IsUserInRole fails if user has multiple roles

I'm using 6.1 and the RDBMSRealm.
I have two groups and Weblogic console tells me (correctly) that my
user is a member of both groups.
My weblogic.xml file maps the two groups to two roles with equivalent
names.
Having logged the user on, HttpServletRequest.isUserInRole works for
one role but not the other.
Anyone have any ideas?
Thanks in advance Frank Tuttle

I stepped on this rake too ;) You are confusing roles and groups. Roles are the
things you describe in the bean deployment descriptor (IMHO a good idea with a bad implementation),
and groups are what you have in WLS's realms, different from EJB's roles.
If you want to use groups as roles (that's what we do) you'll have to write your
own method that'll take a group name, get all groups the current user belongs
to and find out if isCallerInRole(), or inGroup(), if you want to ;)
-- ME
Frank Tuttle wrote:
I'm using 6.1 and the RDBMSRealm.
I have two groups and Weblogic console tells me (correctly) that my
user is a member of both groups.
My weblogic.xml file maps the two groups to two roles with equivalent
names.
Having logged the user on, HttpServletRequest.isUserInRole works for
one role but not the other.
Anyone have any ideas?
Thanks in advance Frank Tuttle

Similar Messages

  • Checking if a user has a role (FGAC)

    Hi!
    I am implementing Fine Grained Access Control on a table and in my policy function I do not want to restrict the amount of result data on a select if the current user has a certain role (otherwise I want to).
    My idea was to check USER_ROLE_PRIVS/ROLE_ROLE_PRIVS for the role, but the stored procedure runs with definer-rights, so that won't help.
    Running the procedure with invoker-rights won't help either, since not the current user is the invoker of the policy function but the DB system (user sys?).
    And finally, the definer of the policy function does not have DBA privs, so I can't select the DBA_* views to check if the current user has the role.
    Is there another way to check if the current user that is known inside the policy function by the USER variable has a certain role?
    Thanks for your help!
    Marcus

    Hi Frank,
    thanks for your answer!
    Frank Kulash wrote:
    Policy functions are run by the user who queries or tries to do DML on the table.
    I don't see that this is happening. Here's my test case:
    CREATE OR REPLACE FUNCTION CU_is_member_of
    (v_role IN VARCHAR2) RETURN NUMBER
    AUTHID CURRENT_USER
    is
    v_res VARCHAR2(255);
    begin
    SELECT COUNT(*)
    INTO v_res
    FROM
    (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
    UNION
    select GRANTED_ROLE from role_role_privs)
    WHERE UPPER(GRANTED_ROLE)=UPPER(v_role);
    RETURN to_number(v_res);
    end;
    CREATE OR REPLACE FUNCTION POLIFUNC_PARTTYPES_WRITE
    (p_schemaname IN varchar2, p_tablename IN varchar2)
    RETURN VARCHAR2
    IS
    BEGIN
    IF USER=p_schemaname
    THEN RETURN '';
    ELSE
    BEGIN
    if SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES')=1
    THEN RETURN ''; -- *****
    ELSE
    BEGIN
    RETURN '1=0';
    END;
    end if;
    end;
    END IF;
    END;
    CALL SYS.DBMS_RLS.ADD_POLICY('SYSWM_TOOL', 'TBL_PARTTYPES', 'POL_PARTTYPES', 'SYSWM_TOOL', 'POLIFUNC_PARTTYPES_WRITE', 'select'); --TODO: SELECT->UPDATE,INSERT,DELETE
    If the policy function is run by the user who queries, then I would expect that a user who has the role querying table TBL_PARTTYPES would see all entries since he would run into the line marked with *****.
    SQL> select SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES') FROM DUAL;
    SYSWM_TOOL.CU_IS_MEMBER_OF('#ACT#WMT_MANAGE_PARTTYPES')
    1
    SQL> SELECT COUNT(*)
    2 FROM
    3 (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
    4 UNION
    5 select GRANTED_ROLE from role_role_privs)
    6 WHERE UPPER(GRANTED_ROLE)=UPPER('#ACT#WMT_MANAGE_PARTTYPES');
    COUNT(*)
    1
    So, the current user has the role and the stored function CU_IS_MEMBER_OF works correctly. However:
    SQL> select count(*) from syswm_tool.tbl_parttypes;
    COUNT(*)
    0
    What am I missing here?
    Marcus

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
    3.] If a PSN does not receive a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
    In your case, the 3rd option seems to be the closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Visual Totals and users in multiple roles

    Hello,
    I have a few questions regarding dimension security and visual totals enabled.
    The infrastructure:
     - multiple roles
     - users are members of multiple roles
    1) if I have multiple roles and the user is member of multiple roles  - if I set "Visual Totals" to true on one role it does not work?
    2) same as "1" but if I set the visual totals on all roles it does not work?
    is this the intended behavior? - does it only work if the user is only in one role? or do I do something wrong?
    We want to have visual totals on two roles and not on the others - if possible. And if the user is a member of other roles it would be OK if he sees all values.
    3) How would Visual Totals work if I allow some nodes but deny all children of the node?
    4) Is there some advanced documentation which extends the information from "ms-help://MS.VSCC.v80/MS.VSIPCC.v80/MS.SQLSVR.v9.en/uas9/html/b028720d-3785-4381-9572-157d13ec4291.htm"?
    Thanks for your help.
    HANNES

    Years after I am going to search for the same answer I was looking 7 years ago....
    Maybe someone out there can answer them now?
    http://www.hmayer.net/

  • System needs to approve automatically when the same user has different role

    Hi Gurus,
    My issue relates to approval in Shopping cart.
    Say this is my Issue.
    This is the Approval determined by the system.
    1 - X
    2 - Y
    3-  Z
    4-  X
    5- Y
    X & Y are the Same user but with different role in the Approvals.
    First time 'X' would get the cart to approve it manually but second time system should automatically approve it. Same should happen for 'Y' as well. So now both X & Y needs to approve the cart only once.
    Please advise me how to approach this issue, or if anyone has experienced the same kind of issue please let me know how to resolve it.
    Thanks for your time to spend on it.
    Thanks,
    SNMPkumar

    Hi,
    You can handle it with N-Step BADI Workflow.
    Regards,
    Masa

  • Check if a user has a specific role

    Hello,
    Is it possible to check if a user has a specific role in MII 12.0?
    For example if the user has the role "xmii Developers" I would do something more in a transaction than if the user doesn't have this role.
    Thank you for your help.
    Regards,
    Matthias

    Hi Matthias Pröller ,
    Are u finding difficulty to trace which role user is assigned to? If so, then u can refer Abesh's Blog.
    OR
    If you are writing Transaction to get user list based on Role , then u can do following
    Create XML query.
    Configure above XML Query in Transaction, in links map (XML Query) URL like given below
    "https://Server:Port/XMII/Illuminator?service=admin&Mode=UserList&Content-Type=text/xml&group=XMII Administrators&IllumLoginName=loginId&IllumLoginPassword=pwd"
    Regards,
    Padma
    Edited by: Rao on Mar 31, 2009 11:52 AM

  • (104) RFC_ERROR_SYSTEM_FAILURE: User has no RFC authorization

    Hello Guru's
    I am getting the following error when trying to open the BI reports.
    The initial exception that caused the request to fail was:
    User has no RFC authorization for function group SDIFRUNTIME.
    com.sap.mw.jco.JCO$Exception: (104) RFC_ERROR_SYSTEM_FAILURE: User has no RFC authorization for function group SDIFRUNTIME.
    at com.sap.mw.jco.MiddlewareJRfc.generateJCoException(MiddlewareJRfc.java:455)
    at com.sap.mw.jco.MiddlewareJRfc$Client.execute(MiddlewareJRfc.java:1442)
    at com.sap.mw.jco.JCO$Client.execute(JCO.java:3979)
    at com.sap.mw.jco.JCO$Client.execute(JCO.java:3416)
    at com.sap.mw.jco.JCO$Repository.execute(JCO.java:20471)
    I have no clue what is the reason I am getting the error.
    Please help me out in this.
    Regards,
    Pramod

    Hi,
       This is due to BI system authorization issues. You need to give/get proper authorizations to the BI user id with which you are connecting to back end via JCO connection. You have to assign additional roles to this user id to resolve this issue.
          If you are working on client environment you have to contact back end (BI) security administrator to get more authorizations. If you provide the error message to them, they will know which role to assign.
         If you are working in sandbox environment assign SAP_ALL. This will resolve the issue.
        I hope it helps..

  • Login error: user has expired

    Hello!
    I just installed Solaris 11.1 on my server and want to install Sun Ray Software. I rebooted my server twice while installing the software, and after the last reboot I can't log in to my account. I get an error message saying that my user account has expired. I can't find any info about this problem. Can you help me, please?

    Helios- Gunes EROL wrote:
    Hi;
    As mention please share how you create your user, What is os and DB version? your other user has same problem? The user has any role?
    Also see:
    How to Keep the Same Password when Expiry Time is Reached and Change is Required [ID 98481.1]
    Regard
    Helios
    create user abc identified by abc default tablespace USERS temporary tablespace TEMP;
    Linux 2.6.18-238.el5 #1 SMP Sun Dec 19 14:22:44 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit
    Other users don't have problem at this moment.
    He has the roles which granted him select privileges on some tables.

  • Multiple roles assigned to an user

    Hi folks,
    My question sounds to be something weird, but wanted to be cautious. I see a lot of users in my environment with multiple roles assigned to them. When i checked the roles of an user who has three roles assigned to him, i noticed that all the roles have some tables in common with the same grants in all the three roles, and all these three roles are assigned to the same user. Will there be any problem?
    An example to explain my scenario...
    User scott has three roles A, B and C assigned to him. All three roles have execute on the xy.abc procedure and select, insert, update, delete on the xy.xyz table. Will there be any problem for the user who is assigned all three roles? Will there be any confusion for Oracle about which role to choose from?
    Thanks

    This sounds to be something new. So When a oracle
    tries to hold all the privileges does it do a
    distinct on the table grants, so that i will have
    just one entry of the privilege of an object, though
    it exists in all the roles assigned to that user.
    No, the table objauth$ looks like this,
      1* select * from objauth$ where rownum < 100
    SYS@etest> /
          OBJ#   GRANTOR#   GRANTEE# PRIVILEGE#  SEQUENCE# PARENT                OPTION$       COL#
           133          0          5          0          1
           133          0          5          3          2
           133          0          5          5          3
           133          0          5          6          4
           133          0          5          9          5
           133          0          5         10          6
           133          0          5         11          7
           135          0          5          0          8
           135          0          5          3          9
           135          0          5          5         10
           135          0          5          6         11
          OBJ#    GRANTOR#  GRANTEE# PRIVILEGE#  SEQUENCE# PARENT                OPTION$       COL#
    ---------- ---------- ---------- ---------- ---------- ------------------ ---------- ----------
    where
    OBJ# is object ID, could be any object not only table,
    GRANTOR# is user# , ROLE is also considered a special USER internally in Oracle.
    SYS@etest> select user#, name from user$
      2  /
         USER# NAME
             0 SYS
             1 PUBLIC
             2 CONNECT
             3 RESOURCE
             4 DBA
             5 SYSTEM
             6 SELECT_CATALOG_ROLE
             7 EXECUTE_CATALOG_ROLE
             8 DELETE_CATALOG_ROLE
             9 EXP_FULL_DATABASE
            10 IMP_FULL_DATABASE
    ..............
    So different roles will have different records in objauth$, even if it's the same privilege of the same object granted to the same user.
    A GRANTEE# can have the same privilege to the same object from different GRANTOR#s.

  • What happens if we assign multiple roles to one user

    Hi Experts,
    what is the outcome of the scenario where multiple roles are assigned to one user in MDM?
    Example: role A has execute command for field X and another role B has read only command for the same field X. What happens if both roles are assigned to user John?
    Thanks in advance
    Sharma.

    hello Abhishake,
    Thanks for the reply,
    so does that mean the user will have the execute role even though the second role was read only?
    Thanks,
    sharma

  • We have multiple devices in our family.  On each iPad/iPhone each user has their own apple id for iMessage, Facetime and icloud, but we all sign in to the same apple id for itunes.  When one of my kids comments on my shared photostream, it shows my name??

    We have multiple devices in our family.  On each iPad/iPhone each user has their own apple id for iMessage, Facetime and icloud, but we all sign in to the same apple id for itunes.  When one of my kids comments on my shared photostream, it shows my name and not theirs as the commenter.  How do I fix that?

    CREATE A NEW USER
    Go to System Preferences --> Create a New User in Users & Groups
    Decide on whether to setup as Admin or Standard User.
    Switch to the New User by logging out under the Apple in the Menu Bar or use Fast User Switching
    Fast User Switching allows other users to leave current applications and windows open. Depending on RAM, you might need to log out rather than use FUS.

  • Job scheduling failed because the user has no permission to access this rep

    Hi. I've OBIP 10.1.3.4.1.
    When I launch a print with the scheduler I see this error:
    oracle.apps.xdo.servlet.scheduler.ProcessingException: Job scheduling failed because the user has no permission to access this report. [REPORT_URL]=[folderreport/report/report.xdo], [USERNAME]=[administrator]
         at oracle.apps.xdo.servlet.ui.scheduler.SchedulerServlet.scheduleJob(SchedulerServlet.java:1140)
         at oracle.apps.xdo.servlet.ui.scheduler.SchedulerServlet.doPost(SchedulerServlet.java:295)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
         at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
         at oracle.apps.xdo.servlet.security.SecurityFilter.doFilter(SecurityFilter.java:100)
         at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
         at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
         at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
         at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
         at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
         at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
         at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
         at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
         at java.lang.Thread.run(Thread.java:595)
    In this env. I've a LDAP Security Model and all the report and all the users work.

    Please check whether you have assigned below responsibility to the user trying to schedule report.
    XMLP_SCHEDULER

  • How to restrict login for multiple users having same Role

    Our Web Application is deployed on Tomcat 5.5
    The requirement is:
    There are roles in the application like "operator", "admin"...
    There are multiple users created for each of the above role.
    When one user of "operator" role is logged in, then
    It should not allow to login for another user of "operator" role.
    Also, if user did not log out & application gets close, then
    It should not allow to login for another user of "operator" role.
    Also, it should not allow to login for multiple requests of same user
    (using another browser instance...)
    Is it possible using session object?
    But, using session object, it will create separate objects for different users,
    So here I will not be able to restrict session object creation rolewise.
    Also, how to retrieve these multiple session objects created for different users on server?
    If anyone is having the solution please reply as soon as possible,
    Thank you.

    To tell you the truth, this is a stupid requirement. It must be an extremely fragile application.
    In any case, you will have to write your stuff for that. Probably a filter that on login, logout, and session expiration checks, makes, or removes entries in a DB (using a synchronized resource to prevent race conditions) or possibly even simply in an application context object.
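
The approach suggested in the reply above (state kept in the application context, with one lock around the check and the claim), sketched as an added example that is not part of the original thread. The class name `RoleSlotRegistry`, its methods and the attribute keys are hypothetical; only standard `javax.servlet` calls are used.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Added example: allows one live session per role. All names are hypothetical. */
public final class RoleSlotRegistry {
    private static final String CTX_KEY = "example.roleSlots";    // assumed name
    private static final String SESSION_KEY = "example.roleSlot"; // assumed name

    // role name -> id of the session that currently holds that role
    private final Map<String, String> holders = new HashMap<String, String>();

    /** Returns the single registry stored in the application context. */
    public static RoleSlotRegistry from(ServletContext ctx) {
        synchronized (ctx) {
            RoleSlotRegistry r = (RoleSlotRegistry) ctx.getAttribute(CTX_KEY);
            if (r == null) {
                r = new RoleSlotRegistry();
                ctx.setAttribute(CTX_KEY, r);
            }
            return r;
        }
    }

    /**
     * Call from the login filter after authentication succeeds. The check and
     * the claim happen under one lock, so two concurrent logins cannot both win.
     */
    public synchronized boolean tryAcquire(String role, HttpSession session) {
        String holder = holders.get(role);
        if (holder != null) {
            return holder.equals(session.getId()); // the holding session may re-enter
        }
        holders.put(role, session.getId());
        // The container calls valueUnbound() on logout (invalidate()) and on
        // session timeout; that callback is what frees the role again.
        session.setAttribute(SESSION_KEY, new Slot(this, role, session.getId()));
        return true;
    }

    private synchronized void release(String role, String sessionId) {
        if (sessionId.equals(holders.get(role))) {
            holders.remove(role);
        }
    }

    // Session attribute whose removal releases the role.
    private static final class Slot implements HttpSessionBindingListener {
        private final RoleSlotRegistry registry;
        private final String role;
        private final String sessionId;
        Slot(RoleSlotRegistry registry, String role, String sessionId) {
            this.registry = registry; this.role = role; this.sessionId = sessionId;
        }
        public void valueBound(HttpSessionBindingEvent event) { }
        public void valueUnbound(HttpSessionBindingEvent event) {
            registry.release(role, sessionId);
        }
    }
}
```

A user who closes the browser without logging out keeps the role until the session times out, so the configured session timeout bounds how long the role stays locked. When `tryAcquire` returns false, the caller should invalidate the newly created session and reject the login.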

  • How to see, if some user has done multiple login at the same time

    Hi,
    i'm looking for a tcode to see, if some user has done multiple login in a date-range.
    Regards, Dieter

    It is also dependent on your license type, as it is populated at logon - prior to any Z-coding option - which will cause a lockout if attempted an access that way.
    I recently found a cool way to detect DB triggers and updates - very obscure...
    However I also "move around" during support in projects and don't always want to kick myself out. I guess SAP can "work-it-out" from the various fields of the table to map the user behaviour.
    Personally I don't believe that all of such information is appropriate for public domain, as all the SAP_ALLers out there combined with the types of authentication options are not always responsible with the information either.
    Thankfully, SAP has added a "salt" to the password hashes now. They offer RZ11 login/password_downwards_compatibility as a workaround...
    Take a look in your system!
    Cheers,
    Julius

  • How to check if a user has a particular role in sql server

    Is it possible to check to see if a user has a particular role in sql server? For instance, I need to check to see if the user logging in has write ability to the database. Thanks in advance.

    To answer your question from a Java-perspective, since this is a Java-forum: No.
    The JDBC 3.0 specification does not state that the driver has to implement a user credential mechanism.
    However, the DriverManager will throw an SQLException if user credentials are not met at all and the Connection should throw you a SQLException when trying to create or execute a statement that you are not allowed to do.
