LDAP user to application role mapping

Hi All,
OBIEE 11.1.1.5
I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
Can some one guide me, how to make sure that when user login to OBIEE automatically by table the role will be fetched and mapped with application role created?
Or, In simple words,
How can I assign an external ldap user to be mapped to application role? One by one?? or Via table as mentioned above?
Anyone can help? All documents are not giving this simple picture to me.
It was easy in 10g, In 11g is it rocket science so that my company can loose the hope to go ahead with 11g?

Hi,
1. Create block to initialize USER variable with user name from LDAP
2. Create block to initialize GROUP variable with role name from external table
3. In initializtion block for GROUP variable add precedence with User init block to make sure that USER variable have value
4. If one user can have few roles you should check row-wise-initialization oprion
Hope it's helpful

Similar Messages

  • Error assigning users to application Role in Obiee 11.1.1.7.0

    Hello
    I installed Obiee 11.1.1.7.0 both on Windows and Linux platform and after that, I successfully set Active Directory integration. I have a problem assigning users to Application Role in EM. When I'm trying to search a user on Display name, the Principal userName returned is blank and the error is : Java Null Pointer Exception
    After that I install a fresh copy of 11.1.6.0. After AD Integration, I was able to assign users to Application Role. I made 11.1.1.7.0 upgrade and same error has come. I think this is a bug because same AD settings on 11.1.1.6.0 works.
    The error:
    ava.lang.NullPointerException
    #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException
         Hide Additional Trace Information
    javax.faces.FacesException: #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118) at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:103) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:1086) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:434) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.model.targetauth.EMLangPrefFilter.doFilter(EMLangPrefFilter.java:158) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:542) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119) at java.security.AccessController.doPrivileged(Native Method) at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324) at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460) at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103) at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171) at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) Caused by: javax.faces.el.EvaluationException: java.lang.NullPointerException at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:51) at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) ... 67 more Caused by: java.lang.NullPointerException at oracle.sysman.emas.model.security.DialogAdminBean$1.compare(DialogAdminBean.java:567) at java.util.Arrays.mergeSort(Arrays.java:1270) at java.util.Arrays.mergeSort(Arrays.java:1281) at java.util.Arrays.sort(Arrays.java:1210) at java.util.Collections.sort(Collections.java:157) at oracle.sysman.emas.model.security.DialogAdminBean.fetchPrincipals(DialogAdminBean.java:563) at oracle.sysman.emas.pagemodel.security.identity.EditAppRolePageModel.searchPrincipal(EditAppRolePageModel.java:496) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(Unknown Source) at com.sun.el.MethodExpressionImpl.invoke(Unknown Source) at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46) ... 68 more
    Any suggestion?
    Thx
    Gabriel
    Edited by: Gabbriel on Apr 23, 2013 10:46 PM

    We received from Oracle a work-around of this problem.
    It seems to be related to the virtualize flag set to true. I f you set it to false the problem disappear (it works for me).
    (rif. http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/privileges.htm#BABDCJBH)
    There's an open BUG on this problem: Bug 16808088 - 11G JAVA.LANG.NULLPOINTEREXCEPTION ADDING USER TO ROLE AFTER UPGRADE TO 11.1.1.7.
    Hope this works.
    S.

  • Scripting Enterprise Groups-Application Roles mapping

    Hi All,
    For my WebCenter Portal, I have local Application Roles that need to be mapped to Enterprise Groups. I know this can be done from the Portal Administration console using "Add Groups". This doesn't seem to persist across re-deployments.
    I tried doing this via the Security Editor in JDeveloper. For this I had to first create the same Enterprise Roles in jazn-data and then map them to the Application Roles. However, on deployment, this causes the existing users on weblogic to lose their respective Enterprise Groups assignments.
    Is there a way to script the group-role mapping using WLST or other so that I can run the script as a deployment step?
    Best Regards,
    Bijesh

    Hi,
    The following links explains different ways to achieve your desired goals.
    1)http://weblogic-wonders.com/weblogic/2010/11/10/wlst-script-to-add-users-groups-and-modify-roles/
    2)http://www.orastudy.com/oradoc/selfstu/fusion/core.1111/e10043/apadvadmin.htm
    3)http://middlewaremagic.com/weblogic/?p=4981
    Hope it helps you.
    Regards,
    Hoque

  • Using users and groups from LDAP in ADF application

    Hi there,
    I'm using WebLogic Server 10.3.5.0 and JDev 11.1.2.3.0.
    I configured my WL server to use the users and groups defined in my LDAP server (they display when I select the Users or Groups tab). So this works fine (I think).
    Now I want to use 1 group, let's call the group ApplicationGroup, and all it's users to give them access to my ADF Application.
    But I can't find proper/up-to-date info about how to do this.
    I tried 2 major things:
    1) I configured ADF Security to use Authentication and Authorization. Defined an Enterprise Role with the same name as in my WL server (so ApplicationGroup) then defined a
    Application Role with a custom name and added the Enterprise Role to it. That Application Role I gave access to all my TF's and Web Pages. When I deploy this, It just doesn't work (Migrate Users and Groups is not checked).
    2) Used the Authentication option in the ADF Security and the rest is the same as in 1). This works +-, I can login with all users so the role mapping isn't configured right I guess?
    Any help or documentation that could help me?

    Since we aren't using EM I had to find an other way. And I found it.
    In web.xml ADF Security (I suppose) automaticly adds 'valid-users'. In my weblogic.xml I added my enterprise role as a principal to 'valid-users' and this works for me.
    Thanks for the help.

  • Application role

    I create application roles and assign them to an enterprise role at jazn-data.xml in jdeveloper.
    However, after deployment I cannot find these application roles. But I can find the enterprise role.

    Thanks for your reply. I can see application roles in EM.
    I have 2 adf applications. Application A has application role A and B. Application B has application role C and D.
    How to set the security in Jdevloper, weblogic admin console or EM that :
    users in application role A and B can only login to Application A.
    users in application role C and D can only login to Application B.
    I deploy the sample application of 048. XML Menu Model site menus protected with ADF Security and JAAS of Oracle ADF Code Corner. However, in the EM, I cannot see application roles.

  • How to map Application Roles to Enterprise Roles

    Hello,
    i am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if i do not have it??
    Can i map the roles in WebLogic Server itself? I have searched for such ability and did not found it. Also have not seen any tutorial on the internet. Someone help me pls.
    The version i am using is 12.1.2.0.0.

    Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
    Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
    Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
    Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
    2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
    You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
    See : Managing Security Across Portals for more info :
    http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
    3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
    First, You can grant privileges to a specified group (say sales group) of users by granting Enterprise Roles in Enterprise LDAP.
    Next, Create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc) and assign the appropriate permissions as explained above.
    Then, You can assign one or more Application Roles to a specified group (say sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> users & Groups
    I hope it helps.

  • Problem with Security Role mapping and LDAP

    Hi,
    In Oracle Internet Directory I've created a group called OIDGroup1.OIdGroup1 has 2 users : OIDuser1 and OIDuser2.
    OIDGroup1 is mapped to EjbRole1 (is a security role defined in ejb-jar.xml, EjbRole1 can do everything in the application).Now if I login as OIDuser1 or OIDuser2, application said that the user does not
    have authorization to execute some method. The mapping in my orion-application.xml is :
    <security-role-mapping name="EjbRole1">
    <group name="admin/OIDGroup1"/>
    </security-role-mapping>
    <jazn provider="LDAP" location="ldap://myhost:4032"><jazn-web-app auth-method="SSO"/></jazn>
    if I modified orion-application.xml like this :
    <security-role-mapping name="EjbRole1">
    <group name="admin/OIDGroup1"/>
    <user name="admin/OIDuser1"/>
    </security-role-mapping>
    then login as OIDuser1, it works. But it does not work with OIDuser2.
    That's is a problem for me because our customer can not manage the user/group
    easily : each time they have a a new user, instead of simply adding this user
    in the OIDGroup1 (with graphic interface of OIDAS), they have to modify
    orion-application.xml.
    Do you have any idea ?
    Thanks in advance
    regards

    I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).

  • LDAP user and group configuration in ADF application

    Hi All,
    I have to use LDAP user and groups in my ADF application. I have configured the LDAP on WLS server successfully and can see all users/groups under tab "User and Groups". I have added the Enterprise Role in jazn-data.xml matching the name of groups. Created Application role in jazn-data.xml and assigned a role of Enterprise Role.
    However not added any user in jazn-data.xml. Which i guess not required because it will picked from LDAP.
    Now how to configure the JDeveloper to use those users ? What changes need to make in jazn-data.xml ? or in jps-config.xml / web.xml/ weblogic-application.xml
    Am i missing nay configuration step. i have referred ADF Security set up - step by step tutorial - quick question but not found useful
    I am using JDeveloper 11.1.1.5.
    Thanking you all in advance.
    Mukesh.

    I have below changes in files
    1] In jps-config.xml
    -- Added identity store and selected it from drop down in Security Context tab.
    2] In weblogic-application.xml
    In Security tab --> Role assignment mapped valid-users to principle name.
    <security>
    <realm-name>myrealm</realm-name>
    <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>DERDev</principal-name>
    </security-role-assignment>
    </security>
    3] Same thing done in weblogic.xml . I do not know the difference between weblogic-application.xml and weblogic.xml configuartion and which will work.
    4] Added security role "DERDev" along with the default/automatically added role "valid users"
    <security-role>
    <role-name>DERDev</role-name>
    </security-role>
    Still no luck ...... i am missing again ? I referred many links but found not a single document mentioning all steps
    Mukesh

  • Assigning roles to LDAP users through BIP API

    Hi.
    My customer has BIP 11g and OIM 9.1.0.2 running on the same weblogic server (11g). Both authenticate against the same LDAP server.
    One of our desired next steps is to provision from OIM the BIP roles to each LDAP user so every user gets the correct roles (and access to the correct reports) according to the groups he has on OIM.
    I've been searching for info regarding this without success. The BIP API doc does not show any info about assigning roles to users.
    We don't need to manage LDAP users, BIP roles, etc... through OIM. We only need to assign BIP roles to LDAP users.
    Is it possible to make that assignments through BIP API?
    If not, any other ideas? New ideas or different approaches are welcome.
    Thanks in advance.

    In OBIEE 11g which includes BIP the application roles are applied to LDAP users and groups using the Enterprise Manager Fusion Control.
    During the upgrade process from OBIEE 10g to OBIEE 11g the groups do get assigned to these roles transparently so there must be some API to leverage this functionality.
    I would start there, http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10541/admin_api.htm
    There are no specific instructions on accomplishing what you seek but if you have some WLST or Java Skills you should be able to get something prototyped.
    Let me know if that helps.

  • OBIEE 11g issue - same user assigned to the multiple application role

    Hi All,
    We are facing an issue when assigning a user to the multiple application role and applying the data level filter on the different column of the same table.
    For example, we have a table Department with three columns Department No, Department name, Department location.
    Application Role A1 and A2 are created.
    Data Level security Applied on the application role A1: Department Name='Finance'
    Data Level Security Applied on the application role A2: Department location='US'
    The user "User1" is created in LDAP and is assigned to both the Application roles A1 and A2.
    When logged in with "User1", none of the filters of Role A1 or A2 is applied in the report. If this user is assigned to only one role, either A1 or A2, then the filter is applied. It seems the filter will not be applied if a user belongs to multiple roles with data filter applied on the same table across these roles.
    Please reply if anyone has faced similar issue.

    Hi All,
    Regarding the above issue to update the analysis we came up that the user if assigned to the multiple group with the data filter applied on the same column of the table is getting an *"OR"* join.
    We had a requirement to get an "AND" in the query condition. Please let us know if any one faced the issue and the resolution of the same.
    Regards,
    Jyotshna

  • Setting Application Context Attributes for Enterprise Users Based on Roles

    Hello,
    We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
    I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
    -- For each record in my RoleSitePrivileges table, set
    --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
    --   If the current user has been assigned a role matching
    --   the value in the 'RoleName' field, set the corresponding
    --   attribute to 'Y'... otherwise, set it to 'N'.
    FOR iPrivRec IN (SELECT RoleName, SiteID
                       FROM RoleSitePrivileges
                       ORDER BY SiteID)
       LOOP
          SELECT COUNT(*)
            INTO roleExists
            FROM dba_role_privs
            WHERE granted_role = UPPER(iPrivRec.RoleName)
              AND grantee = USER;
          IF roleExists > 0 THEN
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'Y');
          ELSE
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'N');
          END IF;
       END LOOP;To finish things off, I created a security policy function for the table which returns the following:
    RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                         FROM session_context
                         WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                            AND value = ''Y'')';This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
    I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the applicaiton context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
    I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
    So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user ? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
    Thank you!

    Hello,
    We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
    I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
    -- For each record in my RoleSitePrivileges table, set
    --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
    --   If the current user has been assigned a role matching
    --   the value in the 'RoleName' field, set the corresponding
    --   attribute to 'Y'... otherwise, set it to 'N'.
    FOR iPrivRec IN (SELECT RoleName, SiteID
                       FROM RoleSitePrivileges
                       ORDER BY SiteID)
       LOOP
          SELECT COUNT(*)
            INTO roleExists
            FROM dba_role_privs
            WHERE granted_role = UPPER(iPrivRec.RoleName)
              AND grantee = USER;
          IF roleExists > 0 THEN
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'Y');
          ELSE
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'N');
          END IF;
       END LOOP;To finish things off, I created a security policy function for the table which returns the following:
    RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                         FROM session_context
                         WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                            AND value = ''Y'')';This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
    I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the applicaiton context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
    I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
    So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user ? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
    Thank you!

  • Map wls roles to application roles

    how can i map weblogic roles to my application roles ?
    already, i config db authentication in wls
    but how can i map it to jazen-data.xml file ?

    Hi,
    either you create the same roles in jazn-data.xml in which case they are automatically used after deployment or you have a look at how to map user groups (not application roles) created in jazn-data.xml to WLS groups using the weblogic.xml file
    Frank

  • Creation of Public Sector Planning application fails for LDAP user

    The environment is on Windows 2008 R2 & EPM 11.1.2.2.302 of Planning. The creation of "general" planning applications works fine, regardless of the method of creation, Native User/LDAP User or Classic/EPMA. The creation of Public Sector Planning application using Classic Administration fails when using an LDAP user.
    It works when using a Native User. It also works fine if EPMA is used, for both Native as well as LDAP users.
    Our developers are not comfortable with EPMA yet, so want/need the ability to create the applications using Classic Administration.
    Looking at the Planning sysout log, the only error message indicates a timeout with Calculation Manager:
    Calc manager rules initialization failed. Please load and deploy the rules from Calc Manager UI
    ERROR:Error while loading rules in Calc Manager. <HTML><HEAD><TITLE>Weblogic Bridge Message</TITLE></HEAD> <BODY><H2>Failure of server APACHE bridge:</H2><P><hr>No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.<hr> </BODY></HTML>
    Calculation Manager itself seems to be working fine.
    Any suggestions/thoughts anyone?
    Thanks,
    Andy

    Hi Vivek,
    The LDAP port is open to all the servers in the environment. LDAP users have no issues logging in to any of the tools that they have access to.
    I think it has something to do with how Classic Planning passes the security token to Calculation Manager for an LDAP user. For a "general" Planning app, there is no evidence of such a transfer, because the Rules are created after the app has been created. And there the user logs in directly to Calculation Manager to create the rules.
    When using EPM Architect, it would lead to reason that such a token is also passed, however, that mechanism does not seem to have any trouble.
    This is the first time I am using a pre-packaged application like PSB, and have so far worked with only with "general" Planning apps. Wanted to see if anyone else has created PSB apps using external users successfully, so I can trade environment notes and may be come to a cause/solution.
    Thanks,
    Andy

  • Sync LDAP users with ECC - Mapping required field

    Hello,
    I want to synchronize SAP ECC users with LDAP users.
    At this moment I succeed to synchronize all users existing from the LDAP to the ECC.
    But I want to filter users which need to be created by a specific attribute added in the LDAP.
    I changed the LDAP mapping to add the "required" check on the corresponding to the specific attribute field. But when I use the RSLDAPSYNC_USER program, this required attribute is not considered.
    What can I do to synchronize user which have the specific attribute filled. And not all users ?
    Thanks for regards.
    Edited by: Gaetan Bourgneuf on Jun 18, 2008 11:27 AM

    In detailled:
    - in the LDAP we have created a specific attribute name "SAP FIELD" (technical name is extensionAttribute10)
    - in the LDAPMAP transaction in the ECC I modified the following entry:
    " USERNAME    |    BAPIBNAME    |    sAMAccountName    | X | X | X | X |   | X |    |"
    By the following new:
    " USERNAME    |    BAPIBNAME    |    extensionAttribute10    | X | X | X | X |   | X |    |"
    So when I synchronize the LDAP, the LDAP specific extension is required (because linked to the SAP username). And if user doesn't has this specific attribute filled, it's not synchronized.

  • Add UME Role to LDAP User

    Hi,
    i'm having a problem with portal user management. We have a LDAP user called charlie81 in an Active Directory Server, which has a set of LDAP groups. We have also a UME Role (a role created in the portal) called "Manutenzione". Our target is to assign "Manutenzione" to charlie81 through the portal. I made it but when charlie81 is logged in, he can see only LDAP Roles; "Manutenzione" is not visible!!!! How can i resolve this problems? Do you help me, please? Thank you in advance, Carlo Paglia

    Hi,
    What kind of role did you assign to the user? A portal role (source = portal role) or a "UME role" (source = UME database)?
    If it's a portal role, is it a standard or a custom role? If it is a custom portal role, make sure an entry point is defined or your role won't be visible. Here's a link to the documentation : [Defining Entry Points|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/4e/3e703e632c7937e10000000a114084/frameset.htm].
    Regards,
    Pierre

Maybe you are looking for

  • Unable to expand...

    hi, i've just installed sqldeveloper 1.2.1-32.13 on mac os x 10.4.11. it's the first install for me, first install on this machine. when connected to a database, in the left column of the main window i'm unable to expand virtually all of those nodes

  • Confirmations report for PO line items.

    Hi All, I have a PO which contains one sinlge line item and have put the confirmation contrl.ket as 0001/Z001 and Confrimation control as LA. we have created some 10 confirmations schedules on different dates with different qty.Inbound delivery has n

  • Multiple displays, external and airplay

    I have a macbook air that I am using for a church presenation computer. We have Apple TV that is connected to our projecter, I would like to use that for the output display for my presentation. I also have an external monitor that I would like to use

  • Oracle query to get all occurences of a text in a string

    Hi Does anybody know how to write a query to get all occurences of a text in a string in different rows of the table For eg: I have a string <aa>bb</aa><aa>cc</aa><aa>ddd</aa> I have to find every occurence of <aa> and get the data between <aa> and <

  • WCV200 Camera using Adobe Flash Encoder

    Hi all, I have searched the forum for this topic and come up with no treads.  Is it possible to use the WCV200 camera with  Adobe Flash Encoder? I am hopeing to use this to feed the stream into the Flash Server so I can put it onto a website.  Thanks