Menu Role and Security
How do you enable menu roles and enforce security in forms?
For example in an complex application if we want to have a control of access of menus based on user login
I know it can be done thru the front-end itself by using an if then condition.
but can it be integrated with the database user logins itself
kindly reply
Thanx in advance
Hi,
first RUN frm60sec.sql under system/manager
create different roles
GRANT roles to users
Grant select access to the view created by frm60sec as follows:
SQL > Grant select on frm50_enabled_roles to public;
Note it is NOT frm60_enabled_roles.
To verify that your roles and grants are correct, log on as a user and run the following:
SQL>Select * from frm50_enabled_roles;
You should be able to see the users roles.
then come to MMB file contibue assiging the roles in each menu Item. U ll see get the result.
regards
Similar Messages
-
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.comBelow are the screen shots for PFCG:
-
I have setup a 11g Oracle database.
Can I please have some help to create some user accounts (3 levels, eg. Administrator, Power User, and Guest style users) as well as setting up appropriate levels of security implemented via ROLES and PRIVILEGES for Roles.
Thanks in advance996403 wrote:
I am wanting the Administrator to have control over everything, the Power User to be a User who also has the ability to create tables, triiggers etc, and the Guest to just be able to view data in the database without changing anything.
Can you correct me if I am wrong with the following suitable roles for the users:
Administrator
- All roles
Power User
- Connect
- Resource
Guest
- ConnectYou have to get out of this Administrator/Power User/Guest Windows security group paradigm. Windows security groups cannot be directly correlated to Oracle security groups, and that is why you are having so much trouble doing so. I recommend that you:
-stop comparing Oracle to Windows
-learn what security rights your database users need
-fully understand the predefined roles, and then assign users to those roles only if they require every right that those roles grant
-create your own application roles for any users that have requirements that do not align exactly with the predefined groups
We are only encouraging you to do things in a manner that follows best practices, and doing so will keep your headaches to a minimum later on down the road. -
i have problem with role in my database
i have 2 table
t1 and t2
owner = ERP
i create user HAMID with grant connect,resource
then
create role xx and grant all on t1 and t2 to xx
then grant xx to HAMID
when hamid connect to database and select from t2 get error table dosnt exist
whyyyyyyyyyyyyyyyyy?plz help me
see this:
i have 2 table
t1 and t2
owner = ERP
conn sys
create role r1;
create role r2;
grant all on erp.t1 to r1
grant all on erp.t2 to r2
create user HAMID identified by hamid;
grant resource,connect to hamid;
alter user hamid default role connect;
grant r1 to hamid;
conn hamid
SELECT * FROM SESSION_ROLES;
see this
CONNECT
RESOURCE
R1
conn sys
grant r2 to hamid;
conn hamid
SELECT * FROM SESSION_ROLES;
see this
CONNECT
RESOURCE
R1
where is R2 ?????????????????????????????????????????? -
Roles and responsiblities of oracle dba in development team
What should be the roles and responsiblities of oracle dba in development team?
Does Application dba should have oracle user credentials on db box?Hi, Application DBA work as like production DBA, while resolving issue SLA would not apply for them . Apart from this developement team pressure will be there.
These are points remembered.
Creating test Db for testing environment,
Schema Replication of POC
replication the DB for interface setup .
User , Space management.
Roles and Security management
Space Forecasting -this will be useful when you are estimating for storage
need to give application set up to Production DBA with proper specification.
maintaining the schema changes
Ensure that right script shas to provide the Production DBA team .
Deployment of the application.
performance tuning..
All environment memory /CPU statistisc need to check by regular interval.If any issues need to escalte to INFRASTRUCTURE team
HTC
tippu -
How to generic menu roles functionality dynamically
right now i am using oracle built in menu roles, as we are not systematic the roles, every day we are adding - removing different screens form the diff users etc, it became difficult with menu roles. and Programmer presence is needed to change Menu roles very oftenly. already im having 50+ menu roles in my application, as i read in tech docs it is not advisable to increase menu roles toomany.
But i would like to wants that things as programatically.. by keeping all the menu names,usernames in tables and assign to users when ever we need manually, as it is replicating Oracle Menu roles default functionality.
is there any body can help/ advise on this issue. any work around please...
thx regads subbarao..right now i am using oracle built in menu roles, as we are not systematic the roles, every day we are adding - removing different screens form the diff users etc, it became difficult with menu roles. and Programmer presence is needed to change Menu roles very oftenly. already im having 50+ menu roles in my application, as i read in tech docs it is not advisable to increase menu roles toomany.
But i would like to wants that things as programatically.. by keeping all the menu names,usernames in tables and assign to users when ever we need manually, as it is replicating Oracle Menu roles default functionality.
is there any body can help/ advise on this issue. any work around please...
thx regads subbarao.. -
Issues with test-all role and browser security
WLS 10.3.5
I have a deployed application on Linux using a SQLAuthentication and Authorization - all is well here.
I have setup all the security (without the test-all role) and I cannot access any of the system.
If I put the test-all role in - I can access the system.
I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
I have the menu setup to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist).
So the context is fine.
I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set - I get authorization errors - not authorized).
Have I missed something in this?
I have also noticed that if I close the browser (X) without logging out and come back into the system the authentication is totally bypassed and I go back in as the same user as before.
Is there some way to destroy the previous context every time the welcome screen is executed.Add the following parameters to the Run options for the ViewController project:
-Djps.auth.debug=true -Djps.auth.debug.verbose=true
Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem. -
I have a menu with role security enabled. If I grant one of
these roles to a pre-existing user, everything works fine.
However, if I grant it to a brand new user I get "FRM-10256 User
is not authorized to Run Form Builder Menu". (Note that all of
the forms, menus etc are held in the file system).
I have definitely granted the right role. What is going on
here?
Thanks
Chris
nullThanks.
Chris Rimmer (guest) wrote:
: John,
: Don't worry, I already answered my own question! To use menu
: role security:
: 1) Ensure that the view SYSTEM.FRM50_ENABLED_ROLES exists. If
: not, you will need to run a script (FRM50SEC.SQL I think) to
: create it. I also advise that you grant SELECT on this view
to
: PUBLIC, to avoid the problem that I encountered.
: 2) Create the roles to be used, if they don't yet exist.
: 3) In the menu module, set the "Use Security" property to TRUE
: and add the roles to the "Module Roles" list.
: 4) For every item in the menu, you must now make a selection
in
: the "Item Roles" property to decide which roles can access the
: item.
: 5) Make sure you compile the Menu Module. Done.
: Chris
: john (guest) wrote:
: : Hello Chris,
: : I don't have the answer, sorry. I would like to ask you for
: : your help on creating menu role. How can I create a menu
role
: : then grant it to users specificly? Thanks for you time.
: : john
null -
Developing security Roles and profiles
Hi Team,
Can you guys let me know how to develop security roles and profiles. We are rolling out for a company in Japan, and the congif is completed. We are in the process of developing test cases ans also security roles and profiles for users? Can somebody guide and help me on this?
Regards,Hi,
Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
user masters: USR01 to 09, UST04,
profiles: USR10, USR11, UST10S, UST10C,
authorisations: USR12, USR13, UST12.
password exceptions USR40.
History tables(may not be applicable but FYI): users: USH02, USH04,
profiles: USH10, auths USH12.
R/3 Security Tcodes
End User Transaction Code Menu Path Purpose
SU3 System > User Profile> Own Data Set address/defaults/parameters
SU53 System > Utilities > Display Authorization Check Display last authority check that failed
SU56 Tools --> Administration --> Monitor --> User Buffer Display user buffer
Role Administration Transaction Code Menu Path Purpose
PFCG
Tools --> Administration --> User Maintenance --> Roles Maintain roles using the Profile Generator
PFUD Work on SAP check indicators and field values
Select: Copy SAP check IDu2019s and field values
Installation
1. Initial Customer Tables Fill
Upgrade
2a. Preparation: Compare with SAP values
2b. Reconcile affected transactions
2c. Roles to be checked
2d. Display changed transaction codes
SU24
Same as for SU25:
Select: Change Check Indicators > Maintain Check Indicators>Maintain
Regards,
Srini Nookala -
Interaction of BW Roles and BWA Explorer Security
We secure all our BW users via roles these roles have Analysis
authorizations embedded in them which restrict access to specific
infoproviders and values in these based on authorization relevant
infobjects.
When we try to create a BWA Explorer object in RSDDTPS we are forced to
assign a userid and an analysis authorization directly in
the "Authorizations" tab. Our security group only wants to have too
assign roles to users either via SU01 or CUA.
Configuration
BO 2008 Enterprise Server (connected to BW system)
BW system (Netweaver 7.01 EHP1)
BWA 7.2
1) How can we create BWA Explorer objects on a infoprovider without
directly assigning users in Authorization Tab and how can we make the
system ignore whatever is on this tab and base access to a BWA explorer
object on the roles assigned to the user via SU01/CUA.
2) If a User has roles assigned in BW that give them access to a
specific infoprovider will this automatically also give them access to
a BO Server published BWA explorer object built on that infoprovider.
Related to this do we also need import the same roles and assign to the
user in CMS server with link to BWA Explorer Server or does the user
automatically get access to BWA Explorer as long as BWA Explorer is
published on BO Server.
3) If the user in BW is assigned roles that limit values based on an
authorization relevant object is this restriction enforced in the
values returned in published BWA Explorer for the user. Example
Authorization Relevant object is Profit Ctr and the user has two value
roles one contains access to all profit center that role up to a
hierarchy node limited to the USA and the other contains hierarchy
analysis authorization limiting access to all profit centers rolling up
to hierarchy node representing Europe. When a user access's the BWA
Explorer object which contain profit ctr will the values be limited
only to USA AND Europe Profit centers or will the BW value based
security be ignored.
Please provide advice on above questions and document resources on how
BW role based security interacts with BWA Explorer.Hi Expert,
I need a solution for same scenario, anyone can give inputs.
Regards,
Ganesh -
Hello,
I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
So:
1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
Your response is appreciated.Hello,
I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
So:
1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
Your response is appreciated. -
Hello,
Could you please provide information on "security roles and profiles "
I would appreciate.
Regards,
AlexRoles give you authorization to specific area of the system. Use TC pfcg and you will see different setting for a role.
In specific Role -> Authorization -> click on Display Authorization Data.
Here all specific InfoArea, Cube, ODS, Reporting componets: display, execute and other security rules are defined.
User Section: defines who has access to this role.
Multiple authorization are combined to create an Authorization Profile. You defined a profile at TC su01 and under profile section.
Hope that helps.
thanks.
Wond -
Configure security-role and method permission for EJB 3.0 using Jdev 11g
The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
For example,
<assembly-descriptor>
<security-role>
<role-name>managers</role-name>
</security-role>
<method-permission>
<role-name>managers</role-name>
<method>
<ejb-name>Employees</ejb-name>
<method-name>setSalary</method-name>
<method-params>
<method-param>java.lang.Long</method-param>
</method-params>
</method>
</method-permission>
</assembly-descriptor>user516954,
By default annotations are used. However, you can create a new descriptor and that will take presidence over any declared annotation.
--Ric -
Portal Design - Best Practices for Role and Workset Tab Menu
We are looking to identify and promote best practices in SAP Portal Design.
First, is there a maximum number of tabs which should exist on the highest level tab menu, commonly called the role menu? Do a large number of tabs on this menu cause performance issues? Are there any other issues associated with a large number of tabs on this menu?
Second, can the workset tab menu be customized to be 2 lines of tabs? Our goal is to prevent tab scrolling.
ThanksDebra,
Not aware of any performance issues with the number of tabs in the Level 1 or 2 menus, particularly if you have portal navigation caching enabled.
From an end user perspective I guess "best practice" would be to avoid scrolling in the top level navigation areas completely if possible.
You can do a number of things to avoid this, including:
- Keep the role/folder/workset names as short as possible.
- If necessary break the role down into multiple level 1 entry points to reduce the number of tabs in level 2.
An example of the second point would be MSS. Instead of creating a role with a single workset (i.e. level 1 tab), we usually split it into two folders called something like "My Staff" and My Finance" and define these folders as entry points. We therefore end up with two tabs in level 1 for the MSS role, and consequently a smaller number of tabs in level 2.
Hope that helps......
Regards,
John -
Security report with native roles and the roles they have access to.
We need a security report that shows the Native/Custom Roles and the roles that they have access to.
So, an example would be the role US_Acct, and the report would show what roles that has access to (Post Journals, Consolidate, etc).Can this be done?Export the Provision report from Shared Services.
Upload report to Excel or Access.
Build Tables to show what tasks each Role has access to.
Build a report that links the provision report and the xref tables.
You should also do this with Security Classes.
Maybe you are looking for
-
Hi All, I am seeing the following error for SMS_AWEBSVC_CONTROL_MANAGER component with Message ID: 8100 Application Web Service Control Manager detected AWEBSVC is not responding to HTTP requests. The http status code and text is 400, Bad Request. a
-
Connecting an ipad 2 to a non hd tv
Hi. I have the cable to connect to a HDTV which is fine but my new apartment has the old style box tv - is there any way of connecting the ipad to the old TV?
-
Regarding Enhancements/User-Exits in ABAP
Hi, Can anybody tell me What is meant BY Enhancements & User-Exits. Also what are diffrent types of Enhancements/User-Exits avialable. Can anybody explain me about diffrent types of Enhancements/User-Exits. Can anybody provide me documentation with t
-
Updating Acrobat Pro 9 to new Mac
I have an existing version of Acrobat Pro ( (version 10.1.8) running on my old MacBook Pro (running OSX 10.6.8) How do I transfer this to my new MacBook Air (running 10.7.4)?
-
Changed web services need to be imported in NWDS mapping
Hi All I have to import a web service WSDL in service interfaces of the project in NWDS and use it in a mapping which is in a read web service step in BPM. The mapping already has a WSDL having different name but same namespace as of the new WSDL How