Portal & MDM to use central user base (something like LDAP)?

Hi all
Can we use Portal & MDM as a central base like LDAP?
Please let me know whether it is possible or not.
regards
Suresh

Hi
No, we cannot use the Portal or MDM only for persisting users. Generally, the Portal is nothing but a corporate portal designed around the role performed by each employee; it's like an umbrella for various applications integrated together.
MDM is used for normalizing and harmonizing the data, and also for syncing the same single truth of data across the business.
They are not designed to just store user data.
Normally an LDAP server is used to store user info, and EP fetches the users from LDAP.
If you need to, you can use MDM to normalize the user data stored in other places like a DB or LDAP server.
Regards
Kalyan

Similar Messages

  • How to lock transaction using function module or something like that

    Hi, all
    I'd like to know a way to lock transactions using a function module or something like that.
    I know this would be possible by calling transaction SM01, but I want to know other ways, like calling a function module (BAPI) or method.
    Thank you for your cooperation In advance.
    Regards,
    Hideki Kozai

    Hi,
           Try the following FM
    BRF_NETWORK_GRAPHICS           BRF: Network Graphics for BRF Objects
    BRF_INITIALIZE_GRAPHICS_NGR    BRF: Initialize Network Graphics
    BRF_NETWORK_GRAPHICS_NGR       BRF: Network Graphics: Start
    BUSG                           SAP Business Graphics
    GRAPH_2D                       Calling up the 2D business graphics
    GRAPH_2D_MENUE                 DO NOT USE (use 'GRAPH_2D' and 'GRAPH_BUSG_MENU_SET')
    GRAPH_3D                       Calling up the 3D presentation graphics
    GRAPH_BUSG_COLOR_SET           Definition of color pallets for business graphics
    GRAPH_BUSG_MENU_SET            Pushbutton menu (tool bar) for all BUSG modules
    GRAPH_MATRIX                   Calling up SAP Business Graphics (2D, 3D and 4D)
    GRAPH_MATRIX_2D                Calling up the 2D graphics (user-friendly version)
    GRAPH_MATRIX_3D                Structure of 3D graphics (user-friendly version)
    GRAPH_MATRIX_4D                Calling up a 3D graphic (4th dimension stacked representation)
    Regards,

  • OSB db-adapter: how to pass a proxy user or something like this?

    Hello, on OSB with an Oracle db-adapter, I'd like to do some database updates. Usually the db-adapter is set up with a technical database user.
    But on the database side, this way I don't know exactly which user has been updating my table, because only the technical user will be inserted into the "Created_by" column
    (select USER from dual ==> technical user).
    Now I thought about using proxy users. But there are some other problems:
    - every proxy user has to be initially created in the database
    - how can I pass the proxy user and technical user from OSB to the database?
    (using JCA, JNDI and JDBC Data Sources)
    ... on JDBC data sources I can only specify a hard-coded userid/password (--> technical user)
    Any help would be appreciated. Maybe some good white papers or tutorials exist on the web, but I can't find a good one.
    Thanks
    Best regards

    You can pass in the adapter header property "jca.db.ProxyUserName". That way you can specify a user for each invoke.
    I got confirmation that OSB supports setting these properties. The sample adapters-db-201-MovieImages on soasamples.samplecode.oracle.com > Adapters shows working with header properties but with Mediator.
    Thanks
    Steve

  • MMP using wrong search base when doing LDAP query.

    Hi all,
    I installed a new MMP (sun java communication suite v5 on Redhat linux x86).
    When an imap user connects to MMP, the MMP does an ldap query for attributes "MailHostAttrs mailHost".
    This query fails because the search base is
    SRCH base="dc=my,dc=domain,dc=com,o=my.domain.com"
    instead of simply "o=my.domain.com"
    When I ran 'configure' I specified the Organization DN to be o=my.domain.com
    And I've specified the following in the ImapProxyAService.cfg file:
    LdapUrl "ldap://ldap1.my.domain.com:389/o=my.domain.com"
    UserGroupDN "o=my.domain.com"
    DefaultDomain my.domain.com
    So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    I must be missing something but I can't find it.

    Hi,
    kevin_sysadmin wrote:
    > So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    > I must be missing something but I can't find it.
    The first step the MMP will do to resolve the base DN for a hosted domain is a directory search along the lines of (this is for schema 2 which is the default for a new install):
    [26/Oct/2007:16:46:23 +1000] conn=3152 op=1 msgId=2 - SRCH base="dc=aus,dc=sun,dc=com" scope=2 filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=aus.sun.com)(sunPreferredDomain=aus.sun.com)))" attrs=ALL
    So in my case I have default:LdapUrl "ldap://server.aus.sun.com/dc=aus,dc=sun,dc=com" and default:DefaultDomain aus.sun.com
    So you will probably find that you have a hosted domain configured under "dc=my,dc=domain,dc=com,o=my.domain.com" which got created during installation but not propagated with users.
    Regards,
    Shane.
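
An added example (not part of the thread and not Sun's code): a small Python parser for Directory Server access-log SRCH lines in the format Shane quotes. It compares each search base with the base DN from LdapUrl and reports searches that run under a resolved hosted-domain entry instead of the configured base. The kevin log lines, the uid filter and all function names are constructed for illustration.

```python
import re

# Access-log SRCH line, in the format quoted in Shane's reply.
SRCH_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+)(?: msgId=\d+)? - '
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
    r'filter="(?P<filter>.*?)" attrs=(?P<attrs>.*)$'
)

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around the RDN separators.
    Simplification: escaped commas inside attribute values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def base_from_ldap_url(url):
    """Return the base DN of an LdapUrl value such as ldap://host:389/o=x."""
    m = re.match(r'ldaps?://[^/]+/(.*)$', url.strip().strip('"'))
    return normalize_dn(m.group(1)) if m else None

def parse_srch(line):
    """Parse one SRCH line into a dict, or return None if it is not one."""
    m = SRCH_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["base"] = normalize_dn(entry["base"])
    return entry

def classify(entry, configured_base):
    """Relate a search base to the base DN configured in LdapUrl."""
    base = entry["base"]
    domain_lookup = "objectclass=sunmanagedorganization" in entry["filter"].lower()
    if base == configured_base:
        return "domain-lookup" if domain_lookup else "at-configured-base"
    if base.endswith("," + configured_base):
        # The domain lookup resolved to an entry below the configured base,
        # and later searches are rooted at that entry.
        return "hosted-domain-subtree"
    return "outside-configured-base"

def hosted_domain_bases(log_lines, ldap_url):
    """List the distinct search bases that sit below the configured base."""
    configured = base_from_ldap_url(ldap_url)
    found = []
    for line in log_lines:
        entry = parse_srch(line)
        if entry and classify(entry, configured) == "hosted-domain-subtree":
            if entry["base"] not in found:
                found.append(entry["base"])
    return found

# Line taken from Shane's reply on this page.
SHANE_LINE = (
    '[26/Oct/2007:16:46:23 +1000] conn=3152 op=1 msgId=2 - SRCH '
    'base="dc=aus,dc=sun,dc=com" scope=2 '
    'filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=aus.sun.com)'
    '(sunPreferredDomain=aus.sun.com)))" attrs=ALL'
)

# Constructed lines modelling kevin's setup (timestamps and uid filter invented).
KEVIN_LDAP_URL = "ldap://ldap1.my.domain.com:389/o=my.domain.com"
KEVIN_LOG = [
    '[01/Nov/2007:10:00:01 +0000] conn=12 op=1 msgId=2 - SRCH '
    'base="o=my.domain.com" scope=2 '
    'filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=my.domain.com)'
    '(sunPreferredDomain=my.domain.com)))" attrs=ALL',
    '[01/Nov/2007:10:00:01 +0000] conn=12 op=2 msgId=3 - SRCH '
    'base="dc=my,dc=domain,dc=com,o=my.domain.com" scope=2 '
    'filter="(uid=kevin)" attrs="mailHost"',
]

if __name__ == "__main__":
    for dn in hosted_domain_bases(KEVIN_LOG, KEVIN_LDAP_URL):
        print("user lookups are rooted at hosted-domain entry:", dn)
```

Any DN this reports is the entry to inspect in the directory: it is where the domain lookup landed, so an organization entry there without users produces exactly the failed mailHost query described in the question.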

  • Using a User Store different from LDAP to identify users

    Hello everybody,
    I've developed a couple of authentication classes in Access Manager and
    I found the constraint to use an LDAP user store very limiting.
    I have to develop a class that checks the credentials against a table in
    a database. I've no LDAP user store at all. I find all the relevant
    information in the db. So I can correctly authenticate the user but I
    can't "say" to the Identity Server that the user is also correctly
    identified. In the code I can create a new NIDPPrincipal object with a
    (null UserAuthority) setting its properties for the authenticated user.
    It works, but anyway I have to add a "fake" LDAP user store to be able to
    check the "identify user" option in the method definition in the
    Administration Console. And I presume that the Identity Server can
    become unstable because it cannot find the user in the user store.
    I've looked at the LDAP Plugin extension, trying to create a "wrapper"
    to the db, but the documented API is only about the LDAP definition and
    does not expose any interface to catch LDAP search or read (or whatever
    else the Identity Server may ask of the user store), so I guess that the
    LDAP access is hard-wired in the Identity Server code. This approach
    seems very strange because the modular architecture of the NAM solution
    could work very well with other types of user stores than LDAP. I
    expected to find an interface to abstract the User Authority.
    Am I missing something, or are my arguments very wrong?
    Thanks
    Giovanni
    cannata_g

    cannata g wrote:
    >
    > Hello everybody,
    > I've developed a couple of authentication classes in Access Manager
    > and I found the constraint to use an LDAP user store very limiting.
    >
    > I have to develop a class that checks the credentials against a table in
    > a database. I've no LDAP user store at all. I find all the relevant
    > information in the db. So I can correctly authenticate the user but I
    > can't "say" to the Identity Server that the user is also correctly
    > identified. In the code I can create a new NIDPPrincipal object with a
    > (null UserAuthority) setting its properties for the authenticated
    > user. It works, but anyway I have to add a "fake" LDAP user store to be
    > able to check the "identify user" option in the method definition in
    > the Administration Console. And I presume that the Identity Server can
    > become unstable because it cannot find the user in the user store.
    >
    > I've looked at the LDAP Plugin extension, trying to create a "wrapper"
    > to the db, but the documented API is only about the LDAP definition
    > and does not expose any interface to catch LDAP search or read (or
    > whatever else the Identity Server may ask of the user store), so I
    > guess that the LDAP access is hard-wired in the Identity Server code.
    > This approach seems very strange because the modular architecture of
    > the NAM solution could work very well with other types of user stores
    > than LDAP. I expected to find an interface to abstract the User
    > Authority.
    >
    > Am I missing something, or are my arguments very wrong?
    I'm probably not really the right person, but the way I see it is that
    NAM supports LDAP user stores, therefore it kinda makes sense why the LDAP code
    is so heavily embedded. Maybe log an enhancement request to see if JDBC
    can be supported as an authentication mechanism.
    Cheers,
    Edward

  • How to use company users on existing ldap server as EP6.0 sp2  Users?

    Hi everybody
    Our company user data is on an LDAP server. We want to connect our EP6 UME to this existing LDAP server so that existing company users can access the Portal with their company ID and password. What configuration should we do on the portal?
    thanks and regards
    Rajendra

    Hi!
    Look at Admin Guide:
    Administration Guide->Portal Platform->System Administration->User Management Configuration->Configuration of Data Sources Used for User Management->Defining an LDAP Directory as a Data Source
    WBR, Lnk

  • Regd : How to find Validity date for a user in central user system

    Hi Experts;
    I want to get the list of users with profile SAP_ALL with the following details: validity, user type, user name, user ID.
    I can get this through SUIM for each individual system. It's very difficult to log in to each system and generate the report, so I preferred to go for the central system.
    But if I use the central user system, I have no option to find the validity and user type for the system (SUIM -> Cross system application).
    I have also tried the table USRO2 (which gives only the list of users in the central system).
    So is there any possible way to find the users with profile SAP_ALL with validity date in the central user system, so that I can easily generate it as one report instead of logging in to each and every system?
    Regards
    Sanjeev.S

    Hi Ruchit
    Thanks for your reply. I want to find the validity date of all users having the SAP_ALL
    profile in all child systems connected through the central user system. So is it possible
    to do that in the central system by executing the report?
    If I execute that report in the central user system, will it give the details of all child
    systems connected to the central system?
    I think it will give only the result of the central system and not the child systems connected to the central system. Please clarify this for me.
    I can execute the report by logging in to each child system, but it takes very long hours for me since there are many systems in my landscape.
    Awaiting your reply.
    Thanks
    Sanjeev.S

  • How can i get the list of all users present in the LDAP

    Hi Experts,
    How can I get the list of all users present in the LDAP?
    Is there any API or function code to get the list of all users?
    Please help me out!!!
    Help will be rewarded

    Well, it will depend on exactly where your UME configuration points to in the LDAP tree, but yes, it is possible to get all users.  Something like the following should do it:
    import com.sap.security.api.*;
    import com.sapportals.portal.prt.component.*;
    IUserFactory iuf;
    ISearchResult isr;
    IUser user;
    String userid;
    // Obtain the UME user factory
    iuf = UMFactory.getUserFactory();
    // Search result holding the unique IDs of the users
    isr = iuf.getUniqueIDs();
    you will need to iterate the ISearchResult object but you can get IUser objects by
    // Each element is a unique ID string
    userid = (String)isr.next();
    user = iuf.getUser(userid);
    then you can manipulate / identify / or whatever you need with the user object
    Haydn

  • How to lock R/3 master data transatcions when using Central MDM Scenario?

    Hello Colleagues.
    We are implementing a Central master data management scenario, all master data will be created / changed within MDM; so we need to block create/change for fields that are considered in MDM for the master records within R/3.
    In a previous project we used authorization profiles to achieve this task. I suppose another option is to use the field status configuration.
    However, I was wondering if SAP has something standard to achieve this blocking within R/3?
    Thank you for your answers.
    Regards,
    Jorge.

    Hi Jorge,
    SAP MDM has released Central Master Data Management as standard already.  Also, SAP MDM SP04 has more features which will have easy integration for standard R/3 repositories for CRM, SRM etc.  You have a facility in the MDM Repository for creating your customized roles, which will help you to block certain access for users.
    Hope this answers your requirement.
    Regards
    Veera
    Note : Please mark the Points if this reply is helpful to you

  • I just upgraded to mountain lion and I can't figure out how to use messages...  it wants me to use AIM or something like it, but I can't change the user...

    I just upgraded to mountain lion and I can't figure out how to use messages...  it wants me to use AIM or something like it, but I can't change the user... How do I do this??

    See this Thread

  • When I log in the Portal using Administrator user, I can use it correctly.

    I have created a Room IView.
    When I log in the Portal using Administrator user, I can use it correctly. However when I am using another user, I get this error message: 
    com.sap.portal.pcm.Title
    Portal Runtime Error
    An exception occurred while processing a request for :
    iView : pcd:portal_content/com.sap.ip.collaboration/Rooms/00a2953f-0d06-2a10-749d-afc6884d33a7/workset/com.sap.netweaver.coll.ProjectHome/relatedItems/DynamicNavigation/com.sap.netweaver.coll.ARoomQuickLaunch
    Component Name : null
    Page could not create the iView.
    See the details for the exception ID in the log file
    What should I do??
    Regards
    Ika

    Hi Ika,
    This seems to be a permission issue.
    Go to the pcd and give read access to portal_content/com.sap.ip.collaboration/Rooms .
    That should solve the problem.
    Points are welcome if this helps
    Rgrds
    Vineeth

  • Central User Administration using EP

    Hi,
    Can anybody tell me how we can do central user administration using EP? My landscape has multiple SAP systems, a BW system and an EP system. How should we go about it?
    Any help?
    regards,
    Sujesh

    HI Sujesh,
    EP is not able to serve as a hub for central user administration in my opinion.
    You can connect EP to several user stores like LDAP servers (including Microsoft ActiveDirectory) and SAP Systems.
    So
    a) you store all your users in an LDAP and connect all your SAP systems to that LDAP
    b) you declare one of your SAP systems as central user administration (CUA) "master", connect all other as "slaves" and connect the EP UME to the master
    But in any way - there is no GUI inside the EP where you can administer all user related things like roles from all systems, etc. This can only be done in an ABAP system.
    Hth,
    Michael

  • Using oc4j Jaas with external user-base

    Hi,
    I'm evaluating the possibility of migrating my application from BEA Weblogic 7.00 to Oracle9iAS. I use OC4J 9.0.3 for the migration proof.
    My Weblogic application uses a LoginModule, written by us, which accesses our existing user-base (stored in an RDBMS).
    We use proprietary Principal classes and update the Subject when a login 'transaction' is committed.
    Our EJB code (which is the resource we want to protect) includes role definitions, and the specific Weblogic deployment descriptors include a mapping between the roles defined in the EJB DD and the principal names we return with the login module.
    I have some questions:
    1. How can I perform a similar mapping (proprietary principal names to EJB roles)? Do I have to declare all those principals in jazn.data? Where do I have to declare them?
    2. Can I disregard the UserManager concept?
    3. Do I have to implement a LoginContext on my own?
    4. Do I need to explicitly call LoginContext.login in my login code or is it automatically done (please elaborate)?
    5. Do I have to keep using RealmLoginManager along with my LoginModule?
    6. Where is the preferable place for putting the login module (the application's ear file?)
    7. Can I use any LoginModule which simply implements the JAAS LoginModule interface? Is there any specific Oracle behavior/requirement I should know about?
    8. What is the class name for the JAZN class which serves as the default LoginContext?
    Note: I don't want to integrate with OID or manage the user-base using Oracle's JAZN-XML; I want to simply integrate with my own existing user authentication data and use it for authorizing calls to EJBs.
    Thanks in advance,
    Yuval.

    Sorry for the delay in responding.
    I only use my LDAP directory to manage people and groups but not organisational units.
    When a user logs in using BPM, or you view the details for a person in process administrator or view a group's members etc., that information is then stored in the BPM database. That information is refreshed whenever the directory service is polled. The frequency of this is determined by the value of 'Directory Polling Interval' set under the Other tab of your engine.
    I don't believe the user passwords etc. are stored in the BPM database, only meta information about people and groups, and therefore your directory service must be available whenever a user tries to log in to workspace etc.
    Hope that helps,
    Mike.

  • Configuring Oracle Application Server to use a user friendly url

    Hi All,
    I am having trouble configuring the Apache httpd.conf file within an application server to be able to use user-friendly URLs for the infrastructure identity management tools server. I also need this for security reasons as well as hardware reasons (load balancing).
    At the moment I have a standard setup, whereby the sso application server is using port 7777. I would like the user not to enter the port, but to enter just a standard url, like http://login.<company>.com.au, so that if the user needs to modify oid using the oiddas web application, they can enter something like http://login.<company>.com.au/oiddas/ rather than http://<machine host name>:7777/oiddas/. This would also be used by portal for sso logins.
    From the standard installation, Apache was configured as follows:
    Port 7777
    Listen 7777
    ServerName <machine host name>
    DocumentRoot <root document folder>
    Now reading the documentation from the Oracle Application Server Installation notes for the Http Server, they document how to do this (in the loadbalancer section - this will eventually be used in the hardware setup):
    Port 80
    Listen 7777
    Listen 80
    # Virtual Hosts
    # This section is mandatory for URLs that are generated by
    # the PL/SQL packages of the Oracle Portal and various other components
    # These entries dictate that the server should listen on port
    # 7777, but will assert that it is using port 80, so that
    # self-referential URLs generated specify www.oracle.com:80
    # This will create URLs that are valid for the browser since
    # the browser does not directly see the host server.oracle.com.
    NameVirtualHost <machine ip>:7777
    <VirtualHost <nameofmachine>:7777>
    ServerName login.<company>.com.au
    Port 80
    </VirtualHost>
    # Since the previous virtual host entry will cause all links
    # generated by the Oracle Portal to use port 80, the server.company.com
    # server needs to listen on 80 as well since the Parallel Page
    # Engine will make connection requests to Port 80 to request the
    # portlets.
    NameVirtualHost <machine ip>:80
    <VirtualHost <nameofmachine>:80>
    ServerName login.<company>.com.au
    Port 80
    <VirtualHost>
    Note that I used slightly different names for the url's rather than the oracle names www.oracle.com and server.oracle.com
    Now after applying this, I noticed not only could I not go to oiddas from the original machine name, but I also couldn't go there from the new machine name.
    Also, I was not even able to go to the standard index page, whereby you can go to the enterprise manager for the application server, from either name.
    The following urls provide me with "The Page Cannot Be Displayed" error message:
    http://login.<company>.com.au:7777/
    http://<nameofmachine>:7777/
    The following urls provide me with "Page Under Construction" error message:
    http://login.<company>.com.au/
    http://<nameofmachine>/
    Could someone please tell me why this is the case, considering I am using the installation procedures Oracle has published within the Oracle HTTP Server Administrator's Guide (http://download-west.oracle.com/docs/cd/B14099_19/web.1012/b14007/netconf.htm#sthref379).
    Cheers
    Rodney

    Hi Rodney,
    I think that I can see your problem.
    Just change the following line in your httpd.conf, then restart the component.
    First of all, if the port is installed with nr. 7777, then the listen process will be on port 7778.
    The second thing is, just try to do the following steps:
    ((Port 80 to Port 7777)))
    Listen 7778
    %%%% In loadbalancer section %%%%%%
    just add the following lines
    Listen 80
    Listen 8103
    Listen 8102
    NameVirtualHost *
    NameVirtualHost *:8103 or 80
    If you want to use this ports (8103 or 8102) for other site (url), then
    <VirtualHost *:80>
    ServerName <machine ip> or (host name)
    Hear from U,
    Regards,
    Hamdy

  • Restrict access to buttons, regions, etc. on a per user basis?

    My application restricts access to buttons, regions, etc. on a per user basis.
    Here is my application logic...
    1. A User can only edit items they own.
    2. A Super-User can edit all items
    So, when a user logs in, I use a post-authentication process to set the user ID to an application level item.
    Now, for example, to have an edit button display on a page, I need to check the item's owner ID against the application level user ID...and check to see if this user is on the Super User list via a query.(which could be set to another application level item upon login...I guess)
    Question...What is the best way to do this? Conditional display? Authorization scheme?
    Would something like the following work for a Conditional Display?
    Condition: SQL Expression
    &USER_ID.=&P6_ITEM_OWNER_ID. OR USER_ID in (select USER_ID from table where USER_ID=&USER_ID.)
    How would I do this with an Authorization Scheme? (I like the idea of updating the logic in single location...but I'm not sure if it is possible because I have to check PX_OWNER_ID would be different on each page.)

    Hi Denes,
    Thanks for your code which allows user to edit (if authorized) and view (if not).
    But somehow I do not get the image to show up; instead it shows a small underline.
    From the SQL point of view, here is what I get when I run the SQL:
    '<img src="/i/ed-item.gif">',2,CR TEST,,,,dune2.cit.cornell.edu,CRDMTEST.CIT.CORNELL.EDU,PSPROD,,,CRDMTEST
    Here is my wrap_image function
    create or replace function wrap_image(p_user_name in varchar2,p_dm_name_id in number)
    return varchar2 IS
      v boolean := False;
      ret_val varchar2(1000);
    begin
      dbms_output.put_line('user='||p_user_name);
      dbms_output.put_line('dm_name='||p_dm_name_id);
      -- Check authorization if the user is super user - return true, else if he has edit priv on dm_name_id - return true - else false
      v:=ACL_DMTOOLS_DM_PRIV(p_user_name,p_dm_name_id);
      if v then
        ret_val := '<img src="/i/ed-item.gif">';
        ret_val := ''''||ret_val||'''';
        dbms_output.put_line('TRUE');
      else
        ret_val := '';
        dbms_output.put_line('FALSE');
      end if;
      return ret_val;
    end;
    Thanks for your great educational site.
    Regards
    atul
