Oracle APM: Grant 'authenticated-role' a privilege to access a taskflow?

Hi
Using Oracle APM (Authorization Policy Manager), I need to grant the 'authenticated-role' a privilege to access a particular taskflow.
Usually one is able to search for a role and add it; however, the 'authenticated-role' does not turn up in the search. How do I add it?
If I create such a role, how will I be able to link it to the appropriate enterprise role using APM?
Thanks,
Rohit
Edited by: 909799 on May 29, 2012 3:04 AM

Hi there,
I am afraid you were referring to different documentation, for 11g.
Have a look at this: http://download.oracle.com/docs/cd/B28359_01/server.111/b28286/statements_9013.htm#i2155015
So, same behavior.
Hope this helps,
Regards,
Jozsef

Similar Messages

  • Strange behavior after granting a role associated to an access policy.

    Greetings.
    I am using OIM 11.1.1.3 and also the DBUM Adapter 9.1.0.4.
    I defined 3 roles in OIM; after that I defined three access policies with the purpose of provisioning roles at a database.
    Every policy is associated to a role and a DBUM resource.
    At the end I have the following policies:
    Policy Name - OIM Role - Database Role
    1. Policy Role A - Role A - DBRoleA
    2. Policy Role B - Role B - DBRoleB
    3. Policy Role B - Role C - DBRoleC
    When a role is granted to an OIM user using the Administration Console, the correct database role is provisioned at the specified database. But if I revoke a role from the user and grant the same role again, the specified role is not provisioned to the specified database.
    Example: a user has "Role A", "Role B", "Role C"; at the database the user has DBRoleA, DBRoleB, DBRoleC.
    After revoking "Role A" from the user, the database has the correct roles DBRoleB and DBRoleC.
    But if "Role A" is granted again to the user, DBRoleA is not provisioned at the database.
    I enabled the DBUM log file and it looks like the wrong role was chosen, and DBRoleB is the database role to be provisioned, because we see this in the log file when "Role A" is granted to the user:
    [WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Form Value2011-11-04
    [2011-11-04T11:37:14.392-05:00] [WLS_OIM1] [TRACE] [] [OIMCP.DBUM] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JDjSF5i9h^5prOt1iY1EgfQX0000lD,0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: oim#11.1.1.3.0] [dcid: 4506c477d760fc7e:26c2d53a:1336a1dbc64:-7ffd-0000000000000d45] [SRC_METHOD: debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager : getChildFormData : Child form data map received:- {UD_DB_ORA_R_VERSION=0, UD_DB_ORA_R_KEY=3180, UD_DB_ORA_R_UPDATE=2011-11-04, UD_DB_ORA_R_CREATE=2011-11-04, Process Instance.Key=5916, UD_DB_ORA_R_UPDATEBY=6, UD_DB_ORA_R_ROLE=102~DBRoleB, Access Policies.Key=183, UD_DB_ORA_R_CREATEBY=6}
    The question is: has somebody experienced the same issue?
    Is there another way to provision database roles after granting OIM roles?
    Thanks!
    Ramiro Ortíz

    Finally we opened a Service Request to solve this issue, and it was a bug, "OIM SENDING WRONG ENTITLEMENT NAME TO TARGET DURING ADD ENTITLEMENT OPERATION", and Oracle generated patch 13499465 for the DBUM connector. Oracle had to provide us a new Readme to apply this patch because it wasn't well explained. So far the patch seems to work; we are doing some tests now to be sure that the issue is solved. I just want to share that with the OIM community.
    Ramiro Ortiz

  • 401 Unauthorized Error when accessing a task from REST API which contains Role or Privilege in Access Control definition

    Hi Team,
    As of IDM 7.2 SP8 patch 2, when we use an Enterprise Role or Privilege in the access control definition of a task, accessing this task from UI5 (i.e. the REST API) gives an unauthorized error even though the user already has the required role or privilege.
    But the task works fine if we use a fixed user ID or leave the allowed users field blank.
    Attached are the current access control definition of the task we configured and the error message info for reference.
    Regards,
    Venkata Bavirisetty

    Hi Ralitsa,
    Thanks for your response and sorry for late reply.
    The XXXX in the role is not used as a wildcard; the name itself is in that format. I searched for the role and then selected it from the search list.
    Let me know if you need any clarifications.
    Regards,
    Venkata Bavirisetty

  • Role and privilege used by JDBC

    Is there any required role and privilege used by JDBC?
    I use Oracle JDBC 9203 to connect to Oracle 8163; when executing certain code, the JDBC driver raises an exception as below:
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:179)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:269)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.initCollElemTypeName(OracleTypeCOLLECTION.java:1026)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.getAttributeType(OracleTypeCOLLECTION.java:1056)
         at oracle.jdbc.oracore.OracleNamedType.getFullName(OracleNamedType.java:110)
         at oracle.jdbc.oracore.OracleTypeADT.createStructDescriptor(OracleTypeADT.java:2262)
         at oracle.jdbc.oracore.OracleTypeADT.unpickle81(OracleTypeADT.java:1656)
         at oracle.jdbc.oracore.OracleTypeUPT.unpickle81UPT(OracleTypeUPT.java:466)
         at oracle.jdbc.oracore.OracleTypeUPT.unpickle81rec(OracleTypeUPT.java:416)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody_elems(OracleTypeCOLLECTION.java:979)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody(OracleTypeCOLLECTION.java:923)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81(OracleTypeCOLLECTION.java:743)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION._unlinearize(OracleTypeCOLLECTION.java:242)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unlinearize(OracleTypeCOLLECTION.java:208)
         at oracle.sql.ArrayDescriptor.toJavaArray(ArrayDescriptor.java:963)
    I decompiled "OracleTypeCOLLECTION.class"; in the function "initCollElemTypeName" I see a SQL statement "select elem_type_name, elem_type_owner from all_coll_types where ....", and this SQL raises the error.
    Since all_coll_types is a system view of Oracle, I think the user connecting to Oracle must have some role and privilege. It has the CONNECT role and EXECUTE privileges on some user-defined packages; is there any other role or privilege it needs? I don't like to grant the DBA role to it for security reasons.
    Many thanks for your reply.

    Can you post the code (Java and PL/SQL) that is being executed when this error is thrown? You don't need any particular privilege to execute PL/SQL via JDBC, just the privileges you'd need to execute it in SQL*Plus or anywhere else.
    Justin
    Distributed Database Consulting, Inc.
    www.ddbcinc.com/askDDBC

  • Privileges granted to roles sometimes are not effective(not functioning)?

    Hello,
    I have experienced a situation where roles were granted and privileges were granted to the roles. The roles were then granted to certain users. But when these users try to perform DML/DDL, they get insufficient privileges even though these users were granted the roles which do contain the correct privileges. Why are some privileges not functioning when they are granted to the roles? To resolve this, direct grants were granted to the users. But why aren't they working through the roles? Thank you.

    Hi watson2000,
    Can you send the scripts of what you have performed?
    I have not faced any problem with granting privileges and roles.
    If you provide some more information on what you have done, we can help you out.
    Thanks
    Pavan Kumar N

  • Oracle recommends that you revoke EXECUTE privileges on powerful packages from PUBLIC

    I got an error on the home page of Enterprise Manager and read that I should run the code below to correct the problem, but when I click on the link at the bottom of EM to go to iSQL*Plus and choose to connect as SYSDBA, I get a popup asking me to input a password for my computer. I tried my local computer username and password, my network username and password and even my database username and password, and none of them lets me in. I can log in as Normal, but then I do not have rights to execute the command.
    revoke execute on utl_file from public;
    I know I have my computer username and password correct because I had to enter it to shut down the database yesterday.
    I also had a problem with my listener not knowing the SID, but the error has since gone away; I do have an error on my listener saying
    Disk Utilization for 0 C: is 151.45%
    Edited by: jamesH2 on Aug 29, 2008 9:20 AM

    Hi James,
    Where did you see that Oracle recommends that? If you are referring to the DB Console recommendations, please take a look at this note also: Note:343620.1
    "If you revoke any privilege from PUBLIC it becomes your own responsibility to ascertain that all your applications will keep working. The same goal can often be accomplished by replacing the privileges formerly granted to PUBLIC with grants to some individual users or roles."
    Please take a look at this Metalink Note: 247093.1 Be Cautious When Revoking Privileges Granted to PUBLIC
    Regards,
    Francisco Munoz Alvarez
    www.oraclenz.com
    Edited by: F. Munoz Alvarez on Aug 30, 2008 1:31 AM
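The note quoted in the reply above says to find out who relies on a PUBLIC grant before revoking it; the script below is an added example (not from the thread, and not Oracle's own procedure) of doing exactly that for UTL_FILE. It is SQL*Plus run as SYSDBA (on the server, `sqlplus / as sysdba` from an OS account in the DBA group, ORA_DBA on Windows, is the usual way in when EM's iSQL*Plus SYSDBA login is not working). The schema HR and the role APP_FILE_IO are assumed names.

```sql
-- Added example, not from the thread: what to check before and after
-- revoking EXECUTE on UTL_FILE from PUBLIC.  Run as SYSDBA.
-- HR and APP_FILE_IO are assumed names.

-- 1. What PUBLIC currently holds on the packages that are usually flagged.
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_LOB')
ORDER  BY table_name;

-- 2. Who depends on UTL_FILE.  Every row here goes INVALID the moment the
--    PUBLIC grant disappears, so each owner needs its own grant first.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'UTL_FILE'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, name;

-- 3. Give the real consumers an explicit grant.  Stored code must get it
--    directly on its owning schema: a definer's rights package cannot use a
--    privilege it only holds through a role.  A role is fine for people who
--    call UTL_FILE interactively.
GRANT EXECUTE ON sys.utl_file TO hr;           -- one per schema from step 2
CREATE ROLE app_file_io;
GRANT EXECUTE ON sys.utl_file TO app_file_io;  -- for interactive users, if any

-- 4. Only now remove the blanket grant.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;

-- 5. Recompile the affected schemas and confirm nothing stayed invalid.
EXEC DBMS_UTILITY.compile_schema('HR', FALSE);
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;

-- 6. Evidence trail: the grant is gone from PUBLIC and present on HR.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'UTL_FILE'
ORDER  BY grantee;
```

Step 2 is the one that prevents an outage: anything it lists, including Oracle-supplied schemas, will stop compiling after step 4 unless it received a direct grant in step 3. Keep the output of steps 1 and 6 with the change record so the before and after state of the grant is auditable.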

  • I want to know the role's privileges

    I want to select all ROLES's privileges.

    Hi,
    The DBA_SYS_PRIVS dictionary view describes system privileges granted to users and roles. For more information, take a look at the documentation: http://tahiti.oracle.com
    SQL> select privilege from dba_sys_privs where grantee = 'CONNECT';
    PRIVILEGE
    CREATE VIEW
    CREATE TABLE
    ALTER SESSION
    CREATE CLUSTER
    CREATE SESSION
    CREATE SYNONYM
    CREATE SEQUENCE
    CREATE DATABASE LINK
    Cheers
    Legatti

  • Roles/System privileges/Object privileges

    Oracle 10g. We created a role and assigned this role to the user. We also assigned some system privileges and object privileges directly to the same user. Now the company's new policy is that the user's permissions have to be assigned only via a role; system privileges and object privileges cannot be assigned directly to the user. So I have to alter the role. The steps are:
    1. Grant the system privileges and object privileges to the role (this will be executed as a script). These privileges were directly assigned to the user.
    2. Revoke all privileges which were directly assigned to the user.
    Do I miss anything?
    Please advise.
    Thanks
    S.

    Regarding "Object privileges cannot be assigned directly to the user": privileges acquired via a ROLE do not apply within PL/SQL procedures.
    You may face some coding challenges in the future due to this policy.
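The reply above is the reason a "roles only" policy breaks stored code, and it is worth seeing rather than reading. The SQL*Plus script below is an added example (not from the thread) that shows the same role-granted SELECT working in plain SQL and in an anonymous block, failing inside a definer's rights procedure, and working again under invoker's rights. Assumed names: schema YBP with table YBP.DDA_STATUS_CODES, role RETROMAN_USERS carrying SELECT on it, and a developer account DEV1 that holds the role but no direct grant.

```sql
-- Added example, not from the thread.  Assumed names: YBP.DDA_STATUS_CODES,
-- role RETROMAN_USERS with SELECT on it, account DEV1 holding only the role.
SET SERVEROUTPUT ON

-- As a DBA:
GRANT SELECT ON ybp.dda_status_codes TO retroman_users;
GRANT retroman_users TO dev1;

-- As DEV1: the role works for a plain SQL statement ...
SELECT COUNT(*) FROM ybp.dda_status_codes;

-- ... and for an anonymous block, which runs with the caller's enabled roles:
BEGIN
  FOR r IN (SELECT COUNT(*) AS n FROM ybp.dda_status_codes) LOOP
    DBMS_OUTPUT.put_line('rows: ' || r.n);
  END LOOP;
END;
/

-- ... but not inside a stored definer's rights unit.  Roles are disabled
-- while it compiles and while it runs, so this fails at compile time with
-- PL/SQL: ORA-00942: table or view does not exist
CREATE OR REPLACE PROCEDURE count_codes_dr AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM ybp.dda_status_codes;
  DBMS_OUTPUT.put_line('rows: ' || n);
END;
/
SHOW ERRORS

-- Proof from inside a definer's rights unit: SESSION_ROLES is empty there,
-- even though the same query from the SQL prompt lists RETROMAN_USERS.
CREATE OR REPLACE PROCEDURE show_roles_dr AS
BEGIN
  FOR r IN (SELECT role FROM session_roles) LOOP
    DBMS_OUTPUT.put_line('enabled: ' || r.role);
  END LOOP;
  DBMS_OUTPUT.put_line('(end of SESSION_ROLES)');
END;
/
EXEC show_roles_dr;   -- prints only the end marker

-- Fix 1 (the one the policy forbids): a direct grant to the owner of the code.
--   GRANT SELECT ON ybp.dda_status_codes TO dev1;

-- Fix 2: invoker's rights.  The caller's roles are honoured at run time, so
-- the unit is only as powerful as whoever calls it.  Dynamic SQL keeps the
-- table reference out of compile-time name resolution.
CREATE OR REPLACE PROCEDURE count_codes_ir AUTHID CURRENT_USER AS
  n NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ybp.dda_status_codes' INTO n;
  DBMS_OUTPUT.put_line('rows: ' || n);
END;
/
EXEC count_codes_ir;  -- works for DEV1 via RETROMAN_USERS; ORA-00942 for a caller without it
```

The security trade-off between the two fixes is the usual one: a direct grant makes the procedure's access fixed and reviewable in DBA_TAB_PRIVS, while AUTHID CURRENT_USER makes it depend on whoever calls it, which is what you want for a utility that must never read more than its caller could. Note that an invoker's rights unit called from a definer's rights unit inherits the latter's disabled roles, so the trick in Fix 2 only helps at the top of the call chain.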

  • Database Vault Owner Grant Any Role Permission

    So I just noticed that the role DV_OWNER has the system privilege GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not, I would like to remove it. We would prefer the Database Vault owner person to not have any permissions except for logging into the Database Vault console to modify realms and rules and such, as well as looking at audit logs. The DV_OWNER role also has the ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges, which I would like to remove as well. Anybody have any opinions on this?
    Oracle EE 11.2.0.2 on Windows 2008 R2
    Thanks.

    SYSDBA can issue powerful statements such as CREATE USER, DROP USER, ALTER USER, CREATE PROFILE and so on only if it is allowed to by modifying the Can Maintain Accounts/Profiles rule set.
    You can also log in with the DVSYS account, but that account is locked after installation, so unlock it with the
    alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault: DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
    Following can help you
    SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
    SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
    Regards
    Karan

  • Sql to show all roles object privileges owned by a specific schema

    maybe this is simple but i'm just not getting it...
    i need sql to show me all of the distinct roles that have privileges granted against objects in a specific schema.
    thanks in advance.

    Feel free to modify the script to reduce the rows to only what you need.
    In terms of Oracle users, roles and privileges, it is just that complicated. Internally, a user and role exist in the same structure (user$). And privileges can be granted to users or roles. Roles can be granted to users and other roles. This means that a privilege (object or system) may have been granted to a user multiple times. USER1 can have 'SELECT' on 'TABLEA' that has been granted directly or via ROLE1, ROLE2 and ROLE3 (since ROLE1 is granted to ROLE3).
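The reply above explains why the question is harder than it looks: roles nest, so the same object privilege can reach a user through several paths. The queries below are an added example (not the script the reply refers to, and not from the thread) that answer the question as asked, then walk the role graph in both directions. They also cover the earlier "I want to know the role's privileges" question, since a role's effective privileges are the privileges of every role nested under it. Schema name YBP and role name RETROMAN_USERS are assumed; run as a DBA.

```sql
-- Added example, not from the thread.  YBP and RETROMAN_USERS are assumed
-- names; run as a DBA.  CONNECT BY is used (not recursive WITH) so the
-- queries also run on 10g/11gR1.

-- 1. Distinct roles with a privilege on any object owned by YBP.
--    ROLE_TAB_PRIVS only covers roles the querying user holds, which is why
--    it can show "no rows" for SYS; DBA_TAB_PRIVS has no such restriction.
SELECT DISTINCT p.grantee AS role_name
FROM   dba_tab_privs p
JOIN   dba_roles r ON r.role = p.grantee
WHERE  p.owner = 'YBP'
ORDER  BY role_name;

-- 2. The same with detail.  GRANTABLE = YES deserves a second look: the
--    role's holders may then re-grant the privilege to anyone.
SELECT p.grantee AS role_name, p.table_name, p.privilege, p.grantable
FROM   dba_tab_privs p
JOIN   dba_roles r ON r.role = p.grantee
WHERE  p.owner = 'YBP'
ORDER  BY 1, 2, 3;

-- 3. Walk UP the role graph: from each role in step 1 to whoever was granted
--    it, then whoever was granted that, and so on.  Users and roles both
--    appear as GRANTEE in DBA_ROLE_PRIVS, so this is every principal that
--    can reach YBP through roles, with the number of hops.
SELECT DISTINCT
       CONNECT_BY_ROOT rp.granted_role AS privileged_role,
       rp.grantee                      AS reaches,
       NVL((SELECT 'ROLE' FROM dba_roles x WHERE x.role = rp.grantee), 'USER')
                                       AS grantee_type,
       LEVEL                           AS hops
FROM   dba_role_privs rp
START WITH rp.granted_role IN (
           SELECT p.grantee
           FROM   dba_tab_privs p
           JOIN   dba_roles r ON r.role = p.grantee
           WHERE  p.owner = 'YBP')
CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
ORDER  BY privileged_role, hops, reaches;

-- 4. Walk DOWN from one role: everything it carries, direct or inherited,
--    as a flat list of system and object privileges with the role they
--    actually come from.
WITH nested AS (
  SELECT DISTINCT rp.granted_role AS role_name
  FROM   dba_role_privs rp
  START WITH rp.grantee = 'RETROMAN_USERS'
  CONNECT BY NOCYCLE PRIOR rp.granted_role = rp.grantee
  UNION
  SELECT 'RETROMAN_USERS' FROM dual
)
SELECT n.role_name AS via_role, 'SYSTEM' AS kind, sp.privilege AS detail
FROM   nested n
JOIN   dba_sys_privs sp ON sp.grantee = n.role_name
UNION ALL
SELECT n.role_name, 'OBJECT', tp.owner || '.' || tp.table_name || ' ' || tp.privilege
FROM   nested n
JOIN   dba_tab_privs tp ON tp.grantee = n.role_name
ORDER  BY 2, 1, 3;
```

Query 3 is the access review: if a user shows up with several hops, the privilege reaches them through a role they were never directly given, and revoking the obvious grant will not remove it. Query 4 is what to run before handing a role to a new population, because a harmless-looking role can inherit ANY system privileges from a role nested inside it.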

  • Select Granted By Role Doesn't Work

    Oracle 11.1.0.7.0 running on AIX
    This is crazy I don't know why it is happening or even how it is happening but when I grant a role to a user they still cannot select from the granted tables & views.
    CREATE ROLE RETROMAN_USERS NOT IDENTIFIED;
    GRANT SELECT ON YBP.DDA_STATUS_CODES TO RETROMAN_USERS;
    GRANT SELECT ON YBP.DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS;
    GRANT SELECT ON YBP.V_DDA_STATUS_CODES TO RETROMAN_USERS;
    GRANT SELECT ON YBP.V_DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS;
    GRANT RETROMAN_USERS TO SABEL WITH ADMIN OPTION;
    GRANT RETROMAN_USERS TO CKING;
    GRANT RETROMAN_USERS TO FCROWELL;
    GRANT RETROMAN_USERS TO HCAMPBELL;
    GRANT RETROMAN_USERS TO LJOHNSON;
    GRANT RETROMAN_USERS TO RWILLIAMS;
    GRANT RETROMAN_USERS TO LMONTCALM;
    When I try to Select * from ybp.Demand_Driven_Activity as hcampbell I get a "table or view does not exist" error, whereas other users can get results using the same query. Any ideas? I am completely out of them. I am not a DBA and our company doesn't employ a DBA - scary, huh? Any help would be greatly appreciated.
    Scott

    OK, the user cannot select from the table...
    $ sqlplus hcampbell@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:51:33 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> select * from ybp.demand_driven_activity;
    select * from ybp.demand_driven_activity
    ERROR at line 1:
    ORA-00942: table or view does not exist
    -----
    Let's grant the role and verify that the role is assigned and what privileges it has.
    oracle@qa:/home/oracle
    $ sqlplus sabel@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:53:21 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> grant retroman_users to hcampbell;
    Grant succeeded.
    SQL> select * from DBA_ROLE_PRIVS where grantee = 'HCAMPBELL';
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    HCAMPBELL                      YBPREGUSER                     NO  YES
    HCAMPBELL                      OOPS                           NO  YES
    HCAMPBELL                      YBPENDUSER                     NO  YES
    HCAMPBELL                      RETROMAN_USERS                 NO  NO
    -----
    The role does exist (I think) and has the following permissions
    SQL> set linesize 132
    SQL> Select * from role_tab_privs Where   role = 'RETROMAN_USERS';
    ROLE                           OWNER                          TABLE_NAME                     COLUMN_NAME
    PRIVILEGE                                GRA
    RETROMAN_USERS                 YBP                            DEMAND_DRIVEN_ACTIVITY
    SELECT                                   NO
    RETROMAN_USERS                 YBP                            V_DEMAND_DRIVEN_ACTIVITY
    SELECT                                   NO
    RETROMAN_USERS                 YBP                            DDA_STATUS_CODES
    SELECT                                   NO
    ROLE                           OWNER                          TABLE_NAME                     COLUMN_NAME
    PRIVILEGE                                GRA
    RETROMAN_USERS                 YBP                            V_DDA_STATUS_CODES
    SELECT                                   NO
    SQL> exit
    Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    -----
    sys can't see the role though - but that may be normal...
    $ sqlplus sys@devorcl as sysdba
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:30:34 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> Select * from role_tab_privs Where   role = 'RETROMAN_USERS';
    no rows selected
    -----
    The user still cannot select from the table
    $ sqlplus hcampbell@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:39:46 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> select * from ybp.demand_driven_activity;
    select * from ybp.demand_driven_activity
    ERROR at line 1:
    ORA-00942: table or view does not exist
    -----
    let's try to make it a default role....
    $ sqlplus sabel@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:42:59 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSER, retroman_users;
    User altered.
    SQL> exit
    -----
    after the user logs out and then back on, now user can access the table.
    oracle@qa:/home/oracle
    $ sqlplus hcampbell@devorcl
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:47:57 2012
    Copyright (c) 1982, 2008, Oracle.  All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> Select Count(1) from ybp.demand_driven_activity;
      COUNT(1)
        161295
    If I remove retroman_users from the default roles I can still access the table until I log out and then back in, so it must have something to do with default roles. I don't know why I didn't see this before, but the other users that were granted the retroman_users role and could access the table had their default role set to ALL. Sorry, I didn't give you all the information that you needed to help me; this might have helped:
    CREATE USER HCAMPBELL
      IDENTIFIED BY h
      DEFAULT TABLESPACE DATASMALL
      TEMPORARY TABLESPACE TEMP
      PROFILE DEFAULT
      ACCOUNT UNLOCK;
      -- 4 Roles for HCAMPBELL
      GRANT YBPREGUSER TO HCAMPBELL;
      GRANT OOPS TO HCAMPBELL;
      GRANT YBPENDUSER TO HCAMPBELL;
      GRANT RETROMAN_USERS TO HCAMPBELL;
      ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSER;
    I guess I need to read more about Default Roles. Sorry for my belligerent responses.
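The post above found the cause by trial and error: the explicit DEFAULT ROLE list set at user creation did not include the role granted later, so DBA_ROLE_PRIVS showed DEF = NO and the role was never enabled at logon. The script below is an added example (not from the thread) of the check that pinpoints this in one query, the database-wide audit for the same condition, and the two ways to fix it. HCAMPBELL and RETROMAN_USERS are the names from the post; ADMIN_ROLE is an assumed role already granted to the user.

```sql
-- Added example, not from the thread.  HCAMPBELL / RETROMAN_USERS are the
-- names from the post; ADMIN_ROLE is an assumed role already granted.

-- 1. Granted?  Default?  DEFAULT_ROLE = NO is the symptom: the grant exists
--    but the role is not enabled when the user logs on.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'HCAMPBELL'
ORDER  BY granted_role;

-- 2. From the user's own session: what is enabled right now?  A granted
--    role missing here is exactly what yields ORA-00942 on the table, since
--    a table the session cannot see "does not exist" as far as it is told.
SELECT role FROM session_roles;

-- 3. Audit across the database: every user holding a role that does not
--    take effect at logon.  These grants look fine on paper but give
--    nothing until someone runs SET ROLE or changes the default list.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
JOIN   dba_users u ON u.username = rp.grantee
WHERE  rp.default_role = 'NO'
ORDER  BY rp.grantee, rp.granted_role;

-- 4a. Immediate fix inside the affected session, no logout needed.  SET ROLE
--     replaces the enabled set, so list every role the session should keep.
SET ROLE ybpreguser, oops, ybpenduser, retroman_users;

-- 4b. Permanent fix.  ALL covers current and future grants, so the next
--     GRANT ... TO hcampbell is enabled at the next logon without another
--     ALTER USER.  An explicit list, as in the post, silently excludes any
--     role granted later.
ALTER USER hcampbell DEFAULT ROLE ALL;

-- 4c. Same, but keep a sensitive role opt-in: it stays granted and can be
--     enabled on demand with SET ROLE (and its password, if it has one)
--     without being active in every routine session.
ALTER USER hcampbell DEFAULT ROLE ALL EXCEPT admin_role;

-- 5. Confirm: DEFAULT_ROLE now reads YES for RETROMAN_USERS.  The user must
--    log off and on again for the change to take effect.
SELECT granted_role, default_role
FROM   dba_role_privs
WHERE  grantee = 'HCAMPBELL';
```

Step 3 is worth running periodically: a role that is granted but never enabled is the same access-review problem in reverse, a grant that auditors will count as effective but that the user cannot actually exercise, and it usually means somebody is about to be given a direct grant "to make it work".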

  • Mapping a user's role and privilege to another

    Hi all,
    Is there a command/way to map the role and privileges of a current user to a new user? I am new to oracle, I did read through the online docs but was not able to figure it out.
    Thank you very much!

    Check this link; it would help. Check the part where they are copying roles and grants for the users using dbms_metadata. You can limit this to the one user you want by adding an additional where clause like "where username = <username>".
    Copying Oracle Users
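The reply above points at the DBMS_METADATA approach without showing it. The SQL*Plus script below is an added example (not from the thread or the linked page) that pulls one user's role grants, system privileges, object privileges and default-role setting as DDL, rewrites the grantee, and spools the result to a file for review before it is run. SRC_USER and NEW_USER are placeholders; run as a DBA.

```sql
-- Added example, not from the thread.  SRC_USER and NEW_USER are placeholders.
SET SERVEROUTPUT ON SIZE UNLIMITED
SET LONG 1000000 LINESIZE 250 TRIMSPOOL ON
SPOOL grants_for_new_user.sql
DECLARE
  src   CONSTANT VARCHAR2(30) := 'SRC_USER';   -- placeholder: user to copy from
  dst   CONSTANT VARCHAR2(30) := 'NEW_USER';   -- placeholder: user to copy to
  ddl   CLOB;
  pos   PLS_INTEGER;
  nl    PLS_INTEGER;
  TYPE t_kinds IS TABLE OF VARCHAR2(30);
  -- The four grant types that make up a user's "privileges": roles, system
  -- privileges, object privileges, and which of the roles are default.
  kinds CONSTANT t_kinds :=
        t_kinds('ROLE_GRANT', 'SYSTEM_GRANT', 'OBJECT_GRANT', 'DEFAULT_ROLE');
BEGIN
  -- Terminate each statement with ';' so the spool file runs as-is.
  DBMS_METADATA.set_transform_param(DBMS_METADATA.session_transform,
                                    'SQLTERMINATOR', TRUE);
  FOR i IN 1 .. kinds.COUNT LOOP
    BEGIN
      ddl := DBMS_METADATA.get_granted_ddl(kinds(i), src);
      -- DBMS_METADATA quotes identifiers, so the replace matches "SRC_USER"
      -- exactly and leaves objects that merely contain that text alone.
      ddl := REPLACE(ddl, '"' || src || '"', '"' || dst || '"');
      DBMS_OUTPUT.put_line('-- ' || kinds(i) || ' copied from ' || src);
      -- Print the CLOB line by line (put_line takes at most 32767 bytes).
      pos := 1;
      WHILE pos <= DBMS_LOB.getlength(ddl) LOOP
        nl := DBMS_LOB.instr(ddl, CHR(10), pos);
        IF nl = 0 THEN
          nl := DBMS_LOB.getlength(ddl) + 1;
        END IF;
        DBMS_OUTPUT.put_line(DBMS_LOB.substr(ddl, nl - pos, pos));
        pos := nl + 1;
      END LOOP;
    EXCEPTION
      WHEN OTHERS THEN
        -- ORA-31608: the user has no grants of this kind; anything else is real.
        IF SQLCODE = -31608 THEN
          DBMS_OUTPUT.put_line('-- no ' || kinds(i) || ' for ' || src);
        ELSE
          RAISE;
        END IF;
    END;
  END LOOP;
END;
/
SPOOL OFF
```

Read the spool before running it. Copying a user this way reproduces every WITH ADMIN OPTION and WITH GRANT OPTION clause and any ANY-style system privilege the source user accumulated, which is how a new account inherits far more than its job needs; trimming the file is part of the job, not an optional step. Tablespace quotas and proxy settings are separate DBMS_METADATA types (TABLESPACE_QUOTA, PROXY) and are not included above.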

  • Error while granting BPMOrganizationAdmin role to SOAOperator.

    Error while starting the SOA server. Please advise.
    <Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.services.organization> <BEA-000000> <Exception
    exception.70692.type: error
    exception.70692.severity: 2
    exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
    exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
    exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
    ORABPEL-10513
    Cannot get application roles from application identified by "{0}".
    An error occurred while getting application roles from application identified by "soa-infra".
    The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused By: ORABPEL-10510
    Application role not found.
    Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
    Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
            at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    >
    <Mar 5, 2015 12:56:08 PM EST> <Error> <oracle.bpm.common> <BEA-000000> <Exception
    BPM-70692
    Exception
    exception.70692.type: error
    exception.70692.severity: 2
    exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
    exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
    exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:324)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:29)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused By: ORABPEL-10513
    Cannot get application roles from application identified by "{0}".
    An error occurred while getting application roles from application identified by "soa-infra".
    The underlying APIs threw an exception. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:920)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused By: ORABPEL-10510
    Application role not found.
    Application role "BPMOrganizationAdmin" could not be found for application identified by "soa-infra".
    Check if the application role exists in the repository associated with the application. Check the error stack and fix the cause of the error. Contact Oracle Support Services if error is not fixable.
            at oracle.tip.pc.services.identity.jps.JpsProvider$9.run(JpsProvider.java:2338)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRoleEntry(JpsProvider.java:2333)
            at oracle.tip.pc.services.identity.jps.JpsProvider.access$000(JpsProvider.java:169)
            at oracle.tip.pc.services.identity.jps.JpsProvider$1.run(JpsProvider.java:917)
            at oracle.tip.pc.services.identity.jps.JpsProvider.lookupAppRole(JpsProvider.java:913)
            at oracle.bpm.bpmn.engine.runtime.DeploymentDescriptorUtil.grantBPMOrganizationAdminRoleToSOAOperator(DeploymentDescriptorUtil.java:294)
            at oracle.bpm.bpmn.engine.service.BPMNServiceEngine.stateChanged(BPMNServiceEngine.java:578)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.notifyListeners(FabricLifecycle.java:46)
            at oracle.integration.platform.blocks.mesh.FabricLifecycle.setState(FabricLifecycle.java:30)
            at oracle.integration.platform.blocks.mesh.MeshImpl.postDeployInit(MeshImpl.java:118)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
            at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
            at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
            at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
            at $Proxy307.postDeployInit(Unknown Source)
            at oracle.integration.platform.kernel.FabricKernelInitializerServlet$1.run(FabricKernelInitializerServlet.java:555)
            at oracle.integration.platform.blocks.executor.WorkManagerExecutor$1.run(WorkManagerExecutor.java:120)
            at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:183)
            at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)

    Hi user,
    Can you give us some information on the version you are using and your security setup? Are you using an external security provider? Because it sounds to me like you are using an external LDAP server.
    Antonis

  • Dynamic grant user role issue

    Hi friends,
    I created a role in oracle 10 and can be granted to user one by one. it works.
    But I try to grant the role to all users and get error.
    my code as (copy and modify from OTN)
    ====
    DECLARE
      l_schema VARCHAR2(30) := 'SCHEMA_OWNER';
    BEGIN
      FOR i IN (SELECT USERNAME
                  FROM all_users
                 WHERE username not in ('SYS','SYSTEM','OUTLN','DMSYS','TSMSYS','XDB','CTXSYS','WMSYS','DBSNMP','DIP','OLAP','OLAPSYS','MDSYS','EXFSYS','MDSYS'))
      LOOP
        BEGIN
          EXECUTE IMMEDIATE 'GRANT USERS_SELECT ||' TO i.USERNAME;
        EXCEPTION
          WHEN OTHERS THEN
            NULL;
        END;
      END LOOP;
    END;
    ORA-06550: line 10, column 41:
    PLS-00103: Encountered the symbol "TO" when expecting one of the following:
    * & = - + ; < / > at in is mod remainder not rem return
    returning <an exponent (**)> <> or != or ~= >= <= <> and or
    like LIKE2_ LIKE4_ LIKEC_ between into using || multiset bulk
    member SUBMULTISET_
    The symbol "* was inserted before "TO" to continue.
    SQL>
    I double check syntax is OK. what is wrong?
    Thanks for help!
    Jim

    Try:
    EXECUTE IMMEDIATE 'GRANT RAC_SELECT TO '|| i.USERNAME;
    And remove this part, which is for 99.99% a bug:
    EXCEPTION
    WHEN OTHERS THEN
    NULL;
    END
    Only catch errors you expect...
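    The two points of the reply (build the GRANT with the user name outside the string literal, and catch only the error you expect) put together in one block. This is an added example, not code from either poster: it uses the role name USERS_SELECT from the question, quotes every identifier through DBMS_ASSERT.ENQUOTE_NAME so an oddly named account cannot change the shape of the statement, and names the single error that can legitimately occur in this loop (ORA-01917, the account disappeared between the SELECT and the GRANT) instead of swallowing everything with WHEN OTHERS THEN NULL.

```sql
-- Added example (not the thread's code): grant a role to every non-default account,
-- with identifiers quoted and only the expected error handled.
DECLARE
  l_role CONSTANT VARCHAR2(30) := 'USERS_SELECT';   -- role name from the question
  e_no_such_user EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_no_such_user, -1917);     -- ORA-01917: user or role does not exist
BEGIN
  FOR r IN (SELECT username
              FROM all_users
             WHERE username NOT IN ('SYS','SYSTEM','OUTLN','DMSYS','TSMSYS','XDB','CTXSYS',
                                    'WMSYS','DBSNMP','DIP','OLAP','OLAPSYS','MDSYS','EXFSYS'))
  LOOP
    BEGIN
      -- Role and user name are concatenated OUTSIDE the quoted literal. ENQUOTE_NAME wraps
      -- each identifier in double quotes and rejects embedded quotes, so the account name
      -- taken from the dictionary can never be parsed as anything but an identifier.
      EXECUTE IMMEDIATE 'GRANT ' || DBMS_ASSERT.ENQUOTE_NAME(l_role, FALSE)
                     || ' TO '   || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE);
    EXCEPTION
      WHEN e_no_such_user THEN
        -- The account was dropped after all_users was read: report it and carry on.
        DBMS_OUTPUT.PUT_LINE('skipped ' || r.username || ': ' || SQLERRM);
      -- Anything else (missing role, insufficient privilege, ...) propagates and stops
      -- the loop, so a silent partial grant cannot go unnoticed.
    END;
  END LOOP;
END;
/
```

    Run it as a user holding the role WITH ADMIN OPTION (or GRANT ANY ROLE) and with SERVEROUTPUT ON, so a skipped account is visible. The ENQUOTE_NAME call with capitalize set to FALSE keeps the exact case stored in all_users, which matters for accounts that were created with a quoted, mixed-case name.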

  • Oracle Security - Controlling the 'alter user' privilege

    Hi,
    1. DB 10.1.0.5 and 10.2.0.3
    2. "Admin User" needs to be able to change some users passwords in database.
    3. Create user adminuser - grant alter user to adminuser.
    4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
    5. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
    The trigger works as intended - the "adminuser" account can only change the specific set of users.
    Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
    Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
    I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
    CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
    DECLARE
      DBACHK varchar2(50);
      USRCHK varchar2(50);
    BEGIN
      BEGIN
        -- Ensure users can change their own passwords --
        IF ora_login_user = ora_dict_obj_name THEN
          RETURN;
        ELSE
          -- Do not apply trigger to DBA group --
          select grantee into DBACHK from dba_role_privs
           where granted_role = 'DBA' and grantee = ora_login_user;
          IF DBACHK = ora_login_user THEN
            RETURN;
          END IF;
        END IF;
      EXCEPTION
        WHEN NO_DATA_FOUND THEN
          NULL;
      END;
      BEGIN
        select grantee into USRCHK from dba_role_privs
         where granted_role = 'DISCUSR' and grantee = ora_dict_obj_name;
        IF ora_dict_obj_type = 'USER'
           and ora_dict_obj_name = USRCHK
           ---- Need to check that only the password is being changed -- the line below does not work
           and ora_is_alter_column('PASSWORD') = TRUE
        THEN
          RETURN;
        ELSE
          RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
        END IF;
      EXCEPTION
        WHEN NO_DATA_FOUND THEN
          RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
      END;
    END;
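    ora_is_alter_column only reports column changes for ALTER TABLE events, so it cannot say whether an ALTER USER touched the password, the default tablespace or a quota. One way to get the "password only" check the post asks for is to read the statement text with ora_sql_txt and accept only the ALTER USER ... IDENTIFIED BY form. The trigger below is an added example, not the poster's trigger: it keeps the same structure (self-service and DBA accounts exempt, target must hold the marker role DISCUSR from the post), fires BEFORE the DDL so the change never happens, and assumes ora_sql_txt returns the full statement text to a DDL trigger.

```sql
-- Added example (not the thread's trigger): allow ALTER USER only in the form
-- "ALTER USER <name> IDENTIFIED BY <password>", and only against accounts that
-- carry the marker role DISCUSR. Everything else on ALTER USER is refused.
CREATE OR REPLACE TRIGGER sys.password_control
  BEFORE ALTER ON DATABASE
DECLARE
  l_sql    ora_name_list_t;          -- statement text, delivered in pieces
  l_pieces PLS_INTEGER;
  l_text   VARCHAR2(32767);
  l_count  PLS_INTEGER;
BEGIN
  -- Only ALTER USER is subject to this control
  IF ora_dict_obj_type <> 'USER' THEN
    RETURN;
  END IF;

  -- Anyone may change their own password
  IF ora_login_user = ora_dict_obj_name THEN
    RETURN;
  END IF;

  -- DBA role holders are not restricted here
  SELECT COUNT(*) INTO l_count FROM dba_role_privs
   WHERE grantee = ora_login_user AND granted_role = 'DBA';
  IF l_count > 0 THEN
    RETURN;
  END IF;

  -- The target account must be marked as an application user (role from the post)
  SELECT COUNT(*) INTO l_count FROM dba_role_privs
   WHERE grantee = ora_dict_obj_name AND granted_role = 'DISCUSR';
  IF l_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
  END IF;

  -- Reassemble the statement and normalise whitespace and case
  l_pieces := ora_sql_txt(l_sql);
  FOR i IN 1 .. l_pieces LOOP
    l_text := l_text || l_sql(i);
  END LOOP;
  l_text := UPPER(REGEXP_REPLACE(l_text, '[[:space:]]+', ' '));

  -- Accept exactly one shape: ALTER USER <name> IDENTIFIED BY <password>
  -- (either token may be double-quoted). Any extra clause, such as DEFAULT
  -- TABLESPACE or QUOTA, makes the pattern fail and the DDL is refused.
  IF NOT REGEXP_LIKE(l_text,
       '^ ?ALTER USER ("[^"]+"|[^" ]+) IDENTIFIED BY ("[^"]+"|[^" ]+) ?;? ?$') THEN
    RAISE_APPLICATION_ERROR(-20004,
      'Only ALTER USER ... IDENTIFIED BY is permitted for this account.');
  END IF;
END;
/
```

    The BEFORE timing is deliberate: the DDL is rejected before it executes, rather than relying on a rollback from an AFTER trigger. The pattern is intentionally narrow; if the administrator also needs, say, ACCOUNT UNLOCK, add that clause to the regular expression explicitly rather than loosening the match.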

    user602453 wrote:
    > Ed, thank you for your reply. But, let me explain in more detail.
    More detail is always helpful. ;-)
    > A specific user has been assigned as the application administrator. This administrator is responsible for resetting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
    I see that this may be out of your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more as a helper to a clueless user.
    > Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
    > So,
    > Given those requirements, I have this trigger that will allow the specific administrator to change the password of a specific set of users while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assigning the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
    > Hope that clears things up.
    I still see another problem in that it still comes back to the DBA to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.
