Managed Role Scope

I learned that roles in DS are scoped to where they are created. Meaning if I create a managed role called role1 in ou=Roles,dc=sun,dc=com, only entries (i.e. users and groups) under the ou=Roles branch will have visibility to role1. But since all my users are created underneath a different ou (i.e. ou=People), how do I get role1 to be visible to the users under ou=People? From a day's worth of reading, this doesn't seem possible. The only way around is to create the role under the ou=People branch. In this approach, all the member searches are behaving correctly. My concern is we will have thousands of roles; what's the scalability of having that many roles mingled with all 750,000 user entries under ou=People...
Any help is appreciated!

The problem with that is the nsRole virtual attribute never gets calculated. While the nsRoleDN will allow me to find all the roles for a given user with a search filter like this:
uid=user1 nsRoleDN
I need the nsRole virtual attribute to find role members (all members with a particular role),
for example, using this search filter
nsRole=cn=role1,ou=roles,dc=sun,dc=com
to retrieve all members of role1, and this does not work unless role1 was in the same scope as the user or above.

What about using
nsRoleDN=cn=role1,ou=roles,dc=sun,dc=com
It should return all members of role1. At the same time, usage of the on-the-fly computed nsRole attribute in searches isn't supported - please see Note 2 in the same link:
http://docs.sun.com/source/816-5606-10/roles.htm#1117631
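
The scoping behaviour discussed in this thread, as an added example that is not part of the original posts and is not Directory Server code: a small Python model in which a role's scope is the subtree under the parent of its definition entry, so a stored nsRoleDN value can be matched anywhere while the computed nsRole value only appears on in-scope entries. The entries, the second role and all function names are constructed for illustration, and DN parsing assumes no escaped commas.

```python
# Illustrative model of managed-role scoping; not Directory Server code.
# Assumption: constructed DNs contain no escaped commas.

ROLE1 = "cn=role1,ou=Roles,dc=sun,dc=com"   # scope base: ou=Roles,dc=sun,dc=com
ROLE2 = "cn=role2,dc=sun,dc=com"            # scope base: dc=sun,dc=com
ROLES = [ROLE1, ROLE2]

# Constructed sample entries; nsRoleDN is the attribute stored on each entry.
ENTRIES = [
    {"dn": "uid=user1,ou=People,dc=sun,dc=com", "nsRoleDN": [ROLE1]},
    {"dn": "uid=user2,ou=People,dc=sun,dc=com", "nsRoleDN": [ROLE2]},
    {"dn": "uid=svc1,ou=Roles,dc=sun,dc=com", "nsRoleDN": [ROLE1]},
    {"dn": "uid=user3,ou=People,dc=sun,dc=com", "nsRoleDN": []},
]


def normalize_dn(dn):
    """Split a DN into lower-cased, trimmed RDNs for comparison."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def role_scope(role_dn):
    """A role's scope base is the parent of its definition entry."""
    return normalize_dn(role_dn)[1:]


def in_scope(entry_dn, role_dn):
    """True when entry_dn lies at or below the role's scope base."""
    entry, base = normalize_dn(entry_dn), role_scope(role_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def holds_role_dn(entry, role_dn):
    """True when the entry stores role_dn in its nsRoleDN attribute."""
    target = normalize_dn(role_dn)
    return any(normalize_dn(v) == target for v in entry.get("nsRoleDN", []))


def search_nsroledn(entries, role_dn):
    """Model of the filter (nsRoleDN=<role_dn>): matches the stored value only."""
    return [e["dn"] for e in entries if holds_role_dn(e, role_dn)]


def search_nsrole(entries, role_dn):
    """Model of the filter (nsRole=<role_dn>): stored value AND entry in scope."""
    return [e["dn"] for e in entries
            if holds_role_dn(e, role_dn) and in_scope(e["dn"], role_dn)]


def out_of_scope_assignments(entries, roles):
    """Assignments that are stored but never appear in the computed nsRole."""
    return [(e["dn"], r) for e in entries for r in roles
            if holds_role_dn(e, r) and not in_scope(e["dn"], r)]


if __name__ == "__main__":
    for role in ROLES:
        print(role)
        print("  nsRoleDN match:", search_nsroledn(ENTRIES, role))
        print("  nsRole match:  ", search_nsrole(ENTRIES, role))
    print("stored but out of scope:", out_of_scope_assignments(ENTRIES, ROLES))
```

The last function is the check worth running against a real export: any access rule keyed on the computed nsRole value will not apply to the assignments it lists.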

Similar Messages

  • Custom Distribution Group management role (manager exception)

    My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
    By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
    technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
    Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
    words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
    sufficient permissions. this operation can only be performed by a manger of the group”.
    New-ManagementScope -Name "Sales Support DG MScope" -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot "lab.com/sales"
    New-ManagementRole -Name "Sales Support DG MRole" -Parent "Distribution Groups"
    New-RoleGroup -Name "Sales Support DG MGroup" -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
    When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
    group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
    Below confirms by scope.
    Get-Group -OrganizationalUnit "lab.com/sales" | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
    Name DisplayName SamAccountName GroupType
    distro1 distro1 distro1 Universal, SecurityEnabled
    distro2 distro2 distro2 Universal, SecurityEnabled
    distro3 distro3 distro3 Universal, SecurityEnabled
    On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
    Get-ManagementRole "Sales Support DG MRole" | Get-ManagementRoleEntry | select name
    Name
    Add-DistributionGroupMember
    Disable-DistributionGroup
    Enable-DistributionGroup
    Get-ADServerSettings
    Get-AcceptedDomain
    Get-DistributionGroup
    Get-DistributionGroupMember
    Get-DomainController
    Get-DynamicDistributionGroup
    Get-Group
    Get-MailUser
    Get-Mailbox
    Get-OrganizationalUnit
    Get-Recipient
    Get-ResourceConfig
    Get-User
    New-DistributionGroup
    New-DynamicDistributionGroup
    Remove-DistributionGroup
    Remove-DistributionGroupMember
    Remove-DynamicDistributionGroup
    Set-ADServerSettings
    Set-DistributionGroup
    Set-DynamicDistributionGroup
    Set-Group
    Set-OrganizationConfig
    Update-DistributionGroupMember
    Write-AdminAuditLog

    Hello,
    I understand that you have created a custom management scope for each group and assigned a custom role to it.
    But whenever a user tries to edit (add/remove membership), it shows the error "you don't have sufficient permissions". I faced a similar problem when we moved from 2007 to 2010; 2010 by default disabled editing options for DL membership.
    You can enable it by graphic mode or PowerShell. Since you have created a custom role, I would suggest you follow the PowerShell mode. I had written a blog on that.
    Check below link. http://exchange2010cmd.blogspot.de/
    You have created a new management role "Sales Support DG MRole", but you need to assign this role to users/administrators, in your case through a role assignment policy.
    You can either use the existing default policy or create a new policy and assign this management role to it.
    Use below cmd: New-ManagementRoleAssignment -Role "Sales Support DG MRole" -Policy "Default Role Assignment Policy"
    NOTE: If you are creating a new policy, place that name instead of the default policy name.
    I recommend you continue with the default policy. After this, check with any admin; he should have rights to edit membership.
    Now, regarding your second concern, that your custom role has too many role entries.
    You can remove unwanted role entries.
    Use this cmd: Get-ManagementRoleEntry "Sales Support DG MRole\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry
    Before linking the management role to the email policy, remove unwanted role entries from the role.
    I tried to explain it in an easy way, but if it is still not understood, write back to me. I am new to the TechNet forum; I started replying to questions a few days back. If you get your answer, don't forget to propose it as answer.

  • Error While creating Collection Management role

    Hi
    We did a client copy and I am getting the error "Database error UDM_PR_HEAD UDM_COLL_BUPA 5" whenever I try to create collection management roles.
    Database error UDM_PR_HEAD UDM_COLL_BUPA 5
    Message no. UDM_WORK_LIST010
    Diagnosis
    Database instruction UDM_PR_HEAD was not successful.
    Procedure
    If you can reproduce the error message, contact SAP Support.
    Anyone knows anything about this error?
    Thanks

    Hi Ram,
    Sorry for the inconvenience, can you provide the collections management (ECC 6.0) configuration document?
    I am trying to learn that but I could not find any related document.
    Thanks,
    Ravi

  • 2012 R2 RBA: Remove / Delete buttons greyed out Administrative users account (sec role/scope) clean up

    I am seeing something odd with one of my RBA settings.  Keep in mind I am seeing this as a 'Full Administrator'.
    I created a new test Security scope, Security Role, created a test Active Directory group and then entered that AD group as a new account name under Security>Administrative users.  I added the new Security Role under the Security Roles tab of the
    Account name (Administrative users) properties and also added the security scope that I created under the Security Scopes tab.  I was able to see all the settings I had created/exported in the RBA viewer and everything with the role worked as desired.
    I am now looking to clean that up but I don't seem to be able to.  I am starting under Administrative Users>Account name and trying to unlink the Security Roles and Security Scopes that listed in those tabs.  However, remove and deletes on this
    stuff are all greyed out.  If I add another role to the Security Role tab I can then remove that, but I cannot remove this 1 particular one.  The result is that I cannot remove the custom Security Scope, Security Role and ultimately the Administrative
    user.
    Does anyone have any idea why I can't remove the security roles and scopes from the Account Name?

    I'm able to "delete" one admin user or group (account name) from Administrative users node (\Administration\Overview\Security\Accounts). I tried with custom security role/scope etc....even the same user was part of \Administration\Overview\Security\Accounts.
    It seems something is wrong with your FULL admin account? Do you have any other FULL Admin account? If so, can you try with that account?
    Anoop C Nair (My Blog www.AnoopCNair.com)
    - Twitter @anoopmannur -
    FaceBook Forum For SCCM

  • "Discovery Manager" role cannot place a mailbox on hold

    My Company is testing Exchange 2013 and Exchange Online. We would like to have all discovery functions managed by our legal team.  We have assigned test users the “Discovery Manager” role.  That role should allow them rights to search all mailboxes
    and put search results on hold. Additionally, the discovery manager role should allow them to select a user mailbox in EAC, open the "Mailbox Features" page and enable litigation hold on the mailbox (no searching required). 
    We have found the second feature, enabling litigation hold without searching, is unavailable to discovery managers when using EAC. The "Mailbox Features" page is not exposed to discovery managers using EAC.  The discovery manager can place a mailbox
    on hold using PowerShell but that would not be a reasonable option for our legal team.
    Please confirm if my understanding is correct, discovery manager should be able to place a mailbox on hold as well as in-place hold using EAC.
    Thanks in advance,
    Ron

    Does "Get-RoleGroup "discovery Management" | FL *role*" show that the Legal Hold role is assigned to the Discovery Mgmt role Group? If so, then  you may need to assign the "Recipient Management" or "Help Desk" role to those users as well or if you wish
    to security trim their access, create a customized RBAC role for them.
    Alternatively, see if they can simply set litigation hold via Powershell with set-mailbox

  • How to change MANAGED-BEAN-SCOPE??????

    Hi Gurus,
    How to change the managed-bean-scope? In my ADF application I have created one backing bean which is attached to the page fragment. I am not able to set the bean scope other than REQUEST....
    If I set the bean scope request, then page and the inside fragment is rendering without any error. But I need to make that bean scope to pageFlow... but if I do, getting the below error. None of the scopes are working except request... Please help me how to set the other scope which will solve my major development issue!!!!
    Error:
    Error trying to include:viewId:/advsearch-flow-definition/advUserSearch uri:/app/advUserSearch.jsffjavax.faces.FacesException: javax.el.PropertyNotFoundException: Target Unreachable, identifier 'UserSearch' resolved to null
    My ADFC-Config.xml:
    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">
    <managed-bean>
    <managed-bean-name>backing_app_idm</managed-bean-name>
    <managed-bean-class>edu.syr.oim.backing.app.Idm</managed-bean-class>
    <managed-bean-scope>backingBean</managed-bean-scope>
    <!--oracle-jdev-comment:managed-bean-jsp-link:1app/idm.jspx-->
    </managed-bean>
    <managed-bean>
    <managed-bean-name>backing_app_userMgmt</managed-bean-name>
    <managed-bean-class>edu.syr.oim.backing.app.UserMgmt</managed-bean-class>
    <managed-bean-scope>backingBean</managed-bean-scope>
    <!--oracle-jdev-comment:managed-bean-jsp-link:1app/userMgmt.jspx-->
    </managed-bean>
    <managed-bean>
    <managed-bean-name>UserSearch</managed-bean-name>
    <managed-bean-class>edu.syr.oim.backing.app.UserSearch</managed-bean-class>
    <managed-bean-scope>request</managed-bean-scope>
    </managed-bean>
    </adfc-config>
    -kln
    Edited by: klogube on Jan 14, 2010 7:23 AM

    import java.util.HashMap;
    import javax.el.ELContext;
    import javax.el.ExpressionFactory;
    import javax.faces.application.Application;
    import javax.faces.application.NavigationHandler;
    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import oracle.adf.model.binding.DCBindingContainer;
    import oracle.adf.view.rich.component.rich.data.RichTable;
    import oracle.adf.view.rich.component.rich.fragment.RichRegion;
    import oracle.adf.view.rich.component.rich.input.RichInputText;
    import oracle.adf.view.rich.component.rich.input.RichSelectOneChoice;
    import oracle.adf.view.rich.context.AdfFacesContext;
    import oracle.adf.view.rich.render.ClientEvent;
    import oracle.adfinternal.view.faces.model.binding.FacesCtrlHierNodeBinding;
    import oracle.jbo.Row;
    import org.apache.myfaces.trinidad.context.RequestContext;

    public class UserSearch {
        private RichTable searchResultTable;
        private Row currentRow;
        private String selectedNetID;
        private RichInputText inputOne;
        private RichInputText inputTwo;
        private RichInputText inputThree;
        private RichSelectOneChoice choiceOne;
        private RichSelectOneChoice choiceTwo;
        private RichSelectOneChoice choiceThree;
        private RichRegion region;
        private String choiceOneVal;
        private String choiceTwoVal;
        private String choiceThreeVal;
        DCBindingContainer bindings;
        int choiceOneRowIndex;
        int choiceTwoRowIndex;
        int choiceThreeRowIndex;
        Row choiceOnerw;
        Row choiceTworw;
        Row choiceThreerw;
        String choiceOneUserSelected = null;
        String choiceTwoUserSelected = null;
        String choiceThreeUserSelected = null;
        static String  txnTypeOne  = null;
        static String  txnTypeTwo  = null;
        static String  txnTypeThree  = null;
        String netid;
        // These contexts are captured once, when the bean instance is created.
        RequestContext requestContext = RequestContext.getCurrentInstance();
        HashMap rcBackupHM = new HashMap();
        FacesContext facesContext = FacesContext.getCurrentInstance();
        Application app = facesContext.getApplication();
        ExpressionFactory elFactory = app.getExpressionFactory();
        ELContext elContext = facesContext.getELContext();
        FacesContext fc = FacesContext.getCurrentInstance();
        HttpServletRequest request = (HttpServletRequest)fc.getExternalContext().getRequest();
        HttpSession session = request.getSession();

        public UserSearch() {
        }

        public String userSelected() {
            FacesCtrlHierNodeBinding binding = (FacesCtrlHierNodeBinding) searchResultTable.getSelectedRowData();
            currentRow = binding.getRow();
            selectedNetID = (String) currentRow.getAttribute("netid");
            requestContext.getPageFlowScope().put("netid",selectedNetID);
            return "goToDetails";
        }

        /** Invoke this method when user double click the row in searchResult */
        public void doDbClick(ClientEvent clientEvent) {
            FacesCtrlHierNodeBinding binding = (FacesCtrlHierNodeBinding) searchResultTable.getSelectedRowData();
            currentRow = binding.getRow();
            selectedNetID = (String) currentRow.getAttribute("netid");
            requestContext.getPageFlowScope().put("netid",selectedNetID);
            try{
                FacesContext facesCtx = FacesContext.getCurrentInstance();
                NavigationHandler nh = facesCtx.getApplication().getNavigationHandler();
                nh.handleNavigation(facesCtx, "", "goDetails");
                // Refresh the current region; advse1 is the id of the region component inside jspx page
                AdfFacesContext.getCurrentInstance().addPartialTarget(region);
            }
            catch(Exception e){ }
        }

        public void setSearchResultTable(RichTable searchResultTable) {
            this.searchResultTable = searchResultTable;
        }
        public RichTable getSearchResultTable() {
            return searchResultTable;
        }
        public void setInputOne(RichInputText inputOne) {
            this.inputOne = inputOne;
        }
        public RichInputText getInputOne() {
            return inputOne;
        }
        public void setInputTwo(RichInputText inputTwo) {
            this.inputTwo = inputTwo;
        }
        public RichInputText getInputTwo() {
            return inputTwo;
        }
        public void setInputThree(RichInputText inputThree) {
            this.inputThree = inputThree;
        }
        public RichInputText getInputThree() {
            return inputThree;
        }
        public void setChoiceOne(RichSelectOneChoice choiceOne) {
            this.choiceOne = choiceOne;
        }
        public RichSelectOneChoice getChoiceOne() {
            return choiceOne;
        }
        public void setChoiceTwo(RichSelectOneChoice choiceTwo) {
            this.choiceTwo = choiceTwo;
        }
        public RichSelectOneChoice getChoiceTwo() {
            return choiceTwo;
        }
        public void setChoiceThree(RichSelectOneChoice choiceThree) {
            this.choiceThree = choiceThree;
        }
        public RichSelectOneChoice getChoiceThree() {
            return choiceThree;
        }
        public void setChoiceOneVal(String choiceOneVal) {
            this.choiceOneVal = choiceOneVal;
        }
        public String getChoiceOneVal() {
            return choiceOneVal;
        }
        public void setChoiceTwoVal(String choiceTwoVal) {
            this.choiceTwoVal = choiceTwoVal;
        }
        public String getChoiceTwoVal() {
            return choiceTwoVal;
        }
        public void setChoiceThreeVal(String choiceThreeVal) {
            this.choiceThreeVal = choiceThreeVal;
        }
        public String getChoiceThreeVal() {
            return choiceThreeVal;
        }
        public void setRegion(RichRegion region) {
            this.region = region;
        }
        public RichRegion getRegion() {
            return region;
        }
    }
    Can you please explain how to define the 2nd bean in the pageFlowScope and inject?...basically my problem is I am losing the pageFlowScope value when I navigate from first page to next page which I am setting by this above class....I need to carry forward the netid which I am losing ...any idea plz

  • Manage Bean Scope in Faces Config

    Hi,
    I would like to know if it's possible to bind the bean at request level if the bean data involves multiple modifications. Currently I am facing a problem with respect to managed bean scope definition. If I keep the bean scope at request level the bean data is not available for modification in the next request; as a result I need to keep the bean at session level, causing heavy loading of the session object.
    Can anyone advise how to keep the bean scope at request level and still have the data available for modification?
    Regards

    Hey ! this is exactly my problem!! :)
    http://forum.java.sun.com/thread.jspa?threadID=611607&tstart=0

  • Integrate IdM roles with Sun Access Manager roles

    Hi all,
    I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
    I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
    What are the important differences between static and dynamic roles in AM?
    Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
    Thanks.

    I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
    About directory server roles:
    http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
    Forum thread reference:
    http://forums.sun.com/thread.jspa?threadID=5208694
    Here are roughly the steps I followed to get this working.
    Access Manager roles setup:
    1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
    Identity Manager roles setup:
    1. Create a new role in Identity Manager: tab Roles, click New....
    2. Assign the LDAP resource to synchronize the role with.
    3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
    4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
    * In the column Value override, select Text.
    * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
    * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
    5. Save the role. You can now add the role to a user.

  • Content Management Roles in SAP

    Hello Everyone,
    There are three Content Management Roles provided by SAP, but when we search for these roles in User Administration -> Roles,  only one Content Management role is shown up. Can anyone explain ??

    Hello,
    If u search for "Content Manager" in  the search tab under Content Administration role, u'll b able to see 3 Content Manager roles as follows:
    Content Manager with PCD Location "pcd:portal_content/com.sap.pct/specialist/com.sap.km.ContentManager/com.sap.km.ContentManager"
    Content Manager with PCD Location "pcd:portal_content/specialist/contentmanager/ContentManager"
    Content Manager with PCD Location "pcd:portal_content/specialist/contentmanager/com.sap.km.ContentManager"
    But if u do the same search in User Administration -> Roles, only one Content Manager role with PCD location "pcd:portal_content/specialist/contentmanager" is shown up. This was what I meant.
    Any idea on the same?

  • Content Management Role missing in EP 7

    Hi Experts,
    I have to store some documents in SAP EP KM. I have noticed that Content Management Role missing. We are using EP 7. Its strange. Can you please let me know the reason. Earlier I was using Content Management role for storing documents, Collaboration etc.
    Regards,
    Gary

    Hi,
    Go to User Administration ->  Identity Management.
    Select the user and  click the modify button.
    Go to the assigned roles tab
    search for the Content Manager
    Add only pcd:portal_content/specialist/contentmanager/ContentManager role and save.
    Hope that helps.
    Raghu

  • Reg: Hiring Manager role in E-Recuitment EHP4

    Hi all,
    I am working with Ehp4. My business package for Recruiter is Recruiter1.4.1. I am trying to create a requisition from the recruiter login. I have a field HIRING MANAGER. What is the role that we should assign for the Hiring Manager?
    Thanks
    Priya

    Hi,
    I have the same problem on ERECRUIT604 EHP4 SP4. I cannot retrieve managers using Find Hiring Manager search on the Create Requisition page.
    I have though found out that there are 2 cases.
    On the one-instance solution with HR and ER on the same server an employee is retrieved as a Manager if there are the following relationships to his CP object:
    B     207     Is identic     BP
    B     208     Is identic     US
    B     209     Has employ     P
    B     650     Has candid     NA
    Especially the relationship CP B208 US is critical. The problem is though that this relationship is not created automatically by the system, as on the one-instance solution the user is retrieved from IT105 subtype 0001 via P object, so you have to create this relationship manually. Or am I wrong?
    On the two-instance solution with HR on one machine and ER on another the above solution does not work at all. Here the relationship CP B208 US is created via ALE, but it does not help for retrieval of Hiring Managers.
    I have also added the 'manager' role to the employee, the employee is the manager in the Organizational Structure, and still I cannot retrieve him.
    Maybe it's a bug in the system. Anyway I cannot find any hints telling what are the assumptions for using this functionality.
    Waiting for an answer
    Best regards,
    Beata

  • Server (Tomcat) Managed "Role-Based" Authentication (isUserInRole)

    I am using Tomcat 5.0.27. In order to use server managed "role-based" authentication, we supply the server with two tables. One of the tables contains userID and password, and the other table contains userID and userRole (a person can have more than one role). (We must map each user to his/her role somewhere, and it is in the $TOMCAT/conf/server.xml file)
    My difficulty stems from how the tables are structured in my database. I do have a table that contains userID and password; however, I do not have a table that contains userID and userRole. In order to know a person's role, I have to navigate from one table to another using foreign key and primary key.
    Is there a way to tell the server to navigate from one table to another to find a person's role? Or we "must" create a table that contains userID and userRole for us to use the isUserInRole() method for security check?

    check out the tomcat docs
    http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JDBCRealm
    according to docs you have to create these tables
    create table users (
      user_name varchar(15) not null primary key,
      user_pass varchar(15) not null
    );
    create table user_roles (
      user_name varchar(15) not null,
      role_name varchar(15) not null,
      primary key (user_name, role_name)
    );
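
One way to present the two shapes shown above without duplicating data, as an added example that is not part of the original posts or the Tomcat documentation: database views over a foreign-key schema, exercised through Python's sqlite3 module so the SQL runs offline. It assumes the realm only issues SELECT lookups against the configured table and column names; the underlying tables account, role and account_role and all sample rows are constructed.

```python
import sqlite3

# Constructed schema: a user's roles are reachable only through foreign keys
# (account -> account_role -> role). Table and column names are hypothetical.
SCHEMA = """
CREATE TABLE account (
    account_id INTEGER PRIMARY KEY,
    login      VARCHAR(15) NOT NULL UNIQUE,
    pass_hash  VARCHAR(64) NOT NULL
);
CREATE TABLE role (
    role_id   INTEGER PRIMARY KEY,
    role_name VARCHAR(15) NOT NULL UNIQUE
);
CREATE TABLE account_role (
    account_id INTEGER NOT NULL REFERENCES account(account_id),
    role_id    INTEGER NOT NULL REFERENCES role(role_id),
    PRIMARY KEY (account_id, role_id)
);

-- Read-only views with the column names used in the reply above:
-- users(user_name, user_pass) and user_roles(user_name, role_name).
CREATE VIEW users AS
    SELECT login AS user_name, pass_hash AS user_pass FROM account;
CREATE VIEW user_roles AS
    SELECT a.login AS user_name, r.role_name
    FROM account a
    JOIN account_role ar ON ar.account_id = a.account_id
    JOIN role r          ON r.role_id = ar.role_id;
"""

# Constructed sample rows; the credential strings are placeholders.
SAMPLE = """
INSERT INTO account VALUES (1, 'alice', 'constructed-hash-alice');
INSERT INTO account VALUES (2, 'bob',   'constructed-hash-bob');
INSERT INTO role VALUES (1, 'admin');
INSERT INTO role VALUES (2, 'editor');
INSERT INTO account_role VALUES (1, 1);
INSERT INTO account_role VALUES (1, 2);
INSERT INTO account_role VALUES (2, 2);
"""


def build_db():
    """Create an in-memory database holding the schema, views and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE)
    return conn


def credential_for(conn, user_name):
    """Credential lookup by user name, run against the users view."""
    row = conn.execute(
        "SELECT user_pass FROM users WHERE user_name = ?", (user_name,)
    ).fetchone()
    return row[0] if row else None


def roles_for(conn, user_name):
    """Role lookup by user name, run against the user_roles view."""
    rows = conn.execute(
        "SELECT role_name FROM user_roles WHERE user_name = ? ORDER BY role_name",
        (user_name,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "bob", "mallory"):
        print(name, credential_for(db, name), roles_for(db, name))
```

Granting the realm's database account SELECT on the two views only keeps the application's authentication path read-only.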

  • E-Recruiting and Manager Role?

    Hello we are installing E-Rec 3.0: I have a quick question regarding Manager role.
    Once a Manager(I guess Requesting Person) creates a  requisition, Recruiter - approved and posted, Candidate applied.  At what point will the manager see the data for the candidate assigned to the Requisition. 
    I am able to see data only when I assign questionnaire to the Manager as a responsible person, but Manager can see EEO info which is a problem for us. 
    Any ideas?
    Thanks,
    Alex

    This is a job specific questionnaire, and manager sees it in the shortlist.  Activity is in planned status and assigned to the questionnaire.  Manager has a Decision Maker Role within the requisition.
    Thank you for all your help.
    Sincerely,
    Alex Berenson

  • Modifying a precanned RBAC management role

    I'm trying to revert a precanned management role "Mailbox Import Export" to the default out-of-the-box state. Some time ago, someone removed a handful of parameters and entries from it.
    When I try to just add them back I get an error "The precanned management role "Mailbox Import Export" can't be modified."
    I understand that it's not normally done, and some people think its not possible to do. But someone figured out how to remove entries in the past -- now I have to figure out how to put them back.
    Anyone have any experience with this?
    Also, is it possible to modify assigned management roles? This role is already a member of a group & has some assignments. If possible, I'd like to modify it in-place.

    Everything is stored in AD so ADSIEdit will be your friend but it's not recommended (or probably supported too) to modify this via raw AD editors...
    Configuration -> Services -> Microsoft Exchange -> YourExOrgName -> RBAC -> Roles -> Mailbox Import Export -> msExchRoleEntries is the attribute with proper formatted values...
    I strongly recommend you to test this in a Test environment first and take backup of AD before doing any modification in production environment...

  • "Office 365 Mailbox" missing for users that are member of Recipient Management role

    Hi,
    I have a hybrid setup with Office 365 and one exchange 2013 standard server on-premises.
    I currently have an issue with that I have a button after pressing the + under recipient to create a Office 365 mailbox from the ECP, but users that are members of the Recipient Management role don't have that button visible.
    What extra permissions are required to be able to create an Office 365 mailbox from the on-premises Exchange?

    Hi SeidKrv,
    Thanks for your update.
    The following article introduces the permissions that need to be assigned before running the "New-Mailbox" command.
    Please focus on "Recipient Provisioning Permissions" session.
    Recipients Permissions
    http://technet.microsoft.com/en-us/library/dd638132(v=exchg.150).aspx
    Based on the article, it seems both Recipient Management role and Organization Management role are required.
    More detailed information on both management role as below:
    1. Administrators who are members of the Recipient Management role group have administrative access to
    create or modify Exchange 2013 recipients within the Exchange 2013 organization.
    2. Administrators that are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and
    can perform almost any task against any Exchange 2013 object, with some exceptions. By default, members of this role group can't perform mailbox searches and management of unscoped top-level management
    roles.
    Thanks
    Mavis Huang
    TechNet Community Support
