Group-Role Mapping OBIEE 11.1.1.6

Scenario:
I have created some groups in console. Let the groups be
A, B, C and D.
Now I want to create a role, call it Manager, and map groups A, B, C and D to the Manager role in EM, and then give permissions (like Dashboard access) on the Manager role.
Issue:
When I try to map A,B,C and D to Manager role and check for user that belongs to group A, in his My Account, I don't see Manager role listed there.
But if I create roles A,B,C and D and map them to groups A,B,C and D respectively. And then map A,B,C and D role to Manager role, then in the user's My Account, I see Manager role.
Question:
1) What could be the problem? Is it necessary that the group name and the name of the role to which it is mapped be the same?
2) Is there any way to automate mapping group from console to role in EM? We are planning to populate groups from a database table (around 2000 groups) and mapping them to roles would be very time consuming.
Please help.

Hi,
When you are adding permissions to policies, in the "Add permission" window select "Permissions" and "Permission Class" = oracle.security.jps.ResourcePermission (leave the filter empty) and click search. You will find the required permissions on the list.

Similar Messages

  • Scripting Enterprise Groups-Application Roles mapping

    Hi All,
    For my WebCenter Portal, I have local Application Roles that need to be mapped to Enterprise Groups. I know this can be done from the Portal Administration console using "Add Groups". This doesn't seem to persist across re-deployments.
    I tried doing this via the Security Editor in JDeveloper. For this I had to first create the same Enterprise Roles in jazn-data and then map them to the Application Roles. However, on deployment, this causes the existing users on weblogic to lose their respective Enterprise Groups assignments.
    Is there a way to script the group-role mapping using WLST or other so that I can run the script as a deployment step?
    Best Regards,
    Bijesh

    Hi,
    The following links explain different ways to achieve your desired goals.
    1) http://weblogic-wonders.com/weblogic/2010/11/10/wlst-script-to-add-users-groups-and-modify-roles/
    2) http://www.orastudy.com/oradoc/selfstu/fusion/core.1111/e10043/apadvadmin.htm
    3) http://middlewaremagic.com/weblogic/?p=4981
    Hope it helps you.
    Regards,
    Hoque

  • Problem with Security Role mapping and LDAP

    Hi,
    In Oracle Internet Directory I've created a group called OIDGroup1. OIDGroup1 has 2 users: OIDuser1 and OIDuser2.
    OIDGroup1 is mapped to EjbRole1 (it is a security role defined in ejb-jar.xml; EjbRole1 can do everything in the application). Now if I log in as OIDuser1 or OIDuser2, the application says that the user does not have authorization to execute some method. The mapping in my orion-application.xml is:
    <security-role-mapping name="EjbRole1">
    <group name="admin/OIDGroup1"/>
    </security-role-mapping>
    <jazn provider="LDAP" location="ldap://myhost:4032"><jazn-web-app auth-method="SSO"/></jazn>
    If I modify orion-application.xml like this:
    <security-role-mapping name="EjbRole1">
    <group name="admin/OIDGroup1"/>
    <user name="admin/OIDuser1"/>
    </security-role-mapping>
    and then log in as OIDuser1, it works. But it does not work with OIDuser2.
    That is a problem for me because our customer cannot manage the users/groups easily: each time they have a new user, instead of simply adding this user to OIDGroup1 (with the graphical interface of OIDAS), they have to modify orion-application.xml.
    Do you have any idea?
    Thanks in advance
    regards

    I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).

  • Active Directory LDAP integration; can not see the XMLP_ groups/roles

    We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
    It is working to a certain extent:
    - Users can log on to the XML Publisher using login/password as defined in AD.
    - When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
    Problems/questions:
    - The required roles (XMLP_ADMIN, etc.) cannot be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
    - When logging in as a user who is a member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
    Is there any way to monitor the login process to try and see what goes wrong?
    -Roald

    The problem has been solved, it was self inflicted, typo in the config file:
    <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
    (semicolon instead of comma after Users).
    It is a little surprising that this typo led to problems with group matching, though. It took some time before this part of the config got enough attention.
    -Roald
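
A check for the failure described in the thread above, as an added example that is not part of the original posts or of XML Publisher: it scans a config for DN-valued properties and flags an unescaped semicolon or a malformed RDN. The `<config>` wrapper element and the rule that DN properties have names ending in `_DN` are assumptions made for the example; the sample property line is the one quoted in the post.

```python
import re
import xml.etree.ElementTree as ET

# Property line quoted in the post; the <config> wrapper is an assumption
# added so the sample parses as a stand-alone document.
SAMPLE_CONFIG = """<config>
  <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
</config>"""

# attributeType=value, where the type is a short name or a dotted OID
RDN_RE = re.compile(r"^\s*[A-Za-z0-9][A-Za-z0-9.-]*\s*=.+$")


def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def dn_problems(dn):
    """Return a list of human-readable problems found in one DN string."""
    problems = []
    for rdn in split_unescaped(dn, ","):
        if not RDN_RE.match(rdn):
            problems.append("RDN %r is not attribute=value" % rdn.strip())
        elif len(split_unescaped(rdn, ";")) > 1:
            problems.append("unescaped ';' in RDN %r (comma intended?)" % rdn.strip())
    return problems


def check_config(xml_text, suffix="_DN"):
    """Map each DN-valued property name to its problems (clean ones omitted)."""
    findings = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        if name.endswith(suffix):  # assumed naming convention for DN properties
            found = dn_problems(prop.get("value", ""))
            if found:
                findings[name] = found
    return findings


if __name__ == "__main__":
    for name, found in check_config(SAMPLE_CONFIG).items():
        for problem in found:
            print("%s: %s" % (name, problem))
```

Run against a config before restarting the service, this reports the base DN from the post while the comma-separated form passes cleanly.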

  • How to add Administrative Groups(Roles) in 11g

    Hi,
    I am migrating the 9i query to an 11g query. In the 9i query I saw a gpp table join to get the group owners. In 11g I didn't find the Administrative Groups(Roles) tab or section to assign an administrative group to the group (Role in 11g). Where can we find this tab? If the tab is not available, then how can we assign the same group (role)? When will data populate into the gpp table in 11g? Please guide me on this.
    Thanks
    Kishore T

    hi,
    are you saying you want to add custom Roles to 11G?
    it's either on the Advanced page or the Administration where you can add new custom Roles.
    there is also the RoleManager Service (API) that can add them programmatically.

  • What is the use of Webcat,What is its role in obiee 10.1.3.3.4

    Hi ,
    I'm new to OBIEE and I want to know more about Webcat. Could somebody explain in detail about webcat and its role in OBIEE? Thanks in advance.

    Have you tried looking at the documentation first?
    http://download.oracle.com/docs/cd/E10415_01/doc/nav/portal_booklist.htm
    "Answers, Delivers, and Interactive Dashboards User Guide"
    "Definitions of Common Terms in Oracle BI Answers"
    Presentation Catalog

  • Is it possible to modify the tag structure tree and the role map via scripting?

    We use unstructured FrameMaker to produce training materials which we distribute as tagged PDF to meet accessibility requirements.
    When FrameMaker creates a tagged PDF, it does a fairly good job of populating the structure based on the PDF setup information for the paragraph formats in the FrameMaker documents. However, there are some limitations in the support that FrameMaker provides. For example, almost all paragraphs are assigned to the P role even if they are headings and should be mapped to H1-H6.
    We want to be able to easily post-process a PDF that has been generated from FrameMaker to fix some of the tag structure issues (including tag names and the role map) so that the PDF will provide the optimum experience for a user of the JAWS screen reader.
    I spent some time reading the SDK documentation but didn't find much information about manipulating a tagged PDF via the API, especially via scripting.
    Does anyone have any examples or references which explain how to do it?

    AFAIK, it's not possible with a script. You might want to ask in the SDK forum, as it could be possible with a plugin.

  • Structural Authorisation & Position Based Role Mapping ( Indirect Roles)

    Hi
    I have few queries on Structural Authorization & Position Based Role Mapping (Indirect Role Assignment).
    This is a public sector implementation. We are migrating from the traditional based (assigning roles to users) to Indirect role assignment.
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    Any help or suggestions on the above would be appreciated.
    Thanks and Regards
    Arun R

    Hi
    1. Can we integrate both structural authorizations and position based role mapping in one system?
    Yes you can.  Structural authorisations and position based role mapping can be assigned to the same org plan in SAP.
    2. If we implement structural authorizations and position based role mapping in a single system, then do we need to assign the role to the chief position or it would automatically have the authorizations which are assigned to the users below chief position.
    No, the SAP role is unique to the position it is assigned to. But remember not all employees will be assigned to a position - in this case you have to assign the SAP role directly to the user in SU01/SU01
    3. First step do we need to create the users in SU01 / SU10 or can we create the entries in PA30. Which one comes first or both independent.
    Create user in SU01.SU10 first before creating infotype 105 in PA30.
    4. If the user moves from one position to the another position then there would need to be a grace period of shift over of Roles. Where do we maintain the shift over value of days. Do we need to maintain in both.
    *When a user's assignment in the org structure changes then you must run RHRPROFL0 to update the user assignment to the new position.
    Also the number of days an employee can have access to their previous data is controlled by the parameter called ADAYS - tx OOAC. SAP currently defaults this to 15 days and this is used to control the number of days that the employee can still access the data they created even though they are assigned to a different organisation with different authorisations.
    Hope this helps.
    Charmaine

  • Search Users by Group(Role) Name

    In OIM 9g, I can search users by group name like below:
    searchFor.put("Groups.Group Name", "my group");
    tcResultSet users = userOp.findUsers(searchFor);
    But it does not work in 11g; changing "Groups.Group Name" to "Groups.Role Name" doesn't work either.
    Does anyone know how to search users by Role name in 11g?

    Use RoleManager Class and the following API
    criteria = new SearchCriteria(RoleManagerConstants.ROLE_NAME, "*", SearchCriteria.Operator.EQUAL);
    roles = roleManager.search(criteria, attrNames, mapParams);
    http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e17334/oracle/iam/identity/rolemgmt/api/RoleManager.html#getRoleMembers_java_lang_String__boolean_
    HTH,
    BB

  • OID First Time Full Reconciliation - group/role reconciliation question

    My client has some roles/groups created in OID. The initial set of users lies over there. I have to bring the initial load of users into OIM. The existing set of users is around 5000. But some users belong to different groups/roles. Now if I want to do a first time reconciliation to bring all these initial set of user profiles and accounts into OIM; where do I need to specify the groups/roles in OID resource object?
    I went through the OID connector guide. But in there, in the section "3.1 Performing First-Time Reconciliation", it doesn't mention anywhere to create any multivalued attribute/child form or anything. What are the steps that are needed to be taken? If I just reconcile the group/role lookup values, will it populate those values within the user process form? If so, which fields will co-relate with that?
    Thanks,
    - oidm.

    Thanks Raj. But I think I am a bit lost over here.
    So you mean to say I don't need to run the scheduled tasks which are related to populating the groups/roles lookups for first time full reconciliation? And also you mean to say that we only need these lookups at the time of provisioning user profiles to target system?
    I have to create identities within OIM from OID so I have to run the 'OID User Trusted Recon Task' and not 'OID User Target Recon Task'.
    Basically, my question is how will the roles/groups be depicted in the user account when I will do a trusted source reconciliation? If so, which fields in process form will hold those values? Do I need to run the lookup reconciliation tasks for the same or not?
    Thanks,
    - oidm.

  • Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2

    Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2. The General rules in Design Console are no longer used for auto group membership and the rules that can be configured in the Role properties cannot be nested as far as I can see.
    Any info is appreciated.
    Thanks!

    My mistake... this is possible in the web ui.

  • Role Mapping For Portal Role Assignment and ABAP Role Assignment

    Summary:
    - Under the GRC configuration of Roles> Role Mapping we are trying to utilize the  role mapping feature in GRC for associating a dependent role to a main role.
    - We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.
    - We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words if the role owner for the abap role approves the abap role, then both the abap and EP role will be provisioned by GRC and if the role owner rejects/denies the role, then neither the abap or EP role will be provisioned by GRC.
    Problem Description:
    Our Scenarios we tested:
    Scenario 1:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator B & workflow B (routes to auto approval or no approval)
    *Problem with the Scenario 1 setup above: the dependent role will always get approved & provisioned regardless of the approval or denial of the main role.
    Scenario 2:
    Main Role:  Attached to Initiator A & workflow A (routes to single approver based on role)
    Dependent Role:  Attached to Initiator A & workflow A(routes to single approver (same as main approver) based on role)
    *Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.
    Questions:
    1. Does the dependent role need to be defined in an initiator at all, since it will never be requested directly?
    2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC).
    Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

    I tested this set up.
    1. Defined ABAP role as Main role
    2. Defined Non-ABAP role as dependent role
    3. ABAP role is set up in initiator requiring business approval.
    4. Non-ABAP role is set up in initiator with no approval required.
    Results Where Business Approver approves the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is approved and Non-ABAP role and ABAP role is provisioned.
    Results Where Business Approver rejects the ABAP Role
    1. Only the ABAP role is displayed in approver view which is desirable.
    2.  ABAP role is rejected but  Non-ABAP role is provisioned which is not what we want.  We want the Non-ABAP role not to provision if the ABAP role is rejected by the business approval.
    Thanks again for your help.

  • Does idm support maintenance of access manager's group/role/filtered role

    The xml of Access Manager Realm Resource Adapter has object types group, role and filtered role with object feature list,create, update and delete. Does that mean with the adapter installed, we can make use the idm to maintain the access manager's group/role/filteredrole? Is there any customization/configuration needed in order to provision these features in idm?
    Thanks,

    1. The AM agent can return ldap attributes after authentication. What you can do is use Sun Directory Server Proxy to provide a virtual view of both LDAP and your DB to AM.
    2. Sun Role Manager is a tool for role mining and attestation, i.e. it helps with compliancy verifications, which are required by many businesses these days. Sun Identity Manager does not need Sun Role Manager if you just want to provision roles for your users; however, as it appears to be the case in your environment, the roles created by IDM are exported to SRM for compliance verifications.

  • BRM: What is the use of Role Mapping???

    Hi All,
    This seems to be very stupid query. However, I am stuck with this simple understanding.
    In BRM document located in SCN, it says that:
    a.  Role mapping allows related roles mapped to a Single Role
    b.  These roles are provisioned when the Single Role is provisioned
    May I know:
    1. If different single roles can be mapped to the single role being created using BRM?
    2. As for point #b above, does it mean that as soon as the single role is assigned to a user, all the "mapped" roles are also assigned in the back end system?
    3. I tried point#2 above, however, the mapped role is not assigned to the user. By the way, I assigned the role in the backend system through PFCG.
    How it is different from Business Role?
    Please help me understand this concept and the system behavior.
    Regards,
    Faisal

    Hi Faisal,
    Your understanding is perfect and that's how role mapping works. I just tested in my system and it is working fine and we are on GRC SP13.
    Please check if you could request roles XYZ & TEST directly (just to be sure they are in BRM).
    If yes, please attach screenshot how you have mapped those roles.
    Regards,
    Madhu.

  • E-Commerce for ERP role mapping to UME

    Experts,
    We have successfully configured the ECO module to use the UME in addition to SU01.  We are able to create users in both systems in ISAUSERADMIN.  However, the newly created users in UME have no roles assigned to them.  We found one SAP Note that seems to be relevant ([891151|https://service.sap.com/sap/support/notes/891151]).  Unfortunately, it is very vague on how to setup the user mapping.  We have tried several permutations of the role assignments to no avail.
    Has anyone done this before, and if so could you provide some examples?

    We discovered the problem. We were updating the right file for the wrong application. The file ume-config.xml needs to be updated from the application crm~isauseradm. Once we discovered this, the UME role mapping worked. We are now able to assign UME roles to a new user when they are created or updated in ISAUSERADMIN.
    - Andrew
