Issue granting BPMWorkflowReassign role to user BPEL 10.1.3.1 / OID
Hi,
I can see the user under the BPMWorkflowReassign group in the oiddas application, but when we look at that user's attributes from the worklist application I cannot see that role assigned to the user.
Also, when I ran IdentityService/GetGrantedRolesToUsers
I do not see the application role BPMWorkflowReassign assigned to that user.
I am logging in to oiddas and adding that user under the BPMWorkflowReassign group.
Is there anything I am missing to assign the BPMWorkflowReassign role to a user?
Please help.
Regards,
Jigar
So, when you have OID set up, you can set up caching, which is on by default. You can also tweak this. I set mine to a 15 minute refresh. That way, I'd only have to wait a maximum of 15 minutes for changes to appear. It is NOT advisable to turn caching off. Performance degrades significantly.
This is what I added to my jazn.xml file:
<!-- Based on input from the Oracle® Containers for J2EE Security Guide
10g (10.1.3.1.0) (B28957-01). See table 8.5. We may need to add additional settings for performance reasons. -->
<property name="ldap.cache.session.enable" value="true" />
<property name="ldap.cache.realm.enable" value="true" />
<property name="ldap.cache.policy.enable" value="true" />
<property name="ldap.cache.initial.capacity" value="1000" />
<property name="ldap.cache.purge.initial.delay" value="900000" />
<property name="ldap.cache.purge.timeout" value="900000" />
Good luck!
BradW
Similar Messages
-
Oracle 10.2.05
Linux environment
I just granted a role to a user, but the user does not have privileges based on the role.
Here is what I did:
First, create a user (db_user) using the system id
Second, create role schema_admin_role
Then run the script to grant privileges to the role
SELECT 'grant select, insert, update, delete on ' ||owner|| '.'||table_name || ' to schema_admin_role;' from dba_tables WHERE OWNER = 'another_schema';
Then run
grant schema_admin_role to db_user;
The problem:
When db_user tries to update table X owned by another_schema, he gets "not sufficient privileges".
But when I run (select owner, table_name, privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE';), I see all the privileges owned by this role.
Any solution from your end will be appreciated.
sb92075 wrote:
did db_user start a new session after GRANT was issued?
Yes he did - also when I try to list all privileges granted to db_user, I get "no rows selected". On the other hand, when I query privileges granted to role schema_admin_role, I see all privileges granted earlier
example
select owner, table_name,privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE'; ---Here we get all privileges
select owner, table_name,privilege from dba_tab_privs where grantee = 'DB_USER'; --No rows selected -
We have granted everyone all roles on our TfsReports site. However, all users (except for 2 who are TFS Admins) still get the following errors when attempting to manage the reports:
The permissions granted to user Domain\UserName are insufficient for performing this operation. (rsAccessDenied)
These are the roles we've granted to all "Domain Users": Browser, Content Manager, My Reports, Publisher, Report Builder, Team Foundation Content Manager.
We can't seem to figure out what else might be missing.
Please help.
The issue was reported by one of the Application Support team, stating that they have problems accessing reports in Reporting Services from the Team Foundation Server (TFS) side. By default certain users are part of a local domain group having LOCAL ADMINISTRATOR privileges on the TFS server, so by default there are no issues for those users. Somehow there was a change in the role of certain users where ADMIN access was revoked. However, the users are still part of the SYSADMIN group, and they reported the error as follows:
“The permissions granted to user ''DOMAIN\UserName'' are insufficient for performing this operation. (rsAccessDenied)”
By default the text clarifies that there is no permission to access the reports, and further we have a set of roles defined on Reporting Services, as follows:
http://servername/Reports/ (Root)
BUILTIN\Administrators: No access
DOMAIN\TfsAdmins: Content Manager
DOMAIN\ReportAdmins: Content Manager
Ahsan Kabir Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread. http://www.aktechforum.blogspot.com/ -
How can I use Oracle Developer2000 Form6 to grant privileges and roles to a user in the database (Oracle 8i) from a trigger of Form6? Is there any built-in for this statement?
PL/SQL doesn't allow you to issue DDL commands directly, but it does provide a utility package called DBMS_SQL. This allows you to create dynamic SQL statements at runtime and execute them. The code you would need is as follows:
In declaration section -
v_sql varchar2(200);
v_cursor number;
v_result number;
In the code body -
v_sql := 'GRANT <ROLES> TO <USER>';
v_cursor := dbms_sql.open_cursor;
dbms_sql.parse(v_cursor, v_sql, dbms_sql.native);
v_result := dbms_sql.execute(v_cursor);
You can ignore the value of v_result as it is not a DML statement. Also you could build your SQL string up dynamically using variables from your form ie:
v_sql := 'GRANT '||:FORM.ROLE||' TO '||:FORM.USER;
Hope that helps!
Ian -
Dear all,
I have a role called ets_manager. How can I grant it to my user steve in Forms 6i? I mean, what is the script? I have a button; when the button is pressed I want the role to be granted to a user.
Thanks in advance.
regards
Try out the FORMS_DDL built-in
http://www.oracle.com/webapps/online-help/forms/10g?topic=formsddl_html -
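Both answers above end up executing a string built from form fields (`'GRANT '||:FORM.ROLE||' TO '||:FORM.USER`, or whatever is passed to FORMS_DDL), so anything typed into those fields becomes part of the DDL. The following is an added example, not code from either poster: a server-side procedure the form trigger can call instead. It assumes a database release that ships DBMS_ASSERT (10g R2 or later, not the 8i of the first question); the table `app_grantable_roles` and the procedure name `grant_app_role` are hypothetical.

```sql
-- Hypothetical allow-list of roles the application is permitted to hand out.
CREATE TABLE app_grantable_roles (
  role_name VARCHAR2(30) PRIMARY KEY
);
INSERT INTO app_grantable_roles (role_name) VALUES ('ETS_MANAGER');
COMMIT;

-- Hypothetical wrapper: validates both inputs before any DDL is built.
-- The owner of this procedure must itself be allowed to grant the roles
-- listed in app_grantable_roles.
CREATE OR REPLACE PROCEDURE grant_app_role (
  p_role IN VARCHAR2,
  p_user IN VARCHAR2
) AS
  l_role  VARCHAR2(130);
  l_user  VARCHAR2(130);
  l_found PLS_INTEGER;
BEGIN
  -- 1. The role must be a plain SQL identifier; anything containing
  --    spaces, semicolons, comments or extra keywords raises ORA-44003.
  l_role := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(p_role)));

  -- 2. The grantee must be an existing database user (ORA-44001 if not).
  l_user := DBMS_ASSERT.SCHEMA_NAME(UPPER(TRIM(p_user)));

  -- 3. Only roles on the allow-list may be granted through the form,
  --    so the button can never hand out DBA or similar roles.
  SELECT COUNT(*)
  INTO   l_found
  FROM   app_grantable_roles
  WHERE  role_name = l_role;

  IF l_found = 0 THEN
    RAISE_APPLICATION_ERROR(-20010, 'Role is not on the grantable list');
  END IF;

  -- 4. Build the statement from validated, quoted identifiers only.
  EXECUTE IMMEDIATE
       'GRANT ' || DBMS_ASSERT.ENQUOTE_NAME(l_role, FALSE)
    || ' TO '   || DBMS_ASSERT.ENQUOTE_NAME(l_user, FALSE);
END grant_app_role;
/

-- In the Forms WHEN-BUTTON-PRESSED trigger the call then becomes:
--   grant_app_role(:FORM.ROLE, :FORM.USER);
```

Granting EXECUTE on the procedure to the form's users, rather than giving them the ability to grant roles themselves, keeps the privilege on the server side of the check.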
Database Vault Owner Grant Any Role Permission
So I just noticed that the role DV_OWNER has the system privilege GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not, I would like to remove it. We would prefer the Database Vault owner person to not have any permissions except for logging into the Data Vault console to modify realms and rules and stuff, as well as looking at audit logs. The DV_OWNER role also has ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges, which I would like to remove as well. Anybody have any opinions on this?
Oracle EE 11.2.0.2 on Windows 2008 R2
Thanks.
Sysdba can issue powerful statements such as create user, drop user, alter user, create profile .. and so on... can be done only if it is allowed so by modifying the Can maintain accounts/profiles rule set.
You can also login with dvsys account but that account is locked after installation. So unlock it with
alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault := DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
Following can help you
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan -
Strange behavior after granting a role associated to an access policy.
Greetings.
I am using OIM 11.1.1.3 and I am using also the DBUM Adapter 9.1.0.4.
I defined 3 roles in OIM; after that I defined three access policies with the purpose of provisioning roles at a database.
Every policy is associated to a role and a DBUM resource.
At the end I have the following policies.
Policy Name OIM Role Database Role
1. Policy Role A - Role A - DBRoleA
2. Policy Role B - Role B - DBRoleB
3. Policy Role B - Role C - DBRoleC.
When a role is granted to an OIM user using the Administration Console, the correct database role is provisioned at the specified database. But if I revoke a role from the user and grant the same role again, the specified role is not provisioned to the specified database.
Example: A user has "Role A", "Role B", "Role C"; at the database the user has DBRoleA, DBRoleB, DBRoleC.
After revoking "Role A" from the user, the database has the correct roles DBRoleB and DBRoleC.
But if the "Role A" is granted again to the user the DBRoleA is not provisioned at the database.
I enabled the dbum log file and it looks like the wrong role was chosen and the DBRoleB is the database role to be provisioned. Because we see at the log file when the "Role A" is granted to the user:
[WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Form Value2011-11-04[2011-11-04T11:37:14.392-05:00] [WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Child form data map received:- {UD_DB_ORA_R_VERSION=0, UD_DB_ORA_R_KEY=3180, UD_DB_ORA_R_UPDATE=2011-11-04, UD_DB_ORA_R_CREATE=2011-11-04, Process Instance.Key=5916, UD_DB_ORA_R_UPDATEBY=6, UD_DB_ORA_R_ROLE=102~*DBRoleB*, Access Policies.Key=183, UD_DB_ORA_R_CREATEBY=6}
The question is: has somebody experienced the same issue?
Is there another way to provision database roles after granting OIM roles?
Thanks!
Ramiro Ortíz
Finally we opened a Service Request to solve this issue, and it was a bug "OIM SENDING WRONG ENTITLEMENT NAME TO TARGET DURING ADD ENTITLEMENT OPERATION" and Oracle generated the patch 13499465 for DBUM Connector. Oracle had to provide us a new Readme to apply this patch because it wasn't well explained. So far the patch seems to work; we are making some tests now to be sure that the issue is solved. I just want to share that with the OIM community.
Ramiro Ortiz -
Error while granting BPMOrganizationAdmin role to SOAOperator.
Error while starting SOA server. Please advise.
<Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.services.organization> <BEA-000000> <Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
ORABPEL-10513
Cannot get application roles from application identified by "{0}".
An error occurred while getting application roles from application identified by "soa-infra".
The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy307.postDeployInit(Unknown Source)
at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10510
Application role not found.
Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy307.postDeployInit(Unknown Source)
at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
>
<Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.common> <BEA-000000> <Exception
BPM-70692
Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:324)
at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:29)
at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy307.postDeployInit(Unknown Source)
at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10513
Cannot get application roles from application identified by "{0}".
An error occurred while getting application roles from application identified by "soa-infra".
The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy307.postDeployInit(Unknown Source)
at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused By: ORABPEL-10510
Application role not found.
Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy307.postDeployInit(Unknown Source)
at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
>
Hi user,
Can you give us some information on the version you are using and your security setup? Are you using an external security provider? Because to me it sounds that you are using an external LDAP server.
Antonis -
How can I see which roles or users have access to a table?
How can I see which roles or users have access to a table?
For a given table, how can I see the grants, who and what?
Many thanks
dba_tab_privs.
Grantee can be a role or a user, as roles are fake users.
Sybrand Bakker
Senior Oracle DBA -
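Because a grant made to a role is recorded in dba_tab_privs under the role's name, querying it with the user as grantee (as in the earlier question where `grantee = 'DB_USER'` returned no rows) shows nothing even when the user holds the role. The query below is an added example, not from either thread: it expands role membership through dba_role_privs so that every user or role that can reach the table is listed. The owner and table name are the ones used in that earlier question; the column aliases are this example's own.

```sql
-- Who can touch ANOTHER_SCHEMA.X, directly or through (nested) roles?
WITH direct AS (
  -- privileges recorded against the table itself
  SELECT grantee, privilege
  FROM   dba_tab_privs
  WHERE  owner      = 'ANOTHER_SCHEMA'
  AND    table_name = 'X'
),
role_members AS (
  -- every (role, member) pair reachable through role-to-role grants;
  -- NOCYCLE guards against a damaged dictionary, depth = number of hops
  SELECT CONNECT_BY_ROOT granted_role AS top_role,
         grantee                      AS member,
         default_role,
         LEVEL                        AS depth
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
SELECT d.privilege,
       d.grantee                AS holder,
       'DIRECT'                 AS via_role,
       CAST(NULL AS VARCHAR2(3)) AS default_role,
       0                        AS depth
FROM   direct d
UNION ALL
SELECT d.privilege,
       m.member                 AS holder,     -- a user or an intermediate role
       d.grantee                AS via_role,   -- the role named in dba_tab_privs
       m.default_role,                         -- 'NO' = granted but not enabled at login
       m.depth
FROM   direct d
JOIN   role_members m ON m.top_role = d.grantee
ORDER  BY 2, 1;

-- Reading the result:
--   * a row with via_role = 'SCHEMA_ADMIN_ROLE' and holder = 'DB_USER'
--     confirms the role grant exists even though dba_tab_privs has no
--     row for DB_USER;
--   * default_role = 'NO' on that row means the session must issue
--     SET ROLE before the privilege is usable;
--   * privileges held only through a role are not active inside
--     definer's-rights stored PL/SQL, which needs a direct grant.
```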
Assigning roles to users programmatically
Hi,
I want to programmatically create roles, assign roles to users etc.
I saw at this thread
ADF Security Policy Store
the following scriptlet by Frank Nimphius
try {
    IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
    try {
        UserManager userManager = idstore.getUserManager();
        RoleManager roleManager = idstore.getRoleManager();
        // look up the application role to grant
        Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION, "admin");
        // create user
        // TODO check for empty username and password
        User newUser = userManager.createUser(this.username, this.password.toCharArray());
        roleManager.grantRole(adminRole, newUser.getPrincipal());
    } catch (IMException e) {
        // TODO
    }
} catch (JpsException e) {
    // TODO
}
return null;
This is a TP3 scriptlet; is it still working on the 11g production?
I tried it and I get a JpsException
oracle.security.jps.JpsException
at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
Do I have to replace "idstore.xml.provider" with something else depending on my configuration?
thanks
Tilemahos
Hi Frank, thanks for the answer,
I checked this functionality with the WLS embedded LDAP and I saw your "How-to configure OID for authentication in WebLogic Server" post.
I managed to add users and assign them roles that I created in my application.
But what if I want to have a super user that can create new roles and assign them member roles?
e.g.
Developer created roles (policy store):
accessPage1 ( granted all the necessary principals to access page1 )
accessPage2 ( granted all the necessary principals to access page2 )
Super user created roles
Role1 member roles: accessPage1, accessPage2
If I want my application to have that functionality, I must create roles programmatically, won't I?
Is there another way?
By the way I followed the advices at the following useful links
Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
Frank Nimphius's How-to configure OID for authentication in WebLogic Server
Edwin Biemond's Using OpenLDAP as security provider in WebLogic
Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
And I managed to add users of the Microsoft LDAP to the WLS
but I couldn't make them group members of my application groups (roles)
Is this possible?
Thanks -
Differences between Roles, Schemas, Users and Logins.
I need differences between Roles, Schemas, Users and Logins. Can anyone help me. Thanks in advance
Roles:
I think of creating roles in the database to group users of like
function. Roles are granted certain permissions in the database. You
should become familiar with the fixed database roles since these will be
utilized once you start creating users within the database. Also, once
you see the type of permissions that are granted to each role, it makes
more sense.
Schema: there can be several schemas in a database,
which will house different types of objects such as tables, indexes,
stored procedures, functions, etc. Users own schemas. Looking into
the AdventureWorks database illustrates this concept, with several
schemas like HR, Production, etc.
Login: Think about login as
gaining access to the SQL Server instance. If a user account is not
granted any permissions within the instance, you basically just were
able to unlock the door and enter the room, by creating a user you then
grant access to the database objects or principals, and can begin to
work with them.
Users: Users own schemas, and as such will be
able to manipulate the objects they own. Some of the manipulations
are very permissive, such as creating tables, indexes, stored
procedures, functions, etc. These are developers and administrators.
Users
are created and granted permissions for application use, which will
have select, update, insert, and delete and execute permissions to a
finite set of objects in the schema, for which the application will need
to function properly.
In a client server database, as an
example, of the structure. Roles were defined which provides the
permissions to the database objects in the database, which only has one
schema 'dbo'. One SQL server login was created with the same username,
and dbo is the assigned default schema, and the roles assigned to that
username.
In the application, each specific user is given their own
"application" login which is mapped to the one defined sql server
login.
Ahsan Kabir -
Sales Agreement workflow errored on 3205: is not a valid role or user name.
Hi experts,
We're currently on EBS R12.1.2. We're running into an issue that seems like a very general issue that other businesses would have encountered before. We have a business user who creates most of the sales agreements. When this business user left the company, we set an active end date on the particular userid. Now, when we go into the sales agreements originally created by this particular userid and put in the expiration date to expire them, we're seeing the sales agreement workflow erroring out in the pre-notification workflow email with error 3205: is not a valid role or user name.
It seems to be this is a very typical business scenario. If you have encountered this problem, please share how you resolved this issue within your oracle apps environment.
Thank you in advance for your help,
Jennifer
Hello,
We have the same problem in 11.5.10.2. If we want to use this blanket sales agreement I have to skip this notification as sysadmin, and after this I can extend the end date and another user can use this BSA.
Look at Extend The Expiration Date For Closed Non-Active Expired BSA Blanket Sales Agreement [ID 1394888.1]
Regards,
Luko -
Grant Privileges to another user
Hi,
I am new to plsql. In course of my learning. I created two tables BOOKS and AUTHORS in orcl database(10g) through SYSDBA.
Again i logged in to SCOTT user account and am unable to see the BOOKS and AUTHORS tables.
Please let me know how do i grant administrative privileges(to edit,delete,insert,update) to SCOTT user for these tables.
Thanks & Regards,
Amrutha.
808099 wrote:
1. Got now that SYSDBA is a role and SYS is user.
2. I was able to login to sqlplus through giving "/ as SYSDBA" as the username. Hence I thought of it as a user.
"/ as sysdba" connects to the database as the SYS user using operating system authentication with the SYSDBA role enabled.
3. Secondly, I don't know which schema my BOOKS table belongs to, because I just ran a create table script in scott/tiger@orcl. Please suggest how I can know which schema it belongs to.
If you connected to the database as the SCOTT user and ran the script to create the table, the table would almost certainly be owned by SCOTT. If you connected to the database as the SYS user and ran the script to create the table, the table would most likely be owned by SYS. If the script specified the schema owner, i.e.
CREATE TABLE library.book ...
the table would be created in the specified schema. But you need to have very powerful privileges in order to create objects in other users' schemas, and SCOTT does not have those privileges unless you've specifically granted them.
4. Thirdly, I will delete the BOOKS and AUTHORS from SYS and create them in SCOTT user. But thought if GRANT privileges can be an alternative.
Not really. It's much better to have the tables owned by the correct schema in the first place. You use grants to allow other users to access (or modify) tables but other users are not going to have the same level of privileges (for example, they're not going to be able to run DDL against the table).
Justin -
How to restrict a schema owner from granting privileges to other users.
How can we restrict a schema owner from granting privileges to other users on his objects (e.g. tables)? Let's say we have a user called XYZ and he has tables TAB1, TAB2 and TAB3 in his schema. How can we restrict user XYZ from granting privileges on TAB1, TAB2 and TAB3 to other users in the database? Is it possible in Oracle 10g R2? Any indirect or direct way to achieve this? Please help on this.
Thanks,
Manohar
Whenever someone is trying to prevent an object owner from doing something, that's generally a sign of a deeper problem. In a production database, the object owner shouldn't generally have CREATE SESSION privileges, so the user shouldn't be able to log in, which would prevent the user from issuing any grants.
As a general rule, you cannot stop an object owner from granting privileges on the objects it owns. You can work around this by creating a database-level DDL trigger that throws an exception if the user issuing the statement is XYZ and the DDL is a GRANT. But long term, you probably want to get to the root of the problem.
Justin
Edited by: Justin Cave on Nov 6, 2008 9:52 PM
Enrique beat me to it. -
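The workaround Justin describes, a database-level DDL trigger that raises an exception when XYZ issues a GRANT, could look like the following. This is an added example, not Justin's code: the trigger, procedure and table names are hypothetical, and it is meant to be created by a privileged account other than XYZ (creating a trigger ON DATABASE requires the ADMINISTER DATABASE TRIGGER privilege).

```sql
-- Hypothetical audit table so that blocked attempts leave a record.
CREATE TABLE grant_block_log (
  attempted_at DATE DEFAULT SYSDATE,
  login_user   VARCHAR2(30),
  object_owner VARCHAR2(30),
  object_name  VARCHAR2(30),
  grantees     VARCHAR2(4000)
);

-- Writes the record in its own transaction; the failed GRANT does not
-- roll it back.
CREATE OR REPLACE PROCEDURE log_blocked_grant (
  p_login_user   IN VARCHAR2,
  p_object_owner IN VARCHAR2,
  p_object_name  IN VARCHAR2,
  p_grantees     IN VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO grant_block_log
    (login_user, object_owner, object_name, grantees)
  VALUES
    (p_login_user, p_object_owner, p_object_name, p_grantees);
  COMMIT;
END log_blocked_grant;
/

CREATE OR REPLACE TRIGGER block_xyz_grants
BEFORE GRANT ON DATABASE
DECLARE
  l_grantees ora_name_list_t;   -- filled by the ora_grantee event function
  l_count    PLS_INTEGER;
  l_list     VARCHAR2(4000);
BEGIN
  -- Only object grants issued by XYZ on the three protected tables are
  -- refused; every other GRANT in the database passes through untouched.
  IF  ora_login_user     = 'XYZ'
  AND ora_dict_obj_owner = 'XYZ'
  AND ora_dict_obj_name IN ('TAB1', 'TAB2', 'TAB3')
  THEN
    l_count := ora_grantee(l_grantees);
    FOR i IN 1 .. l_count LOOP
      l_list := SUBSTR(l_list || l_grantees(i) || ' ', 1, 4000);
    END LOOP;

    log_blocked_grant(ora_login_user, ora_dict_obj_owner,
                      ora_dict_obj_name, l_list);

    RAISE_APPLICATION_ERROR(
      -20020,
      'XYZ is not permitted to grant privileges on ' || ora_dict_obj_name);
  END IF;
END block_xyz_grants;
/
```

Dropping the `ora_dict_obj_name` condition extends the block to every object XYZ owns. Anyone who can disable or drop database triggers can switch the control off, which is why locking the owning account, as the answer recommends, remains the stronger fix.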
CUA sync with child client issue for indirect role assignment.
Hello Security experts,
We have an indirect role assignment set up in our ECC environment. There is a synchronization issue from the parent CUA to the child client. The role assignments have been made to the role, although they are not always reaching the target system without having to sync up either the role or the ID's position # manually. This has been an ongoing issue CUA has on any role or user from time to time. Any hint on fixing this issue? Please help.
The whole idea of CUA is to manage your roles and users centrally; on the contrary you can manage the roles/profiles by setting up the attributes for the CUA through the Central User Management console - SCUM transaction.
CUA has its own pros -
Central rep, users sync, role provisioning strategy - global composites (consisting of individual child roles), distributed model - provisioning at individual child systems for roles, etc. Central user store, easy maintenance.
On the contrary - change documents are always a concern (because CUA uses interface IDs or the RFC IDs to push the IDocs from CUA to the child system), CUA maintenance during system refresh - copied distribution models have to be deleted and re-created, system backups have to be defined per your distribution model, password maintenance if defined global then child systems act as inactive nodes, reading the roles into CUA which are created in child systems so as to establish a pointer to that system.
It also depends on the number of systems you have in your landscape, so that you can calculate the overhead and then make a go/no-go decision on CUA.
Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
Rakesh