Hyperion Security User Group

Similar Messages

• Built-In Users-group is suddenly gone on folder security tab.

  Dear forum-members,
  I have got a problem with folder-permissions (acl) on a Windows 2003 Server with Terminal Services (Citrix).
  The application "Sybase" is installed on the D-drive (disk). A thrid party application needs Sybase to communicate through the sql.ini with the database. All terminal server users needs read permissions on the Sybase install directory to
  use the sql.ini.
  Normally every new folder on a server has the Builtin Administrators-group and System account "Full-Control" permissions and the Builtin Users-group had "Read en List" permissions. Now on the Sybase folder only the Builtin Administrators-group
  en System account are at the security tab, but
  not the Builtin Users-group.
  When I manually set the Builtin Users-group with read permissions it okay, but after a while the Builtin Users-group is gone/deleted/removed. There is no signal that a person, proces or action removes the permissions for the Builtin Users-group. I set
  Auditing on the folder, but with no result. I know for sure there is no GPO (Group Policy) that removes this group.
  For now I have a dirty solution to run a scheduled task every 10 minutes that run xcalcs to set the permissions. A tried a GPO to set the permissions, after a reboot the group policy doesn't apply (only after a gpupdate /force).
  Does some one of you has another proper/nice solution to force the read permissions on the Sybase folder for the Builtin Users-group?
  Thanks in advance.
  Greetings, Sidney

  Hi Shaon,
  Thank you for your reply.
  The 'third party app' is APP-V sequenced and not in production yet, so only some test users are using the app.
  I did a test today to use Domain Users instead of Builtin Users, but the same problem. After a reboot only the Builtin Administrators and SYSTEM has permission on the Sybase installation folder and Domain Users (& Builtin Users) were automatically
  removed again.
  We have 6 terminal (citrix) servers and all of them has the same problem, so it's not server related.
  Could it be an issue with the way how Sybase is packaged (it's a silence install through our deployment application)?
  Before I do the next test: Will it help to force the rights (replace permissons) from the upper folder to the sub-folder(s)? (force the inheritance)
  Greetings, Sidney

• AD security groups listed in user groups in Config Manager however not listed when selecting values for the "System Resource - System Group Name" query

  Morning All,
  We are in the process of setting up our SCCM 2012 infrastructure and are experiencing issues with our device collection querys based on AD security groups.
  I can see the security groups are being updated per adsgdis.log - i can see the computers that are members of the groups in AD are being recorded in the same log. Issue is when we build the device collection query - click the value button for the string,
  only 2 of the 18 AD security groups are displayed.  These are 2 AD groups we setup initially to test.
  We have since added several additional yet they only appear to populate as user groups in config manager.
  The same goes for additional OUs that we have created with AD.
  When i click the value button only the initial 10 OUs that were created are populating in the list of applicable OUs.
  We have the discovery methods Group Discovery & System Discovery enabled and set to search the parent OU recursively
  I'm wondering if there might be an SQL issue with this as it initially worked but stopped...
  Additionally we added an OU recently that now appears in in the Values options in the query but the ones added previously and additionally after are not showing up....
  Any help is appreciated.
  Thanks,
  Jeff

  Given the adsgdis.log lists the new pc and the group it's assigned to it appears the AD group discovery is working.
  Have the following excert from the adsgdis.log
  INFO: Processing discovered group object with ADsPath = 'LDAP://************.****.COM/CN=Software - Microsoft Project Professional 2010 x64,OU=Software,OU=US-West,DC=*****,DC=com' SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012 7:08:13 AM 8180
  (0x1FF4)
  INFO: DDR was written for group '*****\Software - Microsoft Project Professional 2010 x64' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\asg8ud94.DDR at 10/4/2012 7:8:12. SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012
  7:08:13 AM 8180 (0x1FF4)
  INFO: DDR was written for system 'THURMANWIN7VM' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\adhh8419.DDR at 10/4/2012 7:8:12. SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012 7:08:13 AM 8180 (0x1FF4)
  Here you can see it processes the new members in the Software - Microsoft Project Professional 2010 x64 group and captures Thurmanwin7vm as a member.
  I did find some log entries that reference permission issues with objects in the SQL database and have opened a case with MS to get that looked into.  Hopefully that will be where the issue lies.

• Cannot view the folder security after removed the default "users" group from folder

  Hi guys
  Due to the domain change, I am doing a windows 2003 server migration to windows 2012 for a file server.
  Tones of data have been copied from the old 2003 server to the new setup 2012 server.
  We need remove the "builtin\users" group from the folder security to maintain correct rights access of user to network folder.
  Once the "builtin\users" group has been removed, the account in domain admin group can no longer read the folder security.
  Has anyone faced the similar situation? 
  Or, is there any change in folder security rights of Windows 2012?
  Thanks in advance
  KC@ITL

  Hi,
  Glad to hear that the issue has been resolved.
  If you need any assistance in the future, please do not hesitate to post in our forum.
  Regards,
  Mandy
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• LDAP- When importing a Group it goes into Security Users and not Groups.

  Hello,
  I created a new LDAP Server
  cn=GroupBI,OU=Groups,OU=Systems,OU=Milan,OU=Italy,OU=Countries,DC=u,DC=a,DC=g
  Connection Test was ok.
  The problem is on importing members of my group, on Security Import window instead of having the group drop-down list populated I have the user drop-down list populated with "GroupBI".
  If I import this group (considered as a user by BI) it goes into Security > Users and not Security > Groups.
  This does not make sense.
  I'm sure this "GroupBI" is a group and not a user and the atribute type used is sAMAccountname
  Any help?
  Cheers

  Let me tell how we did Authentication using LDAP
  I havent imported any groups or users once the LDAP is set up and connection was successfull. I simply created the session variables USER DISPLAYNAME EMAIL and mapped to LDAP Variables uid, displayname, mail.
  Authentication is done in this way by mapping the OBIEE variables to LDAP variables instead of importing the groups.
  Now for Authorization I created the groups populated using some db tables and captured the group name and loglevel and applied filters on the group in the rpd for data level and permissions on the group in webcat for object level.
  So just for Authentication purposes I think we can authenticate with out really importing groups as long as you map OB variables to LDAP
  hope it helps
  Prash

• CC&B User group Security

  Hi,
  When a user is attached to multiple User groups (User group 1, User group 2), if User group 1 has access to change premise and User group 2 does not have access to change premise then the User has no access to change Premise. This is the current behavior of CC&B. Anyway to change this ? User group 1 has Change access to Premise application service and User group 2 does not have change access to Premise application service. User is linked to both User group 1 and User group 2
  it appears to be only when there is custom security
  Requirement is to set up like even if one User group has access then allow the user to make changes in premise. How to accomplish this ? Suggestions please
  Edited by: user8861524 on Jun 3, 2013 4:31 PM

  Hi
  First have you maintained the usergroup authorisations for that Z table? first do that.
  Then in the at selection-screen event you have to write the code:
  If R1 = 'X'.   " when one of the radiobutton is selected
    if R_main = 'X'.    " when pressed the Maintain button
       <write a select or other check for User group authrisation for Z table>
  endif.
  endif.
  Reward points if useful
  Regards
  Anji

• Interesting Information about Hyperion User Groups and Conferences

  Ed Roske has an interesting post on his blog, including a letter from John Kopcke (SVP of EPM at Oracle). There is a lot of content discussing the disbandment of the Hyperion User Groups and the absorption by OAUG with the new Hyperion SIG (Special Interest Group). In addition there is discussion of conference's focusing on Hyperion content.
  Take a look at http://looksmarter.blogspot.com/2008/06/john-kopckes-letter-to-hyperion.html
  Best Regards,

  Gary,
  Thanks for nice post

• Forms security - "Not Available" user / group

  Hi,
  In form security I have a user / group with the name "Not Available". I don't know how it got there and I can't remove it (An error occurred while processing this page. Check the log for details.) I have very restricted access so I can't run tomcat in window mode to check the log.
  Any tips to remove this users? (Planning 9.2)
  Regards

  I have found whats causing this problem. When I use the deprovisioning option in HSS on this users they become "Not Available" in the Assign Access option of the form. Why, I don't know. I thought they would be automaticaly removed. The planning database was copied from development environment to production environment while the Planning service was stopped and then started after database copy, after that do I have to make any kind of registration?

• Security permission to user Group for menuitem in ax 2012

  Hi experts,I have a query,
  Query is that i want to give menu item level permission to user group,for e.g i want to show accounts Payable
  all set up parameter to Finance Group,so how it can be done? i don't want to use Roles--->Duties------->Privileges method,
  I want to just create two groups for one ACount Payable set up parameters will be showed on main ,and for
  other group it was disable?
  is that possible with out creating new roles ,duties and then privileges procedure?

  Hi Munsifuv. You might get more help on this and your other AX questions on an AX-specific forum. We can help with connecting Power Query to data sources, but aren't necessarily experts on configuring those sources.
  Thanks,
  Ehren

• Restricting certain users groups to read only for certain folders

  Hi
  I'm not sure if this is the correct forum, but hey, hopefully someone might now the answer or direct me to the correct one.
  I'm writing a VB program to amend ACLs for specific user groups.
  Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
  I've got to the point the program does everything I want, i.e. stops folder creation7deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the
  historic folders.
  Testing using the Windows GUI would appear to resolve the problem is I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
  Question then is how to I set this in VB, the default appearing to be "This folder only"
  Here's extract of my code
  Thanks
  IfvarDirectoryName.IndexOf("\"&
  Date.Now.Year) = -1
  Then
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.Modify,
  AccessControlType.Deny))
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.DeleteSubdirectoriesAndFiles,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ReadAndExecute,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ListDirectory,
  AccessControlType.Deny))
  Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
  Dim FileAcl3 As New FileSecurity
  If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
  FileInfo3.SetAccessControl(FileAcl3)
  End If

  Ho Rohn
  Your right, when I added the flags I got the following error at execution
  {"No flags can be set. Parameter name: inheritanceFlags"}
  I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
  I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
  Thanks
  Perry
  You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
  $varDirectoryName = "c:\folder"
  $GroupAdmin = "Admin Group"
  $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
  $FileAcl3 = $FileInfo3.GetAccessControl()
  $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
  $GroupAdmin,
  [System.Security.AccessControl.FileSystemRights]::Modify,
  ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
  [System.Security.AccessControl.PropagationFlags]::None,
  [System.Security.AccessControl.AccessControlType]::Allow
  $FileInfo3.SetAccessControl($FileAcl3)
  I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
  Does that make sense?

• What is the Advantage of creation of user group through SUGR?

  Hello Masters,
  As per audit requirement I have maintained user groups for different sets of users through SUGR, but I am not getting except differenciating users (based on group), is there any other advantage? Can we assign role to a user group instead of assigning to list of users  or can we do any mass changes to an user group by giving only user group name.
  Regards,
  Nilutpal.

  Dear Neels,
  Apart from maintaining user group for Differnciation purpose you can also take the advantage on the following sectors:
  1. Follow the http://help.sap.com/saphelp_nw04/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm link . From this you will come to know the use of user group in the authorisation area.
  2. User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team. 
  3. The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc... 
  In case any issue, please feel free to reply.
  Regards,
  Nilutpal.

• ISE / Active Directory: issue to get users group

  Hello,
  We have a strange issue:
  - ISE 1.2 patch 8
  - no WLC, autonomous AP
  In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
  We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
  In one more rules to grant authentication from APs to register in WDS: user in local database.
  In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
  (so 3 rules), and one more to authorise the internal base for WDS.
  We have something strange:
  - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
  Exemple:
  1- OK:
  Authentication Details
  Source Timestamp
  2014-05-15 11:43:19.064
  Received Timestamp
  2014-05-15 11:43:19.065
  Policy Server
  radius
  Event
  5200 Authentication succeeded 
  All the GROUPS of user are seen:
  false
  AD ExternalGroups
  xx/users/admexch
  AD ExternalGroups
  xx/users/glkdp
  AD ExternalGroups
  x/users/gl revue écriture
  AD ExternalGroups
  xx/users/pcanywhere
  AD ExternalGroups
  xx/users/wifidata
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa informatique
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa entreprises et cités
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa campus
  AD ExternalGroups
  xx/users/aiga_creches
  AD ExternalGroups
  xx/users/admins du domaine
  AD ExternalGroups
  xx/users/utilisa. du domaine
  AD ExternalGroups
  xx/users/groupe de réplication dont le mot de passe rodc est refusé
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange view-only administrators
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange public folder administrators
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/administrateurs
  AD ExternalGroups
  xx/builtin/utilisateurs
  AD ExternalGroups
  xx/builtin/opérateurs de compte
  AD ExternalGroups
  xx/builtin/opérateurs de serveur
  AD ExternalGroups
  xx/builtin/utilisateurs du bureau à distance
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  RADIUS Username
  xx\cennelin
  Device IP Address
  172.25.2.87
  Called-Station-ID
  00:3A:98:A5:3E:20
  CiscoAVPair
  ssid=CAMPUS
  ssid
  campus 
  2- NO OK later:
  Authentication Details
  Source Timestamp
  2014-05-15 16:17:35.69
  Received Timestamp
  2014-05-15 16:17:35.69
  Policy Server
  radius
  Event
  5434 Endpoint conducted several failed authentications of the same scenario
  Failure Reason
  15039 Rejected per authorization profile
  Resolution
  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
  Root cause
  Selected Authorization Profile contains ACCESS_REJECT attribute 
  Only 3 Groups of the user are seen:
  Other Attributes
  ConfigVersionId
  5
  Device Port
  1645
  DestinationPort
  1812
  RadiusPacketType
  AccessRequest
  UserName
  host/xxxxxxxxxxxx
  Protocol
  Radius
  NAS-IP-Address
  172.25.2.80
  NAS-Port
  51517
  Framed-MTU
  1400
  State
  37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
  cisco-nas-port
  51517
  IsEndpointInRejectMode
  false
  AcsSessionID
  radius/189518899/49890
  DetailedInfo
  Authentication succeed
  SelectedAuthenticationIdentityStores
  AD1
  ADDomain
  xxxxxxxxxxx
  AuthorizationPolicyMatchedRule
  Default
  CPMSessionID
  b0140a6f0000C2E15374CC7F
  EndPointMACAddress
  00-xxxxxxxxxxxx
  ISEPolicySetName
  Default
  AllowedProtocolMatchedRule
  MDP-PC-PEAP
  IdentitySelectionMatchedRule
  Default
  HostIdentityGroup
  Endpoint Identity Groups:Profiled:Workstation
  Model Name
  Cisco
  Location
  Location#All Locations#Site-MDP
  Device Type
  Device Type#All Device Types#Cisco-Bornes
  IdentityAccessRestricted
  false
  AD ExternalGroups
  xx/users/ordinateurs du domaine
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  Called-Station-ID
  54:75:D0:DC:5B:7C
  CiscoAVPair
  ssid=CAMPUS 
  If you have an idea, thanks so much,
  Regards,

  To configure debug logs via the Cisco ISE user interface, complete the following steps
  :Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
  You can use the Filter button to search for a specific node, particularly if the node list is large.
  www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

• OIM 10g Event Handler : Integrated with User Groups.User Members

  I have created custom event handler and integrated it with User Groups.User Members data object.
  here is my code od event handler class:
  public class GroupEventHandler extends tcBaseEvent {
       public GroupEventHandler() {
            this.setEventName("Event Handler Sample");
       protected void implementation() throws Exception {
            System.out.println("============@@@@@@@@ IN EVENT HANDLER ");
            try
            String groupKey = this.getDataObject().getString("Groups.Key");
            writeToFile(groupKey);
            catch (Exception e)
                 e.printStackTrace();
  But I am getting this exception :
  ERROR [ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.SERVER - Class/Method: tcTableDataObj/getString encounter some problems: Column 'GROUPS.KEY' not found
  com.thortech.xl.dataaccess.tcDataSetException: Column 'GROUPS.KEY' not found
       at com.thortech.xl.dataaccess.tcDataSet.getColumnIndex(Unknown Source)
       at com.thortech.xl.dataaccess.tcDataSet.getString(Unknown Source)
       at com.thortech.xl.dataobj.tcTableDataObj.getString(Unknown Source)
       at oim.GroupEventHandler.implementation(GroupEventHandler.java:19)
       at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.eventPostInsert(Unknown Source)
       at com.thortech.xl.dataobj.tcUSG.eventPostInsert(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
       at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
       at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
       at com.thortech.xl.ejb.beansimpl.tcGroupOperationsBean.addMemberUsers(Unknown Source)
       at com.thortech.xl.ejb.beans.tcGroupOperationsSession.addMemberUsers(Unknown Source)
       at com.thortech.xl.ejb.beans.tcGroupOperations_ejm77u_EOImpl.addMemberUsers(tcGroupOperations_ejm77u_EOImpl.java:1671)
       at Thor.API.Operations.tcGroupOperationsClient.addMemberUsers(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.security.Security.runAs(Security.java:41)
       at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
       at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
       at $Proxy66.addMemberUsers(Unknown Source)
       at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignMemberUsers(Unknown Source)
       at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignGroupMembers(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
       at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
       at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
       at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
       at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
       at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
       at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3592)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)

  Anyone have idea about why "Groups.Key" not found exception thrown here..
  I have assigned this event handler at postinsert event of User Groups.User Members Data Object.

• LDAP user groups not visible for configuring a Group Portal

  Hi,
  We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2 in which
  I've added the Novell LDAP Authentication provider as the authentication provider
  and then set "myRealm" as the default realm for the domain. I am able to start
  the WLS server instance and login to portalAppTools with the "administrator" account.
  We would like to configure a Group Portal. In Portal Administration interfaces,
  when I click on Group Administartion, I am unable to see any of my external LDAP
  groups. I know that we cannot create/delete users or groups in the external LDAP
  repository thru the Admin UI but the documentation says that I should be able
  to view the users/groups in the Admin UI. Authentication against the external
  LDAP repository works fine. Can anybody suggest the reason why we are unable to
  view any of the Users or Groups in our external LDAP repository thru the User
  Administration interfactes.
  Appreciate any feedback.
  Thanks
  Vikram

  Hi Jim,
  I've configured a default LDAP V2 Compatibility Realm by modifying the Config.xml
  file. I was able to restart Weblogic and see the LDAP Groups and Users thru the
  WLS console. In our project we've a unique requirement wherein all Application
  Groups and User Accounts would be stored in an LDAP repository and all BEA SERVICE
  level accounts and groups are stored in a Database (groups like AdminEligible,
  Administrators etc.). We need to be able to look at the groups in both the Database
  and LDAP repositories in order to administer and configure a Group Portal. On
  the outset it looks like we will not be able to do what we want to with the current
  portal framework. Please suggest if there are any alternatives in order to implement
  this solution. I am sure there are lot of other Clients who cannot create groups
  like Administrators, AdminEligible etc in their LDAP repositories and will be
  forced to think of alternatives.
  I would appreciate if you can reply back at your earliest convenience.
  Thanks
  Vikram
  Jim Litton <replyto@newsgroup> wrote:
  The Weblogic 7.0 Authentication Providers (new JAAS Framework) is not
  supported with Portal 7.0. You will need to configure the Compatibility
  Security CustomRealm for Novell to try to get Portal working.
  see defaultLDAPRealmForNovellDirectoryServices at
  http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1083149
  In addition, remember to test functionality through the Weblogic
  Console. If you can see groups and users there okay it is very likely
  that Portal will operate.
  -- Jim
  Vikram wrote:
  Hi,
  We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2in which
  I've added the Novell LDAP Authentication provider as the authenticationprovider
  and then set "myRealm" as the default realm for the domain. I am ableto start
  the WLS server instance and login to portalAppTools with the "administrator"account.
  We would like to configure a Group Portal. In Portal Administrationinterfaces,
  when I click on Group Administartion, I am unable to see any of myexternal LDAP
  groups. I know that we cannot create/delete users or groups in theexternal LDAP
  repository thru the Admin UI but the documentation says that I shouldbe able
  to view the users/groups in the Admin UI. Authentication against theexternal
  LDAP repository works fine. Can anybody suggest the reason why we areunable to
  view any of the Users or Groups in our external LDAP repository thruthe User
  Administration interfactes.
  Appreciate any feedback.
  Thanks
  Vikram

• How to set user/group in BIEE11G by the information stored in DB

  Hi everyone,
  I'm using OBIEE11.1.1.6,
  I'd like to ask are there any way to achive this requirment:
  I have stored user/group information in DB,the format as follow:
  ID USER GROUP
  1 A G1
  2 B G2
  so can we obtain the information from DB,then we set these information into BIEE security?
  i.e we can access BIEE by the USER stored in DB. and the GROUP can be used in BIEE security.
  thank you in advance!

  Hi,
  I am able to open the below link.
  http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
  Follow the steps:
  Order of Authentication:
  The Oracle BI Server populates session variables using the initialization blocks in the desired order that are specified by the dependency rules defined in the initialization blocks.
  If the server finds the session variable USER, it performs authentication against an LDAP server or an external database table, depending on the configuration of the initialization block with which the USER variable is associated.
  Authentication against the identity store configured in Oracle WebLogic Server Administration Console occurs first, and if that fails, then initialization block authentication occurs.
  If you configure your external table authentication as in OBIEE 10g when the session variable USER is associated to the initialization block and LDAP server fails to get the respective user then the user's will authenticate(Identify store) over database(table).
  Dont forgot to create Catalog group as we do normally in 10g
  In 11g Analytics - Administration- Security - Manage Catalog groups -- (+) to add new groups and set permissions to the catalog folders w.r.t groups/users.
  Please refer this link you will get more information
  http://www.orastudy.com/oradoc/selfstu/fusion/bi.1111/e10543/legacy.htm
  Award points it is useful.
  Thanks,
  satya
  Edited by: Satya Ranki Reddy on May 3, 2012 12:53 PM