Problem with role

Hi all,
I'm facing a problem with PFCG. I have 100 roles and I want to add one T-code to all 100 roles. Is there any way to add the T-code without doing it manually, one by one?
Thanks & Regards
Pankaj

Dear Pankaj,
You can use the CATT utility (tcode SCAT) for altering the 100 roles.
I presume that you have not used the CATT utility before;
that's why I have detailed the procedure below.
All you would need to do is execute the tcode SCAT and record all the transaction steps of editing the role by adding the new T-code. Now create a Microsoft Excel file consisting of the list of all the remaining 99 roles that have to be changed and give that Excel file as input when prompted for input, and all the roles will be updated with the new tcode.
I hope you will find my suggestion helpful.
Regards,
sri srirangam

Similar Messages

  • Problem with Roles and Triggers

    I'm having a strange problem with Roles and Triggers in Oracle. It's a little difficult to describe, so bear with me...
    I'm trying to create a trigger that inserts records into a table belonging to a different user/owner. Of course, the owner of this trigger needs rights to insert records into this other table. I find that if I add these rights directly to the owner of the trigger, everything works okay and the trigger compiles successfully.
    However, if I first create a Role and grant the "insert" rights to it, and then assign this role to the owner of the trigger, the trigger does not compile successfully.
    To illustrate this, here's an example script. I'm using Oracle 10g Release 2...
    -- Clean up...
    DROP TABLE TestUser.TrigTable;
    DROP TABLE TestUser2.TestTable;
    DROP ROLE TestRole;
    DROP TRIGGER TestUser.TestTrigger;
    DROP USER TestUser CASCADE;
    DROP USER TestUser2 CASCADE;
    -- Create Users...
    CREATE USER TestUser IDENTIFIED BY password DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" QUOTA UNLIMITED ON "USERS";
    CREATE USER TestUser2 IDENTIFIED BY password DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" QUOTA UNLIMITED ON "USERS";
    CREATE TABLE TestUser.TrigTable (TestColumn VARCHAR2(40));
    CREATE TABLE TestUser2.TestTable (TestColumn VARCHAR2(40));
    -- Grant Insert rights on TestTable to TestRole...
    CREATE ROLE TestRole NOT IDENTIFIED;
    GRANT INSERT ON TestUser2.TestTable TO TestRole;
    -- Add TestRole to TestUser. TestUser should now have rights to INSERT on TestTable
    GRANT TestRole TO TestUser;
    ALTER USER TestUser DEFAULT ROLE ALL;
    -- Now, create the trigger. This compiles unsuccessfully...
    CREATE TRIGGER TestUser.TestTrigger AFTER INSERT ON TestUser.TrigTable
    BEGIN
    INSERT INTO TestUser2.TestTable (TestColumn) VALUES ('Test');
    END;
    When I do a "SHOW ERRORS;" after this, I get:
    SQL> show errors;
    Errors for TRIGGER TESTUSER.TESTTRIGGER:
    LINE/COL ERROR
    2/3 PL/SQL: SQL Statement ignored
    2/25 PL/SQL: ORA-00942: table or view does not exist
    SQL>
    As I said above, if I just add the Insert rights directly to TestUser, the trigger compiles perfectly. Does anyone know why this is happening?
    Thanks!
    Adrian

    Hi Raghu,
    If the insert rights exist only on TestRole, and TestRole is assigned to TestUser, I can do the INSERT statement you suggest with no problems if I just execute it from SQLPlus (logged in as TestUser).
    The question is, why does the same INSERT fail when it's inside the trigger?
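
Added example, not part of the original thread: Oracle compiles triggers and other named PL/SQL with definer's rights, and privileges held only through a role are not in effect there, which is why the ad-hoc INSERT works and the trigger does not. The script below reuses the thread's TestUser, TestUser2 and TestRole names; it assumes a SQL*Plus session and, for the audit query, access to the DBA_* views.

```sql
-- Added example (not from the thread). Object names are the thread's own.

-- 1. As TestUser: reproduce what the PL/SQL compiler sees.
--    Disabling roles by hand gives the ad-hoc session the same privilege
--    set a trigger or stored procedure is compiled with.
SET ROLE NONE;
INSERT INTO TestUser2.TestTable (TestColumn) VALUES ('Test');
-- With a role-only grant this now fails with ORA-00942,
-- the same error SHOW ERRORS reports for the trigger.
ROLLBACK;
SET ROLE ALL;

-- 2. As a DBA: list how TestUser reaches the table, direct grant or role.
--    (Covers roles granted directly to the user, not roles nested in roles.)
SELECT tp.grantee, tp.privilege, 'DIRECT' AS source
  FROM dba_tab_privs tp
 WHERE tp.owner      = 'TESTUSER2'
   AND tp.table_name = 'TESTTABLE'
   AND tp.grantee    = 'TESTUSER'
UNION ALL
SELECT rp.grantee, tp.privilege, 'VIA ROLE ' || rp.granted_role
  FROM dba_role_privs rp
  JOIN dba_tab_privs  tp ON tp.grantee = rp.granted_role
 WHERE rp.grantee    = 'TESTUSER'
   AND tp.owner      = 'TESTUSER2'
   AND tp.table_name = 'TESTTABLE';

-- 3. As a DBA or as TestUser2: grant only what the trigger needs,
--    directly to the trigger owner (least privilege: INSERT, nothing more).
GRANT INSERT ON TestUser2.TestTable TO TestUser;

-- 4. Recompile the trigger that was created with errors and re-check.
ALTER TRIGGER TestUser.TestTrigger COMPILE;
SHOW ERRORS TRIGGER TestUser.TestTrigger
```

Running step 1 before deploying any stored code is a quick way to confirm that the owning schema has the direct grants it needs, without widening the role.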

  • Problem with roles in CRM 5.0 PC-UI

    Hi everybody!
    I have a problem with CRM 5.0 PC-UI.
    When I have user profile SAP_ALL, BSPs are shown correctly.
    When I'm using restricted profile (for example role 'Account manager'), for some BSP's I'm receiving this error:
    Exception Class CX_CRM_BSP_NOAUTH
    Error name
    Program name CL_CRM_BSP_FRAME_MAIN=========CP
    Include CL_CRM_BSP_FRAME_MAIN=========CM003
    ABAP Class CL_CRM_BSP_FRAME_MAIN
    Method DO_INIT
    Row 170
    Long Text --
    I've explored the role SAP_PCC_ACCOUNT_MANAGER in pfcg transaction, and realized:
    on tab 'Menu' in section 'Portal Roles'
    when I click on service: HS PC-UI PC-UI_CRMD_MKTSEG
    In section 'External Service'
    There are only '?????????' in the field 'Type of Ext. Service' instead of 'PC-UI'
    and strange chars in the field 'Service'.
    But for example service: HS PC-UI PC-UI_CRMM_CONTACT is OK, and I'm receiving BSP.
    I think that something important is missing.
    Do you have any idea how to solve this problem?
    Thanks
    Radka

    I am not sure whether you resolved this issue already.
    Under Portal Roles you find PCUI external services which refer to auth objects in order to access the PCUI application.
    Read through the section "Tracing Authority Objects of Blueprint Applications" in the PCUI cook book.
    Thanks,
    Thirumala.

  • Weird problem with role assignment in Portal

    Hi,
    In our newly installed Portal for eRecruitment Production System we encounter a weird problem with assigning roles to users.
    When I open User Administration and search for roles, it displays the Portal roles perfectly.
    However, when I search for a user in User Administration and click on it when found, I am unable to find any roles to assign! So I am unable to find any roles, when I want to modify the assigned roles for a particular user, while the roles do exist and can be found on its own. How is this possible? Am I missing something here?
    We have installed SPS 15 and use ABAP as user store. We have used reverse proxy and web dispatchers in this case.
    Thanks in advance and best regards,
    Jan Laros

    Found some entries in the default trace from this morning:
    #1.#005056A15F78006A000004F400006D310004520B11DB3CE8#1216107404407#com.sap.security.core.jmx.impl.CompanyPrincipalFactory#sap.com/tc~wd~dispwda#com.sap.security.core.jmx.impl.CompanyPrincipalFactory.static Set evaluateDatasourcesToSearchFor(String[] requestDatasourceIds,     String privateType, Locale locale)#JALAROS#58762##nun.efteling.nl_POP_9750151#JALAROS#581700b0524011ddc029005056a15f78#SAPEngine_Application_Thread[impl:3]_36##0#0#Error##Java###Error while connecting to remote producer {0}
    [EXCEPTION]
    {1}#2#PRODUCER_0KTHQ3YTJV#com.sap.security.core.persistence.remote.CommunicationException: Cannot display remote roles of selected producer. The producer has removed your consumer instance from their portal.
    #1.#005056A15F780060000004FD00006D310004520C6A35F87C#1216113181849#com.sap.engine.services.security.roles.SecurityRoleReference##com.sap.engine.services.security.roles.SecurityRoleReference#J2EE_GUEST#0####399cb180524e11dd9849005056a15f78#SAPEngine_Application_Thread[impl:3]_37##0#0#Error#1#/System/Security/Audit/J2EE#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.ERROR#service.naming#jndi_all_operations#SAP-J2EE-Engine#administrators#
    #1.#005056A15F78005C00000C0500006D310004520C6A394185#1216113181992#com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImpl##com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImpl#J2EE_GUEST#0####39aa6d20524e11ddaee2005056a15f78#SAPEngine_Application_Thread[impl:3]_29##0#0#Error#1#/System/Server#Java###Runtime exception occurred while processing external JMX request [ JMX request (java) v1.0 len: 150 |  src: 2 target-node: 9750150 req: getAttribute params-number: 2 params-bytes: 0 |  ]
    [EXCEPTION]
    {0}#1#com.sap.engine.services.jmx.exception.JmxSecurityException: Caller J2EE_GUEST not authorized, only role administrators is allowed to access JMX

  • Problem with role mapping in custom login module

    Hi all,
    I have developed custom login modules. They don't use the default user store but own data tables holding the necessary user information.
    Login works fine. But there is one big problem: Only those users that exist with the same user-id in the default user store get roles assigned to them. Which leads to 403 errors in my web application.
    Now, this is weird because a user with id 'Susi' has completely different passwords in my custom tables and in the user store, therefore it shouldn't be possible to authenticate 'Susi' against the default user management.
    Next thing is, I don't use the default login modules at all. So why does the application validate against the user store?
    I thought a source of the problem might be that I don't set the roles correctly. I set the roles as a principal to the subject. I have chosen the role based mapping in the web-engine.xml and mapped all my custom roles to the server role 'guests'.
    Could anybody think of a solution to this problem ?
    Thanks,  Astrid

    Astrid,
    Sorry to go off-topic on your post...but I have a question in relation to how you deploy your login module. Do you deploy the login module with your application ? I've developed a login module that I would like to deploy by itself, I currently deploy it with the calculator example and it works fine like this, but I need to deploy it by itself. Any tips you can give would be greatly appreciated.
    I've tried to use the deploytool and deploy the module as a library...but I get a "cannot  load a login module" in the logs when authenticating a user.

  • Problems with roles in IDM 8?

    I'm running a brand new install of IDM 8 on JBoss 4.2.2 GA, all steps are performed as configurator.
    I create a new user.
    I create a Business Role with a Required IT Role.
    I assign the business Role to the user, both the Business Role and the IT Role stands as Pending Save.
    I click Save. Both roles are in the Changes list.
    But when I select the user and select roles, Only the Business role is assigned - The IT Role is still Pending Save. And the business role is listed as an IT Role.
    Clicking Save again shows that roleInfos only contains the Business role. Save again shows the same changes as when first assigning the role. But the user still doesn't have the IT Role.
    Has anyone seen this behavior?
    Or even better: Can anyone give me a hint how to fix this problem?
    Best regards
    Stefan

    Version 8.0 Patch 1 -- http://sunsolve.sun.com/show.do?target=patches/zp-NetworkInternet#identitymanager
    Fixed a problem that caused Identity Manager running on JDK 1.6 to fail to assign roles assigned to a Business Role. A symptom of the problem included Identity Manager identifying a Business Role as an IT Role after the Business Role was assigned. This problem was limited to JDK 1.6. (ID-19086)

  • Problems with roles and ldapgroups in IDM 8

    Hello Guys,
    I'm facing a problem. I have to put users in LDAP groups and I am using roles. I have created an IT role and a Business role.
    I use the IT Role to add users to LDAP groups through a rule and the Business role to assign groups to a user. The Business role contains the IT Role.
    Normally, when I put a list of two groups in the rule, the user must be put in the two groups, and if I remove one of these groups from the rule, the user must be removed from the chosen group. Unfortunately, the second scenario doesn't work. I always have the two. And I can't remove the users from all groups.
    Is there something that i'm missing?
    I'm using IDM 8.A patch 2 and Sun Directory Server 6.3.
    The definition of my IT Role is :
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Role PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Role authType='ITRole' name='My Groups'>
      <ResetLimit count='0'>
          </ResetLimit>
      <Services>
        <ObjectRef type='Resource' name='RESSOURCE LDAP'/>
      </Services>
      <ContainedRoles>
      </ContainedRoles>
      <RoleAttributes>
        <RoleAttribute name='My Groups:#ID#RESSOURCE LDAP:groups'>
          <Comment>Auto generated by Role Mes Groupes</Comment>
          <AttributeName>groups</AttributeName>
          <AttributeValueRef>
            <ObjectRef type='Rule' id='#ID#RuleListeUserGroups' name='Rule Liste User Groups'/>
          </AttributeValueRef>
          <Requirement>Authoritative merge with value, clear existing</Requirement>
          <ResourceRef>
            <ObjectRef type='Resource' id='#ID#RESSOURCE LDAP' name='RESSOURCE LDAP'/>
          </ResourceRef>
        </RoleAttribute>
      </RoleAttributes>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
      </MemberObjectGroups>
    </Role>
    Thanks All!

    I have IT role mapped to LDAP groups implemented successfully with the following...
    1. Instead of a rule adding to groups, you should have a resource attribute mapping ... this is described in the LDAP resource adapter references....
    <AccountAttributeType id='101' name='ldapGroups' syntax='string' mapName='ldapGroups' mapType='string' multi='true' />
    2. Now have your IT ROLE to have the group population like the following
    <RoleAttribute name='MYROLE:RESOURCE-NAME:ldapGroups'>
          <AttributeName>ldapGroups</AttributeName>
          <AttributeValueString>
            <List>
              <String>cn=Wirelessaccess,ou=Groups,dc=example,dc=com</String>
            </List>
          </AttributeValueString>
          <Requirement>Authoritative merge with value</Requirement>
          <ResourceRef>
            <ObjectRef type='Resource' name='RESOURCE-NAME'/>
          </ResourceRef>
        </RoleAttribute>

  • Problem with Role while Deprovisioning !

    I have assigned AD resource to a role and I have hard coded this role in waveset.roles field in my create form. I am able to create, update accounts in IDM and AD automatically from flatfileactivesync.
    Now I need to delete & deprovision an account in IDM and AD respectively. I have created a rule that catches the activesync.diffaction eq = delete. I have placed this rule in Delete Rule (optional) so that whenever an account is deleted from the flat file and diffaction=delete & feedop=delete, this rule should delete & deprovision this account.
    From the flatfile logs I am even seeing that both diffaction and feedop equal delete, and it seems from the logs that the account is deprovisioned (without any errors in the logs). But in IDM the account still exists, and also on AD.
    My problem is the account is not getting deprovisioned and deleted from IDM because it is attached to a role (AD resource assigned to that role) and I am having the AD resource in the "Excluded resource" column in the user account assignment tab [due to the role].
    What am I doing wrong? Can anybody throw some light?
    Thanks.

  • Problem with Role and User Distribution to the SAP System

    Hi to all.
    I have a problem when I try to transfer roles from the portal to SAP CRM. (System Administration --> Permissions --> SAP Authorizations).
    If I select from the drop down list the SAP Alias corresponding to the connector to the target system an error is displayed:
    class com.sapportals.connector.connection.ConnectionFailedExceptionConnection Failed: Nested Exception. Failed to get connection. Please contact your admin.
    I think the problem is in the connector configuration, since the connector test fails too (due to User attribution problems, I think).
    Thank you for any help!

    Hello Mario,
    I have the same problem.
    Did you find a solution for this?
    Please let me know.
    Thanks in advance, Michael

  • Problem with role and user; user can't see the table

    Hello forum,
    I've created a role:
    CREATE ROLE enr_service;
    GRANT CONNECT TO enr_service;
    GRANT ALL ON Locataires TO enr_service;
    GRANT ALL ON Batiments TO enr_service;
    GRANT ALL ON Sportifs TO enr_service;
    GRANT SELECT ON Epreuves TO enr_service;
    and also a user:
    CREATE USER ENR1 IDENTIFIED BY password QUOTA UNLIMITED ON USERS;
    GRANT enr_service TO ENR1;
    ALTER USER ENR1 DEFAULT ROLE enr_service;
    ALTER USER ENR1 DEFAULT TABLESPACE USERS;
    I can connect to the database with this user but when I try to query a table he's been granted access to I get an error message:
    SELECT * FROM Sportifs;
    ORA-00942: table or view does not exists
    I can't see what I've done wrong. Any help is appreciated.
    Sebastian

    user2019788 wrote:
    Hello forum,
    I've created a role:
    CREATE ROLE enr_service;
    GRANT CONNECT TO enr_service;
    GRANT ALL ON Locataires TO enr_service;
    GRANT ALL ON Batiments TO enr_service;
    GRANT ALL ON Sportifs TO enr_service;
    GRANT SELECT ON Epreuves TO enr_service;
    and also a user:
    CREATE USER ENR1 IDENTIFIED BY password QUOTA UNLIMITED ON USERS;
    GRANT enr_service TO ENR1;
    ALTER USER ENR1 DEFAULT ROLE enr_service;
    ALTER USER ENR1 DEFAULT TABLESPACE USERS;
    I can connect to the database with this user but when I try to query a table he's been granted access to I get an error message:
    SELECT * FROM Sportifs;
    ORA-00942: table or view does not exists
    I can't see what I've done wrong. Any help is appreciated.
    Sebastian

    That's probably because ENR1 doesn't have any table named SPORTIFS and he didn't qualify the table name with the schema name ...
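
Added example, not part of the original thread: the checks below, run as ENR1, show that the role is active, find which schema owns the granted table, and then reference it by its qualified name. `APP_OWNER` is a hypothetical placeholder for the owning schema, which the thread does not name.

```sql
-- Added example (not from the thread). APP_OWNER is a placeholder:
-- substitute the OWNER value returned by the queries in step 2.

-- 1. Confirm the role is enabled in this session.
SELECT role FROM session_roles;

-- 2. Find the schema that owns the table the role was granted on.
--    ROLE_TAB_PRIVS lists object privileges held by roles this user can use;
--    ALL_TABLES lists every table the session is allowed to access.
SELECT owner, table_name, privilege
  FROM role_tab_privs
 WHERE role = 'ENR_SERVICE'
   AND table_name = 'SPORTIFS';

SELECT owner, table_name
  FROM all_tables
 WHERE table_name = 'SPORTIFS';

-- 3. Unqualified names resolve against the current user's own schema (ENR1),
--    so the query has to name the owner explicitly.
SELECT * FROM APP_OWNER.Sportifs;

-- 4. Alternative: change name resolution for this session only.
--    CURRENT_SCHEMA affects how names are resolved; it grants nothing,
--    so access is still limited to what enr_service allows.
ALTER SESSION SET CURRENT_SCHEMA = APP_OWNER;
SELECT * FROM Sportifs;
```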

  • Problem with role assignment

    Hello,
    using the NetWeaver CE 7.1 EhP1 SP 2, I have modeled a Guided Procedure approval workflow. The processor of the approval step is determined at runtime and provided as an input parameter.
    If the approver rejects, the customer may then modify their requests. In particular, the customer can choose a different approver.
    Now, I have the following problem:
    If the customer chooses a different approver, the new approver is notified as well as the old approver. Now, both are entitled to process the approval step.
    This is not what I intended. If the customer chooses a different approver, the new approver should be the only one who is notified and entitled to process the approval step.
    What am I doing wrong or is it bug?
    Thanks and best regards
    Alexander

    Hi!
    It is neither wrong nor a bug; it depends on your requirement.
    As I said: I want to replace the old processor with a new processor. Moreover, I have to solve it with Guided Procedures.
    Best regards
    Alexander

  • Problem with Role import in GRC 10.0

    Dear GRC Gurus,
    I want to import roles from the backend to the GRC 10.0 system. For this I am using NWBC.
    In NWBC --> Access Management --> Mass Role Maintenance --> Role Import --> on this page the options below are selected:
    Role Selection --> Technical Role
    Import Source: Role Attribute Source: User Input, Role Authorization Source: Backend System
    Definition Criteria: Application Type: SAP, Landscape: nothing is shown in the dropdown, Source System: nothing is shown in the dropdown
    Without defining Landscape and Source System I cannot proceed further.
    Please advise why the system is not showing the values in the dropdown.
    I have maintained role status as production in SPRO.
    I appreciate your help.
    Thanks,
    Swathi

    Hi,
    Sabita is correct.
    Here is the link to the documentation
    SAP Access Control 10.0
    Simon

  • Big problem with role

    Hi all,
    Is it possible to determine the role of a user at runtime? In fact, roles in my case are given by an ABAP function. When the user connects, I must determine the role of the user starting from the result of my ABAP function, etc. Is it possible?
    Thanks for help.
    Regards
    Message was edited by: tafkap

    Hi,
    you can get the roles for a user like below:
    // get the user object by its unique ID (uniqueId is a String)
    IUser user = UMFactory.getUserFactory().getUser(uniqueId);
    // OR, alternatively, by logon ID (logonId is a String)
    // IUser user = UMFactory.getUserFactory().getUserByLogonID(logonId);
    after this get the roles by
    user.getRoles(boolean recursive); This will return a collection of roles. If you pass true it will search the child roles under one role.
    Regards,
    Shubhadip

  • Problems with the installation of Oracle Role Manager

    Hello everyone;
    I have a problem with the deployment on JBoss 4.0.5 GA; I just cannot load the Role Manager Administrative Console (http://localhost:8080/ormconsole).
    I tried loading JBoss itself, and the app server console does load (http://localhost:8080).
    I also tried loading the Role Manager Web UI and had no problems (http://localhost:8080/webui).
    I used the installation method "Install Software Only" so that I can then do the integration with IOM.
    Any suggestions for solving this problem?
    Part of the Log:
    14:17:02,953 ERROR [URLDeploymentScanner] Incomplete Deployment listing:
    --- Incompletely deployed packages ---
    org.jboss.deployment.DeploymentInfo@40e1e159 { url=file:/C:/jboss-4.0.5.GA/server/default/deploy/server.ear }
    deployer: org.jboss.deployment.EARDeployer@873723
    status: Deployment FAILED reason: URL file:/C:/jboss-4.0.5.GA/server/default/tmp/deploy/tmp18940server.ear-contents/ormconsole-exp.war/ deployment failed
    state: FAILED
    watch: file:/C:/jboss-4.0.5.GA/server/default/deploy/server.ear
    altDD: null
    lastDeployed: 1228418189671
    lastModified: 1228418186515
    mbeans:
    --- MBeans waiting for other MBeans ---
    ObjectName: jboss.web.deployment:war=ormconsole.war,id=-1206236729
    State: FAILED
    Reason: org.jboss.deployment.DeploymentException: URL file:/C:/jboss-4.0.5.GA/server/default/tmp/deploy/tmp18940server.ear-contents/ormconsole-exp.war/ deployment failed
    --- MBEANS THAT ARE THE ROOT CAUSE OF THE PROBLEM ---
    ObjectName: jboss.web.deployment:war=ormconsole.war,id=-1206236729
    State: FAILED
    Reason: org.jboss.deployment.DeploymentException: URL file:/C:/jboss-4.0.5.GA/server/default/tmp/deploy/tmp18940server.ear-contents/ormconsole-exp.war/ deployment failed
    14:17:03,281 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
    14:17:03,718 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
    14:17:03,781 INFO [JkMain] Jk running ID=0 time=0/94 config=null
    14:17:04,015 INFO [Server] JBoss (MX MicroKernel) [4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)] Started in 1m:35s:859ms
    Thank you

    Hi JLK,
    I think I have solved the problem. Try to install Oracle Role Manager with the installer, select "Install Software and Configure" and install the "Standard Model" to the database. Don't deploy the standard.car file.
    I hope I could help you.
    Thomas

  • CUA problem with composite role

    Hello experts, I have a problem with a composite role in my CUA parent system. If you look at the roles tab you will see that one of the child roles has the name of a child CUA system in the 'target sys' column. The rest all have 'user system'. Can anyone explain how this 'target sys' column is defined?
    Thanks
    Dave Wood

    I do not know if you have solved this issue, but the target system is defined within your single role on your menu tab.
    Now what happens is that in transaction SM30, table SSM_RFC, you define a system variable linked to your logical system.
    This variable determines that when you import roles from another system by means of transaction PFCG > Read from other system from RFC and you select your variable, the system will automatically default in the target system field the system it is supposed to go back to.
    So this way, when you distribute the roles, they will only go back to that particular target system, and you do not need to specify and guess where the role came from.
    Try removing that table entry in SM30 SSM_RFC and see if that way you will be able to remove the target system from the role.
    However, it is not a bad thing to have activated. If you are working with position-based authorizations and you have more than 1 system, you define 1 composite role for all the roles, for all the systems, and you will be able to see where the composite resides by means of the target value.
    Hope this makes sense.
    Regards
    Sonja
