Init function to enable dynamic roles

Hi
We want to use dynamic roles at the database level. We are using JAAS for security at the application level, and we want to enable the roles in a database procedure based on the JAAS username, but we need to execute this database procedure before any other action, like an init() function. Where can we execute this method? I tried in the ApplicationModule constructor, but it doesn't work well because I need to use the function getApplicationModule to obtain the JAAS user.
Where can I execute this method? Maybe a function at the Application Module level?
Thanks in advance
Liceth

Liceth,
With functionality like this you have to always remember that many things (such as Application Module instances and DB connections) are pooled and re-used, so the constructor of an ApplicationModuleImpl is definitely NOT the place!
If I understood your problem correctly, it sounds very similar to the problem you would be facing when using Business Components together with the VPD (Virtual Private Database) feature of the Oracle Database. It boils down to you having to execute a PL/SQL procedure every time a database connection is obtained from the database connection pool when an ApplicationModule instance is checked out from the ApplicationModulePool for a particular user/session.
If you search OTN on the combination VPD and BC4J, you will certainly find some very useful documents that will probably help you implement your solution.
Kind regards,
Peter Ebell
JHeadstart Team
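
One way to implement what Peter describes, as an added example that is not part of the original thread: override prepareSession(), which the framework calls when a pooled application module instance starts serving a user session, instead of using the constructor. The class name AppModuleImpl and the procedure app_security.enable_roles_for are hypothetical; the JAAS name is bound as a parameter, and any failure stops the request rather than leaving the previous user's roles enabled on the reused connection.

```java
import java.sql.CallableStatement;
import java.sql.SQLException;

import oracle.jbo.JboException;
import oracle.jbo.Session;
import oracle.jbo.server.ApplicationModuleImpl;

public class AppModuleImpl extends ApplicationModuleImpl {

    // Hypothetical PL/SQL procedure (an assumption of this example). It must
    // replace, not extend, the roles enabled on the connection, so nothing
    // enabled for the previous pooled user survives.
    private static final String ENABLE_ROLES =
        "begin app_security.enable_roles_for(?); end;";

    // Framework hook: runs when this pooled instance is prepared for a user
    // session, at which point the authenticated principal is available.
    @Override
    protected void prepareSession(Session session) {
        super.prepareSession(session);
        enableRolesFor(getUserPrincipalName());
    }

    private void enableRolesFor(String jaasUser) {
        // Fail closed: without a user name there is nothing safe to enable.
        if (jaasUser == null || jaasUser.trim().isEmpty()) {
            throw new JboException("No authenticated user; refusing to prepare session");
        }
        CallableStatement stmt = null;
        try {
            stmt = getDBTransaction().createCallableStatement(ENABLE_ROLES, 0);
            // Bind the name; never concatenate it into the PL/SQL text.
            stmt.setString(1, jaasUser);
            stmt.execute();
        } catch (SQLException e) {
            // Propagate so the request does not continue with stale roles.
            throw new JboException(e);
        } finally {
            if (stmt != null) {
                try {
                    stmt.close();
                } catch (SQLException ignore) {
                    // Nothing useful to do if close fails.
                }
            }
        }
    }
}
```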

Similar Messages

  • Dynamic Role -- Group Mapping not working in WebLogic 10

    I have an installation I am migrating from 9.2 to 10. It uses Dynamic Role Mapping:
    From my Weblogic.xml within the deployment:
        <security-role-assignment>
            <role-name>EELSSystemAdministrator</role-name>
            <externally-defined/>
        </security-role-assignment>
    I am using SPNEGO SSO, and it is working fine, it retrieves the principals from LDAP and adds them to the subject, so everything is fine there. I have defined the deployment constraint "EELSSystemAdministrator" as a Global Role, and then added a condition "group" and set it to the LDAP Group (SMS EELSSystemAdministrator) which is one of the three principals being returned from LDAP.
    When the Role mapper runs, it returns the following in the logs:
    <SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users, SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator ,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> false>
    <SecurityRoleMap> <primary-rule evaluates to NotApplicable because of Condition>
    <SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:top, 1.0 evaluates to Deny>
    <SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: DENIED
    In my 9.2 installation that is working I get the following in the logs:
    <SecurityRoleMap> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(SMS EELSSystemAdministrator,[everyone,users,SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> true>
    <SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:function:or(true) -> true>
    <SecurityRoleMap> <primary-rule evaluates to Permit>
    <SecurityRoleMap> <urn:bea:xacml:2.0:entitlement:role:EELSSystemAdministrator:type@E@Furl@G@M@Oapplication@EEELSWeb@[email protected]@O$@S@VDSTAMP@S@W@M@OcontextPath@E@UEELS@M@Ouri@E@U, 1.0 evaluates to Permit>
    <SecurityRoleMap> <XACML RoleMapper: accessing role EELSSystemAdministrator: GRANTED>
    I am not sure why my 9.2 deployment lists the role type as a "url" (which points to the right deployment), and 10 lists it as the word "top". Either way, it is not authenticating to my global role based on the Group returned from LDAP.
    I'm pretty much out of troubleshooting ideas, having compared every config file/log file etc. to find discrepancies in my setup. Anyone have any suggestions, perhaps something that has to be set up differently in 10 than in 9.2?
    Thanks in Advance,
    John

    Update:
    I checked a bunch of settings, and it seems to be working now, very odd.
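
    In the WebLogic 10 lines as quoted above, the value passed to string-is-in ends with a space before the comma, while the 9.2 line has none. The following added example (not from the original post; the class and method names are hypothetical) parses such an Evaluate line and reports list members that match the value only once whitespace and case are ignored.

    ```java
    import java.util.ArrayList;
    import java.util.List;
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    public class StringIsInCheck {

        // Matches: string-is-in(<value>,[<member>,<member>,...]) -> true|false
        private static final Pattern EVAL = Pattern.compile(
            "string-is-in\\((.*?),\\[(.*?)\\]\\)\\s*->\\s*(true|false)");

        // Returns one finding per list member that equals the value only
        // after trimming and case folding, for evaluations that came out false.
        static List<String> nearMisses(String logLine) {
            List<String> findings = new ArrayList<>();
            Matcher m = EVAL.matcher(logLine);
            if (!m.find() || !"false".equals(m.group(3))) {
                return findings;
            }
            String wanted = m.group(1);
            for (String member : m.group(2).split(",", -1)) {
                boolean exact = member.equals(wanted);
                boolean loose = member.trim().equalsIgnoreCase(wanted.trim());
                if (!exact && loose) {
                    findings.add("value [" + wanted + "] vs member [" + member + "]");
                }
            }
            return findings;
        }

        public static void main(String[] args) {
            // The two Evaluate lines from the post, copied as quoted there.
            String wls10 = "<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:"
                + "function:string-is-in(SMS EELSSystemAdministrator ,[everyone,users,"
                + "SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> false>";
            String wls92 = "<SecurityRoleMap> <Evaluate urn:oasis:names:tc:xacml:1.0:"
                + "function:string-is-in(SMS EELSSystemAdministrator,[everyone,users,"
                + "SMS EELSSystemAdministrator,SMS EELSReportAnalyst]) -> true>";
            // Brackets in the output make leading or trailing spaces visible.
            System.out.println("10:  " + nearMisses(wls10));
            System.out.println("9.2: " + nearMisses(wls92));
        }
    }
    ```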

  • GET SET function in a dynamic Class?

    Is it possible to add a GET SET function in a dynamic class, like we can add properties to a dynamic class?

    correction :
    MyObjectProxy extends ObjectProxy{
         override callProperty(
              // your dyna logic
    and expose new MyObjectProxy(dynaInstance)

  • BPM Dynamic Roles

    Hi All,
    I am trying to figure out how I can dynamically assign roles within BPM. So I want to be able to route the BPM process to the manager of the user that the process was assigned. I am just not sure how to dynamically do this within BPM.
    Any thoughts? Any documentation on dynamic roles would be greatly appreciated.
    We are using BPM 11g.
    --S

    So is it the call CreateResourceList that lets you actually set the user / approle for a flow?
    It looks like that might be on the right track.
    --S

  • Authorizations: Dynamic roles

    Hello everybody,
    We are going to migrate our authorizations from 3.x concept to BI-7.
    With the new concept we are compelled to respect certain requirements, such as including in the single user profile every “AuthorizationRelevant” InfoObject (those that are also built into the InfoProvider, intended for future analysis).
    - Certain users had only one dynamic role. In such a case we are able to restrict, for instance:
        o 0CO_AREA = a value;
        o every other InfoObject “AuthorizationRelevant” = “*” (every single value)
    - Certain users had two or more dynamic roles; in such a case we are supposed to:
        o ROLE 1: 0CO_AREA = a value; every other InfoObject “AuthorizationRelevant”, for instance 0COMANY_CODE = “*” (every single value)
        o ROLE 2: 0COMANY_CODE = a value; every other InfoObject “AuthorizationRelevant”, for instance 0CO_AREA = “*” (every single value)
    In this particular case, though, we expect that the system will ignore our restrictions because it is in fact adding the two roles:
    ROLE 1 is set: 0CO_AREA = a value;
    ROLE 2 is set: 0CO_AREA = “*”.
    Based on what we just described above, here are our questions:
    1. Does a symbol exist (for instance “:” or “>”) that we can assign to every “AuthorizationRelevant” InfoObject in order to cheat the system, making it understand that it is there but not relevant for the authorizations (instead of using “*”)?
    2. If not, can you please suggest another way to cope with the problem of a user having several dynamic roles assigned?
    Thank you very much
    Matteo Mariniello

    Hello,
    I don't have a solution, but I think I understood Matteo's goal, which is not at all to authorize users to do anything they want.
    He wants to restrict certain tasks, but when a user has two or more dynamic roles, the addition of them makes the restriction useless.
    As he said
    Dynamic Role 1)
    0CO_AREA = a value
    0COMP_CODE= *
    Dynamic Role 2)
    0CO_AREA = *
    0COMP_CODE= A VALUE
    Therefore, the addition of them for ONE user is going to make the restrictions
    0CO_AREA = a value
    0COMP_CODE= a value
    USELESS!!
    Take Care
    Domenico

  • Dynamic roles in Agent Assignment

    Dear All
    I have a requirement to assign dynamic roles which are stored in a container element. When I select the role in the agent assignment of the task, all the system roles come up in the drop-down. How do I assign the role stored in the container element in agent assignment?
    Thanks in advance

    You can use a simple rule that returns the agents having that role; FM PRGN_READ_USERS_FOR_ONE_AGR will do the trick.
    Or else I think you can just use a role as an expression (haven't done this myself). Just as you would pass in USUSERNAME, prefix it with AG. You may have an issue with data types though if the role name is longer than the standard HR object name, I haven't tried it for this very reason.

  • RFC FUNCTION/BAPI for derived Roles (PFCG)

    Hi all,
    I have found many RFC functions for user and role management but nothing for creating derived roles.
    Any idea for creating derived roles from external applications?
    Thanks
    Andrea

    Hi Andrea,
    check the link below.
    automate update profiles by abap (without PFCG)
    Re: automate update profiles by abap (without PFCG)  ?
    Also check if this is helpful
    BAPI_JOBROLE_CLONE 
    Regards,
    SuryaD.

  • Admin Server start failure-Error running init function load-modules

    Hi,
    run start-admin, I get:
    SunONE-WebServer-Enterprise/6.0SP3 B05/14/2003 18:31
    failure: server exit: status 1 (Interrupted system call)
    in log file, it said:
    [07/Nov/2005:12:34:12] info (215932): successful server startup
    [07/Nov/2005:12:34:12] info (215932): SunONE-WebServer-Enterprise/6.0SP3 B05/14/2003 18:31
    [07/Nov/2005:12:34:13] failure (215932): Configuration initialization failed: Error running init function load-modules: dlopen of /usr/users/seaie1/SEAIE/LDAPServer/bin/https/lib/libAdmservPlugin.so failed (Symbol resolution failed for /usr/users/seaie1/SEAIE/LDAPServer/lib/libadmsslutil52.so because:
         Symbol ucnv_convert (number 1) is not exported from dependent
         module /usr/lib/libicuuc.so.
    Examine .loader section symbols with the 'dump -Tv' command.)
    What's the problem?
    Thanks in advance.

    Never mind... the problem surfaced after renaming the web server without reinstalling the Siebel plugin. Problem was resolved by uninstalling/reinstalling the plugin.

  • System init function failed, Uunixerr = : msgget: No such file or directory

    windows Server 2008 Enterprise
    tuxedo11GR1PS1
    when I run command "tmboot -y", I got the following error info at ULOG file:
    105806.RNO05045.us.oracle.com!BBL.3536.5040.0: LIBTUX_CAT:681: ERROR: Failure to create message queue
    105806.RNO05045.us.oracle.com!BBL.3536.5040.0: LIBTUX_CAT:248: ERROR: System init function failed, Uunixerr = : msgget: No such file or directory
    What's the problem? Anyone help!!!

    I have similar error on Enterprise Linux 64 Bit.
    Tuxedo Version 10.3.0.0, 64-bit
    075418.localhost.localdomain!PSRENSRV.4072.491399232.-2: LIBTUX_CAT:681: ERROR: Failure to create message queue
    075418.localhost.localdomain!PSRENSRV.4072.491399232.-2: LIBTUX_CAT:248: ERROR: System init function failed, Uunixerr = : msgget: No such file or directory
    075418.localhost.localdomain!tmboot.4023.3569636960.-2: CMDTUX_CAT:825: ERROR: Process PSRENSRV at localhost.localdomain failed with /T tperrno (TPEOS - operating system error)
    075418.localhost.localdomain!tmboot.4023.3569636960.-2: tmboot: CMDTUX_CAT:827: ERROR: Fatal error encountered; initiating user error handler
    075422.localhost.localdomain!BBL.4020.2558671968.0: CMDTUX_CAT:26: INFO: The BBL is exiting system
    075425.localhost.localdomain!PSADMIN.4014: End boot attempt on domain fdmo91
    Can someone help me please?
    Edited by: user6844468 on Nov 19, 2010 8:58 AM

  • I have installed Grease Monkey plugin using unsafeWindow.Engine.init() function. It says unsafeWindow.Engine undefined. Please help as soon as possible.


  • Dynamic role Assignment in Portal using Web dynpro Java?

    Hi All,
    We have following requirement for dynamic role assignment.
    1) User Login to Portal.
    2) User Clicks on Home Tab in Portal, through RFC/BAPI, get Role from Backend(ECC) and compare the role ID with Portal Object ID through UME.
    Role gets assigned in Portal after comparison, if it exists in Portal.
    Can you please let me know what all steps I need to do to complete the above assignment.
    Thank you
    Ravi

    Thanks Tobias.
    To be precise, I will explain my requirement.
    1) User login (User ID will be input to RFC)
    2) RFC will get the role for that user ID from the backend (ECC) and return that role ID to the Portal.
    3) Now, with the help of the UME API, we need to search for the role ID in the Portal. If it exists, no action.
    If the role ID does not exist, then it should assign that role in the Portal.
    Sorry for the tedious comment.
    I am a bit new to Web Dynpro.
    Can you please tell me each step I need to follow to complete the above requirement?
    Many Thanks,
    Ravi

  • What does 'init functions are not allowed in this objset' mean and how can it be fixed?

    We have added some init functions to the beginning of the obj.conf file so that we can proxy off to Weblogic.
    However when we try to run the Web server we get an error message 'init functions are not allowed in this objset'.
    The syntax seems to be correct. Has anyone any idea how this can be fixed?

    You are probably using iPlanet Web Server 6.0 or higher; starting with 6.0, the web server does not allow Init directives to appear on the obj.conf file. Instead, place your Init directives in the magnus.conf file.
    This is documented in the Installation and Migration Guide at http://docs.iplanet.com/docs/manuals/enterprise/50/ig/migrate.htm#20780 in the Programmer's Guide at http://docs.iplanet.com/docs/manuals/enterprise/50/pg/1-intro.htm#13565 and in the NSAPI Programmer's Guide at http://docs.iplanet.com/docs/manuals/enterprise/50/nsapi/02_objcn.htm#13097

  • UnsatisfiedLinkError upon System.load() of library even though the load is in the init() function of the servlet.

    All,
    Any help on this would be appreciated. We have a servlet that calls a native method
    and we load the native library in the servlet's 'init()' method so the servlet
    gets loaded only once. However, periodically, I get the following error:
    java.lang.UnsatisfiedLinkError : Native Library /opt/shared2/weblogic/myserver/servletclasses/twtc/servlet/toc/toclib.so
    already loaded in another classloader
    It seems to bring down weblogic when this happens.
    Why does this happen?
    Is there a way around this?
    As a test, I called System.load() 10 times outside of the init function with the
    same library and it did not fail once but it does periodically in the init() function
    of my servlet, which implies that the init function is being called more than
    once.

    As the error message says, you can only load a native library once per ClassLoader per VM.
    You can test this by constructing two ClassLoaders and loading the same library.
    The reason why a servlet will be constructed by different classloaders within a VM session is if:
    1) the servlet is reloaded (hot-deployed)
    2) the servlet belongs in more than one ear, since each ear has its own classloader.
    Gene

  • OBPM 10gR3 Dynamic Role Assignment at user login

    Hi,
    For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
    Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
    All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
    It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
    So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
    Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), we opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
    The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
    We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
    However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
    Therefore, we dumped the invocation in the actual constructor - and this seems to work for the most part. Yet on the odd occasion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to log out and back in before the changes are realised.
    We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
    So I really have 2 questions:
    1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
    2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
    Thanks for reading.

    Sorry for the belated response - I don't get notified of replies.
    The code for my custom SSOLoginModule class is:-
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;
        import java.io.FileInputStream;
        import java.io.IOException;
        import java.util.Properties;
        import fuego.workspace.security.SSOWorkspaceLoginInterface;
        import fuego.papi.Arguments;
        import fuego.papi.CommunicationException;
        import fuego.papi.InstanceInfo;
        import fuego.papi.OperationException;
        import fuego.papi.ProcessService;
        import fuego.papi.ProcessServiceSession;
        import fuego.sso.SSOLoginException;
        import fuego.sso.SSOUserLogin;
        import fuego.jsfcomponents.Util;
        import fuego.workspace.model.common.WorkspaceApplicationBean;

        public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {

            private ProcessService pService;
            private ProcessServiceSession pServiceSession;
            private Properties properties;

            // Constructor name matches the class (the post had SSOWorkspaceDBLogin here)
            public CustomSSOWorkspaceLogin() {
                //Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
                pService = createProcessService();
                pServiceSession = createProcessServiceSession();
                assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
            }

            private ProcessService createProcessService() {
                return WorkspaceApplicationBean.getCurrent().getProcessService();
            }

            private ProcessServiceSession createProcessServiceSession() {
                return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
            }

            //This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
            private void assignDefaultRole(String email) {
                try {
                    String processId = "myRoleAssignmentProcessId";
                    String argumentName = "argumentName"; //the name of the input argument to feed in the participant
                    String argumentValue = email;
                    Arguments arguments = Arguments.create();
                    arguments.putArgument(argumentName, argumentValue);
                    InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
                    long waitTime = 1000L;
                    long timeLimit = 5000L;
                    boolean roleAssigned = false;
                    boolean timeLimitExceeded = false;
                    long startTime = System.currentTimeMillis();
                    //Allow role assignment thread to complete
                    while (!roleAssigned && !timeLimitExceeded) {
                        try {
                            Thread.sleep(waitTime);
                            if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
                                roleAssigned = true;
                            }
                            if (System.currentTimeMillis() - startTime > timeLimit) {
                                timeLimitExceeded = true;
                            }
                        } catch (InterruptedException e) {
                            e.printStackTrace();
                            //Restore the interrupt flag and stop waiting
                            Thread.currentThread().interrupt();
                            break;
                        }
                    }
                    //close process service session
                    pServiceSession.close();
                    //Do not close the service itself as it is shared with the Workspace itself!
                    //pService.close();
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }

            public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
                //Unfortunately, the below does not work here because the role assignment is not fast enough
                //The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
                //Therefore, we run the below statements from the constructor - ugly but functions.
                //pService = createProcessService();
                //pServiceSession = createProcessServiceSession();
                //assignDefaultRole(httpservletrequest.getRemoteUser());
            }

            public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
            }
        }

  • Functional and Technical Administration Roles in Solution Manager

    Hello
    A big company has been implementing new functionality in Solution Manager during the last couple of years. They started with System Monitoring and EWA, Maintenance Optimizer, then Project Implementation, and now Service Desk and ChaRM. This company has a wide open structure in IT, and a discussion has been raised about who is the owner of Solution Manager in IT.
    In my experience I always propose two main roles: one is the Technical Administrator role and the other is the Functional Administrator role. The former is more Basis oriented, in charge of the installation and update of stacks in SolMan, basic initial configuration, and then working mainly on setting up Solutions, RFCs, System Monitoring, EWA, SAP services, OSS connections, Diagnostics, E2E Root Cause Analysis, and also support in ChaRM (in setting up the transport routes, security).
    On the other hand, I support a role of SolMan Functional Administrator which deals with the implementation side, ASAP methodologies, business process definition, integration with ARIS, setting up project standards, coaching Project Managers, and ensuring good application information. Also, in Service Desk and ChaRM, setting the process, customizing, implementing, and controlling that things are running smoothly in the productive SolMan.
    I would like to get your input and experiences regarding how to set up those roles, whether there are clear lines to divide responsibilities, or what kind of definitions should be made.
    Many thanks
    Esteban Hartzstein
    Director
    Tebyon Consulting

    As recommended by some colleagues, I am also investigating the Customer Center of Excellence as a reference to define roles and responsibilities, particularly in the concept of Application Lifecycle Management.
    Any other input is welcome.
    Regards
    Esteban
