Issue granting BPMWorkflowReassign role to user BPEL 10.1.3.1 / OID

Similar Messages

• Granting role to user error

  Oracle 10.2.05
  Linux environment
  I just granted a role to a user, but the user does not have privileges base on the role.
  Here is what I did:
  First create a user (db_user) using system id
  Second, create role schema_admin_role
  Then run the script to grant privileges to the role
  (SELECT 'grant select, insert, update, delete on ' ||owner|| '.'||table_name || ' to schema_admin_role;' from dba_tables WHERE OWNER = 'another_schema';
  Then run
  grant schema_admin_role to db_user;
  The problem:
  When db_user tries to update table X own by another_schema, he gets not sufficent privileges
  But when I run (select owner, table_name,privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE'; ), I see all the privileges owned by this role.
  Any solution from your end will be appreciated.

  sb92075 wrote:
  did db_user start a new session after GRANT was issued?Yes he did - also when I try to list all privileges granted to db_user, I get no row seleted. On the other hand, when I query privileges granted to role schema_admin_role, I see all privileges granted earlier
  example
  select owner, table_name,privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE'; ---Here we get all privileges
  select owner, table_name,privilege from dba_tab_privs where grantee = 'DB_USER'; --No row seleted                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

• TFS 2013 TfsReports on SQL Server 2014 - rsAccessDenied Error even though all users are granted ALL Roles

  We have granted everyone all roles on our TfsReports site. However, all users (except for 2 who are TFS Admins) still get the following errors when attempting to manage the reports:
  The permissions granted to user Domain\UserName are insufficient for performing this operation. (rsAccessDenied)
  These are the roles we've granted to all "Domain Users": Browser, Content Manager, My Reports, Publisher, Report Builder, Team Foundation Content Manager.
  We can't seem to figure out what else might be missing.
  Please help.

  The issue was reported by one of the Application Support team stating that they have problems with accessing reports in Reporting Services from Team Foundation Server (TFS)
  side. By default certain users are part of local domain group having LOCAL ADMINISTRATOR privileges on TFS server, which is by default no issues for those users. Somehow there was a change in the role of certain users where ADMIN access was revoked. However
  the users are still part of SYSADMIN group, they were reported the error as follows:
  “The
  permissions granted to user ''DOMAIN\UserName'' are insufficient for performing this operation. (rsAccessDenied)”
  By default the text clarifies that no permission to access the reports and further we have set of roles defined on the Reporting
  Services, as follows: 
  http ://servername/Reports/
  Root
  BUILTIN\Administrators                  No
  access
  DOMAIN\TfsAdmins                        Content
  Manager
  DOMAIN\ReportAdmins
       Content Manager
  More
  details
  Ahsan Kabir Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread. http://www.aktechforum.blogspot.com/

• How to grant role to user

  How can use Oracle Developer2000 Form6 to grant priveledge and role to user in database (oracle 8i) from Trigger of Form6. Is there any built-in about this statement?

  PL/SQL doesn't allow you to issue DDL commands directly, but it does provide a utility package called DBMS_SQL. This allows you to create dynamic SQL statements at runtime and execute them. The code you would need are as follows:
  In declaration section -
  v_sql varchar2(200);
  v_cursor number;
  v_result number;
  In the code body -
  v_sql := 'GRANT <ROLES> TO <USER>';
  v_cursor := dbms_sql.open_cursor;
  dbms_sql.parse(v_cursor, v_sql, dbms_sql.native);
  v_result := dbms_sql.execute(v_cursor);
  You can ignore the value of v_result as it is not a DML statement. Also you could build your SQL string up dynamically using variables from your form ie:
  v_sql := 'GRANT '||:FORM.ROLE||' TO '||:FORM.USER;
  Hope that helps!
  Ian

• Grant role to user in form 6i

  Dear all,
  I have a role called ets_manager. How can i grant it to my user steve in forms 6i? I mean what is the script? I have a button when button pressed i want the role be granted to a user
  Thanks in advance.
  regards

  Try out FORMS_DDL Built-in
  http://www.oracle.com/webapps/online-help/forms/10g?topic=formsddl_html

• Database Vault Owner Grant Any Role Permission

  So I just noticed that the role DV_OWNER has the system privilege to GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not I would like to remove it. We would prefer the Database Vault owner person to not have any permissions execept for logging into the Data Vault console to modify realms and rules and stuff, and as well as looking at audit logs. The DV_OWNER role also has ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges which I would like to remove as well. Any body have any opinions on this?
  Oracle EE 11.2.0.2 on Windows 2008 R2
  Thanks.

  Sysdba can issue powerful statements such as create user, drop user, alter user, create profile .. and so on... can be done only if it is allowed so by modifying the Can maintain accounts/profiles rule set.
  You can also login with dvsys account but that account is locked after installation. So unlock it with
  alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault := DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
  Following can help you
  SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
  SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
  Regards
  Karan

• Strange behavior after granting a role associated to an access policy.

  Greetings.
  I am using OIM 11.1.1.3 and I am using also the DBUM Adapter 9.1.0.4.
  I Defined 3 roles in OIM after that I defined three access policies with the purpose of provision roles at a database.
  Every policy is associated to a role and a DBUM resource.
  At the end I have the following policies.
  Policy Name OIM Role Database Role
  1. Policy Role A - Role A - DBRoleA
  2. Policy Role B - Role B - DBRoleB
  3. Policy Role B - Role C - DBRoleC.
  When a role is granted to OIM User using the Administration Console the correct database role is provisioned at the specified database. But If I revoke a Role from the user and grant the same role again the specified role is not provisioned to the specified database.
  Example: An user have "Role A", "Role B" ,"Role C" at the database the user have DBRoleA, DBRoleB, DBRoleC.
  After revoking "Role A" from the user the database have the correct roles DBRoleB and DBRoleC.
  But if the "Role A" is granted again to the user the DBRoleA is not provisioned at the database.
  I enabled the dbum log file and it looks like the wrong role was chosen and the DBRoleB is the database role to be provisioned. Because we see at the log file when the "Role A" is granted to the user:
  [WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Form Value2011-11-04[2011-11-04T11:37:14.392-05:00] [WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Child form data map received:- {UD_DB_ORA_R_VERSION=0, UD_DB_ORA_R_KEY=3180, UD_DB_ORA_R_UPDATE=2011-11-04, UD_DB_ORA_R_CREATE=2011-11-04, Process Instance.Key=5916, UD_DB_ORA_R_UPDATEBY=6, UD_DB_ORA_R_ROLE=102~*DBRoleB*, Access Policies.Key=183, UD_DB_ORA_R_CREATEBY=6}
  The question is somebody has experienced the same issue?
  Is there another way to provisioning database roles after granting OIM Roles?
  Thanks!
  Ramiro Ortíz

  Finally we opened a Service Request to solve this issue, and it was a bug "OIM SENDING WRONG ENTITLEMENT NAME TO TARGET DURING ADD ENTITLEMENT OPERATION" and Oracle generated the patch 13499465 for DBUM Connector. Oracle had to provide us a new Readme to apply this patch because it wasn't well explained. So far the patch seems to work, we are making some tests now to be sure that the issue is solved. I just want to share that with the OIM community.
  Ramiro Ortiz

• Error while granting BPMOrganizationAdmin role to SOAOperator.

  Error Starting While starting SOA server. Please advise.
  <Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.services.organization> <BEA-000000> <Exception
  exception.70692.type: error
  exception.70692.severity: 2
  exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
  exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
  exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
  ORABPEL-10513
  Cannot get application roles from application identified by "{0}".
  An error occurred while getting application roles from application identified by "soa-infra".
  The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
          at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
          at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
          at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
          at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
          at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
          at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
          at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
          at $Proxy307.postDeployInit(Unknown Source)
          at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
          at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
          at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
          at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
  Caused By: ORABPEL-10510
  Application role not found.
  Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
  Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
          at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
          at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
          at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
          at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
          at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
          at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
          at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
          at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
          at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
          at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
          at $Proxy307.postDeployInit(Unknown Source)
          at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
          at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
          at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
          at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
  >
  <Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.common> <BEA-000000> <Exception
  BPM-70692
  Exception
  exception.70692.type: error
  exception.70692.severity: 2
  exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
  exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
  exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
          at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:324)
          at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:29)
          at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
          at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
          at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
          at $Proxy307.postDeployInit(Unknown Source)
          at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
          at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
          at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
          at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
  Caused By: ORABPEL-10513
  Cannot get application roles from application identified by "{0}".
  An error occurred while getting application roles from application identified by "soa-infra".
  The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
          at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
          at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
          at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
          at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
          at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
          at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
          at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
          at $Proxy307.postDeployInit(Unknown Source)
          at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
          at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
          at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
          at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
  Caused By: ORABPEL-10510
  Application role not found.
  Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
  Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
          at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
          at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
          at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
          at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
          at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
          at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
          at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
          at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
          at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
          at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
          at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
          at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
          at $Proxy307.postDeployInit(Unknown Source)
          at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
          at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
          at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
          at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
  >

  Hi user,
  Can you give us some information on the version you are using and your security setup? Are you using an external security provider? Because to me it sounds that you are using an external LDAP server.
  Antonis

• How can I see which roles or users have access to a table?

  How can I see which roles or users have access to a table?
  For a given table, how can I see the grants, who and what?
  Many thanks

  dba_tab_privs.
  Grantee can be a role or an user, as roles are fake users.
  Sybrand Bakker
  Senior Oracle DBA

• Assigning roles to users programmatically

  Hi,
  I want to programmatically create roles, assign roles to users etc.
  I saw at this thread
  ADF Security Policy Store
  the folowing scriptlet by Frank Nimphius
  try {
  IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
  try {
  UserManager userManager = idstore.getUserManager();
  RoleManager roleManager = idstore.getRoleManager();
  Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION,"admin");
  // create user
  //TODO check for empty username and password
  User newUser = userManager.createUser(this.username,this.password.toCharArray());
  roleManager.grantRole(adminRole,newUser.getPrincipal());
  } catch (IMException e) {
  // TODO
  } catch (JpsException e) {
  // TODO
  return null;
  this is a TP3 scriptlet, is it still working on the 11g production?
  I try it and i get a JpsException
  oracle.security.jps.JpsException
       at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
  do I have to replace "idstore.xml.provider" with something else depending on my configuration?
  thanks
  Tilemahos

  Hi Frank thanks for the answer,
  I check this functionality at WLS embeded LDAP and I shaw your "How-to configure OID for authentication in WebLogic Server" post.
  I manage to add users and assign them roles that i created at my application.
  But what if I want to have a super user that can create new roles and assign them member roles?
  eg.
  Developer created roles (policy store):
  accessPage1 ( granted all the necesery principals to access page1 )
  accessPage2 ( granted all the necesery principals to access page2 )
  Super user created roles
  Role1 member roles :accessPage1,accessPage2
  If i want my application to have that functionallity i must create roles programmatically wont I?
  If there another way?
  By the way I followed the advices at the following useful links
  Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
  Frank Nimphius's How-to configure OID for authentication in WebLogic Server
  Edwin Biemond's Using OpenLDAP as security provider in WebLogic
  Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
  And I manage to add users of the Microsoft LDAP at the WLS
  but I could't mekae them group members of my application groups (roles)
  is this possible?
  Thanks

• Differences between Roles, Schemas, Users and Logins.

  I need differences between Roles, Schemas, Users and Logins. Can anyone help me. Thanks in advance

  Roles:
  I think of creating roles in the database to group users of like
  function.  Roles are granted certain permissions in the database.  You
  should become familiar with the fixed database roles since these will be
  utilized once you start creating users within the database.  Also, once
  you see the type of permissions that are granted to each role, is makes
  more sense.
  Schema: there can be several schemas in a database,
  which will house different types of objects such as tables, indexes,
  stored procedures, functions,  etc.  Users own schemas.  Looking into
  the AdventureWorks database illustrates this concept, with several
  schemas like HR, Production, etc.
  Login: Think about login as
  gaining access to the SQL Server instance.  If a user account is not
  granted any permissions within the instance, you basically just were
  able to unlock the door and enter the room, by creating a user you then
  grant access to the database objects or principals, and can begin to
  work with them. 
  Users:  Users own schemas, and as such will be
  able to manipulate the objects they own.  Some of the manunipulations
  are very permissive, such as creating tables, indexes, stored
  procedures, functions, etc.  These are developers and administrators.
  Users
  are created and granted permissions for application use, which will
  have select, update, insert, and delete and execute permissions  to a
  finite set of objects in the schema, for which the application will need
  to function properly.
  In a client server database, as an
  example, of the structure.  Roles were defined which provides the
  permissions to the database objects in the database, which only has one
  schema 'dbo'. One SQL server login was created with the same username,
  and dbo is the assigned default schema, and the roles assigned to that
  username. 
  In the application, each specific user is given there own
  "application" login which is mapped to the one defined sql server
  login.
  Ahsan Kabir Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread. http://www.aktechforum.blogspot.com/

• Sales Agreement workflow errored on 3205: is not a valid role or user name.

  Hi experts,
  We're currently on EBS R12.1.2 We're running into an issue that seems like a very general issue that other businesses would have encountered before. We have a business user who creates most of sales agreements. When this business user left the company, we set active end date on the particular userid. Now, when we go into these sales agreements originally created by this particular userid, and put in the expiration date to expire these sales agreement. We're seeing the sales agreement workflow erroring out in the pre-notification workflow email with error 3205: is not a valid role or user name.
  It seems to be this is a very typical business scenario. If you have encountered this problem, please share how you resolved this issue within your oracle apps environment.
  Thank you in advance for your help,
  Jennifer

  Hello,
  We have the same problem in 11.5.10.2. If we want use this blanket sales agreement I have to skipped this notification by sysadmin and after this I can extend end date and another user can use this BSA.
  Look at Extend The Expiration Date For Closed Non-Active Expired BSA Blanket Sales Agreement [ID 1394888.1]     
  Regards,
  Luko

• Grant Privileges to another user

  Hi,
  I am new to plsql. In course of my learning. I created two tables BOOKS and AUTHORS in orcl database(10g) through SYSDBA.
  Again i logged in to SCOTT user account and am unable to see the BOOKS and AUTHORS tables.
  Please let me know how do i grant administrative privileges(to edit,delete,insert,update) to SCOTT user for these tables.
  Thanks & Regards,
  Amrutha.

  808099 wrote:
  1. Got now that SYSDBA is a role and SYS is user.
  2. I was able to login to sqlplus through giving "/ as SYSDBA" as the username. Hence i thought it as user."/ as sysdba" connects to the database as the SYS user using operating system authentication with the SYSDBA role enabled.
  3. Secondly, I dont know which schema does my BOOKS table belong to. Because i just ran a create table script in scott/tiger@orcl. PLease suggest how i can know which schema it belongs to.If you connected to the database as the SCOTT user and ran the script to create the table, the table would almost certainly be owned by SCOTT. If you connected to the database as the SYS user and ran the script to create the table, the table would most likely be owned by SYS. If the script specified the schema owner, i.e.
  CREATE TABLE library.book ...the table would be created in the specified schema. But you need to have very powerful privileges in order to create objects in other user's schemas and SCOTT does not have those privileges unless you've specifically granted them.
  4. Thirdly, I will delete the BOOKS and AUTHORS from SYS and create them in SCOTT user. But thought if GRANT privileges can be an alternative.Not really. It's much better to have the tables owned by the correct schema in the first place. You use grants to allow other users to access (or modify) tables but other users are not going to have the same level of privileges (for example, they're not going to be able to run DDL against the table).
  Justin

• How to restrict a schema owner from granting privileges to other users.

  How can we restrict a schema owner from granting privileges to other users on his objects (e.g. tables). Lets say we have user called XYZ and he has tables in his schema TAB1, TAB2 an TAB3. How can we restrict user XYZ from granting privileges on TAB1, TAB2 and TAB3 to other users in the database. Is it possible in Oracle 10g R2? Any indirect or direct way to achieve this? Please help on this.
  Thanks,
  Manohar

  Whenever someone is trying to prevent an object owner from doing something, that's generally a sign of a deeper problem. In a production database, the object owner shouldn't generally have CREATE SESSION privileges, so the user shouldn't be able to log in, which would prevent the user from issuing any grants.
  As a general rule, you cannot stop an object owner from granting privileges on the objects it owns. You can work around this by creating a database-level DDL trigger that throws an exception if the user issuing the statement is XYZ and the DDL is a GRANT. But long term, you probably want to get to the root of the problem.
  Justin
  Edited by: Justin Cave on Nov 6, 2008 9:52 PM
  Enrique beat me to it.

• CUA sync with child client issue for indirect role assignment.

  Hello Security experts,
  we have a indirect role assignment set up in our ECC environment. there is a syncronization issue from the parent CUA to the chlild client. The role assignments have been made to role although they are not always reaching target system without having to sync up either the role or the IDu2019s position # manually.   This has been an ongoing issue CUA has on any role or user from time to time.   any hint on fixing this issue. please help..

  Whole idea of CUA is to manage your roles and users centrally, on the contrary you can manage the roles/profiles by setting up the attributes for the CUA thorugh Central user Management console - SCUM Transaction.
  CUA has its own pros -
  Central rep,Users Sync,Role Provisioning statergy - Global composites(consists of individual child roles) Distibuted model -Provisioing at individual child systems for roles, etc.Central user store,easy maintenance.
  on the contrary - change documents is always a concern ( because cua uses - interface Ids or the RFC ids to push the idocs from cua to child system), CUA maintenance while system refresh - Copied distribution models have to be deleted and re-created, system backups has to be defined per you distribution model, password maintenance if defined global then Child systems act as inactive nodes, reading the roles into cua which are created in childs so as to establish a pointer to that system.
  It also depends on the number of systems you have in your landscape so that you can calculate the overhead and then have a Go -no-Go decison on CUA.
  Overall, I consider CUA as a good approach provided we streamline the process of provisioning, de-provisioning per the cua standards.
  Rakesh