Nesting Roles within Roles, is it used in practice?

Can the Oracle DBA community comment on the practice of nesting one or more roles within another role? Said another way, the concept of creating a "super-group" role and assigning "sub-group" roles beneath it.
1. Is this considered to be good or bad practice?
2. Would you consider this easy to maintain and report on? Would you consider it effective for security and for the administration of security policies?
3. Are there known issues (technical, performance, security, bugs, other) when nesting roles within another "super-group" role for Oracle 8i, 9i, 10g?

I would certainly consider it good practice if your organization is structured such that the role hierarchy makes sense. If your organizational structure doesn't support this kind of hierarchy, though, it is probably a bad idea.
If you have just a few types of users for your system-- a couple of developers, some reporting users, and a DBA or two-- having three distinct roles makes more sense to me than would giving developers the reporting user role plus access to a bunch of stored procedures. If you have more fine-grained job roles, however, it would make sense to nest roles-- a senior developer role might have the developer role plus some additional privileges to enable tracing or to do some "Jr DBA" tasks like creating a new reporting user.
It seems easiest to me to match your privilege management to your organization and application structure-- if there are roles whose function is logically "all the responsibilities of another role plus some additional responsibilities", nest your roles. Otherwise, I would keep them separate. If you start nesting things too deeply, and you start getting down to object-level permissions, I would consider moving to something like fine-grained access control (FGAC).
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC
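An added example, in Oracle SQL, of the hierarchy Justin describes together with the reporting queries a DBA would use to see what a user actually holds through it; this is not code from the thread. The roles, user and table (reporting_user, developer, senior_developer, alice, app_owner.customers) are made-up names. The views DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS and the CONNECT BY syntax are standard and work on the 8i/9i/10g releases asked about (recursive WITH only arrived in 11gR2).

```sql
-- Added example (not from the thread): a two-level role hierarchy of the
-- kind described above, plus the reports that show what a user really holds.
-- All role, user and object names here are made up.

-- 1. One base role per job function.
CREATE ROLE reporting_user;
CREATE ROLE developer;
CREATE ROLE senior_developer;

GRANT SELECT ON app_owner.customers TO reporting_user;
GRANT CREATE SESSION, CREATE PROCEDURE TO developer;

-- 2. Nest: developer = reporting_user + more;
--    senior_developer = developer + the "Jr DBA" tasks.
GRANT reporting_user TO developer;
GRANT developer TO senior_developer;
GRANT ALTER SESSION TO senior_developer;   -- needed to enable SQL trace
GRANT CREATE USER TO senior_developer;     -- create a new reporting user
                                           -- (powerful: audit who holds it)
GRANT senior_developer TO alice;

-- Oracle refuses cycles, so the hierarchy is always a DAG:
-- GRANT senior_developer TO reporting_user;  -- ORA-01934: circular role grant detected

-- 3. Every role ALICE holds, directly or through nesting, with its depth.
--    Dictionary names are uppercase unless the identifier was quoted.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS role_path,
       LEVEL                                      AS depth,
       admin_option
FROM   dba_role_privs
START WITH grantee = 'ALICE'
CONNECT BY PRIOR granted_role = grantee;

-- 4. Effective system privileges, with the role that carries each one.
SELECT DISTINCT p.privilege, p.grantee AS via, p.admin_option
FROM   dba_sys_privs p
WHERE  p.grantee = 'ALICE'
   OR  p.grantee IN (SELECT granted_role
                     FROM   dba_role_privs
                     START WITH grantee = 'ALICE'
                     CONNECT BY PRIOR granted_role = grantee)
ORDER BY 1;

-- 5. Effective object privileges the same way.
SELECT DISTINCT t.owner, t.table_name, t.privilege, t.grantee AS via
FROM   dba_tab_privs t
WHERE  t.grantee = 'ALICE'
   OR  t.grantee IN (SELECT granted_role
                     FROM   dba_role_privs
                     START WITH grantee = 'ALICE'
                     CONNECT BY PRIOR granted_role = grantee)
ORDER BY 1, 2, 3;

-- 6. Role-to-role grants sitting deeper than two levels below any user:
--    the point at which Justin suggests looking at FGAC instead.
SELECT grantee AS via, granted_role, LEVEL AS depth
FROM   dba_role_privs
WHERE  LEVEL > 2
START WITH grantee IN (SELECT username FROM dba_users)
CONNECT BY PRIOR granted_role = grantee
ORDER BY depth DESC;
```

Only roles flagged DEFAULT_ROLE = 'YES' in DBA_ROLE_PRIVS are enabled at login, and a nested role is enabled whenever its parent is. The last query is the maintenance report the question asks about: if it returns rows for many users, the hierarchy has grown past the two levels the example above needs.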

Similar Messages

  • Same user different roles within different organizations

    Hello All,
    We have a requirement where the same user has to have different roles within different organizations.
    What would be the solution to handle this situation using Sun IDM?
    Any inputs are greatly appreciated.
    Thanks,
    Akeel

    Let me simplify this,
    We have a requirement where a user can work for different organizations, which can be achieved in SIM using membership rules.
    Say a user works for two organizations Say Org1 and Org2.
    The user can have different roles in these 2 different organizations. For example user can have Role1 in Org1 and Role2 in Org2.
    Role1 and Role2 both are available for assignment for respective admins of both Org1 and Org2.
    Suppose Admin of Org1 assigns the user Role1; and admin of Org2 assigns the user Role2.
    Now waveset.roles will have Role1 and Role2, but it can not tell the user has which role in which organization.
    How do I specify the relationship between the role and the organization? The number of organizations is very large (70000+) and the number of identified roles is around 51.
    I don't think this can be implemented in Sun Identity Manager. Has anybody done this? Any inputs are highly appreciated.
    Regards,
    Akeel

  • Trying to add a role on a remote server using Windows PowerShell.

    I'm reading a book that wants us to install a role on a remote computer using PowerShell. The commands below are what we are supposed to use, and nothing happens. Does anyone know why?
    function Invoke-WindowsFeatureBatchDeployment {
        param (
            [parameter(Mandatory)]
            [string[]] $ComputerNames,
            [parameter(Mandatory)]
            [string] $ConfigurationFilePath
        )
        # Deploy the features on multiple computers simultaneously.
        $jobs = @()
        foreach ($ComputerName in $ComputerNames) {
            # $using: passes the caller's variables into the background job's scope
            $jobs += Start-Job -Command {
                Install-WindowsFeature -ConfigurationFilePath $using:ConfigurationFilePath -ComputerName $using:ComputerName -Restart
            }
        }
        Receive-Job -Job $jobs -Wait | Select-Object Success, RestartNeeded, ExitCode, FeatureResult
    }
    Then after this he states it is going to want a few parameters, for example:
    # Sample Invocation
    $ServerNames = 'TestServer_01', 'LabServer_02'
    Invoke-WindowsFeatureBatchDeployment -ComputerNames $ServerNames -ConfigurationFilePath C:\RemoteDesktopConfig.xml

    I've been working on this for the last hour or so and here is what I got. Any ideas?
    PS C:\Users\Administrator> foreach ($computerName in $ComputerNames) {
    >> param (
    >> [parameter (mandatory) ]
    >> [string[]] $ComputerNames,
    >> [parameter (mandatory)]
    >> [string] $ConfigurationFilePath
    >> )
    >> $jobs = @()
    >> foreach ($computerName in $ComputerNames) {
    >> $jobs += Start-Job -Command {
    >> Instal-WindowsFeature
    >> -ConfigurationFilePath
    >> $using:ConfigurationFilePath
    >> -ComputerName
    >> $using:ComputerName
    >> }
    >> }
    >> Receive-Job -Job $jobs -Wait | Select-Object
    >> }
    >> $ServerNames = 'WIN-AN69NIQ6ARI'
    >> Invoke-WindowsFeatureBatchDeployment
    >> -ComputerNames $ServerNames
    >> -ConfigurationFilePath C:\Users\Administrator\Desktop\DeploymentConfigTemplate.xml
    >>
    Invoke-WindowsFeatureBatchDeployment : The term 'Invoke-WindowsFeatureBatchDeployment' is not recognized as the name
    of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
    verify that the path is correct and try again.
    At line:21 char:1
    + Invoke-WindowsFeatureBatchDeployment
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Invoke-WindowsFeatureBatchDeployment:String) [], CommandNotFoundExcepti
       on
        + FullyQualifiedErrorId : CommandNotFoundException
    -ComputerNames : The term '-ComputerNames' is not recognized as the name of a cmdlet, function, script file, or
    operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    again.
    At line:22 char:1
    + -ComputerNames $ServerNames
    + ~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (-ComputerNames:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    -ConfigurationFilePath : The term '-ConfigurationFilePath' is not recognized as the name of a cmdlet, function, script
    file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
    and try again.
    At line:23 char:1
    + -ConfigurationFilePath C:\Users\Administrator\Desktop\DeploymentConfigTemplate.x ...
    + ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (-ConfigurationFilePath:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

  • Which role does a transaction iView using SAP GUI for HTML need?

    hi all
    I made a transaction iView using the SAP GUI for HTML, added this iView to a role, and added the role to a user; the user has only this role. When I log on to the portal with this user, it gives me an error message:
    portal runtime error....
    Does it need another role?
    Also, when I go to user mapping for the user, I can't find any of the systems that I have configured.
    But I can do everything with the admin user.
    What can I do?

    Use System admin -> System Config and find your system in the PCD (under portal content). Right click and open -> permissions. Find a user or group or role and give it the end user permission. I'd suggest the group Everyone.
    Cheers

  • Import roles to the ERM without using the "Mass Role Import"

    Hello,
    I want to know if there is another way to import roles to the ERM without using the "Mass Role Import".
    I'm using SAP GRC AC 5.3.
    Best Regards.
    Pablo Mortera.

    Hi.
    There is NO other way to import roles.
    We need to use only the ERM "Mass Role Import".
    Regards
    Gangadhar

  • Not able to compare roles in DEV and QAS using SUIM?

    Hi,
    I am trying to compare a role in both DEV and QAS, and DEV and PRD, using the SUIM t-code.
    While comparing, it shows that the roles are in different systems and cannot be compared.
    Actually the role exists in both QAS and PRD.
    Individually I can login to QAS, PRD can see the role.

    For role comparison, both roles must be in the same system and the same client.
    Transaction code SUIM -> Comparison -> Roles
    If the roles are in different systems, then transport the role into one of the systems and do the comparison. If no transport connection is defined, you can use the upload and download option in PFCG.
    Comparing:
    Run the t-code SUIM.
    Go to Comparison and select the Roles option.
    Click on the Across Systems option; it will give you the option to select the system name under Remote Comparison. Enter the SYS ID of the systems between which you want to compare, put the role name in the Compare Role section, then execute; it will give you the result.
    If there is any difference between the t-codes it will be in red, otherwise in yellow.

  • Role within a role, separate permissions

    Hi there
    I have a role, HR, which must appear in the top level navigation. That is simple to do ... create the role, add iviews etc., mark as entry point and assign users to the role ... displays nicely.
    Now, as part of the HR section, we would like another section, namely Payroll, which is only accessible to certain people.
    I can create a new role, called Payroll, and assign certain users to that role.
    I then add the Payroll role to the HR Role ... Payroll now appears in the detailed navigation as required, but all users have access to the iviews within the Payroll role, which is not what we want.
    If I mark the Payroll role as an entry point, then it only appears in the top level navigation for users who have been assigned to the role.
    This makes me think I have the permissions configured correctly.
    What do I need to do to make detailed navigation rely on the role permissions? It would appear the permissions are being "inherited" from the parent Role, which is not what I want.
    Is there a way to get a role within a role to keep its permissions and ignore the parent permissions?
    Can I do this in the detailed navigation, or should I be trying something else?
    Should this perhaps be done at a workset level instead?
    Any help would be greatly appreciated (and no doubt points awarded)

    Thanks Marty
    I had forgotten about Merging, and that seems to have gotten me most of the way.
    I can successfully merge, and the new item only appears for the relevant users, but it merges quite high.
    I would like the merging to happen in the detailed navigation, but I can't seem to get this right.
    At the moment, I have 2 worksets, namely Home and Payroll. I set the merge properties on these 2 worksets. Home workset is then assigned to the HR Workbench role. When I log in as a user who has access to the Payroll role, then I see the HR Workbench role, and in the second level navigation, I see Home and Payroll (worksets).
    What I would like, is to have the Payroll workset appearing in the detailed navigation.
    I have tried merging on the folders in the Home workset, but still don't see anything in the detailed navigation.
    Do you know if it is possible to merge in the detailed navigation, or only top level navigation?
    Thanks for the answer ... I will reward points now

  • Easy Question: How to identify user roles within form?

    Hi folks,
    I would like to display/hide button which calls static data maintenance form (from other form) based on current user roles.
    If user has role "STATIC_DATA" granted then DISPLAY button (which calls static data form), else DO NOT DISPLAY it.
    Any example, how to get user roles within form?
    Thanks,
    Tomas

    I can do it with below code:
    declare
      l_cnt number;
    begin
      -- USER_ROLE_PRIVS lists the roles granted directly to the current user
      select count(*)
        into l_cnt
        from user_role_privs
       where granted_role = 'STATIC_DATA';
      if l_cnt > 0 then
        null; -- display it
      else
        null; -- do not display
      end if;
    end;
    I think the above should work.
    Thanks,
    Tomas
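An added example, not Tomas's code, that shows the caveat nested roles introduce for this check: USER_ROLE_PRIVS lists only roles granted to the user directly, so if STATIC_DATA is granted to a parent role that is in turn granted to the user, the count above is 0 even though the user holds STATIC_DATA's privileges. SESSION_ROLES (and DBMS_SESSION.IS_ROLE_ENABLED) report what is enabled in the session, including roles reached through a parent. STATIC_DATA is the thread's role name; STATIC_DATA_ADMIN and the user TOMAS are made up.

```sql
-- Added example (not from the thread). Setup as a DBA: nest STATIC_DATA
-- under a parent role and grant only the parent to the user.
-- STATIC_DATA_ADMIN and TOMAS are made-up names.
CREATE ROLE static_data_admin;
GRANT static_data TO static_data_admin;
GRANT static_data_admin TO tomas;

-- As TOMAS, in a fresh session:
SELECT granted_role FROM user_role_privs;  -- STATIC_DATA_ADMIN only (direct grants)
SELECT role         FROM session_roles;    -- STATIC_DATA_ADMIN and STATIC_DATA (enabled)

-- The form's check written against what the session has enabled rather than
-- what was granted directly. DBMS_SESSION.IS_ROLE_ENABLED is equivalent to
-- counting rows in SESSION_ROLES; both see roles reached through a parent.
DECLARE
  l_can_maintain BOOLEAN;
BEGIN
  l_can_maintain := DBMS_SESSION.IS_ROLE_ENABLED('STATIC_DATA');

  IF l_can_maintain THEN
    NULL;  -- display the button (Forms: SET_ITEM_PROPERTY(..., VISIBLE, PROPERTY_TRUE))
  ELSE
    NULL;  -- hide it
  END IF;
END;
/
```

Two caveats for a Forms button: hiding it is a convenience, not a control, since the GRANTs on the static-data tables are what actually restrict the user; and a role that is not a default role is not enabled at login, so the check returns FALSE until SET ROLE has been run.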

  • Provision Unix accounts/roles/groups to Directory server using OIM

    Hi,
    I have a requirement to integrate a large number of Unix servers with LDAP (OID or Sun Directory Server) for centralized authentication and authorization, and to provision Unix accounts/roles/groups to the directory server using OIM. I have the following queries.
    1. If using PAM_LDAP then what are the schema changes required in ldap to support it ?
    2. Does OIM's out-of-the-box connector for OID or Sun Directory Server support provisioning Unix accounts/roles/groups to the directory server? If not, can it be extended, or do I need to write a custom connector?
    3. If I use Oracle Authentication Services for OS for centralized unix account management then OIM provisioning is same as #2 or different ?
    Thanks
    Nitin

    Yes, the iPlanet connector supports multivalued attributes. Go through the connector doc; it will let you know how to extend its functionality.
    --nayan

  • Automatic Creation of Roles and Role Mappings in GRC

    Hi,
    we are planning to use SAP Identity Management and SAP GRC Access Management.
    In SAP IDM we have defined several business roles that contain privileges in SAP systems. When a user requests a role, the request will first be sent to SAP GRC for approval and risk checking.
    In order to get this to work, we need to load the business roles of SAP IDM into SAP GRC, and we also need to configure the role mapping between the business roles and the technical SAP privileges.
    From what I understood, this could be implemented by loading the required information via Excel files into SAP IDM. However, this is a quite cumbersome and error-prone approach and we would like to automate this.
    Is there a way to use e.g. web service calls to create/delete roles and role mappings in SAP GRC?
    BTW: is a documentation of all available GRC web service calls and their parameters available?
    Thanks for your help in advance!
    Best regards
    Tom

    Hi Tom,
    as stated before, the web service description is in the config guide.
    Unfortunately there is no web service to create roles or even mappings in CUP - this is one of many I would also like to see created.
    I don't think in your context you will be able to directly send Business Roles to CUP. The role mapping only happens after you send the request, so I'm not sure if that's in time for risk analysis - you will need to try that.
    Are you a customer or a consultant? Anyway, feel free to contact me if you need further help integrating CUP and IdM. This is an evolving interface with many possible scenarios, so it's not easy to give you good advice without seeing the full picture.
    Frank.

  • GRC 10 - Business role, no role owner but associated role have owner....

    Dear All,
    In GRC 5.3 we perform the following mapping:
    Business Role A mapped with (no owner)
    - Technical Role 1 (from ECC with Owner1)
    - Technical Role 2 (from CRM with Owner2)
    - Technical Role 3 (from HR with Owner3)
    In GRC 5.3 we have a business role mapped with multiple child roles (technical roles) from other systems.
    The GRC 5.3 request is able to close and be provisioned, as it can see the owners from the child roles.
    Now in GRC 10, we did the same. We created a business role, then mapped the child roles (technical roles). Unfortunately, when the manager approves, the workflow reroutes to "NO OWNER DETOUR PATH" because it cannot see the technical role owner.
    It seems that GRC 10 is only looking at the business role owner. We are unable to add Owner1, Owner2, Owner3 to the business role because when one of the owners approves, it will provision all the technical roles. We might have owners who will reject their role.
    Please advise.
    Jacky

    Hi Mustafa,
    you can use end user personalization to prevent a role owner from approving roles for himself. Define a dedicated EUP for the role owner stage and restrict via "Approve/Reject Own Requests" like shown below:
    Does this answer your question?
    Regards,
    Alessandro

  • Add Role to Role Category

    Hello Experts,
    my scenario:
    1) AD Group Reconciliation Task
    2) Auto creation Role category "AD Roles" if it doesnt exists
    3) Auto creation Roles based on AD groups in "AD Roles" Role category
    I've already done auto-creation of the role category and of roles in the default category, but I still can't create roles in my category.
    I think it could be done like this in role creation:
    mapAttrs.put(RoleManagerConstants.ROLE_CATEGORY_KEY, key)
    but how can I get the role category key of my category into the variable "key"?
    Are there other links between role and role category?
    Please help.
    Thanks.

    // Imports needed: java.util.*, javax.security.auth.login.LoginException,
    // oracle.iam.platform.OIMClient, oracle.iam.platform.entitymgr.vo.SearchCriteria,
    // oracle.iam.identity.rolemgmt.api.*, oracle.iam.identity.rolemgmt.vo.RoleCategory
    public static String getRoleCategoryKey(String categoryName) {
        String roleCategoryKey = null;
        Set<String> retAttrs = new HashSet<String>();

        // Connection settings as posted (server, user and password are the poster's)
        String ctxFactory = "weblogic.jndi.WLInitialContextFactory";
        String serverURL = "t3://10.111.6.101:14000";
        String username = "xelsysadm";
        String password = "xelsysadm";
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, ctxFactory);
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, serverURL);
        OIMClient oimClient = new OIMClient(env);

        System.out.println("Logging in...");
        try {
            oimClient.login(username, password);
        } catch (LoginException e) {
            // The original fell through into the search from inside this catch block
            e.printStackTrace();
            return null;
        }

        // Role categories are searched through RoleCategoryManager;
        // RoleManager.search() returns Role objects, which cannot be cast to RoleCategory.
        RoleCategoryManager rcmgr = oimClient.getService(RoleCategoryManager.class);
        retAttrs.add(RoleManagerConstants.ROLE_CATEGORY_KEY);
        retAttrs.add(RoleManagerConstants.ROLE_CATEGORY_NAME);
        SearchCriteria criteria = new SearchCriteria(RoleManagerConstants.ROLE_CATEGORY_NAME,
                categoryName, SearchCriteria.Operator.EQUAL);
        try {
            List<RoleCategory> roleCategories = rcmgr.search(criteria, retAttrs, null);
            System.out.println(roleCategories.size());
            for (RoleCategory roleCat : roleCategories) {
                roleCategoryKey = roleCat.getEntityId();   // the category key
                System.out.println("FOUND!!!");
                break;   // category names are unique; the first match is the one
            }
        } catch (Exception e) {
            e.printStackTrace();   // the original swallowed this silently
        }
        return roleCategoryKey;
    }
    - I just found this interesting code, but it doesn't work when I use it for my map:
    mapAttrs = new HashMap<String, Object>();
    mapAttrs.put(RoleManagerConstants.ROLE_NAME, "testrole");
    mapAttrs.put(RoleManagerConstants.ROLE_DISPLAY_NAME, "testrole");
    mapAttrs.put(RoleManagerConstants.ROLE_DESCRIPTION, "desc for test");
    mapAttrs.put(RoleManagerConstants.ROLE_CATEGORY_KEY, getRoleCategoryKey("testcat"));
    And with .browse() I even know my category key, but when i use it:
    mapAttrs = new HashMap<String, Object>();
    mapAttrs.put(RoleManagerConstants.ROLE_NAME, "testrole");
    mapAttrs.put(RoleManagerConstants.ROLE_DISPLAY_NAME, "testrole");
    mapAttrs.put(RoleManagerConstants.ROLE_DESCRIPTION, "desc for test");
    mapAttrs.put(RoleManagerConstants.ROLE_CATEGORY_KEY, "21");
    - errors.
    What's wrong?

  • Clustered role 'Availability Role' has exceeded its failover threshold

    I am getting this alert on SQL 2012 R2 SP1. Please tell me the solution to the alert below on Windows failover clustering.
    Clustered role 'Availability Role' has exceeded its failover threshold. It has exhausted the configured number of failover attempts within the failover period of time allotted to it and will be left in a failed state. No additional attempts will be made to bring the role online or fail it over to another node in the cluster. Please check the events associated with the failure. After the issues causing the failure are resolved the role can be brought online manually or the cluster may attempt to bring it online again after the restart delay period.

    Hi Syed Tauseef Ahmed,
    Please offer more information, such as under what circumstances this issue occurs and what event ID you have got. The failover threshold is the number of times the group can fail over within the number of hours specified by the failover period.
    The related KB:
    Tuning Failover Cluster Network Thresholds
    http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx
    You can refer the following similar thread for the first step troubleshooting:
    Clustered role 'Cluster Group' has exceeded its failover threshold.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/4eb44f05-eb9b-448a-821b-359879141608/clustered-role-cluster-group-has-exceeded-its-failover-threshold
    I'm glad to be of help to you!

  • Default role + session role

    Hi,
    How do I enable a session role in addition to keeping the default role enabled? E.g. if user scott has a default role of scott_dflt, I want to enable role scott_session without affecting scott_dflt. Using dbms_session.set_role to enable scott_session seems to disable scott_dflt.
    Thank you.

    When you call DBMS_SESSION.SET_ROLE, give a comma-separated list of the roles that you want to set as the parameter:
    SQL> exec DBMS_SESSION.SET_ROLE('<role#1>,<role#2>,<role#3>.....') ;

  • Roles and Role List

    Hi all,
    Please explain the Roles and Role List used in Projects.
    Thanks
    Dinesh

    Hi
    Roles are used in Projects for two purposes:
    A) as a basis for project-based security. You might create roles as project roles and assign people to the role in a project. For example, project manager, project admin, project billing person, etc. You then might configure the security access to forms and functions for specific roles.
    B) when implementing Project Resource Management, the project roles may be scheduled on a project and serve as a template for resource demand. In that case you might configure the team member role on a project, such as competencies, job information, and security.
    You might want to review Oracle Projects Fundamentals and Projects Implementation Guide for more details.
    Dina
