Nested groups, multi-valued groups, nested roles, multi-valued roles

Does OID support
1) groups, nested groups and multi-valued groups
2) nested roles and multi-valued roles
Thanks in advance

You will typically see problems when multi-valued attributes are in the range of 10k-20k values. 10 values in a multi-valued attribute should not have much impact at all.

Similar Messages

  • User= Group= SubGroup= Role: Now working when this link is used

    Hi,
    We are using EP 5.0 with LDAP 7.6. When a user id is created it is attached to a group, and the group is attached to a role. I introduced a nested group in this link, so the user id is attached to a group, the group is attached to a sub group and the sub group is attached to a role. When I did this and logged in to the portal system, the roles were not seen in the portal.
    Below are the things which I did.
    When a user id (e.g. MYTEST1) is created it is attached to a group (e.g. ESS_GE) by the code below.
        // lc (LDAPConnection), userid, groupsRoot and peopleRoot are set up elsewhere in the class
        String group = "ESS_GE";
        String groupdn = "cn=" + group.toUpperCase() + "," + groupsRoot;
        String userdn = "cn=" + userid.toUpperCase() + "," + peopleRoot;
        // modifications for group and user
        LDAPModification[] modGroup = new LDAPModification[2];
        LDAPModification[] modUser  = new LDAPModification[2];
        // Add modifications to modUser
        LDAPAttribute membership = new LDAPAttribute("groupMembership", groupdn);
        modUser[0] = new LDAPModification(LDAPModification.ADD, membership);
        LDAPAttribute security = new LDAPAttribute("securityEquals", groupdn);
        modUser[1] = new LDAPModification(LDAPModification.ADD, security);
        // Add modifications to modGroup
        LDAPAttribute member = new LDAPAttribute("uniqueMember", userdn);
        modGroup[0] = new LDAPModification(LDAPModification.ADD, member);
        LDAPAttribute equivalent = new LDAPAttribute("equivalentToMe", userdn);
        modGroup[1] = new LDAPModification(LDAPModification.ADD, equivalent);
        // Modify the user's attributes
        lc.modify(userdn, modUser);
        // Modify the group's attributes
        lc.modify(groupdn, modGroup);
    The group is attached to a role (EP_GE_USER_ROLE). So the link is User => Group => Role, which is MYTEST1 => ESS_GE => EP_GE_USER_ROLE. This link is working perfectly.
    I introduced a nested group and changed the link to User => Group => Sub_Group => Role, which is MYTEST1 => ESS_GE => ESS_GE_ONLINE => EP_GE_USER_ROLE.
    After this, when I log in with the user id MYTEST1, the roles which are attached to ESS_GE_ONLINE are not shown. Any idea why the roles which are attached to group ESS_GE_ONLINE are not transferred to the ESS_GE group? Do I have to add any other LDAP attributes apart from the ones which are coded below?
        String group1 = "ESS_GE";
        String group2 = "ESS_GE_ONLINE";
        String groupdn1 = "cn=" + group1.toUpperCase() + "," + groupsRoot;
        String groupdn2 = "cn=" + group2.toUpperCase() + "," + groupsRoot;
        LDAPModification[] modGroup1 = new LDAPModification[2];
        LDAPModification[] modGroup2 = new LDAPModification[2];
        // Add ESS_GE_ONLINE group to ESS_GE group
        LDAPAttribute membership1 = new LDAPAttribute("uniqueMember", groupdn2);
        modGroup1[0] = new LDAPModification(LDAPModification.ADD, membership1);
        LDAPAttribute security1 = new LDAPAttribute("equivalentToMe", groupdn2);
        modGroup1[1] = new LDAPModification(LDAPModification.ADD, security1);
        // Add ESS_GE group to ESS_GE_ONLINE group
        LDAPAttribute membership2 = new LDAPAttribute("uniqueMember", groupdn1);
        modGroup2[0] = new LDAPModification(LDAPModification.ADD, membership2);
        LDAPAttribute security2 = new LDAPAttribute("equivalentToMe", groupdn1);
        modGroup2[1] = new LDAPModification(LDAPModification.ADD, security2);
        lc.modify(groupdn1, modGroup1);
        lc.modify(groupdn2, modGroup2);
    Thanks & Regards,
    H.K.Hayath Basha.
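Resolving the membership chain above in code, as an added example that is not part of the original post: it walks uniqueMember references upward from the user, reports every group and role reached through any nesting depth, and flags membership loops such as the one the second snippet creates (ESS_GE_ONLINE listed as a member of ESS_GE while ESS_GE is listed as a member of ESS_GE_ONLINE). The directory snapshot, the suffixes and the modelling of portal roles as entries under an ou=roles subtree are constructed assumptions; the post's groupsRoot and peopleRoot values are not shown.

```python
"""Transitive group/role membership with loop detection (added example)."""

# Constructed suffixes: the post's groupsRoot/peopleRoot values are not shown.
PEOPLE_ROOT = "ou=people,o=example"
GROUPS_ROOT = "ou=groups,o=example"
ROLES_ROOT = "ou=roles,o=example"   # assumed: portal roles modelled as group-like entries


def dn(cn, root):
    """Same 'cn=<upper-cased name>,<root>' construction the post uses."""
    return f"cn={cn.upper()},{root}"


# Constructed directory snapshot: entry DN -> list of uniqueMember DNs.
# It mirrors the chain MYTEST1 => ESS_GE => ESS_GE_ONLINE => EP_GE_USER_ROLE.
DIRECTORY = {
    # The post's second snippet also lists ESS_GE_ONLINE as a member of ESS_GE;
    # together with the entry below that forms a two-group loop.
    dn("ESS_GE", GROUPS_ROOT): [dn("MYTEST1", PEOPLE_ROOT),
                                dn("ESS_GE_ONLINE", GROUPS_ROOT)],
    dn("ESS_GE_ONLINE", GROUPS_ROOT): [dn("ESS_GE", GROUPS_ROOT)],
    dn("EP_GE_USER_ROLE", ROLES_ROOT): [dn("ESS_GE_ONLINE", GROUPS_ROOT)],
}

# The intended one-way nesting: ESS_GE is a member of ESS_GE_ONLINE, not vice versa.
DIRECTORY_FIXED = dict(DIRECTORY)
DIRECTORY_FIXED[dn("ESS_GE", GROUPS_ROOT)] = [dn("MYTEST1", PEOPLE_ROOT)]


def containers_of(member_dn, directory):
    """One level up: every entry whose uniqueMember attribute lists member_dn."""
    return [entry for entry, members in directory.items() if member_dn in members]


def effective_membership(start_dn, directory):
    """Depth-first walk up the uniqueMember edges starting at start_dn.

    Returns (members_of, loops): the set of entries start_dn belongs to at any
    nesting depth, and each membership loop met on the way as a list of DNs
    (first and last element equal). A loop grants nothing extra, but a
    resolver without this check recurses forever, and a server that stops
    expanding at the loop appears to 'lose' the roles behind it.
    """
    members_of, loops, finished = set(), [], set()

    def walk(node, path):
        for parent in containers_of(node, directory):
            if parent in path:                      # back edge: a loop
                loops.append(path[path.index(parent):] + [parent])
            elif parent not in finished:            # unseen: record and climb
                members_of.add(parent)
                walk(parent, path + [parent])
        finished.add(node)

    walk(start_dn, [start_dn])
    return members_of, loops


def effective_roles(user_dn, directory, roles_root=ROLES_ROOT):
    """Roles the user holds through any chain of nested groups, sorted."""
    members_of, _ = effective_membership(user_dn, directory)
    return sorted(m for m in members_of if m.endswith("," + roles_root))


def membership_loops(directory):
    """Audit check over the whole snapshot: each distinct loop, reported once."""
    found, seen = [], set()
    for entry in directory:
        for loop in effective_membership(entry, directory)[1]:
            key = frozenset(loop)
            if key not in seen:
                seen.add(key)
                found.append(loop)
    return found


if __name__ == "__main__":
    user = dn("MYTEST1", PEOPLE_ROOT)
    print("roles via nested groups:", effective_roles(user, DIRECTORY))
    print("loops in snapshot:      ", membership_loops(DIRECTORY))
    print("loops after fix:        ", membership_loops(DIRECTORY_FIXED))
```

Against a live directory, containers_of would be replaced by a search with the filter (uniqueMember=<dn>) under the group and role subtrees; the walk and the loop check stay the same.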

    change that to the following and retest:
    Joshua Fowler wrote:
    I think you're correct. Under the Publish settings of the document, that's what "Class" points to.
    Here's the first main section of the code:
    package com.anselmbradford
    {
        import flash.display.MovieClip;
        import flash.events.TimerEvent;
        import flash.utils.Timer;

        public class Main extends MovieClip
        {
            /**
             * Create a new CountDown object, listen for updates and pass it the date to count down to.
             */
            public function Main()
            {
                var cd:CountDown = new CountDown();
                cd.addEventListener( CountDownEvent.UPDATE , _updateDisplay );
                cd.init( new Date(2015,3,9,20,00) );
            }

            /**
             * Update the display.
             */
            private function _updateDisplay( evt:CountDownEvent ) : void
            {
                // body not included in the post
            }
        }
    }
    Does this look correct?
    Thanks again!

  • Nesting roles within roles: is it used in practice?

    Can the Oracle DBA community comment on the practice of nesting one or more roles within another role? Said another way, the concept of creating a "super-group" role and assigning "sub-group" roles beneath it.
    1. Is this considered to be good or bad practice?
    2. Would you consider this easy to maintain and report on? Would you consider this to be effective for security and administration of security policies?
    3. Are there known issues (technical, performance, security, bugs, other) when nesting roles within another "super-group" role for Oracle 8i, 9i, 10g?

    I would certainly consider it good practice if your organization is structured such that the role hierarchy makes sense. If your organizational structure doesn't support this kind of hierarchy, though, it is probably a bad idea.
    If you have just a few types of users for your system-- a couple of developers, some reporting users, and a DBA or two-- having three distinct roles makes more sense to me than would giving developers the reporting user role plus access to a bunch of stored procedures. If you have more fine-grained job roles, however, it would make sense to nest roles-- a senior developer role might have the developer role plus some additional privileges to enable tracing or to do some "Jr DBA" tasks like creating a new reporting user.
    It seems easiest to me to match your privilege management to your organization and application structure-- if there are roles whose function is logically "all the responsibilities of another role plus some additional responsibilities", nest your roles. Otherwise, I would keep them separate. If you start nesting things too deeply, and you start getting down to object-level permissions, I would consider moving to something like fine-grained access control (FGAC).
    Justin
    Distributed Database Consulting, Inc.
    http://www.ddbcinc.com/askDDBC

  • MDG-S BP Grouping, BP Role, BP Category and ERP Vendor Account Group

    Hi
    Can anybody explain to me the relationship between MDG-S BP Grouping, BP Role, BP Category and ERP Vendor Account Group?
    It seems there is no required field except Change Request Description. If we input a value for CR Description only, we are still able to submit and activate the CR, and the Business Partner ID (which is internally generated) will be stored in the MDG staging table for entity type BP_HEADER.
    My question is then: what is the use of BP Grouping and BP Role in this, as they contain blank values? Also, it is observed that for a new ERP Vendor the Account Group field is always in non-editable mode. Any reason for this? The same issue occurs with Company Code: after selecting a CC it is displayed as a non-editable field before submitting the CR as well.

    Hi Sanjay,
    When you select New -> Organization, the screen below appears. In the Grouping drop-down you need to select the Vendor Account Group, and in the Role list enter the role.
    Follow the same procedure when you want to create the next vendor.
    Under the New pushbutton, you will get three options:
    Organization means you want to create a vendor.
    Person means you are creating a person, not a vendor; these persons you can assign as a contact person to the vendor in the Relationship tab.
    Regards,
    Sudhir

  • Assign SQ03 Abap Query User Group to role

    Please advise how to assign SQ03 Abap Query User Group to a role. Thanks.
    Moderator message: please do more research before asking.
    [Rules of engagement|http://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement]
    [Asking Good Questions in the Forums to get Good Answers|/people/rob.burbank/blog/2010/05/12/asking-good-questions-in-the-forums-to-get-good-answers]
    Edited by: Thomas Zloch on May 12, 2011 5:40 PM

    Hello Sunil,
    The problem is that I have hundreds of users for whom to maintain user groups.
    I found out that it is possible to assign a user group to a role and a role to user groups, implementing HR authorization with indirect assignment of authorizations. So if I could use SQ10, user groups could also be linked to positions in the org chart.
    SQ10 does allow you to assign a user group to a role, but when you assign the role to a user and the user runs a query, it reports that no user group has been assigned.
    I suspect that there must be a parameter or switch that is not turned on.
    Regards

  • Making users available for OpenSSO realm group and role assignment?? Help.

    Here is the situation. We have 3 OpenSSO realms set up. One we have called OpenSSO-Admin, a second called OpenSSO-Provider and a third OpenSSO-Internal. We are having issues provisioning and managing the OpenSSO-Internal and OpenSSO-Provider realms, but OpenSSO-Admin seems to be fine.
    Here is the behavior that is manifest.
    In the 2 'broken' realms, when we create users and assign them to the appropriate OpenSSO realm, they appear to be provisioned correctly in IDM as well as in the realm (we have validated user creation in LDAP and everything about the user appears to be fine). When we view the groups and roles in the specific resources, we are presented with a list of users that are in brackets and appear to be provisioned. The brackets indicate that the users are not found as available users. The bracketed users cannot be unassigned, nor can any others. Note: our bracketed users in the list of assigned users are created from a workflow which assigns them directly to the appropriate group and role based on their business role.
    The third realm, OpenSSO-Admin, works fine and we can add and manage users in the groups and roles within the realm.
    We have ruled out the workflow as a source, as the problem persists when we use the tool to manage users. We can create a user from scratch and add them to the realms. In the 'broken' realms, the users do not appear in the list of available users to be assigned to the groups or roles. Yet in the 'good' realm, everything appears fine. We can move users from one realm to another and the problem persists in the broken realms, but when a user is added to the 'good' realm, everything is fine.
    I have tried reconciling and get no different results.
    The question is: we have isolated that the issue seems to be in the generation / management of the left-hand "Available Users" list. How and where is this generated from, and how can we check/fix or regenerate this list?
    Thanks.
    Joe

    I should clarify. We are using Sun IDM 8.1

  • So how do nested roles work?

    I'm trying to define an admin role that can be assigned to certain users in my directory, while enabling me to define a separate password policy for just this set of users.
    What I want to do is this:
    - create a managed admin role in a specific area of my directory (e.g. ou=roles, o=suffix)
    - add users to this role (they sit in ou=users,o=suffix)
    Now, I'm aware the roles only have scope over the subtree where they are created, so I've created a nested role at the root level (o=suffix) and added the managed admin role (cn=admin role,ou=roles,o=suffix).
    As far as I'm concerned this should give my admin role scope over the whole o=suffix tree?
    Unfortunately when I try to open up access using an ACI it doesn't seem to work. The only way I can get it to work is if I create the managed role at the suffix level (i.e. cn=admin role, o=suffix) and reference that role in the ACI.
    What am I missing here?

    http://docs.iplanet.com/docs/manuals/uds/50/toolref.pdf
    Page 159
    You should read the document but there is a snippet from the doc:
    Nesting event statements
    You can nest an event statement in your statement block either by using another event statement or by invoking a method that contains an event statement.
    A typical example is when you want to open a new window and the Display method for the window contains an event loop. Another example is using the start task statement to start a new task and then use the event statement to wait for the return or exception events.
    Code Example 3-13 Nesting event statements
        event loop
            when <quit_button>.Click do
                exit;
            when <start_task>.Click do
                tsk_desc : TaskDesc;
                tsk_desc = start task o.meth() where completion = event;
                event loop
                    when o.meth_return(x = return) do
                    when o.meth_exception(e = exception, f = errs);
                    when <cancel_button>.Click do
                        tsk_desc.SetCancel();
                end event;
            when <cancel_button>.Click do
                exit;
        end event;
    If more than one event statement is registered for the same event, the event statement that is currently executing when the event reaches the top of the queue is the one that handles the event. Once the event has been handled, it is removed from the queue. Therefore, an event is never handled more than once.
    ka

  • Default group and role size

    What is the default size or number of characters allowed while creating a group or role in Oracle Identity Manager?

    By default it is 30.
    See Formmetadata.xml:
    <Attribute name="-30" label="UserGroupAdmin.message.groupName" displayComponentType="TextField" variantType="String" dataLength="30" map="Groups.Group Name" />
    You can modify it. If you want to increase it, then you'll have to increase it at the database level also:
    alter table UGP modify UGP_NAME varchar2(2000 char);
    Don't forget to restart the server.

  • Difference between Groups and roles?

    Hi All,
    What is the difference between groups and roles?
    Thanks for your time and help.

    Oracle does not have anything called a 'group'.
    A role is a named object that can contain a set of privileges. The members of the set can be individual privileges or can be another role that contains its own set of privileges. Roles can then be granted to users (or to other roles) so that those users (or roles) have the specified privileges.
    See the SQL Language reference - http://docs.oracle.com/cd/B28359_01/server.111/b28286/toc.htm
    Read the topics for CREATE ROLE, GRANT and REVOKE

  • Group, Users, Roles framework - book or article??

    Can anyone refer me to a good book or article on designing a framework to handle groups, users, roles, rights, permissions, etc. for a software system, including database tables? I have a rough idea but would like more guidance.
    thanks

    http://www.martinfowler.com/apsupp/roles.pdf
    I'd say that doesn't count either.
    Specifically, consider these two (very common) requirements:
    1. Remember My Login
    2. Display this part of my web page only if I'm a member of this site.
    By now, I'd expect platform support...
    /k1

  • AM nested roles (J2EE case)

    Hello!
    I have a classic problem here but did not find a proper solution yet:
    In the web.xml, the customer wants to state the roles as "Create Stuff", "Read Stuff", "Delete Stuff". Then he wants to create roles in AM that have access to these nested roles. That could be a "Manager" top-level role that has access to all of the sub-roles, and a "Viewer" top-level role that has access to only "Read Stuff". These top-level roles are the ones that are going to be associated with the users.
    Is there a way to achieve this with OpenSSO / Access Manager?
    I thought about creating filtered roles, but it didn't seem like the best solution.
    Thanks!
    Zica.

    Hi,
    I have tested CAS by using Delphi, and I felt that CAS was not a ripe product :(
    please have a look at http://www.jboss.org/forums/thread.jsp?forum=47&thread=16404

  • Nested roles

    Hello,
    I have a problem with nested roles. Let's say that I have two roles, Role1 and Role2. I add Role1 as a delta link to Role2. Then I assign Role2 to user A. I have a KM object (folder) which has full access assigned for users with Role1. Can I assume that user A has permission to the folder? In other words, can I construct something like composite roles by "inserting" some roles into another role?
    Thanks for answers,
    Zdenek

    Hi Zdenek,
    be aware that for each PCD "role" a corresponding UME role is created. While PCD roles can be used to structure the navigation based on the role assignment of the corresponding UME roles to users, UME roles cannot be assigned to another UME role. So the PCD structure of roles containing roles is not reflected on the UME side.
    On the other hand, KM permissions are based on the UME.
    Having this said, the answer to your question is clear, I hope: No.
    Hope it helps
    Detlev

  • Is there User Group and Role Reporting in SAP Enterprise Portal?

    I want to know if there is a way to pull user statistics out of SAP Enterprise Portal like you can out of the R3 backend systems.
    I would like functionality similar to the SUIM transaction. I know through user administration you can access any user, even a list of all users, and you can do similar lists with roles and groups. You can then access any of these things individually and look at their assignments. However, I want to do this on a large scale. I want to know, for example, every group that has a user assigned to it, every group that has roles assigned to it, or groups that have no user or role assignments. We have approximately 1904 groups in our Production Portal system and I am trying to clean up the groups that have no user assignment, but I don't want to look through them one by one.

    Hi Chris,
    There is no standard report available for this purpose. However, all this information is stored in table UME_STRINGS.
    You can write your own SQL queries to generate such reports. However, please note that this table is not normalized, and it's a master UME table. You should use it strictly for READ ONLY purposes.
    For sample code which I wrote some time back, you might refer to:
    http://forums.sdn.sap.com/thread.jspa?threadID=2088099&messageID=10859334#10859334
    Thanks
    Prashant

  • New Request/Service Offerings not displaying on Portal via Catalog Group/ User Role

    I have created some new service offerings and request offerings which I have published and are visible on the portal when logged in as an administrator.
    I have then added these new items into a catalog group which is tied to a pre-existing user role to target our IT department ( this user role is currently working fine and shows all the other IT related offerings)
    The newly published items are not showing up on the portal.
    AD sync completed with no errors.
    I have done the following to troubleshoot to no avail:
    -  created a new catalog group and user role to target the new SO RO's to
    - targeted directly to a test user rather than the AD group 
    Some other weird things that I believe to be related to this are that the contents of catalog groups appear empty on the local console, but when logging on to the SM server to launch the console all catalog group items are visible.
    We are seeing a lot of error and warning event logs, 26319 & 3333.
    Any suggestions?
    Thanks
    Pete

    Did you try to restart the Microsoft Monitoring Agent?
    Antoine AL Ibry

  • Custom Distribution Group management role (manager exception)

    My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
    By manage I mean edit the group membership. I realize I can achieve this with AD permissions, but I'd like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are technical; some are office admins. Anyway, below is what I've tried in my lab, scoped to one of my support groups.
    Using the cmdlets below I've created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other words, they can log on to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc., but when they select "Add..." under membership, then select the user and hit ok\save, they get the error "you don't have sufficient permissions. this operation can only be performed by a manager of the group".
    New-ManagementScope -Name "Sales Support DG MScope" -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot "lab.com/sales"
    New-ManagementRole -Name "Sales Support DG MRole" -Parent "Distribution Groups"
    New-RoleGroup -Name "Sales Support DG MGroup" -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
    When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role group "Sales Support DG MGroup" AND as a manager of the DG, and of every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I'm missing?
    Below confirms my scope.
    Get-Group -OrganizationalUnit "lab.com/sales" | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
    Name     DisplayName  SamAccountName  GroupType
    distro1  distro1      distro1         Universal, SecurityEnabled
    distro2  distro2      distro2         Universal, SecurityEnabled
    distro3  distro3      distro3         Universal, SecurityEnabled
    On a side note, I realize that sourcing my management role from Distribution Groups gives me more cmdlets\access than my support group needs (see below). I'm first just trying to get it to work :).
    Get-ManagementRole "Sales Support DG MRole" | Get-ManagementRoleEntry | select name
    Name
    Add-DistributionGroupMember
    Disable-DistributionGroup
    Enable-DistributionGroup
    Get-ADServerSettings
    Get-AcceptedDomain
    Get-DistributionGroup
    Get-DistributionGroupMember
    Get-DomainController
    Get-DynamicDistributionGroup
    Get-Group
    Get-MailUser
    Get-Mailbox
    Get-OrganizationalUnit
    Get-Recipient
    Get-ResourceConfig
    Get-User
    New-DistributionGroup
    New-DynamicDistributionGroup
    Remove-DistributionGroup
    Remove-DistributionGroupMember
    Remove-DynamicDistributionGroup
    Set-ADServerSettings
    Set-DistributionGroup
    Set-DynamicDistributionGroup
    Set-Group
    Set-OrganizationConfig
    Update-DistributionGroupMember
    Write-AdminAuditLog

    Hello,
    I understand that you have created a custom management scope for each group and assigned a custom role to it.
    But whenever a user tries to edit (add/remove membership), it shows the error "you don't have sufficient permissions". I faced a similar problem when we moved from 2007 to 2010; 2010 by default disabled editing options for DL membership.
    You can enable it in graphic mode or PowerShell. I would suggest that, since you have created a custom role, you follow the PowerShell mode. I had written a blog on that.
    Check the link below: http://exchange2010cmd.blogspot.de/
    You have created the new management role "Sales Support DG MRole", but you need to assign this role to users/administrators, in your case through a role assignment policy.
    You can either use the existing default policy or create a new policy and assign this management role to it.
    Use the cmd below:
    New-ManagementRoleAssignment -Role "Sales Support DG MRole" -Policy "Default Role Assignment Policy"
    NOTE: If you are creating a new policy, place that name instead of the default policy name.
    I recommend you continue with the default policy. After this, check with any admin; he should have rights to edit membership.
    Now, regarding your second concern, that your custom role has too many role entries.
    You can remove unwanted role entries.
    Use this cmd:
    Get-ManagementRoleEntry "Sales Support DG MRole\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry
    Before linking the management role to the policy, remove the unwanted role entries from the role.
    I tried to explain it in an easy way, but if it is still not understood, write back to me. I am new to the TechNet forum; I started replying to questions a few days back. If you get your answer, don't forget to propose it as the answer.
