iManager error editing Role Based Entitlements

Hi,
A while back we had to re-create our Organisational CA and server certificates. (Don't ask why...) Everything seemed to go well except for one issue I've been having since.
We have OES2 SP3 (eDir 8.8 SP6) running on SLES 10 SP3.
iManager version is 2.7.4
Identity Manager Version is 3.6.1
When I try to edit a role based entitlement I get the error:
"Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server is for a tree other than the one iManager was originally set up for, and SSL has not been set up between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate. "
I have tried deleting the iMKS file and importing the certificate manually as detailed here:
https://www.novell.com/documentation...a/bx8g5g8.html
There are plenty of other pages showing the same method of resolving this issue but none have worked.
Any ideas?
Thanks.

Similar Messages

  • Error in Role Based security using weblogic 9

    Hi All,
    Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Success</web-resource-name>
              <url-pattern>/form.jsp</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>admin</role-name>
         </auth-constraint>
         <user-data-constraint>
              <transport-guarantee>INTEGRAL</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
         <role-name>admin</role-name>
    </security-role>
    When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the following error:
    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    So can any one provide me the solution for the above problem.
    Thanks in advance.
    By,
    Sandip Pradhan

    Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

  • IManager & Role Based Entitlements

    I'm re-posting this here as I didn't get any response from the original post linked below:
    https://forums.novell.com/showthread...-Entitilements
    Hi,
    A while back we had to re-create our Organisational CA and server certificates. (Don't ask why...) Everything seemed to go well except for one issue I've been having since.
    We have OES2 SP3 (eDir 8.8 SP6) running on SLES 10 SP3.
    iManager version is 2.7.4
    Identity Manager Version is 3.6.1
    When I try to edit a role based entitlement I get the error:
    "Unable to obtain an LDAP context. Possible causes: the LDAP server is not running, or the LDAP server is for a tree other than the one iManager was originally set up for, and SSL has not been set up between the iManager server and the LDAP server. Either start the LDAP server, or set up SSL by importing a trusted certificate. "
    I have tried deleting the iMKS file and importing the certificate manually as detailed here:
    https://www.novell.com/documentation...a/bx8g5g8.html
    There are plenty of other pages showing the same method of resolving this issue but none have worked.
    Any ideas?
    Thanks.

    For some reason I cannot find your old post via NNTP, though I see it on
    the web interface. Perhaps the gateway had a problem, which would have
    limited your responses. Either way, for future reference, you may want to
    post questions on the RBE features in the iManager or IDM forums, both
    located on https://forums.netiq.com/ (same looking page, same account,
    just focused on the NetIQ products, including those moved over from
    Novell). Also, for iManager problems, same thing: try the iManager forum
    specifically on the NetIQ site. Considering you've been with Novell for a
    while, it's definitely understandable that you'd look here for those
    forums, though, as they used to be on this site.
    The vast majority of iManager functions use NCP exclusively; adding users,
    modifying them, associating with groups, setting up file services
    (CIFS/SMB/AFP/NSS), managing most of IDM, configuring LDAP services
    provided by eDirectory, etc.. eDirectory, after all, is NCP-based and
    LDAP is an interface added to it to do things that work better via LDAP.
    Thus, most things work just fine no matter what you do via LDAP.
    In your case you are describing one of the few services where iManager
    actually needs to work with eDirectory via LDAP. Other examples include
    working with Universal Password (UP) under the Passwords role. In these
    cases iManager uses eDirectory to find appropriate LDAP services and then
    connects to those as well for specific operations. As a result, we look
    at LDAP as it sounds like you have already done. TID# 7008836 seems to
    have very similar instructions to the documentation link you posted, but
    you may find it useful in some way.
    You mentioned recreating your CA and server certificates (Key Material
    Objects, or KMOs). Doing this SHOULD have made it so all certificates you
    created (presumably after the CA change) would be minted by the new CA, so
    if you browse to those certificates you should see them with a Trusted
    Root of the new CA, which should have (by default) an expiration ten years
    from its creation (individual KMOs expire by default two years after
    creation). With this verified, your LDAP Server object (for which there
    is usually one per NCP/eDirectory server) will also have a link to one
    KMO. If you did not delete old certificates, it is very possible that the
    LDAP Server is still pointed to an old KMO and using it happily even
    though the rest of the tree is using new data, and the old KMO may be
    expired causing issues with clients (like iManager). Be sure to check
    that. If pointed to an old KMO, point it to a new one and then restart
    eDirectory (or maybe just the LDAP module).
    Other things you may try include setting up iManager Workstation 2.7 SP7;
    it runs on your workstation and then otherwise acts like the server in
    most areas. Getting old IDM 3.6.1 plugins on there may be the hardest
    part, but really should not be that hard if you have the IDM media
    somewhere. With this you can test pointing to your environment to see if
    anything works there, ruling in/out a weird iManager problem.
    Also, is it safe to assume that eDirectory 8.8 SP6 is the latest version
    in your tree? If 8.8 SP8 exists there is a change in LDAP configuration
    data, specifically the ldapInterfaces attribute on the LDAP Server object,
    which can cause LDAP-using plugins to have a hard time finding 8.8 SP8
    servers specifically.
    Lastly, especially if you have iManager Workstation or if you have
    iManager on a non-eDirectory box, getting a LAN trace could help us see
    exactly what iManager is doing on the wire, and then isolate better why it
    is failing.
    Good luck.
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • Xml form...editing on role based

    Hi ,
    I want to put edit button in show form which is generated by xml form builder. but the problem is , this button should work on role based. Is this possible....?
    regards
    Ram

    Hi Ram,
    > searched for proxy iview but couldn't find detail documentation
    There is no "detailed documentation" (there is in the meantime, my slides from TechEd 2006; but these are not public, I think). Anyhow, you can find a short description more than one time here in the forum, I'll repeat it once again:
    Implement an AbstractPortalComponent, implement an empty doContent method, overwrite doOnNodeReady, and at the end of this method call request.redirect(...) with the navigation component (com.sap.km.cm.navigation, you can get this from the KM URLGenerator) as the new target, passing the component parameters as URL parameter (so, among others, "rndLayoutSet=YourLayoutSet1" or the second, dependent on the role the user has got, which is the logic to be implemented in your method). The isolation level of the iView built out of this component must be URL isolated (otherwise the redirect does not work).
    Hope it helps
    Detlev
    PS: Please consider rewarding points for helpful answers on SDN. Thanks in advance!

  • JHeadStart Security problem-error page cannot be found- role based security

    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

    Thank you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and not by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
    To remind you my steps I paste the following again:
    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

  • To run OHS at port 80 using solaris role based access control

    Hi.
    I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
    On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
    /etc/user_attr:
    oracle::::type=normal;defaultpriv=basic,net_privaddr
    Change OHS httpd.conf Listen from port 8888 to port 80.
    However, opmnctl startproc process-type=OHS
    failed as below with nothing showing in the diag logs:
    opmnctl startproc: starting opmn managed processes...
    ================================================================================
    opmn id=truffle:6701
    0 of 1 processes started.
    ias-instance id=asinst_1
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ias-component/process-type/process-set:
    ohs1/OHS/OHS/
    Error
    --> Process (index=1,uid=187636255,pid=25563)
    failed to start a managed process after the maximum retry limit
    Thx,
    Ken

    Just to add my two cents here.
    The command used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
    # usermod -K defaultpriv=basic,net_privaddr <your_user_name>
    Restart the opmnctl daemon.
    After that OHS/Apache user can bind to lower TCP ports.
    Regards.
    Edited by: Tuelho on Oct 9, 2012 6:05 AM

  • Role based data visibility is not working in Round manager

    I am looking for role based data visibility in Syclo round manager application where technician will see the data which is assigned to his name only (not all the data)  I have created one custom role in SAP system and it's working fine .It's showing the below message :
    Now I want to implement the same in syclo round manager .So I went to the SAP configuration panel and set the same user role on the security setting in class handler .Z_SYCLO_RM_ROLE is the custom role which I mentioned earlier .I tried with different option in this tab but it's not working .
    Please let me know if I missed something to mention or is there any other process I need to follow .
    Tags edited by: Michael Appleby

    > is not working
    Insufficient information. In what way is it "not working"? The page doesn't render as required? There's an error message? The browser crashes? The server room has been trampled into dust by a herd of buffalo?
    >
    I am unable to make it as page form / report.
    v1 := v1 || ' ' ||'<input inline type =submit style="color:BLUE;background-color:RED" value='||c2.plot_id||'>';
    ...It is not possible to generate form elements in an APEX page in this way. The APEX_ITEM API (http://download.oracle.com/docs/cd/E14373_01/apirefs.32/e13369/apex_item.htm#CACEEEJE) is the only way to create APEX items in PL/SQL. However it contains no procedures to generate button items, so an alternative design is required in this case, e.g. a report with links.
    (Also what is the intention of "inline" in the above code? There is no inline attribute: http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#h-17.4.)

  • Role-Based CLI Views with AAA method

    Hi,
    I'm configuring Role-Based CLI Views on a router for limiting access to users.
    My criteria:
    - There should be a local user account on the router that has the view 'service' attached to it
    - If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
    My configuration:
    aaa new-model
    enable secret 1234
    username service view service secret 1234
    aaa group server radius my_radius
    server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
    server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
    aaa authorization console
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    line vty 0 4
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    transport input ssh
    The ERROR
    Now I want to go configure the cli view 'service'...
    # enable view
    Password: 1234
    *Jun  1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
    *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
    *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
    *Jun  1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
    The Questions
    Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
    Can you change this behaviour to always use the enable secret?
    The TEMP Solution
    If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
    aaa authentication login VIEW_CONFG local
    line vty 0 4
    login authentication VIEW_CONFG
    Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
    Thanks so much for the suggestions
    /JZN

    hi,
    You have the following configured:
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    line vty 0 4
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    transport input ssh
    Hence every time you try to log in to the console or try SSH, the authentication will head to the radius server because of the following command: "login authentication mgmt".
    You cannot make it locally. Whatever is defined on the method list mgmt first will take precedence.
    enable secret will be locally defined, but you have the following configured:
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    line vty 0 4
    authorization exec mgmt
    Hence exec mode will also be done via radius server.
    When you configure:
    aaa authentication login VIEW_CONFG local
    line vty 0 4
    login authentication VIEW_CONFG
    You are making the authentication local, hence it is working the way you want.
    In short, whatever authentication is defined first on the method list will take precedence. The fallback will be checked only if the first AAA server is not reachable.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
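
An added example, not part of the original thread and not Cisco code: a small Python model of the method-list behaviour the answer above describes, where the next method is tried only when the RADIUS group does not answer. The config strings are constructed from the lines posted in the question (indentation restored), and the function names and the accept/reject/timeout model of a RADIUS reply are assumptions.

```python
import re

# Constructed from the configuration posted in the question.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local
line con 0
 authorization exec mgmt
 login authentication mgmt
line vty 0 4
 authorization exec mgmt
 login authentication mgmt
 transport input ssh
"""

# Constructed from the poster's temporary workaround.
WORKAROUND = """\
aaa authentication login VIEW_CONFG local
line vty 0 4
 login authentication VIEW_CONFG
"""


def parse_methods(tokens):
    """Turn ['group', 'my_radius', 'local'] into ['group my_radius', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Return (method_lists, lines) for the AAA statements this thread uses."""
    lists = {}    # ("authentication login", "mgmt") -> ["group my_radius", "local"]
    lines = {}    # "vty 0 4" -> {"login authentication": "mgmt", ...}
    current = None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if not raw.startswith((" ", "\t")):
            current = None                      # a top-level command ends line mode
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)$", s)
        if m:
            lists[(m.group(1), m.group(2))] = parse_methods(m.group(3).split())
            continue
        m = re.match(r"line (\S+ \d+(?: \d+)?)$", s)
        if m:
            current = lines.setdefault(m.group(1), {})
            continue
        if current is not None:
            m = re.match(r"(login authentication|authorization exec) (\S+)$", s)
            if m:
                current[m.group(1)] = m.group(2)  # a later statement overrides
    return lists, lines


def evaluate(methods, radius_reply, local_ok):
    """Walk a method list in order; only 'timeout' moves on to the next method."""
    if radius_reply not in ("accept", "reject", "timeout"):
        raise ValueError("radius_reply must be accept, reject or timeout")
    for method in methods:
        if method.startswith("group "):
            if radius_reply == "timeout":
                continue                        # server unreachable: fall through
            return radius_reply == "accept", method
        if method == "local":
            return local_ok, method
        raise ValueError("method not modelled in this example: " + method)
    return False, None


def login_outcome(config_text, line, radius_reply, local_ok=True):
    """Return (method list applied to the line, passed?, method that decided)."""
    lists, lines = parse_config(config_text)
    name = lines.get(line, {}).get("login authentication", "default")
    methods = lists[("authentication login", name)]  # KeyError if list undefined
    passed, decided_by = evaluate(methods, radius_reply, local_ok)
    return name, passed, decided_by


if __name__ == "__main__":
    for cfg_name, cfg in (("before", CONFIG_BEFORE),
                          ("with workaround", CONFIG_BEFORE + WORKAROUND)):
        for reply in ("reject", "timeout"):
            print(cfg_name, "vty 0 4", reply, login_outcome(cfg, "vty 0 4", reply))
```

With the workaround applied only to the vty lines, the console line still resolves to the `mgmt` list, so a RADIUS reject there is still final.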

  • Role based authorisations in the Integration Directory

    We have built a new PI landscape (Pi 7.11) and worked with our security teams to perfect the various roles. I am now attempting to implement role based authorisations in the ESR & ID so that objects in our QAS and PRD environments can be configured but not deleted or created. I have implemented role based authorisations as per the SAP standard process performing the following actions
    Exchange profile com.sap.aii.ib.util.server.auth.activation was set to true and the Java Stack Restarted.
    I created a role in the ID that allowed editing of any object.
    I assigned the role to my userid in NWA useradmin
    I am unable to edit ANY object in the ID
    When I set the Exchange profile parameter to false I found I was able to edit any object in the ID.
    So it's obvious that the Exchange Profile Parameter does make a difference. However, it doesn't appear as if the role I created is being referenced, even though I assigned it to my account in NWA user admin. It looks like I may be missing some exchange profile parameters. I have the following exchange profiles set:
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.ib.server.acl.enable (boolean) true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.ib.server.acl.enable (boolean) true
    Any advice you can offer would be appreciated

    Resolved this issue.
    The documentation is confusing but finally found the answer by referring to the SAP XI 3.0 documentation.

  • Reseeding cache for users with role based security

    I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

    I have created an ibot with the following:
    General - Normal Priority, Personalized (recipient's data visibility)
    Conditional Request - example_report
    Schedule - some schedule
    Recipients - Me(administrator) and User1
    Destinations - Oracle BI Server cache
    when the ibot runs 2 cache entries are created (for the 2 recipients).
    I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
    After the ibot runs:
    When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
    On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
    The User1 has a data level security.
    Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
    Thanks for your inputs.

  • ERM error: Field ROLE not a member of INPUT

    Hi Experts,
    After upgrade to 11.2 I'm having this error.
    It appears at the Define Authorization stage after I chose transactions and clicking continue.
    The connectors and JCos are working.
    Please assist.
    Thx,
    Vit V
    edit: All XMLs reloaded and system restarted.
    2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Current Module: |RE| Conversation: |cnvRole| Screen: |scrSearchTransaction|
    2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG  Module#RE#Conversation#cnvRole#Screen#scrManageAuthorization#Action#continueTCodeSearch#
    2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Changing Screen: FROM: scrSearchTransaction TO scrManageAuthorization
    2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.framework.Context : clearScreenRep :   : 6 entries cleared from screen repositiory
    2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG Handler found:class com.virsa.re.role.actions.AuthAuthorizationDataAction
    2010-04-20 11:59:05,575 [SAPEngine_Application_Thread[impl:3]_39] DEBUG SAPConnectorDAO.java@365:com.virsa.comp.connectors.dao.jdbc.SAPConnectorDAO.findByConnectorName()connectorId: 5; lngId: 1
    2010-04-20 11:59:05,590 [SAPEngine_Application_Thread[impl:3]_39] DEBUG SAPConnectorDAO.java@365:com.virsa.comp.connectors.dao.jdbc.SAPConnectorDAO.findByConnectorName()connectorId: 5; lngId: 1
    2010-04-20 11:59:05,590 [SAPEngine_Application_Thread[impl:3]_39] DEBUG com.virsa.service.sap.SAPConnectorHelper : getClientFromSLD :   : INTO the method SapConnectorDTO :com.virsa.service.sap.dto.SapConnectorDTO@3e0a2020[conClass=,system=COD200,appId=COD200,host=consit-sap,systemNo=00,client=200,userId=codcom,SystemLang=EN,sysId=cod,messageServerGrp=default,messageServerHost=consit-sap,password=xxxxx,type=ECC600,userName=,description=COD200,isSLD=true,isActive=true,isHRSystem=false]
    2010-04-20 11:59:05,590 [SAPEngine_Application_Thread[impl:3]_39] ERROR Field ROLE not a member of INPUT
    java.lang.Throwable: Field ROLE not a member of INPUT
         at com.sap.mw.jco.JCO$MetaData.indexOf(JCO.java:9534)
         at com.sap.mw.jco.JCO$Record.setValue(JCO.java:14923)
    Edited by: Vit Vesely on Apr 20, 2010 12:10 PM

    Hi guys,
    The problem is finally resolved.
    1. Implement SNOTE 1441463
    2. Implement SNOTE 1443612
    3. Register key for object /VIRSA/RE_OBJ_INFO
    4. In SE03 >> Administration >> Set System Change Option. Change /VIRSA/ to modifiable
    5. In Se11 open data type /VIRSA/RE_OBJ_INFO in change mode with the key from p. 3
    6. Edit structure according to Note 1452772. Save and activate.
    7. Implement SNOTE 1452772
    8. Restart grc~reear (or the server)
    ...or wait for VIRSANH patch 12
    Hopefully it will work for you as well.
    Kind Regards,
    Vit

  • Role-based view commands missing from config

    Hi All,
    I set up a 2960G with IOS 12.2(44)SE6 and created a role-based view to be used by our helpdesk. One of the things they need to do is add rules to a MAC ACL on the switch. I've successfully created a view for them and can include and exclude most commands, however, when I try to include the "commands mac-enacl include all permit" command, I get no syntax error, and there is no line in my configuration reflecting the change. As it stands, from the helpdesk view (named smco) I can get into mac acl configuration mode, but I can't issue any of the sub commands.
    Any advice would be greatly appreciated. I tried upgrading to 12.2(55)SE and had the same result.
    The current configuration for the parser view is as follows:
    parser view smco
    secret 5 hashed_pw
    commands configure include mac access-list extended
    commands configure include all mac access-list
    commands configure include mac
    commands exec include configure terminal
    commands exec include configure

    After I issue the command "commands mac-enacl include all permit" there is no line in my startup or running configuration that says: "commands mac-enacl include all permit" or anything that closely resembles that.
    I've tested with multiple local accounts.  After authenticating, I issue the "enable view smco".

  • Role Based workflows & Sync Options

    Hi Team,
    I would like to know if the system allows for role based rights in authoring the content. Eg: teachers have right to edit content while the student can only view or download the content.
    What are the Sync options available. Does the content automatically get updated when moving from offline to online mode?

    Hello and welcome to the forum,
    Are you a newbie with Captivate? The published version (either SWF or HTML5) cannot be edited, only the 'raw' unpublished CPTX or CPVC files can be edited. So, your teachers should need to have Captivate installed and then they can edit cptx/cpvc files and republish them. For students you upload published output to a LMS or a webserver.
    Lilybiri
    Sorry forgot about sync, no, since you have to republish when file has been edited.

  • Privileges and Roles Based Views

    Hello,
    I have been configuring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great. I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view. I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
    Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!! If you know if they can then all this would be solved, I'm using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
    How can I convert the Roles Base Views to privileges and use radius and not affect the other switches, as I've never used privileges.
    I hope someone can help with the config:
    Below is the config I use on the 2960's and 3750's and also what I use on the radius servers. I guess I would need to use a priv 15 setup and a custom view called priv3?
    Priv3 radius user settings
    cisco av-pair cli-view-name=priv3
    Priv 15 or root user settings
    cisco av-pair shell:priv-lvl=15
    cisco av-pair shell:cli-view-name=root
    Config:
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname 3750
    boot-start-marker
    boot-end-marker
    logging buffered 64000
    logging console informational
    logging monitor informational
    enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
    username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
    username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default line
    aaa authorization console
    aaa authorization exec default group radius local
    aaa session-id common
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
    switch 1 provision ws-c3750g-12s
    switch 2 provision ws-c3750g-12s
    system mtu routing 1500
    udld aggressive
    no ip domain-lookup
    ip domain-name CB-DI
    login on-failure log
    login on-success log
    crypto pki trustpoint TP-self-signed-3817403392
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3817403392
    revocation-check none
    rsakeypair TP-self-signed-3817403392
    crypto pki certificate chain TP-self-signed-3817403392
    certificate self-signed 01
      removed
      quit
    archive
    log config
      logging enable
      logging size 200
      notify syslog contenttype plaintext
      hidekeys
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    spanning-tree vlan 10 priority 8192
    vlan internal allocation policy ascending
    ip ssh version 2
    interface GigabitEthernet1/0/1
    interface GigabitEthernet1/0/24
    interface Vlan1
    description ***Default VLAN not to be used***
    no ip address
    no ip route-cache
    no ip mroute-cache
    shutdown
    interface Vlan10
    description ****
    ip address 10.10.150.11 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    ip default-gateway 10.10.150.1
    ip classless
    no ip http server
    ip http secure-server
    logging trap notifications
    logging facility local4
    logging source-interface Vlan10
    logging 10.10.21.8
    logging 172.23.1.3
    access-list 23 permit 10.10.1.65
    snmp-server community transm1t! RO
    snmp-server trap-source Vlan10
    radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
    radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    exec-timeout 60 0
    logging synchronous
    line vty 0 4
    access-class 23 in
    exec-timeout 60 0
    logging synchronous
    transport input ssh
    line vty 5 14
    access-class 23 in
    no exec
    transport input ssh
    parser view priv3
    secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
    ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
    commands interface include shutdown
    commands interface include no shutdown
    commands interface include no
    commands configure include interface
    commands exec include configure terminal
    commands exec include configure
    commands exec include show ip interface brief
    commands exec include show ip interface
    commands exec include show ip
    commands exec include show arp
    commands exec include show privilege
    commands exec include show interfaces status
    commands exec include show interfaces Vlan10 status
    commands exec include show interfaces Vlan1 status
    commands exec include show interfaces GigabitEthernet2/0/12 status
    commands exec include show interfaces GigabitEthernet2/0/11 status
    commands exec include show interfaces GigabitEthernet2/0/10 status
    commands exec include show interfaces GigabitEthernet2/0/9 status
    commands exec include show interfaces GigabitEthernet2/0/8 status
    commands exec include show interfaces GigabitEthernet2/0/7 status
    commands exec include show interfaces GigabitEthernet2/0/6 status
    commands exec include show interfaces GigabitEthernet2/0/5 status
    commands exec include show interfaces GigabitEthernet2/0/4 status
    commands exec include show interfaces GigabitEthernet2/0/3 status
    commands exec include show interfaces GigabitEthernet2/0/2 status
    commands exec include show interfaces GigabitEthernet2/0/1 status
    commands exec include show interfaces GigabitEthernet1/0/12 status
    commands exec include show interfaces GigabitEthernet1/0/11 status
    commands exec include show interfaces GigabitEthernet1/0/10 status
    commands exec include show interfaces GigabitEthernet1/0/9 status
    commands exec include show interfaces GigabitEthernet1/0/8 status
    commands exec include show interfaces GigabitEthernet1/0/7 status
    commands exec include show interfaces GigabitEthernet1/0/6 status
    commands exec include show interfaces GigabitEthernet1/0/5 status
    commands exec include show interfaces GigabitEthernet1/0/4 status
    commands exec include show interfaces GigabitEthernet1/0/3 status
    commands exec include show interfaces GigabitEthernet1/0/2 status
    commands exec include show interfaces GigabitEthernet1/0/1 status
    commands exec include show interfaces Null0 status
    commands exec include show interfaces
    commands exec include show configuration
    commands exec include show
    commands configure include interface GigabitEthernet1/0/1
    commands configure include interface GigabitEthernet1/0/2
    commands configure include interface GigabitEthernet1/0/3
    commands configure include interface GigabitEthernet1/0/4
    commands configure include interface GigabitEthernet1/0/5
    commands configure include interface GigabitEthernet1/0/6
    commands configure include interface GigabitEthernet1/0/7
    commands configure include interface GigabitEthernet1/0/8
    commands configure include interface GigabitEthernet1/0/9
    commands configure include interface GigabitEthernet1/0/10
    commands configure include interface GigabitEthernet1/0/11
    commands configure include interface GigabitEthernet1/0/12
    commands configure include interface GigabitEthernet2/0/1
    commands configure include interface GigabitEthernet2/0/2
    commands configure include interface GigabitEthernet2/0/3
    commands configure include interface GigabitEthernet2/0/4
    commands configure include interface GigabitEthernet2/0/5
    commands configure include interface GigabitEthernet2/0/6
    commands configure include interface GigabitEthernet2/0/7
    commands configure include interface GigabitEthernet2/0/8
    commands configure include interface GigabitEthernet2/0/9
    commands configure include interface GigabitEthernet2/0/10
    commands configure include interface GigabitEthernet2/0/11
    commands configure include interface GigabitEthernet2/0/12
    ntp logging
    ntp clock-period 36028961
    ntp server 10.10.1.33
    ntp server 10.10.1.34
    end
    Thanks!!!!

    DBelt --
    Hopefully this example suffices.
    Setup
    SQL> CREATE USER test IDENTIFIED BY test;
    User created.
    SQL> GRANT CREATE SESSION TO test;
    Grant succeeded.
    SQL> GRANT CREATE PROCEDURE TO test;
    Grant succeeded.
    SQL> CREATE ROLE test_role;
    Role created.
    SQL> GRANT CREATE SEQUENCE TO test_role;
    Grant succeeded.
    SQL> GRANT test_role TO test;
    logged on as Test
    SQL> CREATE OR REPLACE PACKAGE definer_rights_test
      2  AS
      3          PROCEDURE test_sequence;
      4  END definer_rights_test;
      5  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
      2  AS
      3          PROCEDURE test_sequence
      4          AS
      5          BEGIN
      6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
      7          END;
      8  END definer_rights_test;
      9  /
    Package body created.
    SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
      2  AUTHID CURRENT_USER
      3  AS
      4          PROCEDURE test_sequence;
      5  END invoker_rights_test;
      6  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
      2  AS
      3          PROCEDURE test_sequence
      4          AS
      5          BEGIN
      6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
      7          END;
      8  END invoker_rights_test;
      9  /
    Package body created.
    SQL> EXEC definer_rights_test.test_sequence;
    BEGIN definer_rights_test.test_sequence; END;
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
    ORA-06512: at line 1
    SQL> EXEC invoker_rights_test.test_sequence;
    PL/SQL procedure successfully completed.
    SQL> SELECT test_seq.NEXTVAL from dual;
                 NEXTVAL
                       1
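
Added example, not part of the original answer: the session above fails because roles are disabled inside definer's-rights stored code, and the queries below make that visible and show how to audit and fix it. It assumes the TEST user and TEST_ROLE from the post; the two function names are hypothetical.

```sql
-- Added example. Run as TEST after the setup in the post above.
-- roles_seen_definer / roles_seen_invoker are hypothetical names.

-- 1. At the SQL*Plus prompt roles are active, so TEST_ROLE is listed.
SELECT role FROM session_roles;

-- 2. Same query from inside stored code. The default (AUTHID DEFINER)
--    runs with roles disabled; AUTHID CURRENT_USER keeps them enabled.
CREATE OR REPLACE FUNCTION roles_seen_definer RETURN NUMBER
AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM session_roles;
  RETURN n;
END;
/
CREATE OR REPLACE FUNCTION roles_seen_invoker RETURN NUMBER
AUTHID CURRENT_USER
AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM session_roles;
  RETURN n;
END;
/
SELECT roles_seen_definer AS definer_roles,
       roles_seen_invoker AS invoker_roles
FROM dual;

-- 3. Audit which program units in this schema run with which rights.
SELECT DISTINCT object_name, authid
FROM user_procedures
ORDER BY object_name;

-- 4. Privileges granted directly to TEST (not through a role) are the
--    only ones definer's-rights code can use.
SELECT privilege FROM user_sys_privs;

-- 5. Run as a DBA, not as TEST: a direct grant lets the
--    definer's-rights package create the sequence without AUTHID CURRENT_USER.
GRANT CREATE SEQUENCE TO test;
```

AUTHID CURRENT_USER makes the code run with each caller's own privileges, while definer's-rights code lends the owner's direct grants to every caller holding EXECUTE, so choose between step 5 and invoker's rights based on whose privileges the code should carry.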

  • True Role-Based Administration?

    I'm sure this has been asked and answered many times, but are there any plans to make the ZCC more iManager-y in terms of Role-Based Administration? I'm trying to create a Report Viewer Role for the Help Desk, and I simply don't want them to be able to click through the rest of the Admin interface. Easy in iManager, why not in ZCC?
    Thanks,
    Holly

    Hnewman,
    we've had quite a few enhancement requests for this -
    http://support.novell.com/enhancement you might want to add your
    "voice"...
    Shaun Pond
