Instance Based Authorization

Similar Messages

• Row-/instance-based authorization

  Hi,
  I'm looking for ways to implement row-/instance-based authorization using Toplink 9.0.4+ and Oracle DB 9.204. The domain objects are represented by standard Java objects (POJO's) not entity-beans.
  My question: what are well-know working approaches to implement this? How did you do that in a project using Toplink and POJO's?
  I guess Label security/Virtual Private Databases would be interesting to consider. But I wonder if it's possible to use that with Toplink. Issues that I see right now:
  - how to propagate the credentials of the user to the database and still use connectionpooling?
  - can Toplink generally make use of Label Security
  Another approach would be to implement a JAAS extension following the lines of the article "Extending JAAS for class-instance authorization" http://www-106.ibm.com/developerworks/java/library/j-jaas/
  I expect this can easily result in a separate query per object. Which probably results in atrocious performance.
  Or this could be implemented by an aspect. But still this would probably necessitate n+1 queries for n objects. In other words: this would still let the appserver do the constraining of results while that is right task for the database of course.
  Your comments and advice are highly appreciated,
  Joost de Vries
  the Netherlands

  The main decision to make is whether to handle the instance level security in the application, or the database.
  As you mentioned there are many ways to handle security in the application.
  Oracle database supports VPD and OLS for row level security. The TopLink 10g 10.0.3 preview has added support for this refer to:
  http://otn.oracle.com/products/ias/toplink/preview/index.html

• Resource Based Authorization sample program and application

  Recently i have studied about the types of authorization and i also did some samples for role based authorization. Now i am looking for Resource based authorization, the sad thing is that i could not able to understand the concept.
  So i am looking for the sample application and C# program. 
  I just want to know the concept of resource based authorization and also the sample application file and c# coding file.
  Please provide me the sample.
  Thanks in Advance. 

  Hi,
  Technet forums are dedicated by technologies. Since you are more looking for concept, you should check for blogs on the Internet (try google...).
  Otherwise please refer to TechNet forums homepage and look for your technology (C# for instance).
  Hope this helps.
  Guillaume Rouyre - MBA, MCP, MCTS

• User based authorization to create Purchase Orders out of Purchase Req.?

  Hello,
  I have the following requiment for my client:
  User based authorization to create Purchase Orders out of Purchase Req.?
  I am told the same can be achieved using same standard menu path in IMG/Customizing.
  Please advise with the menu path and detials, Usefull answers will be rewarded.
  Thanks

  Using OMET Function Authorization, you can restrict users to create Purchase orders without Purchase Reqn.
  Using OMET trxn code Create one Function Authorixation Called pr and in General Parameters tab Select the Field Selection and in Possible reference Objects Tab Mark the With ref to Prs check box and save.
  Next, you've got to associate via SU01 
  Click Parameters, insert a new parameter id EFB to the authorization code. 
  Type in Parameters value you want e.g. XX 
  You have to assign the control for ALL the SAP buyers via thier SAP users id.
  Logoff and login again. Then try to create a Purchase Order without a reference.
  From Next time whenever you try to create with out referring PR it will not allow you to Save PO.
  Regards,
  Ashok

• Custom security JHeadstart 11gTP1 -Use Role-based Authorization is missing

  In JHeadstart 11g TP1 the option Use Role-based Authorization is missing.
  Will this option only be available in de production release of JHeadstart 11g? What is the reason why this is missing? Is it still possible to use CUSTOM authorization in JHeadstart 11g TP1?

  It is not missing.
  If you turn on custom authorization, you can specify your own roles against groups to access them, and use role names in the insert allowed/update allowed and delete allowed expressions.
  Steven Davelaar,
  JHeadstart Team.

• How to set role based Authorization in JAAS

  how to set role based Authorization in JAAS
  i had user name , password and role in FileLogin
  thanks
  arun .v.

  http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last

• Person responsible based Authorization in Projects is not working for me

  Hi,
  Does 'Person responsible' based authorization for WBSE works for the WBS element only, or for the hierarchically sub-ordinate non-WBS objects (meaning Networks, Activities, Materials etc) as well?
  Details:
  (Authorization objects: C_PROJ_VNR and C_PRPS_VNR)
  -- User1 is assigned with role TESTROLE1. This role has the Project manager based WBS & project authorization objects, with person number 101.
  -- User2 is assigned with role TESTROLE2. This role has the Project manager based WBS & project authorization objects, with person number 102.
  Following sample project is created by a super-user:
  PROJ123 (Details: person responsible - 101)
    WBS-1 (Details: person responsible - 101)
      WBS-1/1 (Details: person responsible - 101)
        NETWORK1
        ACTIVITY11
        MATERIAL111
        MATERIAL112
      WBS-1/2 (Details: person responsible - 102)
        NETWORK2
        ACTIVITY21
        MATERIAL211
        MATERIAL212
  Now the requirement of super-user is that WBS-1/1 and its subordinate elements (Activities, Materials etc) should be editable only by User1. And similarly, WBS-1/2 and its subordinate elements should be editable by User2 only.
  My issue:
  Although WBS-1/1 is not accessible to User2, BUT User2 can edit the subordinate elements (NETWORK1, ACTIVITY11, MATERIAL111, MATERIAL112) of WBS-1/1. I do not want User2 to have edit access to subordinate elements of WBS-1/1.
  Above issue is with User1 for WBS-1/2 as well.
  Hope I am clear in explaining my issue. Can anyone please help me understand the standard authorization concept of Person responsible based roles. I suspect that I am going wrong somewhere but I am not able to identify the problem.
  I want to allow access of a part of project to one user, and another part to some other user. And I do not want to go for an ABAP option if I can do above using basis authorizations.
  (Above mentioned problem is not just with part of projects, but with a complete project as well.)
  Hope to see some quick replies. Thanks in anticipation.

  Thanks for the inputs Sreenivas.
  Are you aware of any authorization objects which can restrict access to Networks, Activities, Material components and Milestones, using 'Person responsible' or any other suitable field? I hope you got what I am looking for.
  Restricting WBSE based on 'Person responsible' without restricting sub-ordinate elements is not much useful according to me. It helps only with simple project structures (having only WBSE) and nothing much. Right?
  Thanks again

• Time-Based Authorization

  I would like to know if is't posible deploy time-based authorization commands. In order to rescrict the operator modify the configuration router only in windows maintenance. ACS 4.1

  Please refer to this link,
  Setting Default Time-of-Day Access for a User Group
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp478788
  Regards,
  ~JG
  Do rate helpful posts

• User based authorization

  I have a question about role based authorization. Guess we have 100 transactions and 100 users. I know we have to create a new role for a new combination of transaction list. Ex: 1,2,3,4,14,15 is RoleA and 1,4,25,34 for RoleB and so on. What will it be If we have a really mixed authorization combination. Guess 15 users use A Role and 20 B Role. But we have a three new user. They mustn't use only two transaction in A Role. Now we came subject of my question. I don't want to create a new role for these users. Is it possible to restrict authorization? As if in same role but restricted to use these transactions. (without abap coding) In a clear expression user based transaction authorization, not role based.

  Hi,
  in my opinion that isn't possible without coding.
  Sorry ;-(
  Regards
  Bernd

• Can't use role-based authorization

  We can't use role-based authorization because the permissions
  and their assignments change frequently. Is there any alternative
  where we can still use WLS to handle security?

  Dave,
  If you're using WLS6 the console supports dynamic user updates so you could
  change each users configuration as needed.
  Alex
  Dave <[email protected]> wrote in message
  news:3a672c81$[email protected]..
  >
  We can't use role-based authorization because the permissions
  and their assignments change frequently. Is there any alternative
  where we can still use WLS to handle security?

• Re: Permission-based authorization with JAAS

  Actually, I am struggling on this topic also. Probably someone else could help
  on this. If you only deal with WLS, one solution could be write your own RoleMapper.
  When the RoleMapper is called, the subject/principal should be available, at that
  time you could do DB search to find roles the principal belongs to and return
  all the roles to WLS security manager. WLS take over from there to enforce the
  access control defined in ejb-jar.
  -John
  "Natasha" <[email protected]> wrote:
  >
  That is very helpful, thank you very much, John!
  What about dynamic role definition? Any thoughts on how I should go
  about authorizing
  based on specific permissions a user has? What I need, essentially,
  is to have
  only the relevant parts of a given page visible to a user with certain
  permissions,
  so I want to use JAAS to have a system that would check if the current
  instance
  of Subject is authorized for a particular action.
  Natasha
  "John Zhu" <[email protected]> wrote:
  One thing you could do is to have all the client logs in through JNDI
  lookup API.
  And client's principal will be passed to the bean. Inside the bean's
  method call
  principal.getName() to retrieve the principal. After that you couldsearch
  DB
  to get ACL related to the principal, then enforce the security.
  Principal principal = context.getCallerPrincipal();
  logger.info("The principal name: "+principal.getName());
  [email protected] (Natasha) wrote:
  I need to implement an authorization model in which a user can be
  authorized to view a certain page or a part of a page based on their
  permissions. The trick is that the role definition is dynamic, andI
  can not make a policy file ahead of time. Instead, I would like to
  simply retrieve the users permissions and then allow access (or, say,
  use a jsp tag to check if a certain part of the page should be
  displayed) based of whether the user has the permission required, and
  have a configuration file that defines the access policy by mapping
  actions to permissions. I am trying to figure out whether I can use
  JAAS and the Subject class for this, because all of the examples I
  could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implement
  my
  own LoginModule if I need to authenticate against a database, in my
  case, probably via using Weblogic entity beans. Sun tutorial states
  that developers do not need to implement a LoginModule, but I do not
  understand how I can do all that without it. I am using Weblogic 7.0
  and Struts.
  Any help will be greatly appreciated.
  Natasha

  Did u think about implementing your own AuthorizationProvider and using it in your
  security realm. The AuthorizationProvider does the trick of verifying which resource
  is being accessed and who can access it.
  My only problem is that I am unable to find out how to make the Resource know
  what instance it is...
  "Natasha" <[email protected]> wrote:
  >
  I guess I have to see if anyone suggests an alternative, and then decide
  whether
  it is worth adapting JAAS instead of a quick homegrown solution, as it
  seems like
  in our case the biggest reason to adopt JAAS is it being the standard.
  Thank you very much for your help, John!
  Natasha.
  "John Zhu" <[email protected]> wrote:
  Actually, I am struggling on this topic also. Probably someone elsecould
  help
  on this. If you only deal with WLS, one solution could be write your
  own RoleMapper.
  When the RoleMapper is called, the subject/principal should be available,
  at that
  time you could do DB search to find roles the principal belongs to and
  return
  all the roles to WLS security manager. WLS take over from there to enforce
  the
  access control defined in ejb-jar.
  -John
  "Natasha" <[email protected]> wrote:
  That is very helpful, thank you very much, John!
  What about dynamic role definition? Any thoughts on how I should go
  about authorizing
  based on specific permissions a user has? What I need, essentially,
  is to have
  only the relevant parts of a given page visible to a user with certain
  permissions,
  so I want to use JAAS to have a system that would check if the current
  instance
  of Subject is authorized for a particular action.
  Natasha
  "John Zhu" <[email protected]> wrote:
  One thing you could do is to have all the client logs in through JNDI
  lookup API.
  And client's principal will be passed to the bean. Inside the bean's
  method call
  principal.getName() to retrieve the principal. After that you couldsearch
  DB
  to get ACL related to the principal, then enforce the security.
  Principal principal = context.getCallerPrincipal();
  logger.info("The principal name: "+principal.getName());
  [email protected] (Natasha) wrote:
  I need to implement an authorization model in which a user can be
  authorized to view a certain page or a part of a page based on their
  permissions. The trick is that the role definition is dynamic, andI
  can not make a policy file ahead of time. Instead, I would like
  to
  simply retrieve the users permissions and then allow access (or,say,
  use a jsp tag to check if a certain part of the page should be
  displayed) based of whether the user has the permission required,and
  have a configuration file that defines the access policy by mapping
  actions to permissions. I am trying to figure out whether I can
  use
  JAAS and the Subject class for this, because all of the examplesI
  could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implementmy
  own LoginModule if I need to authenticate against a database, in
  my
  case, probably via using Weblogic entity beans. Sun tutorial states
  that developers do not need to implement a LoginModule, but I donot
  understand how I can do all that without it. I am using Weblogic7.0
  and Struts.
  Any help will be greatly appreciated.
  Natasha

• Two IBR instances based on doc type.

  Hi, I've got two IBR instances (11g) on differents machines (one on Unix and the other on Windows), and they works fine with UCM. But what I want is that UCM choose the IBR in order to send documents, and the choice must be based on the de doc type. For example, if it's a MS Office file, I want this document to be sended to Windows IBR. In other case, documents goes to Unix IBR.
  Could this be possible to do?
  Thanks.

  Hi Sai,
  Documents can be viewed and controlled based on document types etc.While you search documents all documents will be displayed.
  If the user doesn't av the authorization for a particular document type when he tries to double click on document it shows an error message as  " No authorization for that document type".
  CV04N:Find documents is a std report where you cannot change it.
  Regards
  Bhanu

• Instance-level authorization...

  Hi, i'm working on an application using Toplink. We connect to the database using an internal connection pool with a common user/password. We need to filter any results returned to the client based on the requesting user's authorizations, probably using an ACL with privileges, principals, etc. So for instance, a query might return a list of Report objects but the user can only see a subset of the list. This application is not using EJB. Has anyone implemented something like this? i was thinking of either a custom built solution within this application or extending JAAS.
  Any suggestions would be greatly appreciated.
  -Tim Watson

  Yes, without VPD you will need to engineer some way to filter the data at the database level.
  Potentially other Fine Grained Access control is available ( database dependant), or you could create TopLink queries that filter directly based on the user that is executing them. For example you could add an extra field to the selection criteria and provide the user specific value in the row passes to executeQuery
  ReadObjectQuery roQuery = new ReadObjectQuery(IsolatedClass.class);
  ExpressionBuilder builder = roQuery.getExpressionBuilder();
  Expression expression = builder.get("name").equal(builder.getParameter("NAME"));
  expression = expression.and(builder.getField("SEC_ROLE").equal(builder.getParameter("Sec_Role")));
  roQuery.addArgument("NAME");
  roQuery.addArgument("Sec_Role");
  Vector arguments = new Vector(2);
  arguments.set(0, "Bob");
  arguments.set(2, currentUser.getSecurityRole());
  clientSession.executeQuery(roQuery, arguments);--Gordon                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• Using filter in PAPI-WS to search instances based on project variables

  Hi All
  I wanted to search the BPM instances from my external application. Used PAP-WS to do that.
  To be precise, I was using the filterbean, and have set the process scope, status scope, and the variable on which I want to filter.
  However, I noticed that if the variable specified in the filter is a 'project' variable instead of the 'instance' variable for the process, then BPM does not
  search the instances and throws an exception.
  The code works fine if the variable in filterbean is an instance variable in the process.
  Is it possible to search for the processes based on the values of project variables?
  Below is the code snippet and the exception details.
  Code snipppet:
  PapiWebService port = initializePapiWS(participantId); //private method, dont bother about this
  ProcessIdSetBean b = new ProcessIdSetBean();
  List<String> processids = b.getProcessIds();
  processids.add("/MYPROCESS");
  FilterBean fb = new FilterBean();
  SearchScopeBean ssb = new SearchScopeBean();
  ssb.setParticipantScope(ParticipantScope.ALL);
  ssb.setStatusScope(StatusScope.ALL);
  fb.setSearchScope(ssb);
  List<FilterAttributeBean> fabList = fb.getAttributes();
  FilterAttributeBean fab =new FilterAttributeBean();
  fab.setVariableId("messageNo");
  fab.setComparison(Comparison.IS);
  fab.setValue("123");
  fab.setIsParametric(false);
  fabList.add(fab);
  InstanceInfoBeanList iabl = null;
  try{
  iabl = port.processesGetInstancesByFilter(b, fb);
  catch (OperationException_Exception ex)
  Exception:
  An exception occurred while executing a transaction. Details:
  An error occurred while accesing the database.
  Detail:SQL statement: 'unknown'
  Caused by: Syntax error: Encountered "null" at line 1, column 575.
  fuego.transaction.DatabaseException: An error occurred while accesing the database.
  Detail:SQL statement: 'unknown'
       at fuego.server.persistence.jdbc.JdbcProcessInstancePersMgr.getInstancesByFilter(JdbcProcessInstancePersMgr.java:527)
       at fuego.server.persistence.Persistence.getInstancesByFilter(Persistence.java:329)
       at fuego.server.ProcessInstanceManager.getInstancesByFilter(ProcessInstanceManager.java:132)
       at fuego.server.AbstractProcessBean$34.execute(AbstractProcessBean.java:1666)
       at fuego.server.execution.DefaultEngineExecution$AtomicExecutionTA.runTransaction(DefaultEngineExecution.java:304)
       at fuego.transaction.TransactionAction.startBaseTransaction(TransactionAction.java:470)
       at fuego.transaction.TransactionAction.startTransaction(TransactionAction.java:551)
       at fuego.transaction.TransactionAction.start(TransactionAction.java:212)
       at fuego.server.execution.DefaultEngineExecution.executeImmediate(DefaultEngineExecution.java:123)
       at fuego.server.execution.DefaultEngineExecution.executeWithoutComponentImmediate(DefaultEngineExecution.java:199)
       at fuego.server.execution.EngineExecution.executeWithoutComponentImmediate(EngineExecution.java:95)
       at fuego.server.AbstractProcessBean.getInstancesByFilter(AbstractProcessBean.java:1660)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at fuego.lang.JavaClass.invokeMethod(JavaClass.java:1410)
       at fuego.lang.JavaObject.invoke(JavaObject.java:227)
       at fuego.component.Message.process(Message.java:585)
       at fuego.component.ExecutionThread.processMessage(ExecutionThread.java:780)
       at fuego.component.ExecutionThread.processBatch(ExecutionThread.java:755)
       at fuego.component.ExecutionThread.doProcessBatch(ExecutionThread.java:142)
       at fuego.component.ExecutionThread.doProcessBatch(ExecutionThread.java:134)
       at fuego.fengine.FEngineProcessBean.processBatch(FEngineProcessBean.java:244)
       at fuego.component.ExecutionThread.work(ExecutionThread.java:839)
       at fuego.component.ExecutionThread.run(ExecutionThread.java:408)

  Hi Mikael,
  Thank you for your input. Sorry for my delayed response, I was not alerted that anyone had replied. Anyway, the code you show above, as far as I know, will sort the results by a formula, but not limit results to that formula. For now we've temporarily settled
  on this approach of sorting by distance as this still gives value to the end user. We can also write some JavaScript to display the distance for each item using the longitude and latitude values for each item.
  In my mind that query above needs something similar to "between dates" (i.e. Range) syntax whereas we would need "within a geolocation distance".
  I admit that my knowledge of refiners is not great so I might just need to spend some time with them to understand this all better but at the moment I still don't see how you limit the result set. You could limit the results in JavaScript after the search
  has run (i.e. hide items that aren't within the given distance) but this would break the interaction with the other refiners on the page, especially if they are displaying counts (that are based on the original query). Unless there is an event
  we can hook into and filter the search results as a last step before they (and the refiners) are rendered on the page?
  Thanks for your input,
  James.

• Table Maintenance - field based authorization.

  Hi,
  I have created a ztable and generated a table maintenance for the same.
  There are a few fields that have to be input enabled or disabled, based on authorization objects; some users should be able to enter values and some, not.
  Need some direction, kindly advise.
  Thanks,
  Sheldon

  Hi Sheldon,
  You can achieve the above mentioned functionality by checking the AUTHORIZATION assigned to the user. You have to check the AUTH OBJECT in the PBO Module and then you have to make the Screen Fields Input enable or disabled.
  But, in the generated screens, you have to do your own module pool programming and you have to do the same in your own set of INCLUDE Programs. The INCLUDE Programs generated by the TMG as READ ONLY and hence you cannot modify them. Also, make sure that you take a complete backup of your code as any change and modification will lead to regeneration of the screens and hence will delete all the user code.
  Hope this helps.
  Thanks,
  Samantak.