Modify user roles through SPML?

Similar Messages

• Unable to modify user password through OAM identity system console.

  HI,
  I am trying to reset the password of a user through OAM Identity console.
  I had logged in through orcladmin(admin), and tried to update the password for users, as well as orcladmin also.
  After clicking save, its giving me error "Modify User Entry Failed" and password is not updated in LDAP
  Also note that I am able to modify any other attribute of that user like last name, title, firstname etc through identity console.
  Its only user password attribute which is not geting updated.
  I am user OVD, which is integrated with OID & AD for user store.
  Also I tried to set "Access Attribute control" for modifying user password, but that didnt help.
  Kinldy suggest if you have came across this kind of issue.
  Regards,
  Ankit.

  HI,
  Thanks for the replies.
  As my OVD is integrated with OID & AD both, I am picking up the users from OID for update.
  Also the SSL is configured betveen OVD & AD, but still AD user password is also not successfull.
  Niether of two is working.
  I am not able to create a user through Identity System console, as I had not configured workfllow.
  I believe for updating user attibute, workflow defination need not to be define.
  Also As I had mentioned before, I am able to modify all the other attributes other than user password.
  Also Schema is extended properly.
  Thanks & Regards,
  Ankit

• Problem assigning internet user Role through portal

  Hi All,
  Please could someone help me with the following:
  I am creating a registration process that creates a new CRM Business partner with contact person and internet user roles. When i run the Bapi from with in CRM everything works fine however when i run my jsp dynpage application and call the same bapi, the internet user that i create does not have any of the logon details or roles. Does anyone know why this is? i am using the same user when running in crm and the portal.
  Many thanks in advance
  Calvin

  Hi Sunil,
  Thanks for your reply. answers to your questions:
  1. Yes, all portal users are maintained and have the same roles as CUA users. Portal authenticates against CUA.
  2. Yes the user is created correctly on the backend. i have created a BAPI that creates users, BP's and assigns roles. This Bapi works perfectly when run in CRM but as soon as it is accessed via the portal the internet user role does not have all the required information.
  Many thanks
  Calvin

• Weblogic API for modifying users/roles

  I need to write an application which will enable adding users to weblogic
  domain and configuring roles.
  Does Weblogic provide such API?
  If so, what are the relevant packages?
  P.S.
  I wasn't sure which exact newsgroup my question belongs to.
  If anyone has a better suggestions please provide it.

  I searched the newsgroup and found that somebody addressed this issue.
  "Andrey" <[email protected]> wrote in message
  news:[email protected]...
  >
  WebLogic 7.0
  I have read a number of questions on how to do these but not many answers,so
  after figuring it all out, I thought I would post a message describing allthese
  tasts (It would be great if BEA would start something like 'HOW-TOs forLinux'
  for WebLogic)
  -1. Imports required :
  import weblogic.jndi.Environment;
  import weblogic.management.MBeanHome;
  import weblogic.management.WebLogicObjectName;
  import weblogic.management.configuration.DomainMBean;
  import weblogic.management.configuration.SecurityConfigurationMBean;
  import weblogic.management.security.RealmMBean;
  importweblogic.management.security.authentication.AuthenticationProviderMBean;
  import weblogic.management.security.authentication.GroupEditorMBean;
  import weblogic.management.security.authentication.UserEditorMBean;
  importweblogic.management.security.authentication.UserPasswordEditorMBean;
  import weblogic.security.providers.authentication.*;
  0. Code to retrieve DefaultAuthenticatorMBean (this code is running insideWebLogic
  server - I have it inside EJB):
  DefaultAuthenticatorMBean authBean;
  Context ctx = new InitialContext();
  MBeanHome mbeanHome = (MBeanHome)ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
  >
  //Find UserEditorMBean
  DomainMBean dmb = mbeanHome.getActiveDomain();
  SecurityConfigurationMBean scmb =dmb.getSecurityConfiguration();
  RealmMBean rmb = scmb.findDefaultRealm();
  AuthenticationProviderMBean[] providers =rmb.getAuthenticationProviders();
  >
  for (int i = 0; i < providers.length; i++) {
  if (providers[i] instanceof DefaultAuthenticatorMBean) {
  authBean = (DefaultAuthenticatorMBean) providers;
  break;
  1. Create/Drop/Update users
  to perform these tasks, the user must be logged in into weblogic and be in
  Administrators
  group. Then, the code is as follows:
  create user: authBean.createUser(username, password, description);
  remove user: authBean.removeUser(username);
  change user's description: authBean.setUserDescription(username,newDescription);
  >
  remove user from group: authBean.removeMemberFromGroup(groupname,username);
  >
  add user to group: authBean.addMemberToGroup(groupname,username);
  >
  2. Change other users' passwords (MUST BE ADMIN TO DO THIS - by Admin Imean be
  a member of Administrators group)
  authBean.resetUserPassword(username, newPassword);
  3. Change your own password:
  this is a bit trickier, because if you are not an admin, you can't changeyour
  own password!!!! This is a part that I personally don't understand - seemslike
  a screw up on BEA's part. So, to allow users to change their ownpasswords, you
  must change security context in the middle of processing to that of Adminuser
  and run this function as Admin user. Although a bit ackward, it's veryeasy to
  do. Suppose you have two EJBs - EJB A and EJB B. EJB A does normalprocessing
  for the user and always runs in logged in user's security context. Now,suppose
  you want to add a method to EJB A to change current password. The methodmay
  look like:
  public void changePassword(String logon, String oldpwd, String newpwd)
  throws some exceptions
  Now, there is no way to do it in EJB A, because for most users, it willrun in
  a 'non-admin' security context. So, to get around it, you create another
  EJB - EJB B. This EJB has one method:
  public void changePassword(String logon, String oldpwd, String newpwd)
  throws some exceptions
  and one major difference - this EJB always runs in a secrity context ofadmin
  user. To get an EJB B running 'as admin user', all you have to do in EJBA is
  the following
  EJB A:
  public void changePassword(String logon, String oldpwd, String newpwd)
  Hashtable props = new Hashtable();
  props.put(Context.SECURITY_PRINCIPAL, "wlmanager");
  props.put(Context.SECURITY_CREDENTIALS, "password");
  // get context that with different credentials
  Context ctx = new InitialContext(props);
  EJBBHome home = (EJBBHome) ctx.lookup("EJBBHome");
  EJBBLocal adminEJB = home.create();
  adminEJB.changePassword(logon, oldpwd, newpwd);
  adminEJB.remove();
  of course, this poses a problem of hardcoding user id and password foradmin user
  in your application - you can come up with your own ways to secure that.
  THAT's IT!!! You can use the method explained in part 3 to allownon-admin users
  to do pretty much everything, however for the sake of security, I woulddefinetly
  vote against it and use part 3 to ONLY allow users change their ownpasswords
  >
  Enjoy
  Andrey
  "Yonatan Taub" <[email protected]> wrote in message
  news:[email protected]...
  I need to write an application which will enable adding users to weblogic
  domain and configuring roles.
  Does Weblogic provide such API?
  If so, what are the relevant packages?
  P.S.
  I wasn't sure which exact newsgroup my question belongs to.
  If anyone has a better suggestions please provide it.

• Roles through SearchRequest ?

  Hi,
  anybody tried to query user roles through spml ?
  I can get the default attributes (sn,gn,telephone) with
  SearchRequest, and more by setting attributes (list/all),
  but no roles.
  Could anybody give me a hint ?
  Best,
  Kjell

  Hi...
  Yes, i've tried <ref>waveset.roles</ref>... or better, i'm inside workflow and the context is variables.user, and i see, while debugging, the value change but when i call the refreshView and the checkinView the value defaults to nothing...
  i don't understand why...
  could you help me???
  thanks
  Jorge

• Provisioning EP roles and user groups through CUP

  Hello experts,
  I am configuring EP provisioning through CUP.
  I created the EP connector as per the instructions in the config guide. But I have not added any parameter values or did any field mapping. I have imported necessary Portal roles.
  My EP connector is tested successful. But when I try to provision a role through CUP, I get this error:
  Error processing your request, Request no: 4 in stage : NEW_AS11.
  In the log it shows,  Field Mapping is not set for Application  (EP)
  But when I go to field mapping, I get this error for EP.
  Data retrieval from system XP1 failed : com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
  I could not find much documentation on fieldmapping.
  Are there any steps that I am missing for EP provisioning?
  Thanks in advance..
  Kee

  Thanks for your response.
  I have set up the parameters while setting up the EP connector in CUP.
  My role search URI is correct  but I am not sure about the last three parameters...
  ASSIGN_GROUPS:OC sapgroup
  ASSIGN_ROLES:OC saprole
  CHANGE_USER:OC sapuser
  CREATE_USER:OC sapuser
  CREATE_USER:password password
  DELETE_USER:OC sapuser
  LOCK_USER:OC sapuser
  LOCK_USER:islocked true
  RESET_PASSWORD:OC sapuser
  RESET_PASSWORD:password password
  ROLESEARCH_URI -  http://portalserver name:port number/UserRoleSearchForAEService_5_3/Config1?wsdl&style=document
  ROLESEARCH_URI_USERNAME -  same user Id I provided for the connector
  ROLESEARCH_URI_PASSWORD See your system administrator for the value.
  UNLOCK_USER:OC Sapuser
  UNLOCK_USER:islocked false
  ROLE_DATA_SOURCE -- ROLE.UME_ROLE_PERSISTENCE.un:   ??? What  is the role data source?? Is the value that is  provided is correct for the UME roles
  SCHEMA_ID SAPprincipals   ?? What does this Schema Id mean???
  USER_DATA_SOURCE  ????  Should we mention the user data source on the Portal system. In our case, it is the LDAP. But what would be the corresponding parameter value for LDAP.
  So when I go to field mapping to create one for EP, I get the following error:
  Data retrieval from system XP1 failed : com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
  Log Details:
  2009-03-03 14:28:48,055 [SAPEngine_Application_Thread[impl:3]_19] ERROR Error in gettting Field Def
  com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:131)
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getSchemaAttributes(SchemaRequest.java:142)
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getFieldDefinition(SchemaRequest.java:163)
       at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:126)
       at com.virsa.ae.configuration.actions.LoadFieldMapAction.execute(LoadFieldMapAction.java:56)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Caused by: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
       at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:192)
       at com.sap.engine.services.webservices.jaxm.soap.SOAPMessageImpl.<init>(SOAPMessageImpl.java:83)
       at com.sap.engine.services.webservices.jaxm.soap.MessageFactoryImpl.createMessage(MessageFactoryImpl.java:35)
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:118)
       ... 25 more
  Caused by: com.sap.engine.lib.xml.parser.NestedSAXParserException: Fatal Error: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)(:main:, row=5, col=18) -> com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
       at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:139)
       at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:173)
       at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.parseDocument(SOAPPartImpl.java:221)
       at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:189)
       ... 28 more
  Caused by: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
       at com.sap.engine.lib.xml.parser.XMLParser.scanAttValue(XMLParser.java:1403)
       at com.sap.engine.lib.xml.parser.XMLParser.scanAttList(XMLParser.java:1577)
       at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1712)
       at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
       at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
       at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
       at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
       at com.sap.engine.lib.xml.parser.XMLParser.scanContent(XMLParser.java:2442)
       at com.sap.engine.lib.xml.parser.XMLParser.scanElement(XMLParser.java:1843)
       at com.sap.engine.lib.xml.parser.XMLParser.scanDocument(XMLParser.java:2845)
       at com.sap.engine.lib.xml.parser.XMLParser.parse0(XMLParser.java:231)
       at com.sap.engine.lib.xml.parser.AbstractXMLParser.parseAndCatchException(AbstractXMLParser.java:145)
       at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:160)
       at com.sap.engine.lib.xml.parser.AbstractXMLParser.parse(AbstractXMLParser.java:261)
       at com.sap.engine.lib.xml.parser.Parser.parseWithoutSchemaValidationProcessing(Parser.java:280)
       at com.sap.engine.lib.xml.parser.Parser.parse(Parser.java:342)
       at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:101)
       ... 31 more
  2009-03-03 14:28:48,055 [SAPEngine_Application_Thread[impl:3]_19] ERROR com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
  com.virsa.ae.core.BOException: com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
       at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:134)
       at com.virsa.ae.configuration.actions.LoadFieldMapAction.execute(LoadFieldMapAction.java:56)
       at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:425)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
       at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
       at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:455)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
  Caused by: com.virsa.ae.service.ServiceException: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:131)
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getSchemaAttributes(SchemaRequest.java:142)
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.getFieldDefinition(SchemaRequest.java:163)
       at com.virsa.ae.configuration.bo.FieldMappingBO.getSAPFieldDefList(FieldMappingBO.java:126)
       ... 22 more
  Caused by: com.sap.engine.services.webservices.jaxm.soap.accessor.NestedSOAPException: Unable to create message from source.
       at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:192)
       at com.sap.engine.services.webservices.jaxm.soap.SOAPMessageImpl.<init>(SOAPMessageImpl.java:83)
       at com.sap.engine.services.webservices.jaxm.soap.MessageFactoryImpl.createMessage(MessageFactoryImpl.java:35)
       at com.virsa.ae.provisioning.idm.spml.request.SchemaRequest.sendSchemaRequest(SchemaRequest.java:118)
       ... 25 more
  Caused by: com.sap.engine.lib.xml.parser.NestedSAXParserException: Fatal Error: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)(:main:, row=5, col=18) -> com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
       at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:139)
       at com.sap.engine.lib.xml.parser.DOMParser.parse(DOMParser.java:173)
       at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.parseDocument(SOAPPartImpl.java:221)
       at com.sap.engine.services.webservices.jaxm.soap.SOAPPartImpl.setContent(SOAPPartImpl.java:189)
       ... 28 more
  Caused by: com.sap.engine.lib.xml.parser.ParserException: XMLParser: Bad Attribute value: ' or " expected!(:main:, row:5, col:18)
  Appreciate your response.
  Thanks
  Kee

• SPML Modify user workflow

  Does anyone come across with this error from SPML request " <spml:errorMessage>ID 'id' is invalid. </spml:errorMessage>.
  Im getting this error while im trying to modify user with SPML request. It is using custom form and custom workflow. The same workflow and form works fine for create user, but it is giving above error for modify user. I know that create and modify user uses same workflow and form.
  If i use create user workflow (out-of-the-box), it works fine for create and modify user using SPML, but i customized .
  Any suggestion is appriciated
  -S-

  I've usually seen errors like this when the accountId is null on a workflow view checkIn operation such as this snip below (note that id is an argument).
  <Action application='com.waveset.session.WorkflowServices'>
            <Argument name='op' value='checkoutView'/>
            <Argument name='type' value='User'/>
            <Argument name='id'>
              <ref>accountId</ref>
            </Argument>What I'd suggest you try if possible is put a global error handler in your workflow like right at the top outside of any Activity such as Start and just below the variable declarations like this:
  <Comments>&#xA;      Object containing information for registering a sunset date/time.&#xA;    </Comments>
        </Variable>
        <Variable name='error'>
          <Comments>Set in the event of unusual processing errors.</Comments>
        </Variable>
        <Variable name='options'>
          <Comments>Options to pass to the provisioning task regarding resource&#xA;              provisioning.&#xA;    </Comments>
        </Variable>
       <Transition to='end'>
  <Comments>&#xA; Terminate if we encounter unusual errors (not provisioning errors).&#xA; </Comments>
  <select>
  <ref>error</ref>
  <ref>WF_ACTION_ERROR</ref>
  </select>
  </Transition>
        <Activity id='0' name='start'>
          <Transition to='Rename'>
            <notnull>Then use the Workflow debugger to set a breakpoint on this <select> code and then you can trap the point in which the error occurs and inspect the variable namespace. If you don't want to use the debugger you could use the dumpView method:
  <invoke name='dumpFile'>
           <ref>user</ref>
           <s>c:/temp/requestAccess-userView.xml</s>
  </invoke> If you using activeSync and you're seeing this error I'd be tempted to breakpoint the activeSync userForm and simply step through the execution of the workflow until you find the error. Before the debugger was introduced debugging workflow errors was a world of pain.
  HTH,
  Paul

• Modify Script to Create User Role on Single Database.

  Hi All,
  Below is the script to create user role on database. Here problem is when I execute this script, it creates user role for all database within an instance and I want it to create user role only on 2 database say TEST1 and TEST2
  Can anyone help me to modify the script? 
  --===================================================================================
  -- Description
  -- Database Type: MSSQL
  -- This script creates a role called 'gdmmonitor' for ALL databases.
  -- It grants some system catalogs to this role to allow Classification and Assessment on the database.
  -- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
  -- before runnign this script
  --  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
  --  This sqlguard login doesn't need to be added to any database or given
  --  any privilege.  The script will take care of that.
  --  Note:
  --   If you wish to use a different login name (instead of 'sqlguard') you need to change
  --   the value of the variable '@Guardium_user' in the script below; 
  --   (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
  -- after runnign this script
  -- Nothing to do, the script already creates the db user
  -- User/Password to use
  -- User: sqlguard (or any other name, if changed)
  -- Pass: user defined
  -- Role: gdmmonitor
  --===================================================================================
  PRINT '>>>==================================================================>>>'
  PRINT '>>> Creating role: "gdmmonitor" at the server level.'
  PRINT '>>>==================================================================>>>'
  -- Change to the master database
  USE master
  -- *** If a different login name is desired, define it here. ***
  DECLARE @Guardium_user AS varchar(50)
  set @Guardium_user = 'sqlguard'
  DECLARE @dbName AS varchar(256)
  DECLARE @memberName AS varchar(256)
  DECLARE @dbVer AS nvarchar(128)
  SET     @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
  SET     @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
  IF (@dbVer = '8') SET @dbVer = '2000'
  ELSE IF (@dbVer = '9')  SET @dbVer = '2005'
  ELSE IF (@dbVer = '10')  SET @dbVer = '2008'
  ELSE IF (@dbVer = '11')  SET @dbVer = '2012'
  ELSE SET @dbVer = '''Unsupported Version'''
  IF (@dbVer != '2000')
  BEGIN
    -- This privilege is required to peform a specific MSSQL test.
    -- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key) 
    -- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop 
    -- Purpose: To display provider property, not changing anything.
    PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
    EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
  END
  SELECT  @dbName = DB_NAME()
  PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
  -- find any members of the role if they exist
  CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
  INSERT INTO #rolemember
  SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
  WHERE usr.uid = mbr.memberuid
  AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
  --  Drop the Role Members If they exist
  IF EXISTS (SELECT count(*) FROM #rolemember)
  BEGIN
    PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
    DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
    OPEN DropCursor
    FETCH DropCursor INTO @memberName
    WHILE @@Fetch_Status = 0
     BEGIN
      PRINT '==> Dropping member: ''' + @memberName + ''''
      exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
      FETCH DropCursor INTO @memberName
     END
    CLOSE DropCursor
    DEALLOCATE DropCursor
  END
  -- drop the role if it exists
  IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
  BEGIN
    PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
    exec sp_droprole 'gdmmonitor'
  END
  -- Create the role
  PRINT '==> Creating the role gdmmonitor on: ' + @dbName
  exec sp_addrole 'gdmmonitor'
  -- Grant select privileges to the role for MSSql Common
  PRINT '==> Granting common SELECT privileges on: ' + @dbName
  GRANT SELECT ON dbo.spt_values     TO gdmmonitor
  GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
  GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
  GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
  GRANT SELECT ON dbo.sysusers       TO gdmmonitor
  GRANT SELECT ON dbo.sysconfigures  TO gdmmonitor
  GRANT SELECT ON dbo.sysdatabases   TO gdmmonitor
  GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
  GRANT SELECT ON dbo.syslogins      TO gdmmonitor
  GRANT SELECT ON dbo.syspermissions TO gdmmonitor
  -- Grant execute privileges to the role for MSSql Common
  PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
  GRANT EXECUTE ON sp_helpdbfixedrole    TO gdmmonitor
  GRANT EXECUTE ON sp_helprotect         TO gdmmonitor
  GRANT EXECUTE ON sp_helprolemember     TO gdmmonitor
  GRANT EXECUTE ON sp_helpsrvrolemember  TO gdmmonitor
  GRANT EXECUTE ON sp_tables             TO gdmmonitor
  GRANT EXECUTE ON sp_validatelogins     TO gdmmonitor
  GRANT EXECUTE ON sp_server_info       TO gdmmonitor
  -- Check if the version is 2005 or greater
  IF (@dbVer != '2000')
  BEGIN
    -- Grant select privileges to the role for MSSql 2005 and above
    PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
    GRANT SELECT ON sys.all_objects           TO gdmmonitor
    GRANT SELECT ON sys.database_permissions  TO gdmmonitor
    GRANT SELECT ON sys.database_principals   TO gdmmonitor
    GRANT SELECT ON sys.sql_logins            TO gdmmonitor
    GRANT SELECT ON sys.sysfiles              TO gdmmonitor
    GRANT SELECT ON sys.database_role_members TO gdmmonitor 
    GRANT SELECT ON sys.server_role_members   TO gdmmonitor 
    GRANT SELECT ON sys.configurations        TO gdmmonitor
    GRANT SELECT ON sys.master_key_passwords  TO gdmmonitor
    GRANT SELECT ON sys.server_principals     TO gdmmonitor
    GRANT SELECT ON sys.server_permissions    TO gdmmonitor
    GRANT SELECT ON sys.credentials    
     TO gdmmonitor
    --This is called by master.dbo.sp_MSset_oledb_prop.  
    --By defautl it should have already been granted to public. 
    GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
    GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR 
  END
  -- Re-add the dropped members
  IF EXISTS (SELECT 1 FROM #rolemember)
  BEGIN
    PRINT '==> Re-adding the role members on: ' + @dbName
    DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
    OPEN DropCursor
    FETCH DropCursor INTO @memberName
    WHILE @@Fetch_Status = 0
      BEGIN
       PRINT '==> Re-adding member: ''' + @memberName + ''''
       exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
       FETCH DropCursor INTO @memberName
      END
    CLOSE DropCursor
    DEALLOCATE DropCursor
  END
  -- END of role creation on database
  PRINT '==> END of role creation on: ' + @dbName
  PRINT ''
  -- Change to the msdb database
  USE msdb
  set @memberName = ''
  SELECT  @dbName = DB_NAME()
  PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
  -- find any members of the role if it exists
  TRUNCATE TABLE #rolemember
  INSERT INTO #rolemember
  SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
  WHERE usr.uid = mbr.memberuid
  AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
  --  Drop the Role Members If they exist
  IF EXISTS (SELECT count(*) FROM #rolemember)
  BEGIN
    PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
    DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
    OPEN DropCursor
    FETCH DropCursor INTO @memberName
    WHILE @@Fetch_Status = 0
     BEGIN
      PRINT '==> Dropping member: ''' + @memberName + ''''
      exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
      FETCH DropCursor INTO @memberName
     END
    CLOSE DropCursor
    DEALLOCATE DropCursor
  END
  -- drop the role if it exists
  IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
  BEGIN
    PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
    exec sp_droprole 'gdmmonitor'
  END
  -- Create the role
  PRINT '==> Creating the gdmmonitor role on: ' + @dbName
  exec sp_addrole 'gdmmonitor'
  -- Grant select privileges to the role for MSSql Common
  PRINT '==> Granting common SELECT privileges on: ' + @dbName
  GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
  GRANT SELECT ON dbo.sysusers       TO gdmmonitor
  GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
  GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
  GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
  GRANT SELECT ON dbo.syspermissions TO gdmmonitor
  GRANT SELECT ON dbo.backupset   TO gdmmonitor
  -- Check if the version is 2005 or greater
  IF (@dbVer != '2000')
  BEGIN
    -- Grant select privileges to the role for MSSql 2005 and above
    PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
    GRANT SELECT ON sys.all_objects TO gdmmonitor
    GRANT SELECT ON sys.database_permissions TO gdmmonitor
    GRANT SELECT ON sys.database_principals TO gdmmonitor
    GRANT SELECT ON sys.sysfiles TO gdmmonitor
    -- Grant execute privileges to the role for MSSql 2005 or above
    PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
    GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
    GRANT SELECT ON sys.database_role_members  TO gdmmonitor
  END
  IF (@dbVer > '2000' and @dbVer < '2012') 
  --This sp is not available in SQL 2012
  BEGIN
    GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
  END
  -- Re-add the dropped members
  IF EXISTS (SELECT count(*) FROM #rolemember)
  BEGIN
    PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
    DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
    OPEN DropCursor
    FETCH DropCursor INTO @memberName
    WHILE @@Fetch_Status = 0
      BEGIN
       PRINT '==> Re-adding member: ''' + @memberName + ''''
       exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
       FETCH DropCursor INTO @memberName
      END
    CLOSE DropCursor
    DEALLOCATE DropCursor
  END
  -- drop the temporary table
  DROP TABLE #rolemember
  -- END of role creation on database
  PRINT '==> END of gdmmonitor role creation on: ' + @dbName
  -- Role creation complete
  PRINT '<<<==================================================================<<<'
  PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
  PRINT '<<<==================================================================<<<'
  PRINT ''
  PRINT '>>>==================================================================>>>'
  PRINT '>>> Starting application database role creation'
  PRINT '>>>==================================================================>>>'
  use master
  DECLARE @databaseName AS varchar(80)
  DECLARE @executeString AS varchar(7950)
  DECLARE @dbcounter as int   
  set @dbcounter = 0
  DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
  and not (status & 1024 > 1)
  --read only
  and not (status & 4096 > 1)
  --single user
  and not (status & 512 > 1)
  --offline
  and not (status & 32 > 1)
  --loading
  and not (status & 64 > 1)
  --pre recovery
  and not (status & 128 > 1)
  --recovering
  and not (status & 256 > 1)
  --not recovered
  and not (status & 32768 > 1)
  --emergency mode
  OPEN DatabaseCursor
  FETCH DatabaseCursor INTO @databaseName
  WHILE @@Fetch_Status = 0
  BEGIN
  set @dbcounter = @dbcounter + 1     
  set @databaseName = '"' + @databaseName + '"'  
  set @executeString = ''
  set @executeString = 'use ' + @databaseName + ' ' +
           'PRINT ''>>>==================================================================>>>'' ' +
           'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
           'PRINT ''>>>==================================================================>>>'' ' +
         '/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
         'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
         '/*find any members of the role if it exists*/ ' +
           'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
           'INSERT INTO #rolemember ' +
           'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
           'WHERE usr.uid = mbr.memberuid ' +
           'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
           '/*Drop the Role Members If they exist*/ ' +
           'IF EXISTS (SELECT * FROM #rolemember) ' +
           'BEGIN ' +
             'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
             'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
             'OPEN DropCursor ' +
             'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
             'WHILE @@Fetch_Status = 0 ' +
               'BEGIN ' +
               'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'END ' +
             'CLOSE DropCursor ' +
             'DEALLOCATE DropCursor ' +
           'END ' +
           '/*drop the role if it exists*/ ' +
           'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
           'BEGIN ' +
             'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
             'exec sp_droprole ''gdmmonitor'' ' +
           'END ' +
           '/* Create the role */ ' +
           'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
           'exec sp_addrole ''gdmmonitor'' ' +
           '/* Grant select privileges to the role for MSSql Common */ ' +
           'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
           'GRANT SELECT ON dbo.sysmembers     TO gdmmonitor ' +
           'GRANT SELECT ON dbo.sysobjects     TO gdmmonitor ' +
           'GRANT SELECT ON dbo.sysprotects    TO gdmmonitor ' +
           'GRANT SELECT ON dbo.sysusers       TO gdmmonitor ' +
           'GRANT SELECT ON dbo.sysfiles       TO gdmmonitor ' +
                 'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
           '/* Check if the version is 2005 or greater */ ' +
           'IF (' + @dbVer + ' != ''2000'') ' +
           'BEGIN ' +
             '/* Grant select privileges to the role for MSSql 2005 and above */ ' +
             'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
             'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
             'GRANT SELECT ON sys.all_objects          TO gdmmonitor ' +
             'GRANT SELECT ON sys.database_principals  TO gdmmonitor ' +
             'GRANT SELECT ON sys.sysfiles      TO gdmmonitor ' +          
             'GRANT SELECT ON sys.database_role_members  TO gdmmonitor ' +           
           'END ' +
           '/* Re-add the dropped members */ ' +
           'IF EXISTS (SELECT 1 FROM #rolemember) ' +
           'BEGIN ' +
             'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
             'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
             'OPEN DropCursor ' +
             'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
             'WHILE @@Fetch_Status = 0 ' +
               'BEGIN ' +
                 'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                 'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'END ' +
             'CLOSE DropCursor ' +
             'DEALLOCATE DropCursor ' +
           'END ' +
           '/* drop the temporary table */ ' +
           'DROP TABLE #rolemember ' +
           'PRINT ''<<<==================================================================<<<'' ' +
           'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
           'PRINT ''<<<==================================================================<<<'' ' +
           'PRINT '' ''' +
           'PRINT '' '''
  execute (@executeString)
  FETCH DatabaseCursor INTO @databaseName
  END
  CLOSE DatabaseCursor
  DEALLOCATE DatabaseCursor
  --  Adding user to all the databases
  --  and grant gdmmonitor role, only if login exists.
  PRINT '>>>==================================================================>>>'
  PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
  PRINT '>>> on all databases.'
  PRINT '>>>==================================================================>>>'
  USE master
  /* Check if @Guardium_user is a login exist, if not do nothing.*/
  IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
  BEGIN
    PRINT ''
    PRINT '************************************************************************'
    PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
    PRINT '***        Please add the login and re-run this script.'
    PRINT '************************************************************************'
    PRINT ''
  END
  ELSE
  BEGIN
    DECLARE @counter AS smallint
    set @counter = 0
    --  This loop runs 4 time just to make sure that the @Guardium_user gets added to all db.
    --  99% of the time, this is totally unnecessary.  But in some rare case on SQL 2005
    --  the loop skips some databases when it tried to add the @Guardium_user.
    --  After two to three executions, the user is added in all the dbs.
    --  Might be a SQL Server bug.
    WHILE @counter <= 3
    BEGIN
    set @counter = @counter + 1
      set @databaseName = ''
      set @executeString = ''
      DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
      where not (status & 1024 > 1)
  --read only
      and not (status & 4096 > 1)
  --single user
      and not (status & 512 > 1)
  --offline
      and not (status & 32 > 1)
  --loading
      and not (status & 64 > 1)
  --pre recovery
      and not (status & 128 > 1)
  --recovering
      and not (status & 256 > 1)
  --not recovered
  and not (status & 32768 > 1)
  --emergency mode    
      OPEN DatabaseCursor
      FETCH DatabaseCursor INTO @databaseName
      WHILE @@Fetch_Status = 0
      BEGIN
      set @databaseName = '"' + @databaseName + '"' 
      set @executeString = ''
      set @executeString = 'use ' + @databaseName + ' ' +
               '/*Check if the login already has access to this database */ ' +
               'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
               'BEGIN ' +
                '/*Check if login already have gdmmonitor role*/ ' +
                'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
              'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
              'AND usr.name = ''' + @Guardium_user + ''') ' +
                'BEGIN ' +
                'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
                'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                'PRINT '' ''' +
                'END ' +
               'END ' +
               'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
               'BEGIN ' +
               'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
               'execute sp_adduser [' + @Guardium_user + '] ' +
               'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database '  + @databaseName + ''' ' +
               'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
               'PRINT '' ''' +
               'END '
      execute (@executeString)
      FETCH DatabaseCursor INTO @databaseName
      END
      CLOSE DatabaseCursor
      DEALLOCATE DatabaseCursor
    END   -- end while
    -- Required for Version 2005 or greater.
    IF (@dbVer != '2000')
    BEGIN
      -- Grant system privileges to the @guardium_user.  This is a requirement for >= SQL 2005
      -- or else some system catalogs will filter our result from assessment test.
      -- This will show up in sys.server_permissions view.
      PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
      execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
      execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
    END
    PRINT '<<<==================================================================<<<'
    PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
    PRINT '<<< on all databases.'
    PRINT '<<<==================================================================<<<'
    PRINT ''
  END
  GO

  Thanks a lot Sir... it worked.
  Can you also help me in troubleshooting below issue?
  This script is working fine on all databases except one MS SQL 2005 database. build of this database is 9.00.3042.00
  SA account with highest privileges is been used for script execution. errors received are as follow:
  >>>==================================================================>>>
  >>> Creating role: "gdmmonitor" at the server level.
  >>>==================================================================>>>
  ==> Granting MSSSQL 2005 and above setupadmin server role
  ==> Starting MSSql 2005 role creation on database: master
  (0 row(s) affected)
  ==> Dropping the gdmmonitor role members on: master
  ==> Creating the role gdmmonitor on: master
  Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
  The procedure 'sys.sp_addrole' cannot be executed within a transaction.
  ==> Granting common SELECT privileges on: master
  Msg 15151, Level 16, State 1, Line 117
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 118
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 119
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 120
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 121
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 122
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 123
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 124
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 125
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 126
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  ==> Granting common EXECUTE privileges on: master
  Msg 15151, Level 16, State 1, Line 130
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 131
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 132
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 133
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 134
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 135
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
  Msg 15151, Level 16, State 1, Line 136
  Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.

• Function module to modify the user roles & profiles

  Hi All,
  I am working on user maintenance and i need a function module to modify the user roles & profiles.
  Thanks in Advance.
  Phani.

  i used the below fms
  BAPI_USER_ACTGROUPS_ASSIGN for assigning the roles.
  delete the profiles of the user qnd assign the profiles to the user:
  BAPI_USER_PROFILES_DELETE
  BAPI_USER_PROFILES_ASSIGN
  i used the above FMs for my requirement.
  Regards,
  Phani.

• Locked users and modify user screens modifications.

  Hi,
  Need a suggestion how to...:
  1. Filter locked users list screen so it will display
  users locked with a particular reason only.
  2. Make "modify user" action (available from locked
  users and users search result lists) to display my
  edit user form instead of portal's default one.
  Thank you,
  Yuri

  Hi;
  1. How can I log in to SYS account despite being locked. Is it because i logged in through external authentication?set ORACLE_HOME, ORACLE_SID than
  sqlplus "/as sysdba"
  alter user xx account unlock;
  2. Is locking the SYS user a standard practise ? If so, why ?
  SYS and SYSTEM are default users, created with the creation of the database. Although they have much power - as they are granted the DBA role - they're still ordinary users. Because SYS owns the data dictionary, (s)he is considered a bit more special than SYSTEM. But SYS has the SYSDBA privilege which SYSTEM doesn't. This makes it possible for SYS to become a very very powerful user. This is the case when (s)he connects as sys/password as SYSDBA or / as sysdba. The as sysdba phrase is a request to aqcuire the privileges associated wht the single SYSDBA system privileges (see here).
  Source:
  http://www.adp-gmbh.ch/ora/misc/sys_system_internal.html
  Regard
  Helios

• Custom plugin based on user role membership

  Hi all,
  I would like to develope a custom plugin that generates account userid (on process form) with different syntax against role membership.
  With "syntax" I mean name.surname.random_number for employee users and surname.company.random_number for example.
  I'll try to explain the scenario more in details:
  1. I create a user identity through a request
  2. After user identity has created successfully, I assign a role to the user. Since roles are associated with access policies, role assignment triggers provisioning on target system.
  3. The custom plugin that I would like to develope shuold be able to generate proper userid against role membership. For example if I assigned the role "Project Manager" the custom plugin should generate the account userid with name.surname.random_number format; viceversa if I assigned the role "External Reseller" the custom plugin should generate the account userid with surname.company.random_number format.
  Looking for custom plugin based on role membership in forum, I found a couple of threads about this subject:
  - Email notifications after role grant
  - Re: OIM 11g Role Membership Event Handlers.
  I tried to implement what explained in the threads, but I would be sure about what I've done.
  Here what I've done:
  1. created plugin.xml file
  2. created EventHandler.xml metadata file
  3. developed a java calss for testing pourpose
  4. copied the custom plugin class to OIM server for example in $MIDDLEWARE_HOME/OIMPlugins/lib
  NOTE: during this operation I have exactly mantained the same directory structure of custom java package.
  For example custom plugin class is under my.custom.plugin java package and I have copied custom java class under $MIDDLEWARE_HOME/OIMPlugins/lib/my/custom/plugin folder
  5. created a zip file containing custom plugin class (always with its directory structure) and plugin.xml file
  6. copied the zip file to $OIM_HOME/server/plugins
  7. edited ant.properties file (under $OIM_HOME/server/plugin_utility) setting wls.home and oim.home variables
  8. built the wlfullclient.jar (only the first time)
  9. registered the custom plugin
  10. created the custom plugin dataset file
  11. imported it in OIM database using "weblogicImportMetadata" utility
  12. purged cache using "PurgeCache" utility
  NOTE: all the steps above was executed using the system user running OIM process
  test java class
  package com.zeropiu.sky.custom.eventhandlers;
  import java.io.Serializable;
  import java.util.HashMap;
  import com.thortech.util.logging.Logger;
  import oracle.iam.platform.kernel.spi.ConditionalEventHandler;
  import oracle.iam.platform.kernel.spi.PostProcessHandler;
  import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
  import oracle.iam.platform.kernel.vo.BulkEventResult;
  import oracle.iam.platform.kernel.vo.BulkOrchestration;
  import oracle.iam.platform.kernel.vo.EventResult;
  import oracle.iam.platform.kernel.vo.Orchestration;
  import oracle.iam.platform.context.ContextManager;
  import java.util.Set;
  public class TestUserAnonimi implements PostProcessHandler, ConditionalEventHandler {
       private static final Logger logger = Logger.getLogger("com.zeropiu.sky.custom.eventhandlers");
  private static final String className = "TestUserAnonimi";
       @Override
       public void initialize(HashMap<String, String> arg0) {
            // TODO Auto-generated method stub
            String methodName = "initialize";
            System.out.println("###### " + className + " - " + methodName);
       @Override
       public boolean isApplicable(AbstractGenericOrchestration abstractGenericOrchestration) {
            // TODO Auto-generated method stub
            String methodName = "isApplicable";
  System.out.println("###### " + className + " - " + methodName + " - STARTED");
  System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextType(): " + ContextManager.getContextType());
  System.out.println("###### " + className + " - " + methodName + " - ContextManager.getContextSubType(): " + ContextManager.getContextSubType());
  System.out.println("###### " + className + " - " + methodName + " - abstractGenericOrchestration.getOperation(): " + abstractGenericOrchestration.getOperation());
  System.out.println("###### " + className + " - " + methodName + " - Printing ContextManager parameters");
  HashMap allContextManagerPairs = ContextManager.getAllValuesFromCurrentContext();
  Set<String> allContextManagerParams = allContextManagerPairs.keySet();
  String[] parameters = allContextManagerParams.toArray(new String[allContextManagerParams.size()]);
  for (int i = 0; i < parameters.length; i++) {
            System.out.println("###### " + className + " - " + methodName + " - Context parameter " + i + ": " + parameters[i] + " - Object type is: " + Utils.getObjectType(ContextManager.getValue(parameters)));
  System.out.println("###### " + className + " - " + methodName + " - ENDED");
  return true;
       @Override
       public boolean cancel(long arg0, long arg1,     AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "cancel";
            System.out.println("###### " + className + " - " + methodName);
            return false;
       @Override
       public void compensate(long arg0, long arg1, AbstractGenericOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "compensate";
            System.out.println("###### " + className + " - " + methodName);
       @Override
       public EventResult execute(long arg0, long arg1, Orchestration orchestration) {
            // TODO Auto-generated method stub
            String methodName = "Eventresult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
       @Override
       public BulkEventResult execute(long arg0, long arg1, BulkOrchestration arg2) {
            // TODO Auto-generated method stub
            String methodName = "BulkEventResult execute";
            System.out.println("###### " + className + " - " + methodName);
            return null;
  plugin.xml file
  <?xml version="1.0" encoding="UTF-8"?>
  <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <plugins pluginpoint="oracle.iam.platform.kernel.spi.EventHandler">
  <plugin pluginclass="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" version="1.0" name="TestUserAnonimi">
  </plugin>
  </plugins>
  </oimplugins>
  EventHandler.xml metadata file
  <?xml version='1.0' encoding='UTF-8'?>
  <eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/platform/kernel orchestration-handlers.xsd">
  <action-handler class="com.zeropiu.sky.custom.eventhandlers.TestUserAnonimi" entity-type="RoleUser" operation="CREATE" name="TestUserAnonimi" stage="preprocess" order="1007" sync="FALSE" />
  </eventhandlers>When I assign a role to a user through OIM web interface, I can see in OIM log file all System.out.println contained in initialize(), isApplicable() and BulkEventResult execute() methods. Is it correct? Can I implement my custom plugin logic now, or my starting point is wrong?
  ###### TestUserAnonimi - initialize
  ###### TestUserAnonimi - isApplicable - STARTED
  ###### TestUserAnonimi - isApplicable - ContextManager.getContextType(): ADMIN
  ###### TestUserAnonimi - isApplicable - ContextManager.getContextSubType():
  ###### TestUserAnonimi - isApplicable - abstractGenericOrchestration.getOperation(): CREATE
  ###### TestUserAnonimi - isApplicable - Printing ContextManager parameters
  ###### TestUserAnonimi - isApplicable - Context parameter 0: origuser - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 1: oimuser - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 2: RESOLVED_LOCALE - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 3: counter - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 4: TIME_ZONE - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - Context parameter 5: ipaddress - Object type is: java.lang.String
  ###### TestUserAnonimi - isApplicable - ENDED
  ##### TestUserAnonimi - BulkEventResult execute
  Thanks,
  Daniele
  Edited by: 886636 on Jan 24, 2012 2:53 AM
  Edited by: 886636 on Jan 24, 2012 2:53 AM

  Probably I don't explain myself clearly....sorry for that!
  Anyway you are right, the role of the user can change after the user is initially provisioned.
  I'll try to summarize to be sure to have understood your answer and to explain my scenario more in details:
  1. After user identity creation, I'll assign the role "Project Manager". Before role assignment the user has not any role. So using a pre-populate adapter I can retrieve the assigned role and compose the right userid.
  2. After step 1, I need to assign another role to the user, the new role should be "External Reseller" for example. In this case the user has a role already. What I would is: basing on the role that I'm assigning (External Reseller), the pre-populate should compose the right userid. Obviously this second userid will be different from the first one and this means a new account will be created for the user. At the moment I don't care to deprovisioning the first userid.
  Is it possible with pre-populate adapter?
  Sorry again for my not very clear explanations.
  Daniele
  Edited by: 886636 on Jan 24, 2012 4:10 AM

• OIM 11g Modify User Profile for Updating End Date

  Hi Gurus!
  We have an OIM implementation where users may request the creation of other users by means of a Create User request template. In this template we set the End Date to be 3 months after the request date.
  In order for the requester to extend the period of a user's OIM user account (along with its provisioned resources) we customized a Modify User Profile by displaying the End Date field and automatically populate it again to 3 months after the request date. Also we developed a custom event handler to enable the user when it is disabled and the End Date is updated to a future date.
  This Modify User Profile is working great when the user is still enabled (the End Date is still in the future), however, when the End Date has passed (and the user is Disabled) the requester is not able to see the user when selecting the Modify User Profile request template.
  Is there a way to allow requesters to also see disabled users in the Modify User Profile request template?
  Thank you in advance.
  Regards,

  Hi Kevin,
  thanks for your reply!
  But, in this case, when the user is already disabled due to his End Date, how can a requester, through the Self Service TAB, enable it?
  The Enable User request template does not work since when trying to enable the user, OIM sees the End Date is already passed and the DataSet validation throws an exception.
  The only way I saw was providing a Modify User Profile Request template to change the End Date and developing a custom event handler to enable the user upon the extension of the End Date...
  How can, in this situation, a requester enable the user and extend its End Date?
  Thank you!
  Regards,

• Windows Small Business Server User Roles - Missing or deleted

  I have a small business server sbs 2008 r2.
  The user roles, Standard, Administrator, Standard w/ admin are no longer available. I don't know why, or how. All I can guess is the previous IT admin, removed the roles, without permission.
  I am wondering is there a way to simply get them back?

  As Robert says, You can create them manually.
  http://technet.microsoft.com/en-us/library/cc794287(v=ws.10).aspx
  KnowHow :
   Behind the scenes, each User Role is created as a disabled user account in Active Directory, and these accounts are used as “Templates” for user creation. To view these, open Active Directory Users and Computers (from the
  Administrative Tools start menu folder, or through Start à Type “dsa.msc” and press enter. Drill down to the SBSUsers folder under “<yourdomain>\MyBusiness\Users\” and you’ll see several disabled user accounts listed.
  Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• How to create/get user & role in Weblogic 9.2 programmatically?

  Hi,
  I am new to Weblogic 9.
  I need to create a web service to manage user/role in WebLogic 9.
  Searching thru the web and found some classes like:
  AtnSecurityMgmtHelper, AtnProviderDescription etc
  Are those the correct classes to create/retrieve user & role?
  If so, what jar file contains those classes and where is the jar
  file?
  Thanks in advance,
  Terry

  You can do it with WLST help
  http://e-docs.bea.com/wls/docs92/config_scripting/config_WLS.html#wp1019913
  or via JMX through http://e-docs.bea.com/wls/docs92/javadocs/weblogic/management/security/authentication/UserEditorMBean.html and such

• How to add a new tab on modify user form

  Hi,
  In OIM11g, we can assign roles to a user using a tab named Roles in the modify user form. I want to add a new custom tab alongside all the already present tabs.
  The new custom attribute functions the same as 'Roles' in OIM.
  Does OIM11g provide any functionlity to do so?
  Thanks..

  Have you seen the 11g tutorial thing about adding a Custom ADF tabs in OIM Self Service Console at
  http://apex.oracle.com/pls/apex/f?p=9830:37:3242381082783477::NO:RIR:IR_PRODUCT,IR_PRODUCT_SUITE,IR_PRODUCT_COMPONENT,IR_RELEASE,IR_TYPE,IRC_ROWFILTER,IR_FUNCTIONAL_CATEGORY:,,,OIM_11g,,,
  Is that any help?
  Also, more general advice on customising OIM 11g is available at:
  http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309/uicust.htm
  Try metalink too because there may be examples of how to do stuff with OIM 11g there.
  Good luck