OAM Authorization cache query

Similar Messages

• Caching Query Issues?

  I have a test(on the server) and a development(localhost) sites so is the oracle database schemas.  Both Oracle database schemas reside on the same server. I have the same datasource name for both schemas in the CF Administrators (local and server). For some reason, it seems to me that the data being pulled only from the test environment database eventhough I run the code on the development(localhost).  I cleared the cache on the CF administrator.   Any advise would be great.  Thanks.

  Soumen Mondal,
  If you are facing this problem from the same client PC and in the same session, it's very strange.. but if there are two sessions running on the same PC this kind of issue may come..
  Something about caching:
  To decide whether to cache a query or not, consider the number of times you intend to run the query in a minute. For data changing in seconds, and queried in minutes, I would recommend not to cache query at all.
  I may give a typical example for query caching in a query on material master cached for 24 hours, where we know that after creating material master, we are not creating a PO on the same day.
  BR,
  SB

• Order for resources in OAM authorization policy

  Hi All
  Does the order for the resources in OAM authorization policy matters or can I put the resources in any order ?
  Thanks

  OAM performs resource Authentication and Authorization based on the URLs. It doesn't matter on what order you try to put them.
  ~Yagnesh

• Cannot query using both conforming and cached query result

  TopLink doesn't allow me to both use conforming and cached query result at the same time.
  Conforming is certainly not a superset of the [cached query result] features.
  Can you confirm that it's a limitation of TopLink?
  Any know workaround to end-up with the same features as using both conforming and cached query result?
  Conforming is about seeing modifications you do in the same transaction. As a bonus, if you query for one object and specify at least the id as criteria because TopLink will have to check in memory anyway it can avoid going to the database.
  But if I do a query like "give me employees hired before now and after 30 days ago" it's about more than one objects and about finding existance so cached query result is needed to get acceptable performance in a complex application trying to avoid the same SQL generated over and over again.

  Thats where the trace just ends? It doesnt look like there's any LIKE or filtering going on (with respect to the Oracle pieces anyway), apparently MSAccess simply requested the whole table.
  What do you mean by 'hang' exactly? Are you sure it's just not taking a long time to complete? How long have you waited? How fast does it complete on the other environment?
  ODBC tracing isnt likely to help much for that. SQLNet tracing would be better to see what is going on at a lower level. Specifically, what is going on at the network level? Is the client waiting for a packet to be returned from the database?
  Is the database having a hard time processing the query, perhaps due to index/tuning issues?
  Assuming that is indeed the query that is "hung", how much data does that return?
  Are you able to reproduce the same behavior with that query and vbscript for example?
  Greg

• cache-query-results question

  I have another post for general descriptor tag information but I do have a specific question. In a project I am looking at I see:
  <cache-usage> check cache by primary key </cache-usage>
  <cache-query-results>false</cache-query-results>
  <maintain-cache>true</maintain-cache>
  I'm not sure how to interpret this. Does this mean that a cache is in place or not? cache-query-rests is set to false which implies no caching, yet the other parameters imply a cache is in place. What overrides here?
  Thanks

  The XML maps directly to the API so the JavaDocs and related documentation are the best tools:
  cache-usage: query.setCacheUsage(int)
  This option indicates how the object cache should be used when processing the query. This is how in-memory query is configured as well as support for cache-hits on ReadObjectQuery.
  cache-query-result: query.setShouldCacheQueryResults(boolean)
  This option allows you to indicate that the results returned from the query execution should be held. When the query is executed again these results will be returned without going to the database or searching the object cache. This is just caching the results locally within the query.
  maintain-cache: query.maintainCache() or query.dontMaintainCache()
  This setting determines if the results returned from the query should be cached in the shared object cache. It is on by default and turning this off is very rare. Occasionally done to compare the cache version with the database verision when handling an optimistic locking failure.
  Doug

• OAM 10g Authorization ldap query

  Hi all
  Please let me know if we can write a LDAP query in Authorization - Deny access to deny the users who are not a member of Usergroup 'X'.
  If yes, please give me a sample. Please help.
  Thanks

  Hi,
  Does the solution offered by Sagar (from the above link):
  "If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
  All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, its little hard to see but its there in light blue color on dark blue tab) -> select the group you want to give access"
  (which also applies to Denying access to groups) meet your needs?
  Regards,
  Colin
  Edited by: ColinPurdon on Jun 27, 2011 9:20 AM

• OAM - Authorization based on the authentication method

  We are using OAM 10g for a customer to protect a large number of web application. In order to access those applications a user can chose from several authentication methods (e.g. client certificate, SecureId and mobile TAN). All applications use the same cookie domain and OAM provides SSO to the user. The customer now wants to define access rules for each of the applications based on the chosen authentication method.
  In other words, he wants to have the flexibility to define rules such as the following:
  Application A: Only accessible with client certificates
  Application B: Only accessible with mobile TAN
  Application D: Only accessible with SecureId or mobile TAN
  Application E: Accessible with any authentication method
  In order to implement this with OAM we would have assign each authentication method a different authentication level and define authorization rules that depend on those authentication levels (maybe using a custom authorization plug-in). According to the OAM documentation it doesn't seem possible to reference the authentication level in a authorization rule.
  Does anyone know a way to implement these requirements.
  Any help is appreciated.
  Best regards,
  Donat

  This is how I think we can do this.
  Write Authentication plug-in which adds which authentication scheme was used to login to the application in one of the multivalued attribute in OID. Write Authorization plug-in also which checks this value and makes authentication decision.
  One more approach is, Create as many attributes in OID as number of authentication schemes you have. Each of them is a flag representing whether user is logged in with the authentication scheme or not. When user authenticates using an authentication scheme, turn on that flag. Also flush access server user profiles cache. In the authorization rule, use this flag to make authorization decisions. Using this approach, you do not have to write authorization plugin but this may not be scalable approach as you might have to create a new attribute in OID when new authentication scheme is added.
  You can also keep this information somewhere in database or flat file and use that information in authentication and authorization plugin.
  I hope one of this solutions will help you.
  Thanks
  Kiran Thakkar

• Authorization on Query Print Layout Report

  Hi Experts,
  Is there a way to limit users from generating Query Print Layout which they are not suppose to generate? Currently, all query print layout is exposed to all users, but I want to limit which users who can access specific reports only and to prevent from accidentally generating other confidential reports.
  I tried grouping the queries per Query Manager and assigned the query number to designated users in Authorizations, but it seems that this does not apply in Query print layout generation.
  Any help?
  Don

  Hi Gordon,
  Yes, I gave the users authorization for the query print layout so that they can run one of the report, however, all the reports are exposed also, for confidentiality purposes, I don't want to allow the same users to generate other query print layouts.
  Is there a way for this?
  Thanks.

• Analysis Authorization and Query

  Hi everybody,
  while studying the new analysis authorization concept in BI7 I tested a little bit around. I was wondering how I can realize the following scenario:
  A user should see "0VERSION" "2" and "0DIVISION" "01" as well as "0VERSION" "5" and "0DIVISION" "02" while executing the query with BEx Analyzer.
  Am I right that I have to create two analysis authorizations?  How do I have to model the query? I always get the message that my testuser does not have enough authority.
  Thanks for your suggestions.

  Hi Anja,
  Did you ever get a resolution to the question you asked.  I am facing the same scenario now where i want to restrict a user to seeing seeing the following:
  user must see:
  Division = 001 and Area = A
  Division = 002 and Area = B
  But he must not see Division 001, Area B for example
  Creating the analysis authorizations is not a problem, the problem is modelling the query to return this result.  I always get no results due to lack of authorization as the authorization variables try to return All Division "001" and "002" and All "A" and "B"
  As i see it, you cannot model the query to return the required result.  What would be ideal is if the query would only return what the user is authorized to, rather than returning nothing and giving an auth error.
  Thanks
  Gavin

• Customization of "No Authorization" for Query in BI!!!

  Hi,
  Have a query on when we get a no authorization for a query in BI. Can we customize the error message or create pop up in analyzer to show the user that he does not have access to a particular value like a Company Code etc.
  Also is it possible to show data to the user for which he is authorized even if he has put in fields to which he has no access.
  Thanks,
  Yogesh

  May be you can try Authorization Fill variable.
  To see what the user ID is Authorized to see use RSECADMIN (Only in BI7.0) and see for Error Logs under Analysis.
  AB

• Is it possible to stop APEX using a cached query?

  I was hoping that the issue where report regions sometimes show the error: "ORA-06502: PL/SQL: numeric or value error: NULL index table key value" would be fixed in 3.1.1 however it seems not to have been (We have had it several times now). The workaround seems to be to change the query slightly such as selecting NULL as an additional column and then hiding that column.
  This obviously only works AFTER the issue has occured, ie, after we have received a complaint from someone!
  Is it possible to stop APEX using the cached version of some queries altogether? The ones we are calling are quite simple and so will not give that much overhead.
  Thanks.

  I've actually found several threads on this from the past:
  ORA-06502: PL/SQL: numeric or value error: NULL index table key value
  http://kr.forums.oracle.com/forums/thread.jspa?threadID=644172&tstart=120 (This thread states the problem has been fixed however it would appear either it hasn't or there is a similar bug elsewhere.)

• OAM Authorization POST parameters

  Dear all,
  I have a question about the authorization rules in OAM, my requirement is that I want on successful authorization to send a POST parameter to a protected application this parameter will include some piece of data of the logged in user (for example his social security number) and I want to make sure that no authenticated user can send the social security number of another user, so I want this parameter to be sent by OAM to ensure that it will sent the number of the logged in user.
  In authorization rules (on success action) I can sent an HTTP Header or set a cookie with the number of the logged in user but I couldn't find a way to send a POST parameter.
  I thought of another solution to send the parameter through a normal HTML form and make an authorization rule to check in the POST parameter (say: ssn) in the HTTP request is equal to the SSN of the logged in user but I couldn't figure how to receive parameters in the authorization rule.
  I don't know it writing custom authorization plugin can be a solution or there is another solution???
  Thanks in advance

  Hi,
  As far as I know, OAM does send params to the end user application in 2 ways. 1. Header Var 2. Cookies.
  Passing params through Headervar are safer than cookies as cookies can be tampered in the interim.
  However, I think Custom Authz plugin or using Reverse Proxy Server might do this job for you. You might need to explore more on that.
  For the alternative solution that you are talking about as passing SSN no. from HTML form, its vulnerable and it can easily be tampered with.
  -Mahendra.

• Authorization issue - Query is not working

  Hi All,
  I have creared an auth.object on zcomp_code. created a role and assigned to a particular user. I have included 20 comp.codes in this auth object. All is well except the query result
  I have 2 variables in the variable pop-up screen. 1 is FiscYear and 2nd is zcomp_code (auth.variable). If i execute by not giving any value to comp.code, its showing "no autho". If I pass values then its giving proper result. Per my understanding, without input to comp.code it should display what and all are authorised to that particular role/user. Please correct me if I am wrong. I would like to show the result even there is no input to comp.code. Could anyone please suggest any approach to do this. Your assistance highly appreciable.
  Note: the comp.code variable is of type auth. variable. optional, ready for input.
  Thank you in advance!!!
  Best Regards
  Venkat....

  Hi Venkatesh,
  Hope you did all necessary developments, however i guess there is something missing in assignment of authorization relevant obj. Please go through below link which has explained on possible errors for "No Authorization Error" during this type of development.
  http://wiki.scn.sap.com/wiki/display/BI/Characteristic+Value+Authorization++BI+7.0
  Hope this helps.
  Regards,
  Venu Gopal

• Field based authorization in Query SQ01

  Hi SAP Gurus
  I have made a query via SQ01 . Now i have assigned two users to execute the query but both these users are from different companies and able to execute the query for another company also which is not correct .
  What i want to do is to restrict company code in accordance to user id of the respective person .
  We do not have an abapper currently ? Can anyone help me with this ?
  Regards
  Hitesh

  Hi,
  You can  restrict the users from accessing the query from infoset with standard/custom authorization authorization for company code.
  if company code selection field is defined inside the infoset,then authorization check can be implemented in at selection screen event inside the infoset.
  if the company code selection field is defined in query level,then we can implement authorization check at start-of-selection event in infoset.
  Regards
  Shibino

• BI Authorization problem query in web

  Hello Guru,
  i have authorization problems to execute query on the Web.
  When i try to execute query on web i have these messages:
  - Missing display authorization msg R9 108
  - Missing authorization to execute query msg R9 108
  - User doesn't have authorization for selected component
    Component selected can not be executed
    Contact person responsible for the authorizations if user need authorization to execute this component
    Function is checked with object "Business explorer - components" with these fields:
      - InfoCube ZSD_007
      - Component type ERP
      - Component ZTEST_SD_007
      - Activity  16
    Message number BRAIN 800
  In BI i have add to my usere all these profiles and role, but the problem still again:
  Profiles:
  SAP_ALL                                                                               
  S_A.SYSTEM               System administrator (Superuser)
  S_RS_ADMWB_A        All Administrator Workbench Authorizations
  S_RS_EXPL_A             All Business Explorer Authorizations
  T-BS590005                  Profile for role Z_RS_RREPU
  T-BS590006                  Profile for role Z_RS_RREDE
  Roles:
  SAP_BW_CFO_ADMIN
  Z_RS_RREDE   (copy from template  RS_RREDE)
  Z_RS_RREPU   (copy from template  RS_RREPU)
  I can not understand if this problem is related to BI authorization or maybe something in Netweaver
  please help me
  Kind regards
  Boris

  Hello,
  i can execute query from transaction RSRT, anyway also from this transaction when select "ABAP WEB" , web page is open but i have same authorizations problem.
  In transaction SU53 seems everithing correct (i have all authorizations) .... this is probably becouse my problem is in Portal or netweaver side and not in BI ???
  any suggestion?
  Thanks in advance
  Boris