Managed Roles Question

Similar Messages

• Organization Management Interview Questions and Answers  Extremely Urgent

  Hi,
  Please let me know Organization Management Interview Questions and Answers. MOST MOST URGENT
  Please do not post Link or website name and detail response will be highly appreciated.
  Very Respectfully,
  Sameer.
  SAP HR .

  Hi there,
  Pl. find herewith the answers of the questions posted on the forum.
  1. What are plan versions used for?
  Ans : Plan versions are scenarios in which you can create organizational plans.
  •     In the plan version which you have flagged as the active plan version, you create your current valid organizational plan. This is also the integration plan version which will be used if integration with Personnel Administration is active.
  •     You use additional plan versions to create additional organizational plans as planning scenarios.
  As a rule, a plan version contains one organizational structure, that is, one root organizational unit. It is, however, possible to create more than one root organizational unit, that is more than one organizational structure in a plan version.
  For more information on creating plan versions, see the Implementation Guide (IMG), under Personnel Management  Global Settings in Personnel Management  Plan Version Maintenance.
  2. What are the basic object types?
  Ans. An organization object type has an attribute that refers to an object of the organization management (position, job, user, and so on). The organization object type is linked to a business object type.
  Example
  The business object type BUS1001 (material) has the organization object type T024L (laboratory) as the attribute that on the other hand has an object of the organization management as the attribute. Thus, a specific material is linked with particular employees using an assigned laboratory.
  3. What is the difference between a job and a position?
  Ans. Job is not a concrete, it is General holding various task to perform which is generic.(Eg: Manager, General Manager, Executive).
  Positions are related to persons and Position is concrete and specific which are occupied by Persons. (Eg: Manager - HR, GM – HR, Executive - HR).
  4. What is the difference between an organizational unit and a work centre?
  Ans. Work Centre : A work center is an organizational unit that represents a suitably-equipped zone where assigned operations can be performed. A zone is a physical location in a site dedicated to a specific function. 
  Organization Unit : Organizational object (object key O) used to form the basis of an organizational plan. Organizational units are functional units in an enterprise. According to how tasks are divided up within an enterprise, these can be departments, groups or project teams, for example.
  Organizational units differ from other units in an enterprise such as personnel areas, company codes, business areas etc. These are used to depict structures (administration or accounting) in the corresponding components.
  5. Where can you maintain relationships between objects?
  Ans. Infotype 1001 that defines the Relationships between different objects.
  There are many types of possible relationships between different objects. Each individual relationship is actually a subtype or category of the Relationships infotype.
  Certain relationships can only be assigned to certain objects. That means that when you create relationship infotype records, you must select a relationship that is suitable for the two objects involved. For example, a relationship between two organizational units might not make any sense for a work center and a job.
  6. What are the main areas of the Organization and Staffing user interfaces?
  Ans. You use the user interface in the Organization and Staffing or Organization and Staffing (Workflow) view to create, display and edit organizational plans.
  The user interface is divided into various areas, each of it which fulfills specific functions.
  Search Area
  Selection Area
  Overview Area
  Details Area
  Together, the search area and the selection area make up the Object Manager.
  7. What is Expert Mode used for?
  Ans. interface is used to create Org structure. Using Infotypes we can create Objects in Expert mode and we have to use different transactions to create various types of objects.  If the company needs to create a huge structure, we will use Simple maintenance, because it is user friendly that is it is easy to create a structure, the system automatically relationship between the objects.
  8. Can you create cost centers in Expert Mode?
  Ans. Probably not. You create cost center assignments to assign a cost center to an organizational unit, or position.
  When you create a cost center assignment, the system creates a relationship record between the organizational unit or position and the cost center. (This is relationship A/B 011.) No assignment percentage record can be entered.
  9. Can you assign people to jobs in Expert Mode?
  10. Can you use the organizational structure to create a matrix organization?
  Ans. By depicting your organizational units and the hierarchical or matrix relationships between them, you model the organizational structure of your enterprise.
  This organizational structure is the basis for the creation of an organizational plan, as every position in your enterprise is assigned to an organizational unit. This defines the reporting structure.
  11. In general structure maintenance, is it possible to represent the legal entity of organizational units?
  12. What is the Object Infotype (1000) used for?
  Ans. Infotype that determines the existence of an organizational object.
  As soon as you have created an object using this infotype, you can determine additional object characteristics and relationships to other objects using other infotypes.
  To create new objects you must:
  •     Define a validity period for the object
  •     Provide an abbreviation to represent the object
  •     Provide a brief description of the object
  The validity period you apply to the object automatically limits the validity of any infotype records you append to the object. The validity periods for appended infotype records cannot exceed that of the Object infotype.
  The abbreviation assigned to an object in the system renders it easily identifiable. It is helpful to use easily recognizable abbreviations.
  You can change abbreviations and descriptions at a later time by editing object infotype records. However, you cannot change an object’s validity period in this manner. This must be done using the Delimit function.
  You can also delete the objects you create. However, if you delete an object the system erases all record of the object from the database. You should only delete objects if they are not valid at all (for example, if you create an object accidentally)
  13. What is the Relationships Infotype (1001) used for?
  Ans. Infotype that defines the Relationships between different objects.
  You indicate that a employee or user holds a position by creating a relationship infotype record between the position and the employee or user. Relationships between various organizational units form the organizational structure in your enterprise. You identify the tasks that the holder of a position must perform by creating relationship infotype records between individual tasks and a position.
  Creating and editing relationship infotype records is an essential part of setting up information in the Organizational Management component. Without relationships, all you have are isolated pieces of information.
  You must decide the types of relationship record you require for your organizational structure.
  If you work in Infotype Maintenance, you must create relationship records manually. However, if you work in Simple Maintenance and Structural Graphics, the system creates certain relationships automatically.
  14. Which status can Infotypes in the Organizational Management component have?
  Ans. Once you have created the basic framework of your organizational plan in Simple Maintenance, you can create and maintain all infotypes allowed for individual objects in your organizational plan. These can be the basic object types of Organizational Management – organizational unit, position, work center and task. You can also maintain object types, which do not belong to Organizational Management.
  15. What is an evaluation path?
  Ans. An evaluation path describes a chain of relationships that exists between individual organizational objects in the organizational plan.
  Evaluation paths are used in connection with the definition of roles and views.
  The evaluation path O-S-P describes the relationship chain Organizational unit > Position > Employee.
  Evaluation paths are used to select other objects from one particular organizational object. The system evaluates the organizational plan along the evaluation path.
  Starting from an organizational unit, evaluation path O-S-P is used to establish all persons who belong to this organizational unit or subordinate organizational units via their positions.
  16. What is Managers Desktop used for?
  Ans. Manager's Desktop assists in the performance of administrative and organizational management tasks. In addition to functions in Personnel Management, Manager's Desktop also covers other application components like Controlling, where it supports manual planning or the information system for cost centers.
  17. Is it possible to set up new evaluation paths in Customizing?
  Ans. You can use the evaluation paths available or define your own. Before creating new evaluation paths, check the evaluation paths available as standard.
  18. Which situations require new evaluation paths?
  Ans. When using an evaluation path in a view, you should consider the following:
  Define the evaluation path in such a manner that the relationship chain always starts from a user (object type US in Organizational Management) and ends at an organizational unit, a position or a user.
  When defining the evaluation path, use the Skip indicator in order not to overload the result of the evaluation.
  19. How do you set up integration between Personnel Administration and Organizational Management?
  Ans. Integration between the Organizational Management and Personnel Administration components enables you to,
  Use data from one component in the other
  Keep data in the two components consistent
  Basically its relationship between person and position.
  Objects in the integration plan version in the Organizational Management component must also be contained in the following Personnel Administration tables:
  Tables                    Objects
  T528B and T528T     Positions
  T513S and T513     Jobs
  T527X                    Organizational units
  If integration is active and you create or delete these objects in Organizational Management transactions, the system also creates or deletes the corresponding entries automatically in the tables mentioned above. Entries that were created automatically are indicated by a "P". You cannot change or delete them manually. Entries you create manually cannot have the "P" indicator (the entry cannot be maintained manually).
  You can transfer either the long or the short texts of Organizational Management objects to the Personnel Administration tables. You do this in the Implementation Guide under Organizational Management -> Integration -> Integration with Personnel Administration -> Set Up Integration with Personnel Administration. If you change these control entries at a later date, you must also change the relevant table texts. To do that you use the report RHINTE10 (Prepare Integration (OM with PA)).
  When you activate integration for the first time, you must ensure that the Personnel Administration and the Organizational Management databases are consistent. To do this, you use the reports:
  •        RHINTE00 (Adopt organizational assignment  (PA to PD))
  •        RHINTE10 (Prepare Integration (PD to PA))
  •        RHINTE20 (Check Program Integration PA - PD)
  •        RHINTE30 (Create Batch Input Folder for Infotype 0001)
  The following table entries are also required:
  •        PLOGI PRELI in Customizing for Organizational Management (under Set Up Integration with Personnel Administration). This entry defines the standard position number.
  •        INTE in table T77FC
  •        INTE_PS, INTE_OSP, INTEBACK, INTECHEK and INTEGRAT in Customizing under Global Settings ® Maintain Evaluation Paths.
  These table entries are included in the SAP standard system. You must not change them.
  Since integration enables you to create relationships between persons and positions (A/B 008), you may be required to include appropriate entries to control the validation of these relationships. You make the necessary settings for this check in Customizing under Global Settings ® Maintain Relationships.
  Sincerely,
  Devang Nandha
  "Together, Transform Business Process by leveraging Information Technology to Grow and Excel in Business".

• Custom Distribution Group management role (manager excpeiton)

  My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
  By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
  technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
  Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
  words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
  sufficient permissions. this operation can only be performed by a manger of the group”.
  New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
  New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
  New-RoleGroup -name “Sales “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
  When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
  group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
  Below confirms by scope.
  Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
  Name DisplayName SamAccountName GroupType
  distro1 distro1 distro1 Universal, SecurityEnabled
  distro2 distro2 distro2 Universal, SecurityEnabled
  distro3 distro3 distro3 Universal, SecurityEnabled
  On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
  Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
  Name
  Add-DistributionGroupMember
  Disable-DistributionGroup
  Enable-DistributionGroup
  Get-ADServerSettings
  Get-AcceptedDomain
  Get-DistributionGroup
  Get-DistributionGroupMember
  Get-DomainController
  Get-DynamicDistributionGroup
  Get-Group
  Get-MailUser
  Get-Mailbox
  Get-OrganizationalUnit
  Get-Recipient
  Get-ResourceConfig
  Get-User
  New-DistributionGroup
  New-DynamicDistributionGroup
  Remove-DistributionGroup
  Remove-DistributionGroupMember
  Remove-DynamicDistributionGroup
  Set-ADServerSettings
  Set-DistributionGroup
  Set-DynamicDistributionGroup
  Set-Group
  Set-OrganizationConfig
  Update-DistributionGroupMember
  Write-AdminAuditLog

  Hello,
  I understand that you have create custom management scope for each group and assigned a custom role to it.
  But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
  You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
  Check below link. http://exchange2010cmd.blogspot.de/
  You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
  You can either use existing default policy or create new policy and assign this management role to it.
  Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
  NOTE: If you are creating new policy , place that name instead of default policy name".
  I recommend you continue with defalut policy. After this check with any admin, he should have rights to edit membership.
  Now, regarding your second concern, that your custon role has to many role entries.
  You can remove unwanted role entries.
  Use this cmd: Get-ManagemenRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
  Before linking management role to email policy, remove unwanted role entry from role.
  I tried to explain it in easy way, but still it is not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer,dont forget to propose it as answer.

• Integrate IdM roles with Sun Access Manager roles

  Hi all,
  I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
  I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
  What are the important differences between static and dynamic roles in AM?
  Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
  Thanks.

  I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
  About directory server roles:
  http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
  Forum thread reference:
  http://forums.sun.com/thread.jspa?threadID=5208694
  Here are roughly the steps I followed to get this working.
  Access Manager roles setup:
  1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
  Identity Manager roles setup:
  1. Create a new role in Identity Manager: tab Roles, click New....
  2. Assign the LDAP resource to synchronize the role with.
  3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
  4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
  * In the column Value override, select Text.
  * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
  * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
  5. Save the role. You can now add the role to a user.

• E-Recruiting and Manager Role?

  Hello we are installing E-Rec 3.0: I have a quick question regarding Manager role.
  Once a Manager(I guess Requesting Person) creates a  requisition, Recruiter - approved and posted, Candidate applied.  At what point will the manager see the data for the candidate assigned to the Requisition. 
  I am able to see data only when I assign questionnaire to the Manager as a responsible person, but Manager can see EEO info which is a problem for us. 
  Any ideas?
  Thanks,
  Alex

  This is a job specific questionnaire, and manager sees it in the shortlist.  Activity is in planned status and assigned to the questionnaire.  Manager has a Decision Maker Role within the requisition.
  Thank you for all your help.
  Sincerely,
  Alex Berenson
  [email protected]

• Exchange 2010 Management Role loading slowness

  Hello,
  I'm new to the company I currently work for and relatively new into IT, and one of the first issues I have noticed here is how incredibly slow Exchange 2010 is when loading. 
  I'm aware there are numerous topics covering this issue after having done many checks on search engines, however most of them seem to advise going to IE and un-checking the boxes defining Certificate Revocation or other solutions that I haven't found to
  be applicable, at least not to my knowledge. I have tried the first suggestion but found this made no difference.
  We don't get any error messages when loading but it is generally a little slow, however the issue is where it says "Getting management role information for: domain/user info etc...", at the end of the progress bar. It will sit there for
  6 minutes before finally loading and allowing me in. This happens every time you use it also, not just the first time, whether it's on the local machine of anyone in IT or on the server.
  I've checked the server's available resources and it seems to be more than enough, although it is a virtual server so I'm not sure whether that changes what the issue could be.
  Would anyone be able to help point me in the right direction of what I could be checking for? Sorry if this is a really vague question or I've not provided enough detailed information, but any help would be really appreciated. I'm sure one of the more experienced
  members of my new team could take a look but I figured I'd try and make a good impression!
  Apologies if this is in the wrong forum section also.
  Thanks very much

  Hi
  Thanks for the reply.
  We're on Exchange Server 2010 SP3 (14.03.0158.001), as far as I can tell it's all up to date.
  Server specs:
  OS - Server 2008 R2 Enterprise, 64bit
  RAM - 32GB
  Processor - Intel Xeon E5-2690 @ 2.90GZ, 16 Cores, 16 Logical Processors
  There's 433 mailboxes in total, spread over 19 databases (a database for each department), 17 of those being mounted and active.
  Once I'm into the management console and can use the various features, the performance is generally fine, it's just that initial loading where it hangs.
  Thanks

• Error While creating Collection Management role

  Hi
  We did a client copy and Iam getting the error "Database error UDM_PR_HEAD UDM_COLL_BUPA 5" whenever I tried to create collection management roles.
  Database error UDM_PR_HEAD UDM_COLL_BUPA 5
  Message no. UDM_WORK_LIST010
  Diagnosis
  Database instruction UDM_PR_HEAD was not successful.
  Procedure
  If you can reproduce the error message, contact SAP Support.
  Anyone knows anything about this error?
  Thanks

  Hi Ram,
  sorry for the inconvenience, can you provide the collections management(ecc6.0) configuration document.
  i am trying to learn that but i could not find any related document .
  Thanks,
  Ravi

• Managed Role Scope

  I learned that roles in DS are scoped to where they are created. Meaning if I create a managed role called role1 in ou=Roles,dc=sun,dc=com only entries (ie users and groups) under the ou=Roles branch will have visibility to role1. But since all my users are created underneath a different ou (ie ou=People), how do I get role1 to be visible to the users under ou=People? From a day's worth of reading, this doesn't seem possible. The only way around is to create the role under the ou=People branch. In this approach, all the member searches are behaving correctly. My concern is we will have thousands of roles, what's the scalability of having that many roles mingled with all 750,000 user entries under ou=People...
  Any help is appreciated!

  The problem with that is the nsRole virtual attribute never gets >calculated. While, the nsRoleDN will allow me to find all the roles for a >given user with a search filter like this:
  uid=user1 nsRoleDN
  I need the nsRole virtual attribute to find role members (all members >with a particular role)
  for example, using this search filter
  nsRole=cn=role1,ou=roles,dc=sun,dc=com
  to retrieve all members of role1. and this does not work unless role1 >was in the same scope as the user or aboveWhat about using
  nsRoleDN=cn=role1,ou=roles,dc=sun,dc=com
  It should return all members of role1. In the same time usage of on-the-fly computed nsRole attribute in searches isn't supported - please see Note 2 in the same link:
  http://docs.sun.com/source/816-5606-10/roles.htm#1117631

• "Discovery Manager" role cannot place a mailbox on hold

  My Company is testing Exchange 2013 and Exchange Online. We would like to have all discovery functions managed by our legal team.  We have assigned test users the “Discovery Manager” role.  That role should allow them rights to search all mailboxes
  and put search results on hold. Additionally, the discovery manager role should allow them to select a user mailbox in EAC, open the "Mailbox Features" page and enable litigation hold on the mailbox (no searching required). 
  We have found the second feature, enabling litigation hold without searching, is unavailable to discovery managers when using EAC. The "Mailbox Features" page is not exposed to discovery mangers using EAC.  The discovery manager can place a mailbox
  on hold using PowerShell but that would not be a reasonable option for our legal team.
  Please confirm if my understanding is correct, discovery manager should be able to place a mailbox on hold as well as in-place hold using EAC.
  Thanks in advance,
  Ron

  Does "Get-RoleGroup "discovery Management" | FL *role*" show that the Legal Hold role is assigned to the Discovery Mgmt role Group? If so, then  you may need to assign the "Recipient Management" or "Help Desk" role to those users as well or if you wish
  to security trim their access, create a customized RBAC role for them.
  Alternatively, see if they can simply set litigation hold via Powershell with set-mailbox
  Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

• Content Management Roles in SAP

  Hello Everyone,
  There are three Content Management Roles provided by SAP, but when we search for these roles in User Administration -> Roles,  only one Content Management role is shown up. Can anyone explain ??

  Hello,
  If u search for "Content Manager" in  the search tab under Content Administration role, u'll b able to see 3 Content Manager roles as follows:
  Content Manager with PCD Location   "pcd:portal_content/com.sap.pct/specialist/com.sap.km.ContentManager/com.sap.km.ContentManager"
  Content Manager with PCD Location 
  "pcd:portal_content/specialist/contentmanager/ContentManager"
  Content Manager with PCD Location "pcd:portal_content/specialist/contentmanager/com.sap.km.ContentManager"
  But if u do the same search in User Administration -> Roles, only one Content Manager role with PCD location "pcd:portal_content/specialist/contentmanager" is shown up. This was what I meant.
  Any idea on the same?

• Content Management Role missing in EP 7

  Hi Experts,
  I have to store some documents in SAP EP KM. I have noticed that Content Management Role missing. We are using EP 7. Its strange. Can you please let me know the reason. Earlier I was using Content Management role for storing documents, Collaboration etc.
  Regards,
  Gary

  Hi,
  Go to User Administration ->  Identity Management.
  Select the user and  click the modify button.
  Go to the assigned roles tab
  search for the Content Manager
  Add only pcd:portal_content/specialist/contentmanager/ContentManager role and save.
  Hope that helps.
  Raghu

• Reg: Hiring Manager role in E-Recuitment EHP4

  Hi all,
             i am working with Ehp4 . My business package for  Recruiter is Recruiter1.4.1  . I am trying to create a requisition from the recruiter login . I have a field HIRING MANAGER . Wat is the role tat we should assign for the Hiring Manager. 
  Thanks
  Priya

  Hi,
  I have the same problem on ERECRUIT604 EHP4 SP4. I cannot retrieve managers using Find Hiring Manager search on the Create Requisition page.
  I have though found out that there are 2 cases.
  On the one-instance solution with HR and ER on the same server an employee is retrieved as a Manager if there are following relationsships to his CP object:
  B     207     Is identic     BP
  B     208     Is identic     US
  B     209     Has employ     P
  B     650     Has candid     NA
  Especially the relationship CP B208 US is critical. The problem is though that this relationship is not created automatically be the system as on the one-instance solution the user is retrieved from IT105 subtype 0001 via P object, so you have to create this relationsship manually. Or am I wrong?
  On the two-instance solution with HR on one machine and ER on another the above solution does not work at all. Here the relationship CP B208 US is created via ALE, but it does not help for retrival of Hiring Managers.
  I have also added the 'manager' role to the employee, the employee is the manager in the Organizational Structure, and still I cannot retrieve him.
  Maybe it's a bug in the system. Anyway I cannot find any hints telling what are the assumptions for using this functionality.
  Waiting for an answer
  Best regards,
  Beata

• Server (Tomcat) Managed "Role-Based" Authentication (isUerInRole)

  I am using the Tomcat 5.0.27. In order to use server managed "role-based" authentication, we supply the server with two tables. One of the tables containes userID and password, and the other tables contains userID and userRole (a person can have more than one role). (We must map each user to his/her role somewhere, and it is in the $TOMCAT/conf/server.xml file)
  My difficulty stems from the tables are structured in my database. I do have a table that contains userID and password; however, I do not have a table that contains userID and userRole. In order to know a person's role, I have to navigate from one table to another using foreign key and primary key.
  Is there a way to tell the server to navigate from one table to another to find a person's role? Or we "must" create a table that contains userID and userRole for us to use the isUserInRole() method for security check?

  check out the tomcat docs
  http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JDBCRealm
  according to docs you have to create these tables
  create table users (
  user_name varchar(15) not null primary key,
  user_pass varchar(15) not null
  create table user_roles (
  user_name varchar(15) not null,
  role_name varchar(15) not null,
  primary key (user_name, role_name)

• Modifying a precanned RBAC management role

  I'm trying to revert a precanned management role "Mailbox Import Export" to the default out-of-the-box state. Some time ago, someone removed a handful of parameters and entries from it.
  When I try to just add them back I get an error "The precanned management role "Mailbox Import Export" can't be modified."
  I understand that it's not normally done, and some people think its not possible to do. But someone figured out how to remove entries in the past -- now I have to figure out how to put them back.
  Anyone have any experience with this?
  Also, is it possible to modify assigned management roles? This role is already a member of a group & has some assignments. If possible, I'd like to modify it in-place.

  Everything is stored in AD so ADSIEdit will be your friend but it's not recommended (or probably supported too) to modify this via raw AD editors...
  Configuration -> Services -> Microsoft Exchange -> YourExOrgName -> RBAC -> Roles -> Mailbox Import Export -> msExchRoleEntries is the attribute with proper formatted values...
  I strongly recommend you to test this in a Test environment first and take backup of AD before doing any modification in production environment...
  Blog |
  Get Your Exchange Powershell Tip of the Day from here

• "Office 365 Mailbox" missing for users that are member of Ricipent Management role

  Hi,
  I have a hybrid setup with Office 365 and one exchange 2013 standard server on-premises.
  I currently have an issue with that I have a button after pressing the + under recipient to create a Office 365 mailbox from the ECP, but users that are members of the Recipient Management role don't have that button visible.
  What extra permissions are required to be able to create an Office 365 mailbox from the on-premises Exchange?

  Hi SeidKrv,
  Thanks for your update.
  Following article introuduces the permissions that need to assigned before running "New-Mailbox" command.
  Please focus on "Recipient Provisioning Permissions" session.
  Recipients Permissions
  http://technet.microsoft.com/en-us/library/dd638132(v=exchg.150).aspx
  Based on the article, it seems both Recipient Management role and Organization Management role are required.
  More detailed information on both management role as below:
  1. Administrators who are members of the Recipient Management role group have administrative access to
  create or modify Exchange 2013 recipients within the Exchange 2013 organization.
  2. Administrators that are members of the Organization Management role group have administrative access to the entire Exchange 2013 organization and
  can perform almost any task against any Exchange 2013 object, with some exceptions. By default, members of this role group can't perform mailbox searches and management of unscoped top-level management
  roles.
  Thanks
  Mavis Huang
  TechNet Community Support