Is role-based security supported by WLS 5.1?

To what extent is role-based security supported by servlets under WLS 5.1?
Declarative role-based security does not seem to be supported?
Are any of the following methods supported?
HttpServletRequest.isUserInRole()
HttpServletRequest.getUserPrincipal()
If so, where are the roles declared? Where is the role/principal mapping done? Does getUserPrincipal() return the principal using the WLS security realm?
Thank you.
Marko.

Cool. Bonus mystery feature. I will call support.
Thanks Winston.
Marko.

Winston Koh <[email protected]> wrote in message news:[email protected]...
> no, i am not referring to ACL. to my knowledge, the servlet security
> features docs do not make it into the WLS 5.1. I understand it's a bit hard
> to use the features properly without proper documentation. contact support
> for more info
>
> thanx
>
> Winston
>
> Marko Milicevic <[email protected]> wrote in message news:[email protected]...
> > The only servlet authorization mechanism I can see documented is ACLs. Is
> > this what you are referring to Winston? If so, I believe ACLs are different
> > than declarative role based security. An ACL grants access to a servlet for
> > a set of principals (users and/or groups). But a role is not a principal.
> > A role name is mapped to a set of principals.
> >
> > If you are referring to roles, can you give a URL to the documentation which
> > discusses this?
> >
> > Thanks Winston.
> >
> > Marko.
> >
> > Winston Koh <[email protected]> wrote in message news:[email protected]...
> > > both declarative and programmatic based security roles are supported by WLS
> > > 5.1.
> > >
> > > if you don't specify any specific security realm in the weblogic.properties
> > > file, a default WebLogic Security realm is assumed. you could specify the
> > > group and its associated users and passwords there in the properties file.
> > > in the web.xml file associated with each web app, you could specify the
> > > security constraints for each servlet
> > >
> > > I would imagine when accessing a secured servlet within a web app, a client
> > > would supply her credentials thru some sort of authentication, and based on
> > > the credentials, we find out the role name from the weblogic.properties file
> > > which in turn mapped to the web.xml which specify the security role that
> > > could access the particular servlet. if the role matches, access to the
> > > servlet is granted
> > >
> > > refer to WL Docs for more specific details
> > >
> > > thanx
> > >
> > > Winston
> > >
> > > Marko Milicevic <[email protected]> wrote in message news:[email protected]...
> > > > To what extent is role based security supported by servlets under WLS 5.1?
> > > >
> > > > Declarative role based security does not seem to be supported?
> > > >
> > > > Are any of the following methods supported?
> > > >
> > > > HttpServletRequest.isUserInRole()
> > > > HttpServletRequest.getUserPrincipal()
> > > >
> > > > If so, where are the roles declared? Where is the role/principal mapping
> > > > done? Does getUserPrincipal() return the principal using the WLS security
> > > > realm?
> > > >
> > > > Thank you.
> > > >
> > > > Marko.

Similar Messages

  • Role base security & authorization

    Hi,
    I want the details about Role based security & authorization for all objects in reporting and the T.codes related to security & authorization (like RSSM ....).
    Please help me with any document and security manual.

    Hi,
    I hope a search in these forums would definitely help you.
    My previous postings on the Data level security at the Reporting side:
    https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2940809.
    https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2783106
    And take a look at the links:
    https://websmp107.sap-ag.de/~sapidb/011000358700000274062002
    https://websmp107.sap-ag.de/~sapidb/011000358700000972382004
    With rgds,
    Anil Kumar Sharma .P

  • Role Base Security SSAS Tabular and PPS not working

    Hi,
    I am having SSAS (Tabular Model) with Role based Security. It is working fine with Powerview and PowerPivot.
    But when I am using the same with PPS, it gives me an error like 'Data source not accessible'.
    If I don't provide a role while connecting and I select the unattended account, it works but there is no security.
    Please help me out in this situation or provide any steps with snapshots (if possible) on how to make PPS work with the SSAS Tabular model with a role.
    Thanks in Advance
    Pinak kakadiya

    Hi Vishal,
    According to your description, you are trying to use time intelligence functions in SQL Server Analysis Services Tabular model without success, right?
    In order to use time intelligence functions in DAX formulas, you must specify a date table and a unique identifier (datetime) column of the Date data type. Once a column in the date table is specified as a unique identifier, you can create relationships between columns in the date table and any fact tables. Please refer to the links below to see the details steps to use time intelligence functions in DAX formulas.
    https://msdn.microsoft.com/en-us/library/hh758415.aspx?f=255&MSPPError=-2147217396
    http://blog.gbrueckl.at/2013/02/fiscal-periods-tabular-models-and-time-intelligence/
    If the issue persists, please provide us more information about your tabular structure, so that we can make further analysis.
    Regards,
    Charlie Liao
    TechNet Community Support

  • Role base Security

    Hello,
    My question is I want to create a role which should make sure through this role if a user is an authorized user, and logging from authorized server(could be IP verification).  once the condition satisfies through this role, then it should enable the for that particular user can select or update objects from that user.
    say for example,  USER "A"  has access to "TEST" schema in a test database.
    there is 1 role test_a which has select privileges on TEST schema objects, which is granted to User "A".
    Here I want to check first through another role say for example CK_TEST role which should make sure if User "A" is an authorized user, if so is user "A" logging from authorized client or server, if so then enable the TEST_A role to User "A".
    Can someone give me an example of how to accomplish this?
    Thanks a lot....

    I'm assuming that user A is a database user, not an application user.  If that's the case, what does it mean for A to be an "authorized user"?  If the session has been created, then A must be a valid database user and whoever is logging in must have provided the correct password.  If A has been granted the TEST_A role, what more is required for A to be an "authorized user"?
    Having the database verify that a client is "authorized" is a bit problematic simply because the client is providing all the information that you'd be checking in the database.  An attacker could easily spoof or change their IP address, for example.  Validating the IP address can be useful if you want to prevent people from doing things inadvertently (i.e. preventing a DBA from inadvertently logging in to prod from their laptops if that's something that you want to avoid) but isn't particularly good at preventing attackers from getting in.
    You can make TEST_A a password-protected role.  You can create a VPD policy on the objects in TEST that requires a user to call a procedure that you've defined that does whatever validation you want before setting the context to allow access to the data in those tables.  You can create a logon trigger that tries to prevent users from logging in from the "wrong" IP address (with the caveats above that this isn't particularly good at keeping attackers out).  Or you can restrict what machines can access the database at the SQL*Net layer or, preferably, by putting a firewall in front of the database.
    Justin

  • Does ADF security support sub-roles? If not are there plans to support it?

    hi,
    I have following scenario: there are dozens of regions and each region has dozen of facilities and each facility dozens of offices.
    I would like to setup Office roles to have Query permission only and create a new role OfficeUpdate role that has update permissions for this office data, and at the same time to inherit permissions from Office role (e.g. Query permissions), so if I assign a user to Office role he will be able to query only and if I assign him to OfficeUpdate role he will be able to query and update the office data because privilege will be inherited from Office role.
    User can be a member of different offices/facilities/regions. So I would like to, in order to simplify user management, to be able to assign a whole role as a member of another role. By doing this I wouldn't have to assign users to different roles all over again (all users assigned to a sub-role would automatically become members of main role as well) as this is time-consuming.
    But it seems that ADF security does not support this. It seems that ADF security can only deal with roles and not sub-roles? Roles and sub-roles are supported by oc4j container but it seems that ADF security does not support it.
    I would like first to be sure that my observation is correct, and if yes to find out if there are any plans to support sub-roles in future Jdev releases?
    And also if somebody knows, if Acegi or JsfAcegi security supports role-sub-role privilege inheritance?

    I created a testcase that excludes ADF Security and the same behavior can be reproduced, so the problem doesn't seem to be with ADF Security but JAZN.
    Need to further track this issue, but so far it appears that a member role is not sufficient to authenticate and authorize a container managed constraint as used by ADF Security for authentication. This could be a problem with the embedded OC4J only but also a general problem with settings on the system-jazn-data.xml. This is what I need to further evaluate.
    So for now I can't say that this isn't working in ADF Security because it's not even getting there.
    Frank

  • How do I apply SAP's mantra, "Run Like a Factory" to my Basis/Security team?

    I will preface this by stating that I am a newbie to SAP, and I am not technical. Currently I manage a Basis/Security team, albeit understaffed.
    For the past 5 years I have been charged to:
    Organize the team into a highly-performing department. (Done!)
    Leverage existing SAP (and non-SAP) tools to drive up the performance and availability of our SAP landscape. (Currently on SolMan 7.1, SP12. Early Watch reports for 17 instances. Crank out CQC's like they are free candy)
    Take full advantage of our SAP Enterprise Support. (Monthly calls with our Ent. Support Advisor. Burn through our EGI's, AEI's, and Road Maps. Training curriculum built around the Ent. Support Academy offerings, etc.)
    But there is a part that is missing, and this is where I need guidance. What I am referring to is the integration and synchronization of my team with the abundance of proactive services of SAP's MarketPlace (MP) and Enterprise Support (ES). Here is what I mean:
    So I am subscribed to umpteen SAP "MP" & "ES" newsletters and RSS Feeds, I occasionally browse the Security Portal (because I can't find where to subscribe to an RSS Feed), I receive the "SAP Support Notification" email every couple of days, I am connected to their Social Media presence, and there are a few other communication channels I am connected to. But from all of this what I am missing is... Continuity!
    I have had this nagging feeling that I am missing, or not yet fully aware, of some basic elements within the "MP" or "ES" that I need to address so that the steady flow of information from these channels are relevant and substantial. Here is my best example:
    Every few days I receive the "SAP Support Notification" email. At first the email was basically empty. I figured out that I had to choose my instances within my subscription so that I receive relevant information. I accessed my instance list and found it was a mess. So I had my architect remove all obsolete instances.  The contents of the email is now more substantial, but there is more to the email that I don't understand the relevance of.
      Another example is the SAP Security Portal. I can't figure it out. Updates, announcements, etc. aren't sent out. I have to remind myself to visit the Portal.
    I have a few more examples, but this post is already too long. I need help with the manipulation of the basic elements of "MP" and "ES" to start receiving more substantial, and actionable, proactive support. Once I have this I can integrate this support into the daily administration of my SAP ecosystem, as well as define KPI's and metrics to strive for improved performance and availability.
    So what am I missing?

    Hi Pete,
    This is a great discussion item, and I am glad that you brought it up!  There is a lot of information out there, and how to syphon it so it relates to you is definitely something that is important.
    Couple points/questions on the above, and then some information that may help future wise.
    There are many notifications within the SAP Support Portal that you can subscribe to.  Some require filters, some are based on 'subscribing' to Spotlight News or to specific notes and KBAs.  Happy to set up some time with you to go through these in detail.
    What is the URL to the SAP Security Portal you mention?  Are you referring to this area: https://support.sap.com/kb-incidents/notifications/security-notes.html?
    Future direction is focusing on personalizing your experience within the portal.  Giving you what you need, when and how you prefer.  We can chat on that as well.
    Feel free to reach out to me directly.
    Cheers,
    Kristen

  • RBAC / Role Based Security Set Up in R12

    We are working with a 3rd party consulting organization to implement Role Based Access Control in E-Business Suite R12. We have approximately 50 users with 35 responsibilities today and are currently in the process of designing our role based security set up. In advance of this the consulting company has provided us with effort estimates to cutover from the current responsibility structure to RBAC. We are told this must be done while all users are off the system. The downtime impact to the business is very high, especially considering our small user base.
    With RBAC cutover downtime estimates such as these I can't understand how any company larger than ours could go live with it?
    Does anyone have previous Role Based Access Control implementation experience in EBS R11i or R12 and could provide some insight on their experience and recommendations, best practice for cutover to mitigate impacts to the business as we cannot accept the 90 hours of downtime outlined by the consulting company below?
    Disable users old assignments: 12.00 hours
    Disable Responsibilities targeted for the elimination: 12.00 hours
    Disable Responsibilities targeted for the elimination: 16.00 hours
    Setup OUM options and profiles: 6.00 hours
    Setup Roles and Hierarchies: 14.00 hours
    Grant Permissions: 12.00 hours
    Setup Functional Security and disable the obsolete responsibilities: 12.00 hours
    Setup Data Security and disable the obsolete data accesses: 6.00 hours
    Total: 90 hours
    Note - all activities must be performed sequentially
    Any advice or experiences you could share would be extremely valuable for us. Thank you for taking the time in advance to review & respond.

    On Srini`s comments "Creating Roles.. will have to be done manually "... I would like to know will the same approach be followed for PRODUCTION instance also. Say if we need to create 35 responsibilities and 50 roles so should this be done manually in PRODUCTION.
    I have not worked on this but I know that in my previous company this was done using scripts. Need to find more on this.

  • ADF11g security in standalone WLS

    Hi ,
    We have a project requirement where security settings can get changed after application deployment. I understand we can add new application roles and secure pages/task flows from WLS console without the need to redeploy the application. In this scenario, since these run time settings in stand alone WLS are not reflected in the jazn.xml of the original application developed in Jdeveloper, how can we make sure that the security changes are not overwritten in the next deployment?
    Regards,
    Rekha

    Hi Rekha,
    In JDeveloper, Application Properties>Deployment, uncheck the Overwrite Application Policies and Credentials. Users and Groups will not be migrated in production instance application server.
    I believe it is necessary to make back-up of those production deployed application policies.
    Regards,
    Pino

  • WS-Security support

    Does Apex-3.1.1 support WS-Security? We need to configure our Apex application as a client to consume a SOAP web services that is secured using the WS-Security protocol.

    Hi Drew,
    Our next release of WLS will include WS-Security support. This will include
    XML Signatures/Encryption etc.
    Thanks,
    Chris
    "Drew Haller" <[email protected]> wrote in message news:[email protected]..
    > Does Web Logic have (or plan to have) any libraries for handling ws-security.
    > This would include token creation and parsing, XML signing, and encryption. If
    > so, where? If not, when?
    > Thanks,
    > Drew

  • HR Position Base Security Discussion

    Hello all,
    We all know the beauty of using HR position base security vs manual role assignments to user IDs.  Roles are automatically assigned and removed during a move with HR position base security.
    Recently a question came up regarding HR position base security and I have a few ideas on how to address the question but I'm just curious how some of you have dealt with this issue.  This thread will be more of a discussion than a question.
    Issue/Example in regards to HR position base security:
    User-A is in position#1 and has been granted access to SAP after successfully completing SAP Accountant Training.
    Position#1 has the following roles:
    Z-Accountant
    Position#2 has the following roles:
    Z-Finance-Director
    If User-A got a promotion and is moved to position#2, he will automatically inherit Z-Finance-Director and the assignment of Z-Accountant will be removed.
    How can you justify assigning Z-Finance-Director even though User-A did not take the SAP Finance Director training?
    Your response will be appreciated.
    Regards,
    John N.

    >
    Morten Nielsen wrote:
    > Hello John
    >
    > Well at the end of the day the roles are always assigned to the user.
    >
    > But what you can do is create a relation between the Role and an entity in your HR-OM System. Based on that, and an evaluation path, you can retrieve the required role for the user and let the workflow assign it automatically. (You might need an HR consultant to help you out here).
    >
    > So in fact you can decide if you want to map the roles to a Position, an organizational unit, a Job etc. (but as always it's a good idea to decide on a strategy, otherwise it can end up in a big mess)
    >
    > regards
    > Morten Nielsen
    Morten,
    If we decide to assign the roles to the HR position after the completion of the workflow it should assign the roles to the UMR (using RHPROFL0 & PFUD) automatically which is great.  But now that the roles are assigned to the position aren't we back on the same vicious cycle of a user automatically inheriting roles on the position and at times not having training on the roles automatically assigned?
    Perhaps I just need to research the following that you mentioned.
    >
    Morten Nielsen wrote:
    >
    > But what you can do is create a relation between the Role and an entity in your HR-OM System. Based on that, and an evaluation path, you can retrieve the required role for the user and let the workflow assign it automatically. (You might need an HR consultant to help you out here).
    >
    > regards
    > Morten Nielsen
    Again thanks for the suggestion.
    Regards,
    -John N.

  • What is the mean of using Portal with Role Based security as entry point

    Hi Experts, we have a requirement for integration of Portal and MDM.
    I am completely new to MDM, so please give me some idea of the meaning of the following points.
    1) Using the Portal with Role Based security as entry point for capacity and Routing Maintenance (these two are some modules).
    2) Additionally, Portal should have the capability to enter into MDM for future master data maintenance. Feeds of data will need to come from SAP 4.6c
    Please give me clarity on the meaning of the second point.
    Regards
    Vijay

    Hi
    It requires the entire landscape: the EP server and MDM server should both be configured in SLD.
    Your requirement is maintaining and updating the MDM data with Enterprise Portal. We have some Business Packages to install in Portal in order to access the functionality of MDM.
    Portal gives its end users secure role-based functionality of MDM through single sign-on (log in to the portal, access any application).
    Please go through this link
    http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
    You need to develop some custom applications which should be integrated into the portal to access MDM Server master data.
    The estimation depends on your requirement.
    It depends upon the landscape settings, requirement complexity, and how many custom applications need to be developed.
    Regards
    Kalyan

  • Security-role and security-role-assignment not working in WL7.0

    Hello all..
    Some EJB components that worked fine in WebLogic 6.1 no longer work in
    WL7.0. It has to do with the security-role and security-role-assignment
    descriptor elements no longer allowing anonymous users to be included in the
    authorization for a bean.
    For example, in WL6.1 placing these items in ejb-jar.xml:
    <assembly-descriptor>
      <security-role>
        <role-name>Employees</role-name>
      </security-role>
      <method-permission>
        <role-name>Employees</role-name>
        <method>
          <ejb-name>CustomerEJB</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>
    </assembly-descriptor>
    and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
    <security-role-assignment>
      <role-name>Employees</role-name>
      <principal-name>guest</principal-name>
      <principal-name>system</principal-name>
    </security-role-assignment>
    worked fine for clients creating their context using a simple
    InitialContext() constructor without specifying SECURITY_PRINCIPAL or
    SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
    the security-role-assignment element above told WebLogic that "guest" was in
    the Employees role for purposes of this EJB archive.
    Worked in WL6.1, no longer works in WL7.0. Client receives typical
    permission exception:
    java.rmi.AccessException: Security violation: insufficient permission to
    access method 'create'
    If I explicitly connect as "system" things are fine, or I can create a new
    user in the default realm in WebLogic, put a matching <principal-name>
    element in the section above, and connect as that user. Note that if I leave
    off the <security-role> section completely, or set the required role name to
    "everyone", the anonymous access works fine. Apparently the anonymous user
    is a member of "everyone" behind the scenes even though "everyone" does not
    appear in the realm list of groups or roles.
    So, my question boils down to this: Is there a "magic" username in WL7 like
    "guest" was in WL6.1 that can be mapped to the required role name, or must
    every client connection use a true weblogic-created user with appropriate
    role assignments used to map it to the required role name.
    -Greg
    P.S. Note that none of the EJB examples provided with WL used
    <security-role>..
    Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
    www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

    Below are the screen shots for PFCG:

  • Error in Role Based security using weblogic 9

    Hi All,
    Currently I am working with Weblogic Server 9. I am trying to use role based security. Below are the entries for web.xml.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Success</web-resource-name>
        <url-pattern>/form.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>INTEGRAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
      <role-name>admin</role-name>
    </security-role>
    When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the following error:
    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    So can any one provide me the solution for the above problem.
    Thanks in advance.
    By,
    Sandip Pradhan

    Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.
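
An added example, not code from any of the posts: a small Python model of the flow Winston describes in the main thread (authenticated principals, then role mapping, then the web.xml constraint), run against the constraint from the WebLogic 9 post above. It assumes roles are resolved only through `security-role-assignment` entries (the element shown in the WL7 post); the `weblogic-web-app` wrapper, the user `alice` and the group `Administrators` are constructed samples. It shows one way a successful login can still end in 403: the role named in `auth-constraint` has no principal mapped to it.

```python
"""Model: web.xml security-constraint + role-to-principal mapping -> 200/401/403."""
import xml.etree.ElementTree as ET

# Constraint as posted in the WebLogic 9 thread; the <web-app> wrapper is added here.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/form.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""
# Constructed samples: no mapping at all, then "admin" mapped to a group.
NO_MAPPING = "<weblogic-web-app/>"
WITH_MAPPING = """
<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""


def load_constraints(web_xml):
    """Return one (url_patterns, http_methods, role_names) tuple per constraint."""
    constraints = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [e.text.strip() for e in sc.iter("url-pattern")]
        methods = {e.text.strip().upper() for e in sc.iter("http-method")}
        auth = sc.find("auth-constraint")
        # None: no auth-constraint at all. Empty set: auth-constraint naming no role.
        roles = None if auth is None else {e.text.strip() for e in auth.iter("role-name")}
        constraints.append((patterns, methods, roles))
    return constraints


def load_role_map(vendor_xml):
    """Return {role name: set of principal names} from security-role-assignment."""
    role_map = {}
    for sra in ET.fromstring(vendor_xml).iter("security-role-assignment"):
        role = sra.findtext("role-name").strip()
        names = {e.text.strip() for e in sra.iter("principal-name")}
        role_map.setdefault(role, set()).update(names)
    return role_map


def pattern_matches(pattern, path):
    """Exact, path-prefix (/dir/*) and extension (*.ext) url-pattern matching."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def roles_of(principals, role_map):
    """A role is not a principal: it is held by whoever is mapped to it."""
    return {role for role, members in role_map.items() if members & set(principals)}


def decide(path, method, principals, constraints, role_map):
    """Return 200, 401 or 403. principals is None for an unauthenticated request,
    otherwise the user name plus the group names supplied by the realm.
    Simplification: the first matching constraint decides; the servlet spec's
    rules for combining several constraints are not modelled."""
    for patterns, methods, roles in constraints:
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        # A constraint that lists http-method elements applies only to those methods.
        if methods and method.upper() not in methods:
            continue
        if roles is None:
            return 200
        if not roles:
            return 403
        if principals is None:
            return 401
        return 200 if roles & roles_of(principals, role_map) else 403
    return 200


def unmapped_roles(constraints, role_map):
    """Roles referenced by an auth-constraint that no principal is mapped to."""
    used = set()
    for _, _, roles in constraints:
        used |= roles or set()
    return sorted(r for r in used if not role_map.get(r))


if __name__ == "__main__":
    cons = load_constraints(WEB_XML)
    for label, xml in (("no mapping", NO_MAPPING), ("with mapping", WITH_MAPPING)):
        rmap = load_role_map(xml)
        status = decide("/form.jsp", "GET", {"alice", "Administrators"}, cons, rmap)
        print(label, status, "unmapped:", unmapped_roles(cons, rmap))
```
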

  • Java.lang.Error: JAX-RPC 1.1 method is not supported in WLS 8.1 clients.

    We have some web services that run under OC4J 10.1.3.4. We have various JEE 'client' apps (JSF, servlets etc.) that use these web services. These JEE apps also run under OC4J.
    We started a migration project from oc4j to weblogic 10.3.2. In phase 1 we want to move these JEE 'client' apps to weblogic. In phase 2 we want to move the web services themselves to weblogic with adjustments to the JEE 'client' apps as needed.
    However we ran into an issue during this phase 1. Deploying these JEE 'client' apps to weblogic results in an error like this:
    java.lang.Error: JAX-RPC 1.1 method is not supported in WLS 8.1 clients. If you are attempting to run an OC4J 10.1.3 JAX-RPC client in WLS, please see the Web Service Migration Guide for instructions.
    We are including Oracle web services client libraries (http://download.oracle.com/otn/java/oc4j/1013/wsclient_extended.zip) in these JEE 'client' apps's war files because weblogic does not have them.
    What part of Web Service Migration Guide is the above error message talking about? Do we have to re-generate the client side proxies for all these web services using weblogic's clientgen task in 'JAXRPC' mode? Many of these web services are doc/literal jax-rpc web services. Or does the migration guide recommend we migrate the web services first to weblogic? Any other specific information on working around this error message would be greatly appreciated.

    Hi,
    I had the same issue but I just managed to fix it. You must upgrade and/or regenerate your proxy. This creates new classes (possibly in a new package) that you must use in your code. I had this error because the classes directory was not clean after the rebuild and the old classes (in the old package) were still present, so the compilation was successful with the old classes. So clean your classes directories, regenerate your proxy and use the new classes in your code.
    Regards,
    Sylvain

  • Jdeveloper 11g - JAX-RPC 1.1 method is not supported in WLS 8.1 clients.

    Hi,
    I am using Jdeveloper 11g and migrating a web Service Proxy created using jdeveloper 10g.
    I imported all the proxy classes and when I try to run web service client In Jdeveloper 11g I get the following error
    "JAX-RPC 1.1 method is not supported in WLS 8.1 clients. If you are attempting to run an OC4J 10.1.3 JAX-RPC client in WLS, please see the Web Service Migration Guide for instructions."
    Please advise on how to solve this?
    Which is the offending jar/library file in Jdeveloper 11g which is causing the above error?
    Is the above problem there in the WebLogic Server Runtime also?
    Please let me know.
    2) I cannot generate web server proxies also with jdev11g because the wsdl has overloaded methods omitting the name property within the input and output message, i.e., they have a null name. Therefore Jdeveloper 11g is using the library which when called with an overloaded operation that contains null input/output message names, a duplicate error occurs because it sees other operations with the same name. So it is effectively not allowing to create the web service proxies.
    Thanks,
    Appreciate your quick response to the above

    Have you checked the 'Web Service Migration Guide' mentioned in the error message?
    Timo
