Hierarchy of Roles

Similar Messages

• BW Security - transport hierarchy in role. What if....

  Hi All
  This Query is related to BW Security .
  The Process we flow is that we create a Hierarchy and we transport it to the production system
  We then create a role and we link the Hierarchy to the object within the role.
  What suppose if there is no Hierarchy structure for the particular customer maintained in dev and it is maintained in Production .
  Is it possible to transport the hierarchy from Dev without its hierarchy structure maintained in Dev?
  Is it possible that since data is existing in Production , so as an when this data sits in the UM of the production server , this automatically picks data from the UM?
  Please Advice
  Edited by: Julius Bussche on Feb 16, 2010 9:44 AM
  Subject title improved slightly

  These 3 threads of yours are starting to look like a series of interview questions.
  Please follow up and provide feedback / results of your search, otherwise I will lock them.
  Cheers,
  Julius

• Assigning roles to users by code without SecurityAdministration permission

  Hello!
  I'm a begginer working with VS Lightswitch and all the ASP.NET stuff. 
  Here is my problem:
  I have an application where users follow a certain hierarchy: we have employees, Area Managers, Department Managers, ...
  When creating a new employee he will be assigned a role automatically according to his level on the hierarchy: employee role, area manager role, and so on...
  None of the application users is going to have the SecurityAdministration privilege, so how could I handle this by code?
  The only thing that I've tried until now is trying to access this data through SecurityData, but it's not possible without the SecurityAdministration permission...
  I have read a little about creating custom membership, role and profile providers but I'm not sure if this is gonna work in my case, and if it's neccesary to do it this way.
  Any help will be appreciated! :) 

  It was just as simple as addind this code into a method that runs on the server side (_deleted, _deleting, _inserted, _inserting, ...):
  if (!Application.Current.User.HasPermission(Permissions.SecurityAdministration))
  Application.Current.User.AddPermissions(Permissions.SecurityAdministration);
  And then do whatever that needed the SecurityAdministration permission to get done.
  Once the method finishes, the permissions return to their original values.
  The article where I get the info:
  http://blogs.msdn.com/b/lightswitch/archive/2011/04/07/how-to-elevate-permissions-in-server-code-ravi-eda.aspx

• Hide parents in a parent-child hierarchy with dynamic rights

  Hi all,
  I'm facing the following issue with dynamic rights on a parent-child hierarchy:
  scenario:
  - a cube with a company parent-child hierarcy
  - dynamic security on through a role on dimension data based on a list with user (login names) and their
  departments, with Enable
  Visual Total is switched ON 
  - Multiple facts connected to this hierarchy.
  When a user connects to the cube (in this case with Excel or through a dashboard in Performance Point services) he/she is allowed to see the facts belonging to theirs departments and all child departments, so far so good. But the totals of the facts are
  repeated for all higher parents. Now i know thats nog 'wrong' but our users think thats very confusing in some cases, so is there a way
  - to hide the parents in the hierarhcy
  - or to set all the parent measures to null/empty?
  I prefer to make a solution in the cube so that all client programs can benefit from this solution.
  thanx in advance for all input!

   so that User A have scope: [Dimension_Name].[Attribute XYZ] and User B: [Dimension_Name].[Attribute ABC] ?
  Hi Wilfred,
  If I understanding correctly, you want different user can see different dimension attributes based on the different right on role, right? 
  Based on my research, it seems that there is no a directly way to achieve this requirement. What we can do is that "Deselect all members" for each attribute of the dimension in Dimension Data tab, which will hide all members of the dimension for the role.
  Even the dimension metadata is visible in the cube in clients, its members can't be seen. Here are some useful links for your reference.
  http://saysmymind.wordpress.com/2013/01/15/hide-a-specific-attribute-hierarchy-in-role-playing-dimension-ssas-multidimensional/
  http://social.msdn.microsoft.com/Forums/sqlserver/en-US/e2596eec-7c2d-48c0-8e81-538a8c632360/hide-dimension-based-on-roles
  Hope this helps.
  Regards,
  Charlie Liao
  TechNet Community Support

• Dynamicaly manage role permissions using JAAS

  Hi All,
  I'm pretty much a newbie to JAAS and I need your help with the following requirement we have in our application.
  We have a set of predefined permissions that we know in development time and we can assign to EJBs. We need to be able to assign those permissions to roles in the organization through API in the application.
  We can't use simple role based security as the most granular actors in our application are roles, so we need to assign the permissions to the roles and not directly to the users (which are eventually assigned a role - managed in the customer user store).
  As I mentioned before, the permissions are a closed set and are not configurable. The only configuration is who gets those permissions, and that ability should be given to the Admin of our application.
  We considered using an hierarchy of roles, giving each logical role a set of permission-roles and use the standard role-based EJB security. For that we consider a custom login module to flatten the list of roles.
  Let me know what you think and if there's any best practice for such scenario.
  Just on thing. We want to stay in the JAAS realm as much as possible and avoid using some other security framework.
  Thanks,
  Eyal

  JHeadstart uses roles and permissions only for maintenance reasons (for example, to quickly assign a number of permissions to a user). In runtime, differences between roles and permissions are discarded and both are treated the same. So, it is then comparable to JAAS, which only distinguishes between users and roles (called groups in OID).
  The actual setup of the OID and JAAS is not part of JHeadstart. JHeadstart just uses the JAAS provider (when in JAAS mode) to check for the required roles (= permissions) for the current group.
  Paco van der Linden,
  JHeadstart Team.

• Defining security on a dimension based on a role

  Hi,
  I'm using SSAS 2008 R2 with reports on it with Panorama NovaView 6.2. I need to hide a few dimensions and measure groups from a certain group of users. When I'm defining the new role for them I see the only options for dimension set is either "read"
  or "read/write". I've tried entering the dimension data tab for the role, choosing an attribute from the dimension I want to hide, and enabling the user to see just the "all" member for that attribute. But when I browse the cube through
  SSMS, I see both the attribute and the measure next to it as showing blank and not the total with the "all" member.
  I saw older posts proposing to use perspectives, but they're not really security. I already have views based on the entire cube in Panorama and would like to re-use them. Any suggestions?...
  With thanks in advance,
  Ella

  Hi Ella,
  According to your description, you want to define security on a dimension, so that different users can see different dimension attributes or hierarchies, right?
  As you said, there is no "read" and 'read/write" option on the dimension tab, we cannot set "deny" option for the dimension when creating a role. Based on my research, it seems that there is no a directly way to achieve this requirement. What we can do is
  that "Deselect all members" for each attribute of the dimension in Dimension Data tab, which will hide all members of the dimension for the role. Even the dimension metadata is visible in the cube in clients, its members can't be seen. Here are some useful
  links for your reference.
  http://saysmymind.wordpress.com/2013/01/15/hide-a-specific-attribute-hierarchy-in-role-playing-dimension-ssas-multidimensional/
  http://social.msdn.microsoft.com/Forums/sqlserver/en-US/e2596eec-7c2d-48c0-8e81-538a8c632360/hide-dimension-based-on-roles
  If you have any concern about this behavior, you can submit a feedback at
  http://connect.microsoft.com/SQLServer/Feedback and hope it is resolved in the next release of service pack or product. Your feedback enables Microsoft to make software and services the best that they can be, Microsoft might consider to add this feature
  in the following release after official confirmation.
  Thank you for your understanding.
  Regards,
  Charlie Liao
  If you have any feedback on our support,
  please click here.
  Charlie Liao
  TechNet Community Support

• Multiple hierarchy in one dimension

  hi ,
  i have a dimension with 4 levels and 2 hierarchy . one hierarchy uses all 4 levels (default hierarchy) and one uses 3 levels .
  i have 2 cubes , one cube needs to use hierarchy 1 from that dimension and there is no problem on validation time .
  one cube needs to use hierarchy 2 of that dimension when i uses 'deploy all ' as deployment option , OWB says to me that i have to use last level of that dimension . I use relational implementation .
  can i use diffrent hierarchy of 1 dimension in diffrent cubs ?
  thank u in advance for your advise
  Padideh

  Hi Sankar,
  You can define <b>Employee</b>, <b>Organization</b>, <b>Physical</b>, <b>Customer</b> & <b>Product</b> as navigational attributes of <b>Role</b> and in the query enable the hierarchy for Role. Then pull <b>Employee</b>, <b>Organization</b>, <b>Physical</b>, <b>Customer</b> & <b>Product</b> under <b>Role</b> this way you will be able to display, the hierarchies of Employee, Organization, Physical, Customer & Product under the nodes of Role hierarchy in the order in which you place them in the report.
  Hope this helps.
  Regards
  Kumar

• Multiple Hierarchies in one Hierarchy ?

  Hello all,
  How r u ?
  We have a scenario like we should have many hierarchies under one hierarchy and in multiple combinatinons like,
  <b>Role,
  Employee,
  Customer,
  Organizational,
  Physical &
  Product Hierarchies</b>
  all these hierarchies are interlinked like
  Role -> Employee -> Organizational -> Physical -> Customer -> Product.
  and like this each of these shall be in the root and we have to drill down to the next levels.
  Eg: Employee at the top and his role, his organizational & physical location authorized, customers assigned to him,....
  Our requirement is to show the enduser like this, he may select any of the above and accordingly the report has to be shown.
  How to approach this scenario ? any clues ?
  Best Regards....
  Sankar Kumar
  +91 98403 47141

  Hi Sankar,
  You can define <b>Employee</b>, <b>Organization</b>, <b>Physical</b>, <b>Customer</b> & <b>Product</b> as navigational attributes of <b>Role</b> and in the query enable the hierarchy for Role. Then pull <b>Employee</b>, <b>Organization</b>, <b>Physical</b>, <b>Customer</b> & <b>Product</b> under <b>Role</b> this way you will be able to display, the hierarchies of Employee, Organization, Physical, Customer & Product under the nodes of Role hierarchy in the order in which you place them in the report.
  Hope this helps.
  Regards
  Kumar

• How to understand the hierarchy structure of 0PLANT io?

  how to understand the hierarchy structure of 0PLANT io ?
  i can understand the hierarchy structure of PRODUCT io,
  well, i hope someone could explain the hierarchy structure of 0PLANT io
  thanks.

  Hi
  You can use following hierarchy tables
  RSTHIERNODE - Texts of Non-Postable Hierarchy Nodes
  RSEHIERNODE - Master Data: Hierarchy Nodes that Cannot Be Posted To
  RSMHIERNODE - Master data: Hierarchy nodes that cannot be posted to
  RSHIEDIR - Hierarchy Catalog
  RSHIEDIRT - Hierarchy directory texts
  RSREQHIER - Data Request hierarchy
  RSROLEHIERARCHY - Role hierarchy
  In addition to these have a look at K table & I table for 0PLANT.
  K table - Hierarchy SID table
  I table - Hierarchy structure table
  Hope this will help..!!
  Thanks,
  Vikrant

• Publishing issue with BOE XI 3.1 and SAP IK

  Hi There,
  this issue has been posted a few times before and I see other people are running into it as well. Nonetheless I have not found a satisfying answer in the Forum.
  I have the problem that I can only publish a Crystal Report based on SAP BI if the publishing role is an Admin in BOE. that is not how it is supposed to work.
  I followed all the guidelines and required settings and as soon as the publisher is no administrator I get an error. Publishing to BI works fine.
  The error I get is:
  An error occurred while saving and/or publishing. The return code 1 was returned from the server. An error occurred when synchronizing folder hierarchy for role:......
  Here is the publishing log:
  essage
  [Thu Nov 20 10:06:33 2008]     2664     1688     Entering CPubReqPublishReport::Process(1)
  [Thu Nov 20 10:06:33 2008]     2664     1688     Entering CPubBWConnector::GetQueryLocation()
  [Thu Nov 20 10:06:33 2008]     2664     1688       SAP_LANGUAGE set to EN (got from rfc handle)
  [Thu Nov 20 10:06:33 2008]     2664     1688     SAP Publisher BW Binding: 1 roles returned. Deduced active system id to be 00001 from the first row [role: Y:BI_PROG_MGR]
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: base_folder Value /SAP/2.0/
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: ce_aps_nam Value cepvsabob81:6400
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: ce_lang_list Value D E
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: ce_path_pr Value SAP
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: ce_protcl Value http
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: ce_server Value cepvsabob81.gov.edmonton.ab.gov:8080
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: ce_viewer Value reportView.do
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: folder_policy Value FCT
  [Thu Nov 20 10:06:33 2008]     2664     1688     System 00001: Name: report_policy Value FCT
  [Thu Nov 20 10:06:33 2008]     2664     1688     Running job synchronously
  [Thu Nov 20 10:06:33 2008]     2664     1688     Entering job processor CPubJobGetRoleMetaData(Y:BI_PROG_MGR)
  [Thu Nov 20 10:06:33 2008]     2664     1688     Entering CopyRfcHandle(1)
  [Thu Nov 20 10:06:33 2008]     2664     1688     Starting up callback server at 162.106.114.62 sapgw16 with prog-id SEGIDDC806AA2A01688
  [Thu Nov 20 10:06:33 2008]     2664     1688     GetRfcHandle() returned with handle 2
  [Thu Nov 20 10:06:33 2008]     2664     1688     Leaving job processor CPubJobGetRoleMetaData(Y:BI_PROG_MGR)
  [Thu Nov 20 10:06:33 2008]     2664     1688     Logging on to Crystal Enterprise
  [Thu Nov 20 10:06:35 2008]     2664     1688     Logged on to CMS "cepvsabob81:6400" as user "BIX~001/DUMMY" with id 1815
  [Thu Nov 20 10:06:35 2008]     2664     1688     Generating Enterprise token "cepvsabob81.COE.ADS:6400@1897JkHE9ilGJ2Hgcinp1895JceHlHlYrNTzUBPQ" for use with repository linked reports.
  [Thu Nov 20 10:06:35 2008]     2664     1688     Worker thread created. Placing in active queue.
  [Thu Nov 20 10:06:35 2008]     2664     1688     Base folder hierarchy: /SAP/2.0/BIXCLNT001
  [Thu Nov 20 10:06:35 2008]     2664     1688     FindFolder Query: SELECT SI_ID, SI_PATH FROM CI_INFOOBJECTS WHERE SI_NAME='BIXCLNT001' AND SI_PROGID='CrystalEnterprise.Folder'
  [Thu Nov 20 10:06:35 2008]     2664     6784     Entering job processor CPubJobCompositeReport
  [Thu Nov 20 10:06:35 2008]     2664     6784     Running job synchronously
  [Thu Nov 20 10:06:35 2008]     2664     6784     Entering job processor CPubJobDownloadReport(4BW89NXFO63ORDK4YMDSU0GN2)
  [Thu Nov 20 10:06:35 2008]     2664     6784     Reused connection 2
  [Thu Nov 20 10:06:36 2008]     2664     1688     FindFolder returned 1 items from query SELECT SI_ID, SI_PATH FROM CI_INFOOBJECTS WHERE SI_NAME='BIXCLNT001' AND SI_PROGID='CrystalEnterprise.Folder'
  [Thu Nov 20 10:06:36 2008]     2664     1688     Base folder id is 1465
  [Thu Nov 20 10:06:36 2008]     2664     1688     Worker thread created. Placing in active queue.
  [Thu Nov 20 10:06:36 2008]     2664     1688     CPubReqPublishReport::force_mode string()
  [Thu Nov 20 10:06:36 2008]     2664     6784     Downloaded report 4BW89NXFO63ORDK4YMDSU0GN2 with master langugage E in the following languages: D E
  [Thu Nov 20 10:06:36 2008]     2664     1688     CPubReqPublishReport::force_mode_bool(false)
  [Thu Nov 20 10:06:36 2008]     2664     6784     Adjusted language list for report 4BW89NXFO63ORDK4YMDSU0GN2 is "E"
  [Thu Nov 20 10:06:36 2008]     2664     1688     About to start publishing reports to CE. Waiting for folders and report metadata.
  [Thu Nov 20 10:06:36 2008]     2664     6784     Leaving job processor CPubJobDownloadReport(4BW89NXFO63ORDK4YMDSU0GN2)
  [Thu Nov 20 10:06:36 2008]     2664     6784     Running job synchronously
  [Thu Nov 20 10:06:36 2008]     2664     6784     Entering job processor CPubJobProcessReport
  [Thu Nov 20 10:06:36 2008]     2664     6784     Reused connection 2
  [Thu Nov 20 10:06:36 2008]     2664     2448     Entering job processor CPubJobCEFolders(Y:BI_PROG_MGR)
  [Thu Nov 20 10:06:36 2008]     2664     2448     CPubLocFolderHierarchy::ParseRoleFolderInfo:l_sText:[Projektcontroller]
  [Thu Nov 20 10:06:36 2008]     2664     2448     CPubLocFolderHierarchy::ParseRoleFolderInfo:l_sText:[Program Manager]
  [Thu Nov 20 10:06:36 2008]     2664     2448     CPubLocFolderHierarchy::ParseRoleFolderInfo:l_sText:[BOBJ_Test_1]
  [Thu Nov 20 10:06:36 2008]     2664     2448     FindObjects query: SELECT SI_NAME, SI_LOC_NAMES, SI_LOC_ORIGINAL_LOCALE FROM CI_INFOOBJECTS WHERE SI_PROGID='CrystalEnterprise.Folder' AND SI_PARENT_FOLDER='1465' AND SI_SAP_FOLDER_ID='Y:BI_PROG_MGR                 0000000000'
  [Thu Nov 20 10:06:36 2008]     2664     2448     FindObjects returned 1 items from query SELECT SI_NAME, SI_LOC_NAMES, SI_LOC_ORIGINAL_LOCALE FROM CI_INFOOBJECTS WHERE SI_PROGID='CrystalEnterprise.Folder' AND SI_PARENT_FOLDER='1465' AND SI_SAP_FOLDER_ID='Y:BI_PROG_MGR                 0000000000'
  [Thu Nov 20 10:06:36 2008]     2664     2448     FindObjects query: SELECT SI_PATH FROM CI_INFOOBJECTS WHERE SI_ID='1808' AND SI_PROGID='CrystalEnterprise.Folder'
  [Thu Nov 20 10:06:36 2008]     2664     2448     FindObjects returned 1 items from query SELECT SI_PATH FROM CI_INFOOBJECTS WHERE SI_ID='1808' AND SI_PROGID='CrystalEnterprise.Folder'
  [Thu Nov 20 10:06:36 2008]     2664     2448     FindObjects query: SELECT SI_ID FROM CI_SYSTEMOBJECTS WHERE SI_NAME='BIX~001@Y:BI_PROG_MGR'
  [Thu Nov 20 10:06:36 2008]     2664     2448     FindObjects returned 0 items from query SELECT SI_ID FROM CI_SYSTEMOBJECTS WHERE SI_NAME='BIX~001@Y:BI_PROG_MGR'
  [Thu Nov 20 10:06:36 2008]     2664     2448     ERROR: ..\..\src\ce_folder_hierarchy.cpp [328]: E_NOINTERFACE failed with return code l_hr = -2147467262
  [Thu Nov 20 10:06:36 2008]     2664     2448     COM Exception caught in CCEFolderHierarchy::RelateFolderToUserGroup. HRESULT = -2147467262
  [Thu Nov 20 10:06:36 2008]     2664     2448     ERROR: .\ce_folders.cpp [226]: m_objBaseHierarchy.RelateFolderToUserGroup(l_sFullUserGroupName, l_nRoleRootFolderId) failed with return code l_hr = -2147467262
  [Thu Nov 20 10:06:36 2008]     2664     2448     Leaving job processor CPubJobCEFolders(Y:BI_PROG_MGR)
  [Thu Nov 20 10:06:36 2008]     2664     1688     error happened when synchronizing role folder
  [Thu Nov 20 10:06:36 2008]     2664     1688     Leaving CPubReqPublishReport::Process(1)
  [Thu Nov 20 10:06:36 2008]     2664     1688     Dispatch returned with code 0 and message [See RFC trace file or SAP system log for more details]
  [Thu Nov 20 10:06:36 2008]     2664     6784     Content marker: 0
  If someone ran into this issue and fixed it could you please give me your steps so I can check with what I did?
  Thanks,
  Stephan

  Hi,
  - the user that is supposed to publish a report needs to be part of a role that has been imported
  - that role needs to have the rights to view, edit, add, modify object as part of the role folder (or higher in the folder structure like the SAP system ID Folder).
    detailed list of rights :
       Add objects to the folder that the user owns
       Add objects to the folder
       Copy objects to another folder that the user owns
       Copy objects to another folder
       Delete objects that the user owns
       Delete objects
       Edit objects
       Edit objects that the user owns
       Modify the rights users have to objects
       View objects
       View objects that the user owns
  - you then need to assign a principal to the user group in BOE (CMC > Users and Groups > select the group > add principal) and assign the same rights
  - then go to the Access Levels and use the Manage > user security option and give the role the following rights :
       View objects
       View objects that the user owns
       Edit Objects
       Edit objects that the user owns
       Use Access level for security assignment
  Ingo

• Defining logicals on VMS

  Actually we put a mechanism in just to do this very thing. On unix when
  you set an env variable it is only seen by the children and we wanted to
  get this exact behavior on vms. So we created a new logical name table
  Forte_prctable. This is a process level logical name table but when we
  issue the run command we create a com file that contains a define statement
  for every logical in this table. Then when the sub/detached process executes
  it first runs the command file defining local logicals as inherited by the
  parent. Note that asyncronous commands actually run a detached process and so
  the job table will not work for these.
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

  Hi Ella,
  According to your description, you want to define security on a dimension, so that different users can see different dimension attributes or hierarchies, right?
  As you said, there is no "read" and 'read/write" option on the dimension tab, we cannot set "deny" option for the dimension when creating a role. Based on my research, it seems that there is no a directly way to achieve this requirement. What we can do is
  that "Deselect all members" for each attribute of the dimension in Dimension Data tab, which will hide all members of the dimension for the role. Even the dimension metadata is visible in the cube in clients, its members can't be seen. Here are some useful
  links for your reference.
  http://saysmymind.wordpress.com/2013/01/15/hide-a-specific-attribute-hierarchy-in-role-playing-dimension-ssas-multidimensional/
  http://social.msdn.microsoft.com/Forums/sqlserver/en-US/e2596eec-7c2d-48c0-8e81-538a8c632360/hide-dimension-based-on-roles
  If you have any concern about this behavior, you can submit a feedback at
  http://connect.microsoft.com/SQLServer/Feedback and hope it is resolved in the next release of service pack or product. Your feedback enables Microsoft to make software and services the best that they can be, Microsoft might consider to add this feature
  in the following release after official confirmation.
  Thank you for your understanding.
  Regards,
  Charlie Liao
  If you have any feedback on our support,
  please click here.
  Charlie Liao
  TechNet Community Support

• Portal ivews order - sortering

  Greetings
  I have a portal rol with a couple of worksets and iviews inside and I want to order them.
  I have used the sort priority and I made appear the ivew I want the first before workset that should be second. Also I set the Entry point option to true on the ivew I want the first.
  I see things right and the ivew its on the first position on, nevertheless when I send the portal content to production the ivew doesnt get to the first position.
  thanks on advance for helping me of pointing me out on the resolution.
  Jean Carlo

  If you are dealing with iView, WS all under one role then I think Sort priority is not needed.
  Check the hierarchy in Role Editor. Simply add the iView before the WS in your Role and whenever you click that Role in portal, the iView will be 1st and will be opened by default.
  Sort priority makes sense when you have Multiple Roles say A & B and you want that B should precede A.
  Chintan

• SAP Authentication not available

  Hello together!
  on a BOE-System (XI 3.1, SP3, FP 3.5) is the SAP Authentication for the InfoView- and the CMC-logon not available. I think the problem is that they haven't installed the SAPJCO correct or did some other mistakes during the installation and configuration process. Until now I tried the following because to install and configurate the system new is not really a opportunity:
  check if in the CMC the SAP Authentication is enable
  check in the web.xml if the authentication.visible is set to true
  copied the sapjco.jar into the Tomcat55\shared\lib and Tomcat55\common\lib
  copied the two *.dll from the SAPJCO to the windows\system32 folder
  set the classpath
  redeployed the Apps: InfoViewApp, InfoviewAppActions, CmcApp, CmcAppActions, PartnerPlatformServices, SAP, OpenDocument and dswsbobje
  run the partnercafinstall.bat
  and restart the tomcat and the Server Intelligence Agent
  Btw the Integration Kit for SAP works - it's just the problem with the missing authentication method.
  Another question depending on that problem (maybe) regards  the BW Publisher: There is a role for publishing content, this role have the essential rights and the role is added to the corresponding SAP system folder under the SAP structure in the CMC. But if you want to piblish a Crystal Reports report as a BW-User that is a member of the role but is not imported in the CMC you get the error EAS 30001(An error occurred when synchronizing folder hierarchy for role) which means that the user does not have sufficient rights to publish reports. If I put the role to the administrator group everything works fine except that the reports creates a folder structure SAP\2.0\*SYSTEM\New Object11552\New Object11553\REPORT*. Why are the folder "New Object11552" and "New Object11553" created and what's the problem with the rights?
  I appreciate any hints what else I can do - because as I mentioned above a complete new-install is not really a opportunity.
  Thanks in advance!

  Thanks Heiko and Ingo for your responses!
  @Heiko
  Hi Heiko, I couldn't find the SAP JCO 2.1.9 version to download - so I tried the 2.1.10 version; but still the same problem
  @Ingo
  Hi Ingo,
    >>so the SAP Authentication in the CMC is available and you are able to import the SAP Roles ?
  yes, the SAP Authentication in the CMC is available and I'm able to import SAP roles - that works absolutely fine; it's just that users can't select the SAP-Authentication method for the logon.
    >>EAS 30001
  ok, that was also my idea that it is important that the sap user who want's to publish content is imported in the cmc - but because of the problem that the sap authentication is not available at logon that's currently not possible. So, I think if this problem is solved - the problem with EAS 30001 is also gone.
    >>Make sure the role as descriptions in transaction PFCG in all the languages that you use for publishing
  you're absolutely correct - that was the problem! Thanks Ingo! Could you explain what are the steps I have to do to translate the description of a role in transaction SE63 after I created the role in the transaction PFCG or do you have a link with the HowTo for me? Hope we'll also find a solution for the missing SAP-Authentication method.
  Mario

• DIT Design -- Handling users in overlapping & changing groups/institutions

  Hi Folks-
  [My Apologies if there are duplicates, the forum doesn't show any sign of accepting this]
  I've been working on a DIT Design to solve a set of business requirements which conflicts with most traditional approaches. I've got some (overly) complicated ideas, but I'm wondering if anyone has encountered a similar situation, and if so did you find a good solution.
  Key Requirements:
  (1) We have a collection of users from various institutions and groups within them.
  (2) (THE MAIN WRINKLE) A certain amount of overlap and movement between institutions is expected (group overlap will be common). A user who is in overlapping institutions or moves between them MUST use a single, shared identity and SHOULD maintain a stable identity (i.e. no DN changes).
  (3) Much of the user administration should be decentralized and done at the group level (within each specific institution). An administor of GroupA in Foo Institution should only be able to administer the users in GroupA at Foo, but must be able to control membership within GroupA. Special precautions are permitted to keep a Group-A/Foo administrator from hijacking an arbitrary user by adding the target user to Group-A/Foo.
  (4) The number of institutions is expected to be start around 40-50, and could scale to the thousands. The number of people will probably be around 5-20 times the number of institutions. The design should accomodate that scale.
  Additional Notes:
  (A) I don't see any alternative to keeping any organizational information out of the users' DN's, essentially flattening the users out (I've currently got them all in one container).
  (B) I can obviously setup a hierarchy of roles/groups in institutional containers to handle membership and group administrator lists. All Directory Server administration will be done by a small central team and everything can be in containers under a common root suffix.
  (C) We currently have the necessary skillsets to develop scripts and programs as needed. But 2 different application families (incompatible foundations -- Java vs. Cobol+Perl) are already scheduled for deployment against this (hopefully more will follow). This means it's not very practical to use one "LDAP Superuser" id and rely on the application to enforce security policies. We really want to put as much of the security into the Directory as possible (calling for individual LDAP admins w/ the appropriate rights), but we can supplement it where we need to.
  (D) It looks like I'll have to rely heavily on filters based on the values of particular attributes of each user (whether in ACI's, Filtered Roles, or the like). Unfortunately, I don't see many ways that I can actually build those filters to be dependent on attributes/values of different entries. But I'm still working on that.
  (E) Because of the number of institutions (and probable continous growth), writing a master upper-level ACL which has each institution & group explicitly coded is probably unwise due to size and stability. If I have to I could have a helper program custom-code each user's ACL differently and change it as needed. But that doesn't seem like a good solution.
  Right now the designs I'm tossing around are calling for combinations of (all/most of) Roles (Filtered & Nested), Groups, CoS Template & Password Policies (yeah, we need those too), Macro ACI's, and a small amount of helper scripts and programs. We're running 5.2 but can probably upgrade to 6.0 if I can cite a good enough reason.
  My current design is pretty ugly and complicated but probably attainable. If people are interested enough I'll post a cleansed summary once it's working.
  Has anyone tackled anything like this before, and does anyone see any cleaner approach I've missed?
  Thanks,
  -Scott-

  Hi-
  We're basically putting all the users in one big container making a flat space.
  We then create lots of roles, each of which corresponds to a particular combination of institution, application, and access type/level (the user is implicit as it contains the nsRole). If a user has multiple types of access to an application for a given institution then they will be in multiple corresponding roles.
  We have the roles grouped together in a subtree which is divided by institution (and could be further subdivided by application within each institution or placed in the reverse order). But because of the scoping restrictions on nsRole's only a nsNestedRoleDefinition can be placed at this location (using nsRoleScopeDN), the Managed and Filter "working roles" must be in a branch of the tree above all things which will be contained within them (we put it at the top of that naming suffix).
  According to the docs, queries will ignore a ldapSubEntry (which all of the nsRoleDefinition's are) unless specifically requested, so the fact that there are hundreds or thousands of roles defined at the top shouldn't matter. However, all of the GUI's I've tried displayed all the roles.
  Currently the application code parses the DN of the role names from the user's nsRole entry, NOT the nsRoleDN entry. There end up being a lot of intermediate roles which get ignored. It uses this to determine the access type(s) to be granted. This is really convenient since one query for the user gets everything. However it builds dependencies into the DN format which arguably probably shouldn't be depended on. I've considered defining custom schema attributes which would contain the application/institution/access tuples (which could also be helpful for building nsFilteredRoleDefinition's), but that represents another round of queries and more substantial code changes for the pilot application.
  Once in place, the roles can easily be nested and combined in various ways (such as "roll-up" roles containing all users of an application). They can also be used for password policies, CoS templates, and building ACI's. The last should be very helpful in enabling decentralized administration, but that's going to be pretty dependent on your security policy.
  An issue with decentralized administration and Managed Roles is that normally anyone who can modify a user's nsRoleDN attribute can place any role in there, which isn't desirable in this environment. I haven't moved forward with the ACI work yet, but it appears that the "targattrfilters" ACI keyword may allow this problem to be solved (possibly in conjunction with Macro ACI's). Using some custom attributes with filtered roles might make this easier.
  So, we could have something like this very incomplete LDIF (not checked for errors), only the really important attributes are shown. Also similar entities with the same naming patterns have been omitted.
  dn: cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  objectClass: nsNestedRoleDefinition
  nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
  nsRoleDN: cn=filtered-webmail-inst01-appusers,o=naming-suffix
  nsRoleScopeDN: o=naming-suffix
  dn: cn=managed-webmail-inst01-appusers,o=naming-suffix
  objectClass: nsManagedRoleDefinition
  dn: cn=filtered-webmail-inst01-appusers,o=naming-suffix
  objectClass: nsFilteredRoleDefinition
  nsRoleFilter: (customAppInstAccess=webmail:inst01:user)
  dn: uid=jsmith,ou=users,o=naming-suffix
  nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
  nsRoleDN: cn=managed-webmail-inst01-appadmins,o=naming-suffix
  dn: uid=jappleseed,ou=users,o=naming-suffix
  nsRoleDN: cn=managed-webmail-inst01-appusers,o=naming-suffix
  customAppInstAccess: blogger:inst03:user
  customAppInstAccess: webmail:inst03:userSo jsmith's nsRole attribute would contain the following values (the ones above the blank line are the main entries, the others are intermediate role to be ignored):
  cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  cn=appadmins,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  cn=managed-webmail-inst01-appusers,o=naming-suffix
  cn=managed-webmail-inst01-appadmins,o=naming-suffixAnd jappleseed's nsRole attribute would contain the following values (the ones above the blank line are the main entries, the others are intermediate role to be ignored):
  cn=appusers,ou=webmail,ou=inst01,ou=institutions,o=naming-suffix
  cn=appusers,ou=blogger,ou=inst03,ou=institutions,o=naming-suffix
  cn=appusers,ou=webmail,ou=inst03,ou=institutions,o=naming-suffix
  cn=managed-webmail-inst01-appusers,o=naming-suffix
  cn=filtered-blogger-inst03-appusers,o=naming-suffix
  cn=filtered-webmail-inst03-appusers,o=naming-suffixIf that doesn't make sense, then you can email me details of what you're trying to do at <[email protected]>, but it may take some time before I can respond.
  -Scott-

• How to understand the embeded src

  What for example does this mean:
  <embed src="
  http://www.clip4e.com/clip4e.swf
  " width="400" height="320" type="application/x-shockwave-flash"
  pluginspage="
  http://www.macromedia.com/go/getflashplayer"
  flashvars="cl_id=1505&guid=c71f4b9df28b7594"/>

  Hi
  You can use following hierarchy tables
  RSTHIERNODE - Texts of Non-Postable Hierarchy Nodes
  RSEHIERNODE - Master Data: Hierarchy Nodes that Cannot Be Posted To
  RSMHIERNODE - Master data: Hierarchy nodes that cannot be posted to
  RSHIEDIR - Hierarchy Catalog
  RSHIEDIRT - Hierarchy directory texts
  RSREQHIER - Data Request hierarchy
  RSROLEHIERARCHY - Role hierarchy
  In addition to these have a look at K table & I table for 0PLANT.
  K table - Hierarchy SID table
  I table - Hierarchy structure table
  Hope this will help..!!
  Thanks,
  Vikrant