OEG and OES integration - 11g Authorization filter and XACML

Experts,
I have installed OEG 11.1.1.6 and OES 11.1.1.5. Initially I tried delegating the OEG authorization to OES through the 11g Authorization filter, but it failed. Later I tried the XACML filter. I see everything in the backend happening fine (OEG trace file, DATA mode), but I always get a DENY response within the XACML SOAP response. What could be the possible reasons?
And please let me know how I set a log file for OES WS SM. I don't see anything helpful in the OES logs.
Let me know of any doc or guide which can help me do an integration between OEG and OES.
thanks
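When a gateway only ever receives Deny from a XACML PDP, the first thing to establish is whether the PDP actually evaluated the request (Deny with a status of ok) or never matched it (NotApplicable, or Indeterminate with a missing attribute), and which attributes the PEP really sent. The script below is an added example, not code from OEG, OES or the original post: it parses a XACML 2.0 response, optionally inside a SOAP 1.1 envelope, and the corresponding request. The SOAP and XACML messages, the user name, the resource path and the attribute id urn:example:role are constructed samples; that OES returns exactly this message layout is an assumption, while the namespace and status URNs are the ones defined by the OASIS XACML 2.0 specification.

```python
"""Inspect a XACML 2.0 response (optionally SOAP-wrapped) and its request to
explain why a PDP answered Deny.  Added example; all messages are constructed."""
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "xacml": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
XACML = "{%s}" % NS["xacml"]
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

# Constructed sample: a Deny that the PDP really evaluated (status ok).
SAMPLE_DENY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <Result ResourceId="/services/orders">
        <Decision>Deny</Decision>
        <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
      </Result>
    </Response>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: Indeterminate because the PEP never sent an attribute
# (urn:example:role is a made-up attribute id).
SAMPLE_INDETERMINATE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Result>
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
      <StatusMessage>required attribute not present</StatusMessage>
      <StatusDetail><MissingAttributeDetail AttributeId="urn:example:role"
        DataType="http://www.w3.org/2001/XMLSchema#string"/></StatusDetail>
    </Status>
  </Result>
</Response>"""

# Constructed sample: the request the PEP sent, with the three standard ids.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
    DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>alice</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>/services/orders</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
    DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""


def parse_results(xml_text):
    """Return one dict per <Result>, whether or not a SOAP envelope wraps the Response."""
    root = ET.fromstring(xml_text)
    results = []
    for res in root.iter(XACML + "Result"):
        code = res.find("xacml:Status/xacml:StatusCode", NS)
        results.append({
            "resource": res.get("ResourceId"),
            "decision": res.findtext("xacml:Decision", namespaces=NS),
            "status": code.get("Value") if code is not None else None,
            "message": res.findtext("xacml:Status/xacml:StatusMessage", namespaces=NS),
            "missing": [m.get("AttributeId")
                        for m in res.iter(XACML + "MissingAttributeDetail")],
        })
    return results


def explain(result):
    """Turn a parsed Result into the troubleshooting hint a PEP operator needs."""
    decision, status = result["decision"], result["status"]
    if decision == "Permit":
        return "Permit: a policy matched the request and allowed it."
    if decision == "Deny" and status == STATUS_OK:
        return ("Deny with status ok: the PDP did evaluate the request; either a rule "
                "denied it or nothing permitted it and the combining algorithm fell back "
                "to Deny. Compare the request attributes with the policy target.")
    if decision == "NotApplicable":
        return "NotApplicable: no policy target matched the subject/resource/action sent."
    if decision == "Indeterminate":
        hint = result["message"] or "no StatusMessage"
        if result["missing"]:
            hint += "; missing attributes: " + ", ".join(result["missing"])
        return "Indeterminate (%s): %s" % (status, hint)
    return "Unexpected decision %r with status %r" % (decision, status)


def request_attributes(xml_text):
    """Map category -> AttributeId -> values, i.e. what the PEP actually sent."""
    root = ET.fromstring(xml_text)
    req = root if root.tag == XACML + "Request" else root.find(".//xacml:Request", NS)
    found = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        for cat in req.findall("xacml:" + category, NS):
            for attr in cat.findall("xacml:Attribute", NS):
                values = [v.text for v in attr.findall("xacml:AttributeValue", NS)]
                found.setdefault(category, {}).setdefault(
                    attr.get("AttributeId"), []).extend(values)
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_DENY, SAMPLE_INDETERMINATE):
        for r in parse_results(sample):
            print(r["resource"], "->", explain(r))
    for category, attrs in request_attributes(SAMPLE_REQUEST).items():
        print(category, attrs)
```

Run it against the request and response copied out of the gateway trace instead of the constructed samples: a Deny with status ok means the policy side needs attention (target and rule conditions versus the attribute ids and values in the request), whereas NotApplicable or a missing-attribute status means the PEP is not sending what the policy expects.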

Can you give more information on your use case? BTW, you should look at attending OES training; this will give you a good high-level picture as well as hands-on experience.
Bye,
Subbu Devulapalli
My Blog: Authorization for the Real World (http://accessmanagement.wordpress.com/)
Follow me on Twitter (https://twitter.com/#!/BloggerSubbu)

Similar Messages

  • OEG and OSB - username token with message protection

    Salve,
    I've got a simple example of OEG / OSB integration up and running:
    Scenario 1 - username token validation works fine.
    Scenario 2 - username token / message protection has issues.
    I register the web service with OEG and the security policy is auto-generated. I configure as appropriate but get the error:
    No asymmetric key foundERROR12/5/11 1:46 PM signature error: not specified/not specified, key is not found:
    A doc detailing all the steps I took is available at -
    https://docs.google.com/open?id=0B7YrnfO7h717ODI5NGExODAtNjI0Yy00ZGE0LWI3NzQtZTg4YjM2ZDQzOWQ1
    any help --> greatly appreciated.

    Replied offline as forum was down. Issue sorted.
    Many thanks for detailed analysis.

  • OIM 11g - Authorization Policy

    Hi,
    I am facing an issue in OIM 11g Authorization policy configuration. I am using OIM version 11.1.1.5.
    I have created an OU --> Sample Helpdesk OU. Under this OU, I have created a user --> Sample Helpdesk user.
    I have created a role --> Sample Helpdesk Role and assigned this role to the user --> Sample Helpdesk user.
    I have created an Auth Policy --> "HelpDesk Create User - HelpDesk OU" which has to allow the user --> Sample Helpdesk user to create new users under the organization "Sample Helpdesk OU".
    During creation of a user in OIM, I am not able to search the Organization in the lookup field. I am getting zero records for the search. I used all types of filters to search the OU in the OIM User Form.
    Thanks,
    Sandy.
    Edited by: Sandy on Dec 6, 2011 9:24 PM

    Hi,
    Make the Helpdesk Role created above the administrative role of the OU.
    Regards,
    Raghav.

  • 2 questions about authorization filter...

    Hi guys,
    I need your help to solve my question.
    I'm developing a JSF application and I've created an authorization filter.
    My filter must check, for each page access, whether a registered user is stored in the session and, if not, redirect to the login page. I have a bit of experience with servlets and filters and I've solved this with this filter.

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;

    // Utils and Visit are the application's own helper classes (not shown here).
    public class AuthorizationFilter implements Filter {

            /** @uml.property name="config" @uml.associationEnd */
            FilterConfig config = null;

            /** @uml.property name="servletContext" @uml.associationEnd */
            ServletContext servletContext = null;

            public AuthorizationFilter() {
            }

            public void init(FilterConfig filterConfig) throws ServletException {
                    config = filterConfig;
                    servletContext = config.getServletContext();
            }

            public void doFilter(ServletRequest request, ServletResponse response,
                            FilterChain chain) throws IOException, ServletException {
                    Utils.log(servletContext, "Inside the filter");
                    HttpServletRequest httpRequest = (HttpServletRequest) request;
                    HttpServletResponse httpResponse = (HttpServletResponse) response;
                    HttpSession session = httpRequest.getSession();
                    String requestPath = httpRequest.getPathInfo();
                    // the logged-in user is kept in the session as a Visit object
                    Visit visit = (Visit) session.getAttribute("visit");
                    if (visit == null) {
                            System.out.println("Visit Nullo");
                            // remember the requested page, then send the user to the login page
                            session.setAttribute("originalTreeId", requestPath);
                            Utils.log(servletContext, "redirecting to "
                                            + httpRequest.getContextPath() + "/faces/Login.jsp");
                            httpResponse.sendRedirect(httpRequest.getContextPath()
                                            + "/index.jsp");
                    } else {
                            chain.doFilter(request, response);
                    }
                    Utils.log(servletContext, "Exiting the filter");
            }

            public void destroy() {
            }
    }

    In my authentication bean, after the user has logged in, I have

    loggedIn = true;
    User newUser = new User(loginName, password, teamName, role);
    Visit visit = new Visit();
    visit.setUser(newUser);
    visit.setAuthenticationBean(this);
    visit.setLoggedIn(loggedIn);
    setVisit(visit);
    // stores the Visit in the session under the attribute name "visit"
    getApplication().createValueBinding("#{sessionScope.visit}").setValue(facesContext, visit);

    to store values into the visit object, and this is my logout function:

    FacesContext facesContext = getFacesContext();
    Utils.log(facesContext, "Executing AuthenticationBean.logout()");
    HttpSession session = (HttpSession) facesContext.getExternalContext()
                    .getSession(false);
    if (session != null) {
            // #{sessionScope.visit} stored the object under the key "visit",
            // so that is the attribute to remove before invalidating the session
            session.removeAttribute("visit");
            session.invalidate();
    }

    My 2 questions are:
    1) How can I redirect to the login page a user that tries to log in with the same data as a user already stored in the session?
    2) How can I handle the browser closing? Do I need a listener?
    Please help me, I'm trying to learn about it and I need your help.
    Thanks

    hi,
    1. use the copy - paste functions in the drop down menu.
    2. same menu, save setting as........
    DR9.

  • Book on Oracle Data Integrator 11g Published May 25, 2012

    I am pleased to announce the availability of "Getting Started with Oracle Data Integrator 11g: A Hands-on Tutorial"
    Six ODI experts within Oracle (Technical Sales, Consulting and Product Management) collaborated and put in a lot of work in creating:
    Title: Getting Started With Oracle Data Integrator 11g: A Hands-on Tutorial
    Authors: Hecksel, Wheeler, Boyd-Bowman, Testut, Dupupet, Gray
    Publisher: Packt Publishing
    For more information on the book: http://astore.amazon.com/davidheckselc-20
    Regards,
    David Hecksel
    http://davidhecksel.com

    Hi,
    My odi.conf looks the same as yours:
    IncludeConfFile ../../ide/bin/ide.conf
    AddVMOption -XX:MaxPermSize=256M
    AddVMOption -Doracle.core.ojdl.logging.config.file=ODI-logging-config.xml
    AddVMOption -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger
    AddVMOption -Djava.util.logging.config.class=oracle.core.ojdl.logging.LoggingConfiguration
    AddJavaLibFile ../../../../oracledi.sdk/lib/ojdl.jar
    AddJavaLibFile ../../../../oracledi.sdk/lib/dms.jar
    AddJavaLibFile ../../jdev/extensions/oracle.odi.navigator/lib/log4j-1.2.8.jar
    AddJavaLibFile ../../jdev/extensions/oracle.odi.navigator/lib/odi_hfm.jar
    AddJavaLibFile ../../jdev/extensions/oracle.odi.navigator/lib/odihapp_common.jar
    AddJavaLibFile ../../jdev/extensions/oracle.odi.navigator/lib/ess_es_server.jar
    AddJavaLibFile ../../jdev/extensions/oracle.odi.navigator/lib/ess_japi.jar
    AddJavaLibFile ../../jdev/extensions/oracle.odi.navigator/lib/odihapp_essbase.jar
    AddJavaLibFile ../../jdev/extensions/oracle.odi.navigator/lib/odihapp_planning.jar
    AddVMOption -Dnative.canonicalization=false
    AddVMOption -Doracle.security.jps.config=./jps-config.xml
    AddVMOption -Doracle.odi.studio.ess=false
    AddVMOption -Dide.AssertCheckingDisabled=true
    AddVMOption -Dide.AssertTracingDisabled=true
    AddVMOption -DLOG_FILE=studio.log
    AddVMOption -Dsun.java2d.noddraw=true
    SetJavaHome /usr/lib/jvm/java-6-openjdk-amd64
    About access rights: if I use the "oracle" user, which is the owner of the ODI folder and its content, the result is the same. I can't figure out why it is not finding a thing.
    Do you have more suggestions I could try?
    Thanks a lot!
    Best regards,
    Fred

  • OEG and Oracle Service Registry integration

    Does anyone have an idea about how to integrate OEG with Oracle Service Registry?

    http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/osr-oeg-integration-guide-428916.pdf

  • OIM-OES integration

    Hi all,
    Can anybody help me with integrating (OIM 11g and OES 11g) or (OAM 11g and OES 11g)? Please provide me the document that describes the integration steps.
    Thank you.

    Can you give more information on your use case? BTW, you should look at attending OES training; this will give you a good high-level picture as well as hands-on experience.
    Bye,
    Subbu Devulapalli
    My Blog: Authorization for the Real World (http://accessmanagement.wordpress.com/)
    Follow me on Twitter (https://twitter.com/#!/BloggerSubbu)

  • Please Help: PI Data Dependent Integration Builder Authorizations NOT Working

    Dear Friends / Experts,
    I have spent many days and explored all weblogs and links on this website and implemented all the steps required to achieve Data Dependent Integration Builder Security, and I am not successful so far. I am just giving up now - please help me!
    As I said, I already read all the important forum links and SAP web links and followed each and every step - service.sap.com/instguidesNW04 → Installation → SAP XI
    Security Requirement - Data Dependent/Object Level Authorizations in XI / PI
    In distributed teams or in a shared PI environment it might be necessary to limit authorization for a developer or a group of developers to only one Software Component or objects within a Software Component or to specific Configuration Objects.
    Our Environment - PI 7.0 SP 16
    Created a new role in the Integration Builder Design
    – Add Object Types of any Software Component and Namespace
    - Enable usage of Integration Builder roles in Exchange Profile
    Integration Builder – Integration Builder Repository: parameter com.sap.aii.util.server.auth.activation to true
    Assign users to the newly created Integration Builder roles
    – Create dummy roles in Web AS ABAP; these roles are then available as groups in Web AS Java
    – Assign users to these roles
    – Assign the Integration Builder roles to the above groups in Web AS Java
    – Assign unrestricted roles to Super Users
    Please help - how to validate whether Data Dependent Authorizations are activated?
    I am working with XI Developers and the Basis Team and we did update all the required Exchange Profile parameters.
    Per this document - User Authorizations in Integration Builder Tools - do we need to update server.lockauth.activation in the Exchange Profile? When we updated it, it removed edit access from all XI developers in PI.
    In both the Integration Repository and the Integration Directory, you can define more detailed authorizations that restrict access to design and configuration objects.
    In both tools, you define such authorizations by choosing Tools → User Roles from the menu bar. The authorization for this menu option is provided by role SAP_XI_ADMINISTRATOR_J2EE. Of course, this role should only be granted to a very restricted number of administrators. To activate these more detailed authorizations, you must set exchange profile parameter com.sap.aii.ib.server.lockauth.activation to true.
    The access authorizations themselves can be defined at the object-type level only (possibly restricted by a selection path), where you can specify each access action either individually as Create, Modify, or Delete for each object type, or as an overall access granting all three access actions.
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/frameset.htm
    I was able to control display and maintain access from ABAP roles, but completely failed to implement Integration Builder Security.
    Are there any ways to check whether Data Dependent authorization or J2EE authorizations are activated?
    Thanks a lot
    Satish

    Hello,
    So, to give you the status of our issue.
    We were able to export the missing business component.
    But we also exported some interfaces after that and we had some return code 8, due to objects still present in the change list on the quality system (it seems that after previous failed transports the change list was not cleared completely...).
    So now we have checked that no objects are present in the change list of the quality system and we plan to export our devs to the quality system again.
    Hopefully after that there will be no more return code 8 during imports and all devs will be transported correctly to the quality system.
    Also recommending reading this, which is pretty good:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7078566c-72e0-2e10-2b8a-e10fcf8e1a3d?overridelayout=t…
    Thanks all,
    S.N

  • Errors with Integrated Planning authorizations

    Dear experts,
    We are working with Integrated Planning, and when we try to create or modify any object (by the modeler or the wizard) we receive an error message like this:
    "You have no authorization for Multiprovider XXXX"
    Not only Multiprovider, but InfoCube... any object.
    The curious thing is that the user we are working with has SAP ALL.
    With T-CODE bps0 we can do everything, but with T-CODE rsplan it is impossible.
    We've checked in T-CODE su53 and everything is OK.
    We've checked in T-CODE rsecadmin and nothing there.
    We've checked as well in T-CODE st01, followed the actions with the trace and all the return codes are 0.
    Does anyone know what happens?
    Thanks in advance
    Cecilia

    Hello Cecilia,
    If you keep a carrot in front of a donkey he will run faster... this is the same as what I mean when I talk about experts: men like to be the hero, and instead of a carrot you need to laud him as an expert; he will reply faster.
    Let's come back to authorization: I am not sure whether RSECADMIN is a newer version of RSSM. Reason: in RSSM you can activate the authorization check for a cube or MP, but in RSECADMIN you administer authorization for a user.
    I am not sure, but I think that your problem is related to this issue. If not, there are very strange problems with the web authorization, it's true: what we have done is to copy an existing BW user and assign him the same authorization as in the web. Reason: creating a new user in the web does not work in all cases. We had very many problems with SP7; since we have SP10 we don't have those problems.
    regards
    Eckhard

  • Integration Builder: authorization problem

    Hello all,
    I get the following error message when I try to log in to the Integration Builder:
    "No authorization for this action"
    My user was created in SU01 with all XI roles:
    SAP_XI_ADMINISTRATOR_J2EE
    SAP_XI_DEMOAPP
    SAP_XI_CONFIGURATOR
    SAP_XI_DISPLAY_USER
    SAP_XI_SUPPORT
    The user also exists in UME with several authorizations.
    Please, could anybody help me?
    Thanks in advance
    Javier Guio

    hi,
    I have created a new user in SU01 with the same roles, but when I try to access the Integration Builder with the new user I get the error:
    "authorization error, unknown user name or incorrect password"
    - Go to SU01, enter the username and check that the roles are in green color; if roles are not green, generate the roles using transaction PFCG.
    Generating Roles for SAP_XI and SAP_SLD
    Generate all roles beginning with SAP_XI and SAP_SLD:
    1. Call transaction PFCG.
    2. Choose Utilities → mass generation. Do the following:
    a. Field Role: Enter SAP_XI*
    b. Select Generate automatically
    c. Press <F8> and choose Generate online
    If there is a list of profiles displayed, which are not yet generated, repeat the
    procedure by pressing <F8>.
    d. Repeat the steps for roles SAP_SLD*
    3. Choose Utilities → mass comparison. Do the following:
    a. Field Role: Enter SAP_XI*
    b. Select Output error messages
    c. Choose Execute (F8).
    No error message should be displayed
    You can ignore the message that the role SAP_XI_CMS_SERV_USER does
    not have a profile.
    Regards,
    Venu.

  • NAC Profiler integration - can't add filter list on CAM

    Hi All,
    I have a problem regarding the Profiler - NAC integration for end point profiling.
    Here is the situation:
    I already created the integration based on the steps on the guide: Configuring Cisco NAC Appliance Integration. I think the configuration is correct because i can do database synchronization between Profiler and CAM. Here is the Profiler server log:
       NAC_SYNC: Task_Queue_Runner starting up
       NAC_SYNC: Profiler / NAC Synchronization END [add 0, upd 0, desc 0, rm 0]
       NAC_SYNC: Profiler / NAC Synchronization START
       INFO: [2010-12-15 11:01:09 (fcapGetHWAddr:49)]  Getting MAC for eth0
    I already created an endpoint profile named "Admin" which is based on IP address. I also created NAC events based on the endpoint profile "Admin".
    The NAC event is profiling "Admin" to a NAC role. The purpose of this event is to bypass NAC authentication for "Admin" so that "Admin" can connect to the network automatically in one NAC role.
    However, when "Admin" connects to the network, it is still challenged by NAC. I don't see "Admin" in the CAM filter list either.
    This means that the endpoint profiling still fails.
    Does anyone have any experience with this?
    Thank you for the support and comments
    Imad

    Hi,
    OK, so the Profiler will only add devices to the CAM filter list if a device falls into a profile for which a NAC event is configured.
    If there is no device in the profile -> no NAC event -> no device added to the CAM.
    Is there any device that was assigned to that profile?
    Regarding the Active Rule column, it is used to quickly ascertain which Endpoint Profiles on a system (if any) contain an Active Rule that will result in the Profiler system doing active collection if one or more NetInquiry Collector component modules are enabled. Active profiling rules and active profiling are described in detail in the "Configuration of Active Directory Data Rules" section: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_endpt_part231.html#wpxref59325.
    HTH,
    Tiago

  • Dynamics Connector Error CRM to NAV, no integration record within filter

    In working to connect CRM Account records to the NAV Contact Card as Companies, we are experiencing an inner exception error that there is no integration record within the filter. Searching for a solution has not turned up a solid answer or path to resolution.
    We are mapping basic data fields: address/city/state/zip/email/website/account name/account number/... The only required fields in NAV on the Contact Card are No and Name, which we populate. The Account record from CRM does get created in NAV on the Contact Card, BUT updates within those data fields will not take and we get these errors (#1 & #2) in sequence. Error #3 below comes from an attempt at updating a field's data to sync from CRM Account to NAV after receiving errors #1 & #2. It should be noted that we are trying to send the Account record to the Contact Card, then to the Customer Card. The Customer Card record is created without issue, but we believe error #3 may be fallout from exception error #1.
    1) WARNING TID:18 [2013-09-23T11:19:02.5269850-05:00]: [Account to NAV Contact Card] has encountered an error while processing key [[Test Company, 59057fb9-2cdb-e111-86eb-00155d006a06]]. Exception occurred in Microsoft Dynamics NAV
     --- Exception Dump ---
     Caught Exception: Exception occurred in Microsoft Dynamics NAV
     Stack trace:
       at Microsoft.Dynamics.Integration.Adapters.Nav2009.NavObjectProvider.WriteObject(Object value)
       at Microsoft.Dynamics.Integration.Service.MapThread.ProcessReads()
     Inner Exception: There is no Integration Record within the filter.
    Filters: Record ID: Contact: 88888
     Stack trace:
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Dynamics.Integration.Adapters.Nav2009.NavIntegrationHelper.InvokeUpdateMethod(Object& newobj, Boolean create, String integrationId, Boolean updateIntegrationId)
       at Microsoft.Dynamics.Integration.Adapters.Nav2009.NavIntegrationHelper.DoUpdate(Object newobj, Object obj, String integrationId, Boolean create, Boolean hasExistingLines)
       at Microsoft.Dynamics.Integration.Adapters.Nav2009.NavIntegrationHelper.DoWrite(Object newobj)
       at Microsoft.Dynamics.Integration.Adapters.Nav2009.NavObjectProvider.WriteDynamicObject(Object value)
       at Microsoft.Dynamics.Integration.Adapters.Nav2009.NavObjectProvider.WriteObject(Object value)
    2) [Account to NAV Contact Card] has encountered an error while processing key [[Test Company, 59057fb9-2cdb-e111-86eb-00155d006a06]]. The record already exists.
    3) [Account to NAV Contact Card] has encountered an error while processing key [[Test Company, 59057fb9-2cdb-e111-86eb-00155d006a06]]. Table Id 18 of a supplied key does not match Table Id 5050 of the page 5050  source table.
    Any direction to resolution would be much appreciated.
    Thanks,
    Troy

    May have isolated the cause to the Type field on the Contact Card in NAV not accepting a "Company" value as sent through the Connector. There are two values on the Contact Card for Type, Person/Company, where Person is accepted during send to create an Integration Record but Company is not (even using it as the designed default doesn't work).
    Has anyone experienced NAV not accepting the Type code of Company on the Contact Card through the Connector from CRM Accounts, which in turn stops the creation of an Integration Record for the Account?
    Any help or input would be very beneficial. Thanks.

  • Desktop Integration 11g - problem with Office 2007

    Hi
    I'm trying to install DI 11g (64-bit) on a computer with Windows 7 64-bit and Office 2007. The installation goes without problems, but in all Office programs the Oracle panel doesn't appear.
    When I went to the add-ins panel of any Office program I saw that Oracle Microsoft Office Integration appears but is deactivated. I tried to activate it but it gives the message: Not loaded. A runtime error occurred during the load of the COM add-in.
    I tried reinstalling several times (cleaning the registry in the process) and tried to set VSTO_SUPPRESSDISPLAYALERTS=0 (via command console) to try to see what the error behind the problem (the runtime error) is, but it didn't work.
    Has anyone encountered the same problem?
    Are there any requirements that I have to install before installing DI?
    Thanks for the attention
    Sérgio P.

    Hi
    1. OPEN any MS-Office WORD
    2. CLICK Office icon (top left corner)
    3. CLICK Word Options (bottom)
    4. NAVIGATE to Add-ins option
    5. SELECT " Disabled Items" in Manage drop down (bottom)
    6. CLICK GO
    7. SELECT Oracle UCM Microsoft Office Integration
    8. CLICK Enable
    9. CLICK OK & APPLY
    10. CLOSE Word document
    11. REOPEN MS-Office Word
    12. VERIFY Oracle UCM tab is available
    Thanks
    Srinath

  • SCD - Map integration 11g

    Hi all,
    I have a question about SCD on areas (polygons) on integrated maps in 11g.
    Let's say that a postal code area changes from one year to another.
    Is it possible to configure the maps/area to use the old area for previous years and another for the new area?
    Do you somehow add a query specification on the two themes in MapViewer?
    Regards,
    Hakan

    Hi all,
    Reposting below....
    Regards,
    Hakan

  • Authorization filter for search result list according to UI Guidelines

    Hi,
    Can anybody give me a hint where I can find the filters for displaying results in a search result list? I found the following information in chapter 17 of the UI Guidelines for SAP CRM:
    Search result lists
    One option for entries in a search result list is to show only objects for which the user executing the search has at least display authorization (in other words, the result list is filtered based on maintained authorizations).
    The other option is to also show objects for which the user does not have at least display authorization (in other words, the result list is not filtered based on maintained authorizations).
    But I don't know where I can set these filters.
    Best Regards
    Michael

    You should use BAdI CRM_BADI_RF_Q1O_SEARCH for BTX and BADI_CRM_BUPA_IL_SEARCH_EXT for BUPA search. There is one little problem with BUPA: the BAdI is not always called; the solution for this is here: Filtering account search
    Best regards,
    Artur Litvinov.
