OID Dynamic Groups and J2EE security roles
Hi
I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specifically not, but I can't seem to get it to work.
Thanks
Adam
Hi,
Let me know if you find the answer to your question.
thanks
Similar Messages
-
Using dynamic groups for j2ee security
Hi all,
I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute).
How do I configure my realm in my server.xml to get this working?
Hi,
I got an official answer from SUN.
"Dynamic Groups" are not supported (any longer) with SJS AS 7!
It will probably be supported with SJS AS 8 SE.
If you have an iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate. -
Authorization check for caller assignment to J2EE security role
Dear experts, in the default.trc logs of my Enterprise Portal NW2004s, this error appears:
#1.#0018714E4A14005E000027E1000057B8000441BB7EF2FC03#1198173451524#com.sap.engine.services.security.roles.SecurityRoleReference#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleReference#Guest#2126####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ : ] referencing J2EE security role [ : ].#5#ACCESS.ERROR#service.jms.default.authorization#administrators#SAP-J2EE-Engine#administrators#
#1.#0018714E4A14005E000027E5000057B8000441BB7F8BDC21#1198173461543#com.sap.engine.services.security.roles.SecurityRoleImpl#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#2127####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ :
Any idea about it?
Thanks friends
Hi Holger,
Thanks for the tip, it could be the case, I just checked and we are on Patch 0 for JEECOR as you can see here below:
sap.com/SAP-JEECOR 7.00 SP13 (1000.7.00.13.0.20070907082334) 20071028144036
sap.com/SAP-JEE 7.00 SP13 (1000.7.00.13.2.20071026143730) 20071203150628
Will inform some people internally to patch to at least 3 to check if it still occurs.
Anyway, thanks again.
Benjamin Houttuin -
Error :Authorization check for caller assignment to J2EE security role whil
Hi Experts,
I'm working as a portal resource.
After the deployment of the standard SAP e-Rec package
I'm getting some errors. I have assigned the Recruiter role to one test user.
Now I'm getting two issues:
1) All the services are appearing in the Detailed Navigation panel but not in the portal content area.
2) I'm able to see a few iViews for the test user, but those are also in the detailed navigation view.
And a few iViews are giving the following error:
i)Internal error
ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
/System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
Full Message Text
ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
Please suggest what can be done or what is pending from my side.
Prajakta2602 wrote:
Hi Experts,
>
> the previous issue got solved..
> it was due to a service pack mismatch and applying notes
> the Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required patching as per
> notes 1445294 and 1175239 were applied.
> now the issue is:
>
>
> After implementation and assigning the standard SAP roles
> 1)Recruiter Administrator
> 2)Recruiter
> to the test user,
> for a few iViews it is showing errors such as
> 1) you are not an authorized user
> 2) internal error
>
> please help experts.
>
> I'm working on the portal side; do I have to assign any role to that test user?
>
>
> Thanks & Regards,
> Prajakta
You can run a quick check using the below steps:
1. Check in the backend whether there are any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
Regards,
Mahesh -
We have deployed several SOAP services (Apache SOAP) on a WLS6.1
server. Since more and more services are being deployed,
people are getting worried about security. I was wondering what the
best solution was to do authentication and authorization on EJB and
method level for SOAP clients ? I was thinking about the following
solution: use the standard J2EE security by defining security
constraints in the ejb-jar.xml file. Therefore every client needs to
provide credentials to use the EJBs (this should work for both
RMI/IIOP and SOAP clients).
What are your ideas and opinions about this solution ?
If you post a reply please CC to [email protected]
Hi,
Let me know if you find the answer to your question.
thanks -
WLS Groups and JDeveloper Enterprise Roles
When there are roles (global, domain, etc.) in the WLS Console, they seem to not have any representation in JDeveloper. It seems that JDeveloper Enterprise Roles correspond to WLS Groups. When I add permissions in the jazn-data.xml, it is Groups that I have to grant to users in the WLS Console, not roles.
SecurityContext.getUserRoles() also returns a list of WLS Groups assigned to given user.
Is it some disarray in the terminology, or am I doing something wrong?
Hi,
The term "Enterprise Roles" matches WLS groups. Enterprise is a more generic synonym for user groups, as on different servers these may have different names. Note that getUserRoles() shows the enterprise roles and the application roles a user is a member of.
Frank -
Ticketadmin and Custom Security Role
A friendly hello to all readers!
I'm facing the following problem:
We want our customer to enter his tickets into the WebCRM. For this task I've created two new Security Roles ('GP User' and 'GP Key User'). The 'GP User' Role is working fine. Members of this Role just can enter tickets and watch the status.
Members of the Role 'GP Key User' are also part of the Role 'Licensed User'. These users are only allowed to work on the tickets and the knowledge base in the administration panel.
The problem now is that these special users can't change the status of a ticket and are not allowed to assign the ticket to another person. (But in batch operation they can!)
What can I do to enable the full functionality on admin/support/ticketadmin.aspx?
Hints:
- The user of role 'Key User' are not assigned to the internal account.
- Version: 2007.0.631.11
Thanks!
If you go to Admin > Definitions > Security Roles you can select a role to see what that role has access to. This role is in addition to the licensed user role and determines what will show up on the admin menu and what pages they can access directly.
You could either screenshot the Support Admin's list of permissions or run it directly on the sql db.
Even if a menu item is not listed, it would still be possible for the user to type in the direct url of a specific page for any pages they have access to. For example the permission for Web Page admin/support will allow that role to access any page in the support directory. To restrict, you might just give access to admin/support/tickets.aspx or other aspx pages directly.
Before Praxis was acquired by SAP we used to have a custom theme strictly for support that had links to 4 ticket related functions only. Might reduce some confusion.
James -
Creating New Security group and Refreshing Security Filters
Hi
I have created a new security group (and added people to it)
I have given this security group write access to certain dimension members within the planning application
I have refreshed the security filters via Planning_Manage Database_Security Filters
But the people in the new security group still don't have write access to the dimension members
If I look in EAS ... I can't see the new security group that I have created
Question 1
Do I need to refresh the security filters via EAS
If I do this ... I know that I need to make sure that no one is in the Essbase application
Do I also need to make sure that no one is within the relevant planning application?
Question 2
Is it enough to refresh the security filters (tick security filters), or do I need to tick database in the manage database options?
Question 3
Does anyone have any suggestions that I haven't mentioned above?
Thank you
PD
Hi John
Thanks for your suggestion
I tried this and he still doesn't have write access
He doesn't need to be able to lock and send values via Essbase ... However, when we are in Planning, he can't submit data to the dimension members mentioned above, i.e. the cells are all green
I have checked and double checked the security on the dimension members (and form security) in the form that he can't edit
Do you have any other suggestions?
Thank you
PD -
Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)
To the Universe Gurus out there:
I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
Background:
We have 11 tables that are to be restricted.
Each table is accessible to potentially 1..* groups of users only.
For eg SALES is accessible to ALL_SALES members only.
Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
For eg
1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
This same concept holds good for a number of jurisdictions (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible to the AK_SALES_ADMIN group only. No one else should be able to access them.
Results:
1) With the way I laid out the business rules above, I am ending up with 528 groups.
2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
Problems/Questions:
How can I restrict access to the new rows to one group only? I know that I can let a certain group only look at certain data, but how can I restrict it so that all others cannot look at the same?
AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority?
Am I even thinking of this the right way or is there a more noble way to do this?
Regards
the connectinit setting should look something like this:
declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
The vpd_setup procedure (in Oracle) should look like this:
CREATE OR REPLACE PROCEDURE vpd_setup (p_user VARCHAR) IS
BEGIN
  -- Store the BO login in the SESSION_VALUES application context. The context
  -- must have been created with CREATE CONTEXT session_values USING vpd_setup,
  -- because DBMS_SESSION.SET_CONTEXT may only be called from that trusted procedure.
  DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
END vpd_setup;
/
Then you can retrieve the value of the context variable in your vpd functions
and set the vpd. -
Jsp and jspx and scriplets - Hiding buttons based on J2EE security roles
Hello:
I have a scoped managed bean for security with methods isTechnician(), isUser() etc. In the JSP world, it was very easy to inspect these methods in the JSP via scriptlets and show/hide buttons/links etc. I am just curious. Or, is rendering via an EL expression the way to go?
(1) In the jspx world (SRList.jspx in my case), is there an easy way to inspect these managed bean methods and use scriplets to access them and show/hide buttons.
In the JSP world, I would have written something like
<% if (SecurityInfo.isTechnician()) { %>
<button>
<% } %>
There would be an import statement to have access to the SecurityInfo class in the JSP world. I know something is out there in the ADFBC/jspx world. Please advise. If you know of any URLs, please let me know.
(2) Is there a way to grant read/write access to individual pages in my app? I can hide/view buttons based on roles but can't grant update/view access to individual fields on my pages. I know I have to wait for JDEV 11 release to grant permissions via pagedef/iterator as is done in file based security.. Any other solution till then?
Thanks
hi useradfbc
about (1), you could try something like this
<af:commandButton text="my button for managers" rendered="#{userInfo.manager}"/>
(tip : You can use "Your Control Panel" to make your name visible in forum posts.)
success
Jan Vervecken -
Webcenter spaces user and group and WLS security realm
I want to configure external ORACLE DB,
I configured the security realm in WLS, and I can see the user and group list in the WLS page, but I can't find any of them in WebCenter Spaces,
and also can not login with those users.
I added a user with WLS, it works well.
do I need to do other configurations?
First you need to create an Administrator for this new identity store. The WebLogic user is not identified now because it's not mapped by the first authenticator. See Oracle WebCenter Admin Guide, section 28.4.1.1 Granting the WebCenter Spaces Administrator Role Using Fusion Middleware Control. Once you have done this step, do the same steps for the other application users. For this you have to give an Application role to the other users so that they can log in and use WebCenter Spaces. See Oracle WebCenter Admin Guide, Section 28.4.2.1 Granting Application Roles Using Fusion Middleware Control.
After doing above steps, restart WC_Spaces managed server. -
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
</assembly-descriptor>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicitly connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com
-
OAM 10g - obmygroups and nested dynamic groups
I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
The obmygroups will return static and dynamic group names for which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to return static groups with nested dynamic groups where the user is a member of the nested dynamic group.
Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
Thanks,
Matt
Return Attribute Action in authentication or authorization rules
obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria <ldap_url> filter specifies.
EX: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub?(group_type=role)" returns all the groups in the cn=Groups,dc=myorg,dc=com tree for which the logged-in user is a member and the group_type is role.
For more information check OAM Access Administration Guide -
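As an added example (not code from OID, OAM, Sun Portal Server or any product in these threads), the Python below resolves LDAP group membership through static uniqueMember groups and dynamic memberURL groups, including the nested-dynamic case the obmygroups post above reports as unresolved, and maps the resulting groups to J2EE role names as the first thread asks about. The in-memory DIRECTORY, the DNs, the sample memberURL and ROLE_MAP are constructed assumptions, and the filter parser handles only a small RFC 4515 subset.

```python
# Added example (not code from OID, OAM or any other product in these threads):
# expands LDAP group membership through static groups (uniqueMember) and dynamic
# groups (memberURL: an RFC 4516 URL carrying an RFC 4515 filter), including a
# dynamic group nested in a static group, then maps groups to J2EE role names.
# DIRECTORY, the DNs and ROLE_MAP are constructed sample data.
from urllib.parse import unquote
PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "cn=groups,dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"departmentNumber": ["sales"]},
    f"uid=bob,{PEOPLE}": {"departmentNumber": ["eng"]},
    # dynamic group: its members are whatever the memberURL search returns
    f"cn=sales_dynamic,{GROUPS}": {
        "memberURL": [f"ldap:///{PEOPLE}??sub?(departmentNumber=sales)"]},
    f"cn=eng_static,{GROUPS}": {"uniqueMember": [f"uid=bob,{PEOPLE}"]},
    # static group nesting one dynamic and one static group
    f"cn=all_staff,{GROUPS}": {
        "uniqueMember": [f"cn=sales_dynamic,{GROUPS}", f"cn=eng_static,{GROUPS}"]},
}
# hypothetical group -> J2EE security role mapping
ROLE_MAP = {f"cn=all_staff,{GROUPS}": "Employees", f"cn=sales_dynamic,{GROUPS}": "Sales"}

def _parse_filter(flt, i=0):
    """RFC 4515 subset: (attr=value), (attr=*), (&...), (|...), (!...)."""
    i += 1                                  # skip '('
    if flt[i] in "&|!":
        op, i, kids = flt[i], i + 1, []
        while flt[i] == "(":
            node, i = _parse_filter(flt, i)
            kids.append(node)
        return (op, kids), i + 1            # skip ')'
    j = flt.index(")", i)
    attr, _, val = flt[i:j].partition("=")
    return ("=", attr, val), j + 1

def _matches(attrs, node):
    if node[0] == "=":
        vals = [v.lower() for v in attrs.get(node[1], [])]
        return bool(vals) if node[2] == "*" else node[2].lower() in vals
    if node[0] == "!":
        return not _matches(attrs, node[1][0])
    return (all if node[0] == "&" else any)(_matches(attrs, k) for k in node[1])

def _in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if not dn.endswith("," + base):
        return dn == base and scope != "one"
    return scope == "sub" or (scope == "one" and "," not in dn[:-len(base) - 1])

def _dynamic_members(url):
    # memberURL form: ldap:///base?attrs?scope?filter (scope defaults to base)
    parts = url[len("ldap:///"):].split("?")
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    node, _ = _parse_filter(unquote(parts[3]) if len(parts) > 3 else "(objectClass=*)")
    return [dn for dn, a in DIRECTORY.items()
            if _in_scope(dn, unquote(parts[0]), scope) and _matches(a, node)]

def direct_members(group_dn):
    attrs = DIRECTORY[group_dn]
    dynamic = [m for url in attrs.get("memberURL", []) for m in _dynamic_members(url)]
    return attrs.get("uniqueMember", []) + dynamic

def is_member(user_dn, group_dn, follow_nested_dynamic=True, _seen=None):
    # follow_nested_dynamic=False reproduces the obmygroups behaviour described
    # above: a dynamic group nested inside a static group is not expanded.
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:                   # guard against group cycles
        return False
    _seen.add(group_dn)
    for m in direct_members(group_dn):
        if m.lower() == user_dn.lower():
            return True
        if m in DIRECTORY and (follow_nested_dynamic or "memberURL" not in DIRECTORY[m]):
            if is_member(user_dn, m, follow_nested_dynamic, _seen):
                return True
    return False

def groups_of(user_dn, follow_nested_dynamic=True):
    return sorted(g for g in DIRECTORY if is_member(user_dn, g, follow_nested_dynamic))

def roles_of(user_dn):
    return sorted({ROLE_MAP[g] for g in groups_of(user_dn) if g in ROLE_MAP})
```

With the sample data, alice resolves into the nested parent group only when nested dynamic groups are followed, which is exactly the difference the obmygroups post describes.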
Hello,
I have an Enterprise Portal 7.0 SP13 instance (only the Java stack installed). My environment is AIX 5.3 and Oracle 10.
This instance has a lot of security alerts in the default trace log, like this:
#1.5^H#C2B30000C03D006400000039000A9084000443246AFD6467#1199723599717#com.sap.engine.services.security.roles.SecurityRoleImpl##com.sap.engine.services.security.roles.SecurityRoleImpl#j2ee_admin#1208####41667d10bd3e11dccc51c2b30000c03d#SAPEngine_Application_Thread[impl:3]_5##0#0#Error#1#/System/Security/Audit/J2EE#Java###:Authorization check for caller assignment to J2EE security role [ : ].#3#ACCESS.ERROR#SAP-J2EE-Engine#guests#
Does anyone know what it is?
Regards
Rodrigo
I found the bug: in LDAP I've got a user also called OIDGroup1 (the same as the group's name).
-
How to get security roles in a JSF portlet
I need to get the LDAP user-roles available in the Sun Portal Server 7 in my JSF-168 portlet.
I've added the mapping file, updated the portlet.xml and web.xml, deployed the portlet (psconsole). But the portlet shows the "content not available" error with javax....title title.
I've probably messed up the descriptors, but I don't see what is wrong. Here they are:
roleMaps.properties
cn\=VSM.Administrator,dc\=neco,dc\=cz=Administrator
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4">
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>javax.faces.CONFIG_FILES</param-name>
<param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.validateXml</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.verifyObjects</param-name>
<param-value>false</param-value>
</context-param>
<filter>
<filter-name>UploadFilter</filter-name>
<filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
<init-param>
<description>
The maximum allowed upload size in bytes. If this is set
to a negative value, there is no maximum. The default
value is 1000000.
</description>
<param-name>maxSize</param-name>
<param-value>1000000</param-value>
</init-param>
<init-param>
<description>
The size (in bytes) of an uploaded file which, if it is
exceeded, will cause the file to be written directly to
disk instead of stored in memory. Files smaller than or
equal to this size will be stored in memory. The default
value is 4096.
</description>
<param-name>sizeThreshold</param-name>
<param-value>4096</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UploadFilter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>ExceptionHandlerServlet</servlet-name>
<servlet-class>com.sun.errorhandler.ExceptionHandler</servlet-class>
<init-param>
<param-name>errorHost</param-name>
<param-value>localhost</param-value>
</init-param>
<init-param>
<param-name>errorPort</param-name>
<param-value>25444</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>ThemeServlet</servlet-name>
<servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
</servlet>
<servlet>
<description>Generated By Sun Java Studio Creator</description>
<display-name>CreatorPortlet Wrapper</display-name>
<servlet-name>VSMPortal</servlet-name>
<servlet-class>org.apache.pluto.core.PortletServlet</servlet-class>
<init-param>
<param-name>portlet-class</param-name>
<param-value>com.sun.faces.portlet.FacesPortlet</param-value>
</init-param>
<init-param>
<param-name>portlet-guid</param-name>
<param-value>VSMPortal.VSMPortal</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>ExceptionHandlerServlet</servlet-name>
<url-pattern>/error/ExceptionHandler</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ThemeServlet</servlet-name>
<url-pattern>/theme/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>VSMPortal</servlet-name>
<url-pattern>/VSMPortal/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>faces/null</welcome-file>
</welcome-file-list>
<error-page>
<exception-type>javax.servlet.ServletException</exception-type>
<location>/error/ExceptionHandler</location>
</error-page>
<error-page>
<exception-type>java.io.IOException</exception-type>
<location>/error/ExceptionHandler</location>
</error-page>
<error-page>
<exception-type>javax.faces.FacesException</exception-type>
<location>/error/ExceptionHandler</location>
</error-page>
<error-page>
<exception-type>com.sun.rave.web.ui.appbase.ApplicationException</exception-type>
<location>/error/ExceptionHandler</location>
</error-page>
<jsp-config>
<jsp-property-group>
<url-pattern>*.jspf</url-pattern>
<is-xml>true</is-xml>
</jsp-property-group>
</jsp-config>
<security-role>
<role-name>Administrator</role-name>
</security-role>
</web-app>
portlet.xml
<?xml version='1.0' encoding='UTF-8' ?>
<portlet-app xmlns='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' version='1.0'>
<portlet>
<description>Created By Java Studio Creator</description>
<portlet-name>VSMPortal</portlet-name>
<display-name>VSMPortal Portlet</display-name>
<portlet-class>com.sun.faces.portlet.FacesPortlet</portlet-class>
<init-param>
<name>com.sun.faces.portlet.INIT_VIEW</name>
<value>/Uctarna.jsp</value>
</init-param>
<expiration-cache>0</expiration-cache>
<supports>
<mime-type>text/html</mime-type>
<portlet-mode>VIEW</portlet-mode>
</supports>
<supported-locale>en</supported-locale>
<portlet-info>
<title>VSMPortal</title>
<short-title>VSMPortal</short-title>
<keywords>Creator</keywords>
</portlet-info>
<security-role-ref>
<role-name>Administrator</role-name>
<role-link>Administrator</role-link>
</security-role-ref>
</portlet>
</portlet-app>
If I don't use the security-role and security-role-ref tags, the portlet works, and the isUserInRole method obviously doesn't.
Nobody uses the LDAP roles in a portlet? Does anybody know of another thread discussing a similar issue (I can't find anything)?