OIM Role assignment
Hi,
We have a requirement where in we have two roles
service desk role (This role should only be able to search for a user or search for a role, but should not be able to modify them)
org admin role(This role should only be able to create user but not modify or delete user)
In addition we have,
end-user role (this role should only be able to view his/her profile and request catalog but all others should be disabled)
Thanks.
chu
Ok
-Vamsi.
Similar Messages
-
Getting roles assigned to a user in OIM
We need to write a query to find what are the roles assigned to a particular user and when it has been assigned , is there any source where the OIM tables and their attributes have been explained? We were referring the UPA_GRP_MEMBERSHIP for getting the roles( referring UGP_KEY) and the user with (UPA_USR_KEY), is this correct or is there some other table which has the info?
Thanks for your reply...
To getting the roles of a user, what is the common attribute between USR and UPA_GRP_MEMBERSHIP table? Is it usr_key from usr table and upa_usr_key from UPA_GRP_MEMBERSHIP? if not, what are the differences between the two attributes and is there any other attribute to refer ? -
Role Assignment date is not reflected properly
Hi All,
I have OIM 11.1.1.5.0 version installed on my machine. In it, whenever I create a new user and assign some role to him, the role assignment date is coming as the date on which the role was created in OIM setup and not the day on which the role was assigned to the user. I think there's something wrong here. Can someone please help me with the same? Not understanding what to check or how to proceed.
Thanks,
$idHi Nishith,
I checked the values of the usg_create in the usg table as suggested by you. And surprisingly it has the correct value in it. 20-DEC which was today. However in the self service profile page of the same user in the My Roles tab, the Role Assignment date is shown as 09 November. Can you please help me with whatever is wrong here?
Thanks a lot,
$id -
Hi All,
I had created an access policy in OIM 11g to work for a role EndUser. Also I created a membership rule in design console to check that a custom attribute on Create User page called UserRole had the value of EndUser. I applied this rule as membership rule in the EndUser role so that the role would be auto assigned if I selected EndUser in UserRole attribute during create user phase. Also I assigned the access policy I had created to this role in Access Policies tab. After this, whenever I created user with UserRole attribute set to EndUser the role was auto assigned to the user as well as the access policy was invoked and it was working fine.
Then I enabled LDAP Sync today and to check it worked I disabled the access policy by changing the role assignment it had to some other role temporarily so that it wouldnt get invoked. After some time I reverted back to the old role in the access policy so that it would work as before. However now the access policy has stopped working. Also user role is not getting auto assigned. And to top this, I am not even able to assign role to any user I create later on manually. The error I get is:
An error occurred. The corresponding error code is IAM-0080062 Can someone please guide me to get the solution for this unacceptable error? I dont understand how I am unable to assign roles as well. If at all there was problem with access policy then only it should have stopped working. But not being able to assign roles manually is simply amazing. Please help.
Thanks,
$idHey you are right. The role I am trying to assign doesn't exist in the LDAP server. Actually this role exists in a new category I had created specifically for my case. I see that the Administrators and other default roles that come packaged with OIM are synced to the LDAP server automatically but these are not. Can you guide me as to how to achieve that? The server diagnostic logs also show the same error:
[2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010070] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Adding user membership failed because role EndUser is not synchronized to the LDAP directory
[2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Adding user membership failed because role EndUser is not synchronized to the LDAP directory
at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.grantRoleMembership(UserMembershipCreateLDAPHandler.java:216)
at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.execute(UserMembershipCreateLDAPHandler.java:107)
at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:670)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:540)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:675)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy348.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:380)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
[2012-07-30T15:15:07.651+05:30] [oim_server1] [ERROR] [IAM-3010003] [oracle.iam.ldapsync.impl.eventhandlers.membership] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [APP: oim#11.1.1.3.0] Failed to execute the handler.[[
oracle.iam.platform.kernel.EventFailedException: Adding user membership failed because role EndUser is not synchronized to the LDAP directory
at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.grantRoleMembership(UserMembershipCreateLDAPHandler.java:276)
at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.execute(UserMembershipCreateLDAPHandler.java:105)
at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:898)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:634)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:670)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeChildProcess(OrchestrationEngineImpl.java:751)
at oracle.iam.platform.kernel.impl.OrchProcessData.handleAdditionalChanges(OrchProcessData.java:540)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:802)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:675)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy348.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:380)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: oracle.iam.platform.kernel.EventFailedException: Adding user membership failed because role EndUser is not synchronized to the LDAP directory
at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.grantRoleMembership(UserMembershipCreateLDAPHandler.java:216)
at oracle.iam.ldapsync.impl.eventhandlers.membership.UserMembershipCreateLDAPHandler.execute(UserMembershipCreateLDAPHandler.java:107)
... 38 more
Thanks,
$id -
Need procedure for creation of BW Roles, Assigning Queries,Publishing Roles
Hi Experts,
Could you please let me know the procedure for creation of BW Roles, Assigning Queries,Publishing Roles in Business Explorer (BEx - BW 3.5)
Thanks in advance,
AndyHi,
Creating BW Roles
http://help.sap.com/saphelp_nw04/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
Assigning Queries
After creating the query, save the query to a role from the query designer.
Publishing Roles in Business Explorer
https://websmp101.sap-ag.de/~sapdownload/011000358700002894802003E/HowToBIPortal1.pdf
Hope this helps you..!
-Pradnya -
Background job fails for BDC profile creation and role assignment
Hi Experts,
I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. the problem is that when i run this program in foreground it executes succesfully, but if i schedule it in background it fails throwing error in job log 'Role 'Z...' does not contain any active authorizations'. But i have created one more program to create authorization objects which runs before this zprogram.I have also checked the authorization object in 'RSECADMIN', it reflects active. I dont understand whats happening exactly when it runs background.
Below is the process of job
1. ZMIS_AUTH_OBJECT_CREATE
Variant : auth-create
2. ZMIS_AUTH_ASSIGN_TO_ROLE
Variant : auth-assign
The problem is in second program, runs in foreground but fails in background.
Code which i have written in my second program
***BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
***Generation of Profile created
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14 .
Experts please help me out its very urgent. your help is appreciated and rewarded. Thanking you in advance.
Regards,
ChetanHi Praveen,
Yeah definately, my requirement is that I have to access of some BI reports to certain users, so contract data will be downlaoded from ECC on application server, need to read that file from application server and for the each contract i ahould create a authorization object, role creation and assigning of role to the user and profile generation and activation.
To achieve this i have written two programs
1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
"" Creation of Authorization Object
CALL FUNCTION 'ZAUTHOBJ'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
g_authname_001 = 'ZDUMMY_MIS'
g_targetauth_002 = wa_tab-auth
g_authtxt_003 = wa_tab-short_desc
g_authtxtmd_004 = wa_tab-med_desc
marked_04_005 = 'X'
g_authtxt_006 = wa_tab-short_desc
g_authtxtmd_007 = wa_tab-med_desc
tctiobjnm_04_008 = 'ZBUS_UNIT'
g_authtxt_009 = wa_tab-short_desc
g_authtxtmd_010 = wa_tab-med_desc
marked_05_011 = ''
opt_01_012 = 'EQ'
low_01_013 = wa_tab-bu
g_authtxt_014 = wa_tab-short_desc
g_authtxtmd_015 = wa_tab-med_desc
marked_04_016 = 'X'
g_authtxt_017 = wa_tab-short_desc
g_authtxtmd_018 = wa_tab-med_desc
tctiobjnm_04_019 = 'ZCONTRCT'
g_authtxt_020 = wa_tab-short_desc
g_authtxtmd_021 = wa_tab-med_desc
marked_05_022 = ''
opt_01_023 = 'EQ'
low_01_024 = lv_contract
g_authtxt_025 = wa_tab-short_desc
g_authtxtmd_026 = wa_tab-med_desc
g_authtxt_027 = wa_tab-short_desc
g_authtxtmd_028 = wa_tab-med_desc
g_authname_029 = wa_tab-auth
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
"" Creation of role
LOOP AT it_role INTO wa_role.
CLEAR wa_text.
wa_text-text = wa_role-desc.
wa_text-langu = 'E'.
APPEND wa_text TO it_text.
wa_jobrole-agr_name = wa_role-role_name.
wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
wa_method-usmethod = 'CHANGE'.
CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
EXPORTING
jobrole = wa_jobrole
parent = wa_parentrole
method = wa_method
TABLES
* RETURN =
shorttext = it_text
* LONGTEXT =
* MENU_NODES =
* MENU_TEXTS =.
ENDLOOP.
2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
""*BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message .
COMMIT WORK AND WAIT.
""*Generation of Profile created
LOOP AT it_role INTO wa_role.
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
ENDLOOP.
For creating authorization objects, role & profile i have created one dummy auth, dummy role & dummy profile respectively.
i have created dummy objects to copy the roles from dummy object and assign the same to new Auth obj, role & profile.
Let me know what needs to be done. because these both the programs run perfectly in foreground, but fails in background.
Regards,
Chetan -
Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services
To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields. When following that kind of link for folders, I either get:
<d:ListItemAllFields
m:null="true"
/>
or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
to a list!).
If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
/_api/Web/Lists/GetByTitle('Development')
If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
gives me:
<d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
So, in summary:
1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
path I should use to get the data I described above.Upon further research, I'll answer my own question for the benefit of some other potential future newbie. The answer to question number 1 above is "Not exactly.". The server relative URLs I was using corresponded to lists (which are
returned as a collection through /_api/web/lists). I was treating them mentally like regular folders. That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists. That was the other problem with thinking of these lists as regular folders. So, ListItemAllFields works on
all files and folders in a list. However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above. For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments. -
FPN - error trying to lookup object - remote role assignment not working
Hello everyone,
We have implemented a Federated Portal Network connection in our landscape between our portals.
We use only remote role assignment functionality.
Everything was working fine, but since 2 days we encounter the following error in the Default trace.
Error trying to lookup object: alias: <role name>
It is possible to open the producer portal in the Portal Content Administration and also searching for the Producer portal roles is possible in User administration. But when we assign the remote role the tab is not displayed in the portal only the above mentioned error is shown in the default trace. Our portals run SP 12 and BI Java SP14.
Is there a solution or workaround for this issue ?
MartinHi,
I have the same issue as you, I cannot see role tabs in Consumer portal and I get the same error in the defaulttrace as you.
What did you do to resolve this issue?
Many thanks
Gordon -
Report to see user type and roles assigned to users in EP?
Hi,
a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
b) If the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.By default Portal UME comes along with the installation of portal.
Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories. But you can also create users in the portal UME. The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
You can check them in user administration->identity management and search for the users.
THere you can see some users will be from UME and some from LDAP.
User Admin tool is nothing but User Administration only.
Raghu -
Mass Change for Indirect Role Assignment
Hi all,
I am in the process of changing the companys authorisations from a standard SU01 role assignment to a position based indirect role assignment.
At the moment I am using PFCG going to the Org Mg button under the User tab then attaching the position that way. Is there a way of assigning more than one role to a position at the same time?
Is there a Mass Assignment option in PFCG or is there a separate transaction available to make this process quicker??
Thanks for your help
Ianyou can mass-assign people and roles if you go to transaction PPOME instead of PFCG. to make role assignments from PPOME please apply note 578271 first. be careful whilst implementing this <insert nasty word here> note because some of those view-clusters tend to refuse to load your changes = you can see them, but they don't work - might be you will have to flush table buffers for the changes to take effect.
-
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.comBelow are the screen shots for PFCG:
-
How to get the list of roles assigned to a user in all the child systems
how to get the list of roles assigned to a user in all the child systems from CUA SYSTEM
Try transaction SUIM in your CUA system. Go to user, cross-system information, users by roles. If you run it wide open, you'll get all users and all roles assigned for all systems managed in your CUA.
Krysta -
Role info not appearing once role assignment request is submitted from UI
Hi Everyone,
We have a strange problem in our project in IDM 7.2 SP8 where IDM role concept is used which contains privileges (could be role/profile) of backend systems.
Usually when ever a role (i.e IDM role) assignment request is submitted from UI, the activity with the associated info (like user details, role details, audit ID) should be stored in MXI_LINK table from where the info will be fetched and used in next stages of the processing
Even though the information is getting available for most of the cases for all users but some times for few users once the role assignment request is initiated from UI there is no info is getting available in MXI_LINK table corresponding to this activity which is strange.
Because of this problem even though user submits role assignment request no role info getting passed to IDM, set to pending state for the user which is getting meaning of user not submitted any role assignment request at all.
Can any one suggest what are the things that gets involved between these two steps and any troubleshooting hints are highly appreciable.
Regards,
Venkata BavirisettyIs this a situation you recreate at will? In other words, is it always happening on the same users? If so, you could put a trace on that user's account then try to add the role and see what that trace log shows. Additionally, you could just follow the links in the chain of the various tasks that kick off when you do a role assignment and check each task / job's job log and see what that tells you. There's got to be an error somewhere along the way that's preventing this from executing properly.
-
Hi everyone,
I am trying to assign different roles to different users for GRC - Risk Management 10.0; however it seems like standard roles don't have any affect on type of activity. I have maintained various levels of roles (e.g. risk owner, risk expert, risk manager, etc) using PFCG and assigned almost every role to the users; but it doesn't give them the authorization to create or edit anything, they can only display.
The only workaround for this was assigning a role with the authorization object GRFN_USER (with 02 Change value enabled) or assigning SAP_GRC_FN_ALL (Power user role which also contains object GRFN_USER). However this would allow users to do "anything" they want which obviously isn't what I seek.
I have tried changing customization options such as Maintain Custom Agent Determination Rules and Maintain Entity Role Assignment, it hasn't solved anything so far.
I urgently require your assistance on this issue. Thank you.
Regards,
SeckinHi,
I 'm facing same kind of problem.
Case 1:
I tried with:
Assigning users to group (abap role) which didn't worked.
Assigning UME Role to group (abap role) which worked. Then i assigned the user to the UME Role, but the user is not getting the backend authorizations.
Assigning the portal role to the group (abap role), then when i assiged a user to the abap role from R/3 automatically the user is getting the portal role.
How can i do the same from portal?
Case2:
While distributing the portal roles to the ABAP system (System Administrator -> Permissions -> SAP Authorizations), the status is showing as "Role transfer compleated". but when i checked from the R/3 transaction WP3R, there are no portal roles.
Why are the portal roles not getting transfered even though the status is green?
Mr.Chowdary -
How to Disply the List of Roles assigned to a selected user ?
Hi all,
I have a specific requirement to develope using Webdynpro. I want to programically display the list of roles assigned to a selected user. Could some one help me . I promise to award points for the solution.
Thank you in advance
Regards
MarutiHi Maruti,
Iterator rit = null;
try
IWDClientUser clientUser = WDClientUser.getCurrentUser();
IUser user = clientUser.getSAPUser();
rit = user.getRoles(true);
IRoleFactory rfact = UMFactory.getRoleFactory();
while (rit.hasNext()) {
String roleName = (String) rit.next();
IRole role = rfact.getRole(roleName);
}catch(Exception e)
e.getLocalizedMessage();
check this thread too
/message/1565111#1565111 [original link is broken]
Regards, Suresh KB
Maybe you are looking for
-
What are the privledges for each level of the support communities
do i need to say more?
-
Automatic Pause (through program) and Manual Resume through front panel Button
Hi, I am trying to implement a system which measures voltage and current for a varying source voltage at varying temperature. The program acquires 5 pairs of voltage and current data. The issue here is that the source voltage is varied by manually ch
-
Hi, Is it possible to display a pie chart using BSP.The piechart want to viewable in internet (URL) Can anyone help me with step by step procedure.
-
PrintWriter outputStream = new PrintWriter(new FileWriter(filenameOut)); BufferedReader inputStream = new BufferedReader(new FileReader(filenameIn));I create a PrinterWriter like so, then I read a line of text from a text file using a BufferedReader
-
G5 dual 1.8 ghz ?
I'm thinking of purchasing a g5 dual 1.8ghz unit its not that expensive but I want to know the major draw backs between this unit and going with a new mac pro. I know the price difference but will I see a significant faster performance with the mac p