389"
useSSL="false"
userNameAttribute="sAMAccountName"
userContainer="DC=company,DC=com"
userObjectClass="person"
userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
userDNAttribute="distinguishedName"
scope="Subtree"
enableSearchMethods="true"
otherRequiredUserAttributes="sn,givenname,cn"
/>
<add name="ADRoles"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="Company.com"
port="389"
useSSL="false"
groupContainer="DC=Company,DC=com"
groupNameAttribute="cn"
groupNameAlternateSearchAttribute="samAccountName"
groupMemberAttribute="member"
userNameAttribute="sAMAccountName"
dnAttribute="distinguishedName"
groupFilter="(ObjectClass=group)"
userFilter="(ObjectClass=person)"
scope="Subtree" />

MDG-S BP Grouping,BP Role,BP Categeory and ERP Vendoe Account Group

Hi
Can anybody explains me releationship between MDG-S BP Grouping,BP Role,BP Categeory and ERP Vendoe Account Group?
It seems there is no requried field except Change Request Description.If we input value for CR Description only, we can still able to sumbit and activate CR and Bussiner Partner ID (Which is internally generated) will be stored in MDG stagging table for entity type BP_HEADER.
My question is then what is use of BP Grouping,BP role in this as it contains blank value? Also it observed that for new ERP Vendor the Account Group field is always in non editable mode,Any reason for this? Same issue with Company Code after selecting CC it displayed as non editable field before submitting CR as well.

Hi Sanjay,
When you select New -> Organization, below screen comes, In Grouping drop down you need to select Vendor Account Group and in Role list enter role.
Follow same procedure when you want to create next vendor.
Under new pushbutton, you will get three options:
Organization means when you want to create vendor.
Person means you are creating person not vendor, these person you can assign as a contact person to the vendor in Relationship tab.
Regards,
Sudhir

Assign SQ03 Abap Query User Group to role

Please advise how to assign SQ03 Abap Query User Group to a role. Thanks.
Moderator message: please do more research before asking.
[Rules of engagement|http://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement]
[Asking Good Questions in the Forums to get Good Answers|/people/rob.burbank/blog/2010/05/12/asking-good-questions-in-the-forums-to-get-good-answers]
Edited by: Thomas Zloch on May 12, 2011 5:40 PM

Hello Sunil,
The problem is that I have hundreds of users to maintain user groups.
found out that it is possible to assign user group to role and role to user groups. implementing hr authorization with in-direct assignment of auth. So if I could use sq10, user groups could also be link to position in the org chart.
sq10 does allow you to assign a user group to a role but when you assign the role to a user and the user runs a query, it reports that no user group has been assigned.
Suspect that there must be a parameter or switch that is not turned on
Regards

Custom Distribution Group management role (manager excpeiton)

My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
sufficient permissions. this operation can only be performed by a manger of the group”.
New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
New-RoleGroup -name “Sales “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
Below confirms by scope.
Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
Name DisplayName SamAccountName GroupType
distro1 distro1 distro1 Universal, SecurityEnabled
distro2 distro2 distro2 Universal, SecurityEnabled
distro3 distro3 distro3 Universal, SecurityEnabled
On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
Name
Add-DistributionGroupMember
Disable-DistributionGroup
Enable-DistributionGroup
Get-ADServerSettings
Get-AcceptedDomain
Get-DistributionGroup
Get-DistributionGroupMember
Get-DomainController
Get-DynamicDistributionGroup
Get-Group
Get-MailUser
Get-Mailbox
Get-OrganizationalUnit
Get-Recipient
Get-ResourceConfig
Get-User
New-DistributionGroup
New-DynamicDistributionGroup
Remove-DistributionGroup
Remove-DistributionGroupMember
Remove-DynamicDistributionGroup
Set-ADServerSettings
Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Group
Set-OrganizationConfig
Update-DistributionGroupMember
Write-AdminAuditLog

Hello,
I understand that you have create custom management scope for each group and assigned a custom role to it.
But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
Check below link. http://exchange2010cmd.blogspot.de/
You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
You can either use existing default policy or create new policy and assign this management role to it.
Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
NOTE: If you are creating new policy , place that name instead of default policy name".
I recommend you continue with defalut policy. After this check with any admin, he should have rights to edit membership.
Now, regarding your second concern, that your custon role has to many role entries.
You can remove unwanted role entries.
Use this cmd: Get-ManagemenRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
Before linking management role to email policy, remove unwanted role entry from role.
I tried to explain it in easy way, but still it is not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer,dont forget to propose it as answer.

Flex Connect Groups - WLAN to VLAN mapping

I have a question about configuring WLAN to VLAN mapping on FlexConnect Groups.
Do the mappings that are configured in the FC Group get inherited by the APs when they are placed in the group?
It seems like they do not.
I am playing around in a lab with a virtual WLC running 7.5 and an old 1131 AP.
If I configure the WLAN to VLAN mapping on the individual AP, it works as expected.
If I configure the WLAN to VLAN mapping within the FC group and add the AP to the group, it does not.
The AP does not inherit the settings from the Group.
I am wondering how you would deploy a lot of APs without having to configure each AP individually.
Thanks

Yes, you are correct. It is not like normal AP groups where it will map WLAN to AP belong to that AP group.
Anyway since you have to convert each AP manually to FlexConnect mode, you should do the WLAN mapping at that point as additional step.
FlexConnect Group is mainly to give fast roaming feature for FC APs in brach deployment solution (typically not so many APs). Also keep in mind you can have maximum 25 APs in FlexConnect AP group for WiSM2 or 5508 & you can go upto 100 in 7500 WLC. (see table 7.3 in below link)
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1108090
HTH
Rasika
**** Pls rate all useful responses *****

User= Group= SubGroup= Role: Now working when this link is used

Hai,
We are using EP 5.0 with LDAP 7.6 When a user id created it is attached to a group and the group is attached to a role. I introduced a nested group in this link as userid is attached to group, group is attached to sub group and subgroup is attached to role. When i did like this and login to the portal system the roles are not seen in the portal.
Below are the things which i did,
When a user id(Ex : MYTEST1) is created it is attached to a group(Ex : ESS_GE) by the below code.
       String group = "ESS_GE";
       String groupdn = "cn=" + group.toUpperCase() + "," + groupsRoot;
       String userdn = "cn=" + userid.toUpperCase() + "," + peopleRoot;
      // modifications for group and user
      LDAPModification[] modGroup = new LDAPModification[2];
      LDAPModification[] modUser = new LDAPModification[2];
   // Add modifications to modUser
   LDAPAttribute membership = new LDAPAttribute("groupMembership", groupdn);
   modUser[0] = new LDAPModification( LDAPModification.ADD, membership);
   LDAPAttribute security = new LDAPAttribute("securityEquals", groupdn);
   modUser[1] = new LDAPModification( LDAPModification.ADD, security);
    // Add modifications to modGroup
    LDAPAttribute member = new LDAPAttribute("uniqueMember", userdn);
    modGroup[0] = new LDAPModification( LDAPModification.ADD, member);
    LDAPAttribute equivalent = new LDAPAttribute("equivalentToMe", userdn);
    modGroup[1] = new LDAPModification( LDAPModification.ADD, equivalent);
   // Modify the user's attributes
   lc.modify( userdn, modUser);
   // Modify the user's group attributes
    lc.modify( groupdn, modGroup);
Group is attached to a role(EP_GE_USER_ROLE). So the link is User =>Group=>Role which is MYTEST1=>ESS_GE=>EP_GE_USER_ROLE. This linke is working perfectly
I introduced a nested group and changed the link as User=>Group=>Sub_Group=>Role which is MYTEST1=>ESS_GE=>ESS_GE_ONLINE=>EP_GE_USER_ROLE.
After this when I login with the user id MYTEST1 the Roles which are attached to ESS_GE_ONLINE is not shown. Any idea why the roles which are attached to group ESS_GE_ONLINE is not transferred to ESS_GE group. Should I have to add any other LDAP attributes apart from the one which are coded below.
String group1 = "ESS_GE";
String group2 = "ESS_GE_ONLINE";
String groupdn1 = "cn=" + group1.toUpperCase() + "," + groupsRoot;
String groupdn2 = "cn=" + group2.toUpperCase() + "," + groupsRoot;
//Add ESS_GE_ONLINE group to ESS_GE group
LDAPAttribute membership1 = new LDAPAttribute("uniqueMember", groupdn2);
modGroup1[0] = new LDAPModification( LDAPModification.ADD, membership1);
LDAPAttribute security1 = new LDAPAttribute("equivalentToMe", groupdn2);
modGroup1[1] = new LDAPModification( LDAPModification.ADD, security1);
//Add ESS_GE group to ESS_GE_ONLINE group
LDAPAttribute membership2 = new LDAPAttribute("uniqueMember", groupdn1);
modGroup2[0] = new LDAPModification( LDAPModification.ADD, membership2);
LDAPAttribute security2 = new LDAPAttribute("equivalentToMe", groupdn1);
modGroup2[1] = new LDAPModification( LDAPModification.ADD, security2);
lc.modify( groupdn1, modGroup1);
lc.modify( groupdn2, modGroup2);
Thanks & Regards,
H.K.Hayath Basha.

change that to the following and retest:
Joshua Fowler wrote:
I think you're correct. Under the Publish settings of the document, that's what "Class" points to.
Here's the first main section of the code:
package com.anselmbradford
import flash.display.MovieClip;
import flash.events.TimerEvent;
import flash.utils.Timer;
public class Main extends MovieClip
* Create a new CountDown object, listen for updates and pass it the date to countdown to.
public function Main()
var cd:CountDown = new CountDown();
cd.addEventListener( CountDownEvent.UPDATE , _updateDisplay );
cd.init( new Date(2015,3,9,20,00) );
* Update the display.
private function _updateDisplay( evt:CountDownEvent ) : void
Does this look correct?
Thanks again!

Group-Group & Role-Group Mapping

Similar Messages

Maybe you are looking for