LDAP authentication with authorization roles

I currently have LDAP functioning and working correctly on my application (APEX 4.0). Our system is limited to a certain number of users within the AD group that can access the system. I have created an authorization scheme that looks at a database table to determine if the user has access to the system. If I put this authorization scheme on the login process of the login page it works successfully; however, the failure error message does not show up if the user does not have access. If I put this authorization scheme on the page that you are redirected to after login I get the message. However, what I would like to do is have this authorization failure message appear as a pop up message on the login screen once the login button is pressed. Is this possible?
Thank You!

> However, what I would like to do is have this authorization failure message appear as a pop up message on the login screen once the login button is pressed. Is this possible?

Create a 'Page processing' process that runs after the login completes. Apply the authorization function to it. If it fails the authorization, this should abort the login and display an error on the login page. Theoretically... not something I've needed to do.
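
An added example, not part of the original thread and not Oracle's own code: one way to get the message onto the login page is a validation of type "Function Returning Error Text" on the login page, which runs on submit before the Login process and shows its text on the same page (a different route from the page process suggested in the reply). It checks the LDAP credentials first so that the "not authorized" text is only shown to someone who has proved they own the account. Assumptions: the default login items `P101_USERNAME` and `P101_PASSWORD`, a hypothetical table `APP_AUTHORIZED_USERS(USERNAME)`, and placeholder LDAP connection values.

```sql
-- Added example: body of a login-page validation,
-- type "Function Returning Error Text". Returning NULL means "passed".
declare
    -- Placeholders (assumptions): use the same host, port and search base
    -- as the application's existing LDAP authentication scheme, including
    -- whatever protected transport that scheme is configured for.
    c_ldap_host   constant varchar2(255) := 'ldap.example.com';
    c_ldap_port   constant varchar2(5)   := '389';
    c_search_base constant varchar2(255) := 'ou=people,dc=example,dc=com';

    -- Same wording for every credential failure, so the page does not
    -- reveal whether the user name exists or is on the access list.
    c_generic     constant varchar2(200) := 'Invalid login credentials.';
    c_denied      constant varchar2(200) :=
        'Your login is valid, but you have not been granted access to this application.';

    l_login       varchar2(255) := trim(:P101_USERNAME);
    l_granted     pls_integer;
begin
    -- Reject empty input before touching the directory: many LDAP servers
    -- treat a bind with an empty password as an anonymous bind and accept it.
    if l_login is null or :P101_PASSWORD is null then
        return c_generic;
    end if;

    -- Step 1: authentication. Only a successful bind may learn anything
    -- about the authorization table.
    if not apex_ldap.authenticate(
               p_username    => l_login,
               p_password    => :P101_PASSWORD,
               p_search_base => c_search_base,
               p_host        => c_ldap_host,
               p_port        => c_ldap_port)
    then
        return c_generic;
    end if;

    -- Step 2: authorization against the application's own table
    -- (APP_AUTHORIZED_USERS is a hypothetical name).
    select count(*)
      into l_granted
      from app_authorized_users
     where upper(username) = upper(l_login);

    if l_granted = 0 then
        return c_denied;   -- shown on the login page; Login process never runs
    end if;

    return null;           -- validation passed; the Login process continues
end;
```

Keep the existing authorization scheme on the application's pages as well: the validation only improves the message on the login page and is not a substitute for the per-page check.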

Similar Messages

  • Config transparent Proxy with LDAP authen with L4 switch?

    How to config policy based routing on L4 switch if wsa run in transparent mode with LDAP authentication?
    Async OS: 5.1.0-420
    Thank you,
    Thanapol

    Ezekiel,
    I wanted to add some clarification to your comments:
    1) Network TAP connected to T1/T2.
    This will work good. You will need to tap one direction of traffic to the T1 port and the other direction in to the T2 interface.
    2) L4 switch connected to P1.
    This will NOT work. Further explanation below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to gateway to the T1 interface.
    The L4TM will need to be in 'duplex' mode - Configurable in the GUI.
    3) WCCP v2 connected to P1.
    WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
    L4TM information
    The L4TM can be thought of as a completely separate appliance that operates primarily via the t1 / t2 interfaces.
    The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as L4 switching PBR or WCCP), but you can send a copy of traffic to it (port mirroring or physical tap).
    If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use for the M1/P1 interfaces that the L4TM will use.
    The P1 interface is intended to be used for Web proxy traffic and the L4TM does not listen on this interface.

  • After BI 7.0 Upgrade, Authorization Roles and profiles are not visible

    Hi Gurus,
    We have an issue with authorization roles and profiles are not visible for all end users with new Bex Analyzer (BI 7.0) tool. But still they can see these roles with old Bex Analyzer ( Bex 3.5) tool.
    As a developer I have SAP_ALL access and I can see all authorization roles in new BEx Analyzer (BI 7.0).
    I verified in SU01 for user access and every user is assigned their roles and they are green.
    Do we need to add any new authorization object to fix this issue, please let me know
    Thanks and appreciate your help.
    Thanks
    Ganesh Reddy.
    Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM

    Hi Ganesh,
    check the behaviour, if you assign
    S_USER_AGR                          
       ACT_GROUP = "..name of the assigned role.."
       ACTVT = 03 (for "display")    
    b.rgds,
    Bernhard

  • Use of default XACML with custom role mapper and authorization provider

    Hi,
    Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
    My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
    Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

    I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then write a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
    Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
    The chosen approach depends on where you're getting the role information from.

  • Mapping LDAP Groups to SAP Roles

    Hi there,
    i am trying to build up a synchron usermanagement with a LDAP-Server between EP, Web AS Java and Web AS ABAP.
    My thought is to administrate the users in the LDAP-Directory. The users will be assigned to groups.
    In EP and Web AS Java its no problem to assign these groups to roles and then just change the Users in the LDAP-Group and reach a synchron usermanagement.
    In Web AS ABAP it seems impossible to assign roles to groups.
    The question is, is it possible to map ldap groups with the ldap connector of the web AS ABAP to Roles in an ABAP System?
    Or is there another way to administrate users in different systems?
    Thanks a lot for your answers,
    stefan

    Hi
    in this case u have to use the concept of central user administration. use the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
    hope this helps u to get fair bit of idea
    don't forget to give points
    With regards
    subrato kundu

  • Authorization  -- Roles

    Hi All,
    We are moving our application from Oracle Forms to Apex. I am basically a forms developer and I didn't understand the authorization/roles in Apex.
    For eg in our database we have 2 roles app_lookup ( privs - insert,update, delete, select) and app_guest( privs select) . And we use the database authentication for forms. If we have 2 end users Super with role app_lookup and operator with role app_guest, and if I want to implement the database role, how can it be done in Apex.
    End user Super ( with all privs) need to update/delete/insert/select in apex
    End user Operator( with only priv select) need to select particular table/pages in apex.
    Could someone throw lights on how this can be done in Apex.
    thank you
    rajesh

    "user596620",
    You can go to your control panel and give us your real name, or at least something easier than "user596620".
    Why do I think Database Authentication is a dying trend?
    - LDAP directories were designed from the ground-up to store information like Authentication and Authorization data.
    - Almost every technology out there can use LDAP as an Authentication source.
    - There are only a few technologies that can use the DB for an authentication source. What if your users don't want to have a separate username / password for their APEX apps than their email account? You're out of luck.
    - Databases were never designed as user repositories. It's a square peg in a round hole.
    - Mixing data schemas and user accounts in a database is a mess to maintain. It's often difficult to tell them apart. Which ones contain sensitive data, which ones are just users?
    - There are only a few attributes that you can store in a database "user". If you want to store phone, email, certificate, etc, you have to create your tables for it.
    - If end users have accounts in a database, it's that much easier for them to connect with third-party tools and start poking around.
    - There is no concept of delegated administration with a database. How do you give someone the ability to manage all users in a particular group?
    - Managing roles and privs for thousands of database user accounts is a nightmare. It's much easier in a web environment to assign select / execute privs to the account used by the web application, vs all of the users accessing the application.
    - Onboarding / off-boarding / auditing accounts scattered throughout a bunch of databases is impossible vs creating / deleting / auditing all accounts and groups (roles) in a single LDAP directory.
    I'm probably missing a lot of points here, so I may ask someone on the Identity Management side of things to chime in.
    Tyler

  • LDAP user to application role mapping

    Hi All,
    OBIEE 11.1.1.5
    I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
    Can some one guide me, how to make sure that when user login to OBIEE automatically by table the role will be fetched and mapped with application role created?
    Or, In simple words,
    How can I assign an external ldap user to be mapped to application role? One by one?? or Via table as mentioned above?
    Anyone can help? All documents are not giving this simple picture to me.
    It was easy in 10g. In 11g is it rocket science so that my company can lose the hope to go ahead with 11g?

    Hi,
    1. Create block to initialize USER variable with user name from LDAP
    2. Create block to initialize GROUP variable with role name from external table
    3. In initialization block for GROUP variable add precedence with User init block to make sure that USER variable have value
    4. If one user can have few roles you should check row-wise-initialization option
    Hope it's helpful

  • LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)

    I have 2 questions and these are very urgent :-
    1. Where the mapping can be defined between LDAP groups and WebLogic Roles. I have
    2 groups in iPLanet :- Contractors and employees and I have 2 security roles in weblogic:-
    contractors and employees. How do I map LDAP group contractors to weblogic security
    Role contractors? Similarly for employees ?
    2. I have not defined contractors and employees under People container in IPlanet.
    e.g. The RDN for contractor is
    uid=1234,ou=dir,dc=orams,dc=com
    Can I still use the default security realm of weblogic (the WebLogic Security Realm
    under People ) OR I have to write my own custom code ?
    3. I am planning to use Roles instead of groups to manage the logical grouping in
    iPLanet. Can I still use the groups in WebLogic security realm ( in the configuration
    parameters ?)
    This is very urgent ....so if any of you can throw any hints that will be greatly
    appreciated.
    --Sunita

    Hi Ariel,
    The driver is bundled with the product in WLS 6.1sp1. you don't have to
    download any additional driver. Use it as you normally would only thing to
    remember is if you are trying to write standalone java code then you have to
    have weblogic.jar in your classpath. For the rest of the info follow the wls
    docs for 6.1
    HTH
    sree
    "Ariel" <[email protected]> wrote in message
    news:3bb4a643$[email protected]..
    We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
    downloaded the JDriver from bea.com, but all the instructions that came with
    it are for WLserver 5.1.
    What has to be done to do this with 6.1 sp1?
    Thanks,
    Ariel

  • Authorizations & Roles in ISA

    Hi,
    FIRST PART - USER ADMINISTRATION
         I have a requirement where in I have to add a new authorization (for providing "User is approver" role) . What are all the necessary things to be done to add a new role/authorization to pop up in role list while creating a new user?
    What is to be added in Customizingr3.xml and INITCUST.xml.
    Does ISA_USER_CREATE or any other RFC call which is made while creating a user validates these customized role?
    If Yes, then i will be thrown some backend exception which i am anticipating !!
    If NO, what is that i need to do or ask ABAP folks here to check in backend and to implement some kind of validation on all the Roles that are getting assigned while creating a user.
    SECOND PART - B2B Shopping Site
    Once a newly created User logs into Shopping site, from where are these roles/authorizations of that user being accessed?
    I mean to say, how can i check for User specific settings(permissions,auth,role). Please advise me with the RFC / BusinessObjects used to find User specific data.

    Hi Dev,
                We are trying to build a B2B solution using ISA. I may be very dumb in my questions, but please please try to make some point out of my questions.
    We are trying to look at all the files under R3 and not using anything from CRM (in terms of folder structure and files from OOB code of ISA). so i think we are using SAP-ERP as per your previous reply. I hope i make some sense. We are building application on version 7.0
    Now coming to procedure of creating a user from User Administration, i do have the idea of what is being mentioned in your steps.
    Now in the "Assigned Roles" table displayed in "Create New User" screen, i need to add a new role (like Can Approve Orders - means user is an approver). Now in order to create a new role with new description (in addition to Full b2b, view only orders et.,) what are all the necessary things i need to do?
    By modifying the CustomizingR3.xml and INITCUST.xml, i was able to get another new row for role/description in "Customizing" link. When i add some new role/description, they get populated in the "create new user" screen. Now when i save all the details assigning the new role, a new user is created with new role assigned.
    But if we observe, Full B2B authorization for instance, when we assign them, in the backend, few sub roles like :
    SAP_ISA_B2B_FULL
        SAP_ISA_SUB_BILLING_VIEW
        SAP_ISA_SUB_CATDISPLAY
        SAP_ISA_SUB_CATPRICE
        SAP_ISA_SUB_CONTRACT_UI
        SAP_ISA_SUB_CUSTOMER_READ
        SAP_ISA_SUB_ORDER_MAINTAIN
        SAP_ISA_SUB_QUOTATION_UI
        SAP_ISA_SUB_QUOT_DISPLAY_UI
        SAP_ISA_SUB_RFC
        SAP_ISA_SUB_TEMPLATE_MAINTAIN
    In similar fashion, i need to create new authorization SAP_ISA_B2B_APPROVE_ORDERS. so what is all that i need to do? just modifying the xmls, adding this auth in "customizing" link and assigning them in create user screen are enough?
    If this process is enough, then i need to know, how can we validate such a new role in backend when a new user is created. Should i ask the ABAP folks here to create a new auth with same string and assign some SUB roles which in future will help me authenticate approval flow?
    Finally, how are the roles visible in frontend while user creation and roles in sap backend validated/mapped against each other?
    I have put forward what all i could. Please do guide me.
    Thanks,
    Abhiram

  • How to achieve logical operator on [Authorize(Roles = ] in MVC

    For example, I need to make a controller accessible a user with two roles; role "Admin" and "Editor". How to achieve it.
       [Authorize(Roles = "Admins")]
        public class SampleController : BaseController
    How to do logical operator, such as AND and OR (maybe || and &&)
    Thanks!
      

    Hello klouapple,
    Please post your question to ASP.NET forum instead of here.
    Best regards,
    Barry

  • Replicating authorization roles via HR replication from ECC 6 to SRM 5.0

    Hi,
    I'm interested in knowing whether anyone has used the distribution model to copy roles (AG objects) between ECC 6 and SRM 5.0.
    Someone said that it's possible so I would like to validate that statement as I don't know whether it is possible and practical.
    If you have any knowledge or experience could you please share it?
    Regards,
    Jerry

    Hello Yann,
    I was told that it can be done but I don't know enough about the HR replication process to acknowledge or challenge, hence the question.
    Are you implying that it's not possible or simply that it's not done?
    I had an earlier post regarding assigning roles to positions in SRM Replicating authorization roles via HR replication from ECC 6 to SRM 5.0 that you replied to but never replied to my subsequent question. It can be done because one of my other clients is doing it. We're however unable to get it work at my current client's site. Do you have any experience with this subject?
    Regards,
    Jerry

  • Red Light with Authorization Object in PFCG

    Hello All - I have a question with authorization objects, there are three roles with red lights 'ON' in authorization object screen in our PRD. However users who are using these roles have no auth issues, standard procedure is to make all lights green in PFCG by maintaining these auth objects.
    Big question is "what is the downfall of leaving these objects RED?" I need to support my theory when I say all lights green with auth objects.
    Why best practise says maintain all lights to green?
    Please suggest, appreciate your suggestions.
    Thanks.
    Edited by: AJ on May 12, 2009 9:44 PM

    Hi,
    > "What will be the difference between leaving that red lights 'ON' vs "disabling" these red objects? (I am bit confused on this).
    Red Object: As you know that authorization Objects comprises of Authorization fields. There are certain fields, which are known as "Organization Level" fields and need to be maintained Centrally. If you miss this fields, then the traffic light icon is RED. For all other authorization fields, light will be Yellow if you miss any blank field to maintain. During check, these fields will provide missing authorization (but you may not get error if same object is present in the role with all fields maintained status).
    Disabled Object: If you make any Object Disable, then during check, this Object will not be treated for checking Authorizations. But profile generator will keep this in mind, so you don't get Standard Objects repeatedly (if already present in Deactivated status also) whenever you go to "..Merge with New Data".
    All your other questions are very nicely answered already.
    Regards,
    Dipanjan

  • Rules for AD Groups mapping with ECC roles in GRC

    Hi All,
    I'm actually looking at an option to define the Rules in GRC where i can map AD (LDAP) groups to ECC roles. Is it possible? Could you please let me know if i can achieve this with Rule Architect in GRC 5.3 OR by any other mean.
    Regards
    - V

    Gurus,
    Any thoughts on this?
    Regards
    Vaib

  • How to create authorization role for just displaying query prefix Q and X.

    Hi Expert,
    I hope someone can help me on how to create authorization role for just displaying and executing  BEX  Queries prefix Q and X. I'm currently using SAP BI 7.1.
    Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
    where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
    -->Manually Business Information Warehouse
        --> Manually Business Explorer - Components
    Activity : Display, Execute, Enter, Include, Assign
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : *
    Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
        --> Manually Business Explorer - Components
    Activity : Display, Execute
    InfoArea : *
    InfoCube : *
    Name(ID) of a reporting component : Q* , X*
    Type of a reporting component : Query
    But, the problem is I still can make changes on that queries (Q* and X*). Even, I still can run query with prefix Z. I use S_RS_RREPU Template for Query Display and execution.
    Please assist. Very much appreciate your help. Thanks.
    Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM

    Question close. This issue has been resolved.

  • Display users with authorization objects assigened to them

    Hi,
        How can I display list of users with company code assigned to them?

    hello Rajesh,
    What you want is not straightforward. There is no SAP report for this as such. You need to find roles assigned to the user first then go to table agr_1252 and give the value $BUKRS along with the role names.
    You will find out the company codes assigned to the user.
    This is not a very efficient way really and will involve too much of effort. If I needed such an information I would have written a simple ABAP report using joins of table AR_DEFINE and AGR_1252. Also check tables UST12 and AGR_1251.
    Hi Ben,
    Company code is present in several authorization objects other than F_BKPF_BUK. Check F_SKA1_BUK..There are several of them. So we need to check on basis of field BUKRS.
    Regards.
    Ruchit.
