Process to activate access control dynamically
Hello,
I would like to make a process that activates the access control to a specific button, page, etc. dynamically according to a condition, something like:
" Assign access control (view,edit,admin) of (page#, button..) to user (x) when (condition)"
How can I do that?
Thanks in advance,
Edited by: Najla on Jan 17, 2013 12:19 AM
Hi Najla,
you can use authorization schemes:
http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35125/sec_authorization.htm#BABEDFGB
Br,
Marko Goricki
http://apexbyg.blogspot.com/
Similar Messages
-
Are GRC Access Control, Process Control and Risk Management separate?
Are these 3 different modules that you have to purchase separately or are they included in one suite?
Hi Anne,
If you are referring to GRC Access Controls 5.3, Process Control 3.0 and Risk Management 3.0 - All 3 are separate.
A new version of GRC 10.0 has been launched which is currently in ramp up. This has all the above 3 in one suite.
Thanks and Best Regards,
Srihari.K -
UWL Integration - Process Control & Access Control
Hello Community,
Has anyone worked on UWL integration of Access Control 5.3 & Process Control 3.0?
Is this feasible by developing UWL custom connectors? Any hints?
(NW2004s - EP7.0)
Thanks!
Dhanz
Hi
Even though you set risk analysis to be done at single in RAR , it will automatically consider following type if done from CUP
1. SOD conflict
2.Critical action
3. Critical Permission
If you want to have only SOD risk analysis ,then deactivate all critical action rules in RAR OR create a new ruleset and assign all SOD risk to it and use with CUP .
Thanks & Regards
Asheesh -
Error GRC Access Control 10.0
We have a problem when executing the following steps in GRC Access Control 10.0:
SPRO --> Governance, Risk and Compliance --> Access Control --> Access Risk Analysis --> Batch Risk Analysis
We applied the following note, but the problem is the same.
1563583 - SYSTEM_NO_TASK_STORAGE dump on AIX
Category               ABAP Programming Error
Runtime Errors         ASSERTION_FAILED
ABAP Program           CL_GRRM_DASHBOARD_MENU_AUTH===CP
Application Component  GRC-RM
Date and Time          13.03.2013 11:50:04
Short text
    The ASSERT condition was violated.
What happened?
    In the running application program, the ASSERT statement recognized a
    situation that should not have occurred.
    The runtime error was triggered for one of these reasons:
    - For the checkpoint group specified with the ASSERT statement, the
      activation mode is set to "abort".
    - Via a system variant, the activation mode is globally set to "abort"
      for checkpoint groups in this system.
    - The activation mode is set to "abort" on program level.
    - The ASSERT statement is not assigned to any checkpoint group.
What can you do?
    Note down which actions and inputs caused the error.
    To process the problem further, contact you SAP system
    administrator.
    Using Transaction ST22 for ABAP Dump Analysis, you can look
    at and manage termination messages, and you can also
    keep them for a long time.
Error analysis
    The following checkpoint group was used: "No checkpoint group specified"
    If in the ASSERT statement the addition FIELDS was used, you can find
    the content of the first 8 specified fields in the following overview:
    " (not used) "
    " (not used) "
    " (not used) "
    " (not used) "
    " (not used) "
    " (not used) "
    " (not used) "
    " (not used) "
How to correct the error
    Probably the only way to eliminate the error is to correct the program.
    If the error occures in a non-modified SAP program, you may be able to
    find an interim solution in an SAP Note.
    If you have access to SAP Notes, carry out a search with the following
    keywords:
    "ASSERTION_FAILED" " "
    "CL_GRRM_DASHBOARD_MENU_AUTH===CP" or "CL_GRRM_DASHBOARD_MENU_AUTH===CM001"
    "IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED"
    If you cannot solve the problem yourself and want to send an error
    notification to SAP, include the following information:
    1. The description of the current problem (short dump)
       To save the description, choose "System->List->Save->Local File
       (Unconverted)".
    2. Corresponding system log
       Display the system log by calling transaction SM21.
       Restrict the time interval to 10 minutes before and five minutes
       after the short dump. Then choose "System->List->Save->Local File
       (Unconverted)".
    3. If the problem occurs in a problem of your own or a modified SAP
       program: The source code of the program
       In the editor, choose "Utilities->More
       Utilities->Upload/Download->Download".
    4. Details about the conditions under which the error occurred or which
       actions and input led to the error.
System environment
    SAP Release..... 702
    SAP Basis Level. 0012
    Application server... "KIO13701"
    Network address...... "172.20.1.137"
    Operating system..... "AIX"
    Release.............. "7.1"
    Hardware type........ "00F6C78E4C00"
    Character length.... 16 Bits
    Pointer length....... 64 Bits
    Work process number.. 10
    Shortdump setting.... "full"
    Database server... "KIO13701"
    Database type..... "DB6"
    Database name..... "DGR"
    Database user ID.. "SAPDGR"
    Terminal.......... "192.168.0.5"
    Char.set.... "C"
    SAP kernel....... 720
    created (date)... "Jul 8 2012 19:43:01"
    create on........ "AIX 2 5 00092901D600"
    Database version. "DB6_81 "
    Patch level. 300
    Patch text.. " "
    Database............. "DB6 08.02.*, DB6 09.*, DB6 10.*"
    SAP database version. 720
    Operating system..... "AIX 2 5, AIX 3 5, AIX 1 6, AIX 1 7"
    Memory consumption
    Roll.... 0
    EM...... 8379584
    Heap.... 0
    Page.... 16384
    MM Used. 6205712
    MM Free. 2170976
User and Transaction
    Client.............. 100
    User................ "LVELASCO"
    Language key........ "E"
    Transaction......... " "
    Transaction ID...... "51400164B1F00C40E1008000AC140189"
    EPP Whole Context ID.... "5140015EB1F00C40E1008000AC140189"
    EPP Connection ID....... "5140F9B0B19C1150E1008000AC140189"
    EPP Caller Counter...... 1
    Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
    Screen.............. "SAPMHTTP 0010"
    Screen Line......... 2
    Debugger Active..... "none"
Server-Side Connection Information
    Information on Caller of "HTTPS" Connection:
    Plug-in Type.......... "HTTPS"
    Caller IP............. "192.168.0.5"
    Caller Port........... 44300
    Universal Resource ID. "/sap/bc/webdynpro/sap/grfn_service_map"
    Program............. "CL_GRRM_DASHBOARD_MENU_AUTH===CP"
    Screen.............. "SAPMHTTP 0010"
    Screen Line......... 2
    Information on Caller ofr "HTTPS" Connection:
    Plug-in Type.......... "HTTPS"
    Caller IP............. "192.168.0.5"
    Caller Port........... 44300
    Universal Resource Id. "/sap/bc/webdynpro/sap/grfn_service_map"
Information on where terminated
    Termination occurred in the ABAP program "CL_GRRM_DASHBOARD_MENU_AUTH===CP" -
    in "IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED".
    The main program was "SAPMHTTP ".
    In the source code you have the termination point in line 59
    of the (Include) program "CL_GRRM_DASHBOARD_MENU_AUTH===CM001".
Source Code Extract (Source code has changed)
|Line |SourceCde
|   29|        lv_dashboard = lv_value.
|   30|
|   31|        TRANSLATE lv_dashboard TO UPPER CASE.
|   32|
|   33|        CASE lv_dashboard.
|   34|          WHEN 'HEATMAP'.
|   35|            lv_report = 'GRRM_HEATMAP'.
|   36|
|   37|          WHEN 'LOSS_OVERVIEW' OR 'LOSS_STRUCTURE' OR 'OB_LOSS_OVERVIEW' OR 'OB_LOSS_STRUCTU|
|   38|            lv_report = 'GRRM_LOSS_ANALYSIS'.
|   39|
|   40|          WHEN 'OVERVIEW'.
|   41|            lv_report = 'GRRM_OVERVIEW'.
|   42|
|   43|          WHEN OTHERS.
|   44|            ASSERT 1 = 2.
|   45|
|   46|        ENDCASE.
|   47|
|   48|        EXIT.
|   49|
|   50|      ENDLOOP.
|   51|
|   52|    WHEN 'GRRM_LOSS_MATRIX' OR 'GRRM_LOSS_MATRIX_NEW'.
|   53|      lv_report = 'GRRM_LOSS_ANALYSIS'.
|   54|
|   55|    WHEN 'GRRM_HEATMAP_REPORT'.
|   56|      lv_report = 'GRRM_HEATMAP'.
|   57|
|   58|    WHEN OTHERS.
|>>>>>|      ASSERT 1 = 2.
|   60|
|   61|  ENDCASE.
|   62|
|   63|  TRY.
|   64|      lv_regulation_id = cl_grfn_api_regulation=>if_grfn_api_regulation~get_regulation_id( i|
|   65|
|   66|      ev_authorized = cl_grfn_util_rep_auth=>has_rep_auth(
|   67|        io_session       = io_session
|   68|        iv_regulation_id = lv_regulation_id
|   69|        iv_report        = lv_report
|   70|        iv_activity      = grfn0_c_activity-print
|   71|
|   72|
|   73|    CATCH cx_grfn_exception.
|   74|      ev_authorized = abap_false.
|   75|
|   76|  ENDTRY.
|   77|
|   78|ENDMETHOD.
Contents of system fields
|Name    |Val.
|SY-SUBRC|4
|SY-INDEX|2
|SY-TABIX|1
|SY-DBCNT|1
|SY-FDPOS|0
|SY-LSIND|0
|SY-PAGNO|0
|SY-LINNO|1
|SY-COLNO|1
|SY-PFKEY|
|SY-UCOMM|
|SY-TITLE|HTTP Control
|SY-MSGTY|
|SY-MSGID|
|SY-MSGNO|000
|SY-MSGV1|
|SY-MSGV2|
|SY-MSGV3|
|SY-MSGV4|
|SY-MODNO|0
|SY-DATUM|20130313
|SY-UZEIT|115004
|SY-XPROG|SAPCNVE
|SY-XFORM|CONVERSION_EXIT
Active Calls/Events
No. Ty.     Program  Include  Line
    Name
 34 METHOD  CL_GRRM_DASHBOARD_MENU_AUTH===CP  CL_GRRM_DASHBOARD_MENU_AUTH===CM001  59
    CL_GRRM_DASHBOARD_MENU_AUTH=>IF_GRFN_MENU_ITEM_AUTH~IS_AUTHORIZED
 33 METHOD  CL_GRFN_API_MENU_ITEM_ELA=====CP  CL_GRFN_API_MENU_ITEM_ELA=====CM001  126
    CL_GRFN_API_MENU_ITEM_ELA=>IF_GRFN_MENU_AUTH~ITEM_AUTH
 32 METHOD  CL_GRFN_API_MENU==============CP  CL_GRFN_API_MENU==============CM003  34
    CL_GRFN_API_MENU=>IF_GRFN_MENU_AUTH~ITEM_AUTH
 31 METHOD  CL_GRFN_LAUNCHPAD_UIBB========CP  CL_GRFN_LAUNCHPAD_UIBB========CM006  60
    CL_GRFN_LAUNCHPAD_UIBB=>IF_FPM_GUIBB_LAUNCHPAD~MODIFY
 30 METHOD  CL_FPM_LAUNCHPAD_UIBB_ASSIST==CP  CL_FPM_LAUNCHPAD_UIBB_ASSIST==CM001  76
    CL_FPM_LAUNCHPAD_UIBB_ASSIST=>INIT_FEEDER
 29 METHOD  /1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP  /1BCWDY/B_T2POSBAR6C8HPR0XTR4P  410
    CL_COMPONENTCONTROLLER_CTR=>WDDOINIT
    Web Dynpro Component  FPM_LAUNCHPAD_UIBB
    Controller            COMPONENTCONTROLLER
 28 METHOD  /1BCWDY/T2POSMRSKMLY9L6LJP5Z==CP  /1BCWDY/B_T2POSBAR6C8HPR0XTR4P  181
    CLF_COMPONENTCONTROLLER_CTR=>IF_WDR_COMPONENT_DELEGATE~WD_DO_INIT
    Web Dynpro Component  FPM_LAUNCHPAD_UIBB
    Controller            COMPONENTCONTROLLER
 27 METHOD  CL_WDR_DELEGATING_COMPONENT===CP  CL_WDR_DELEGATING_COMPONENT===CM004  9
    CL_WDR_DELEGATING_COMPONENT=>DO_INIT
 26 METHOD  CL_WDR_CONTROLLER=============CP  CL_WDR_CONTROLLER=============CM00V  3
    CL_WDR_CONTROLLER=>INIT_CONTROLLER
 25 METHOD  CL_WDR_COMPONENT==============CP  CL_WDR_COMPONENT==============CM019  24
    CL_WDR_COMPONENT=>INIT_CONTROLLER
 24 METHOD  CL_WDR_CONTROLLER=============CP  CL_WDR_CONTROLLER=============CM002  7
    CL_WDR_CONTROLLER=>INIT
 23 METHOD  CL_WDR_CLIENT_COMPONENT=======CP  CL_WDR_CLIENT_COMPONENT=======CM00E  24
    CL_WDR_CLIENT_COMPONENT=>INIT
 22 METHOD  CL_WDR_CLIENT_COMPONENT=======CP  CL_WDR_CLIENT_COMPONENT=======CM00A  42
    CL_WDR_CLIENT_COMPONENT=>IF_WDR_COMPONENT_FACTORY~CREATE_COMPONENT
 21 METHOD  CL_WDR_COMPONENT_USAGE========CP  CL_WDR_COMPONENT_USAGE========CM009  67
    CL_WDR_COMPONENT_USAGE=>IF_WD_COMPONENT_USAGE~CREATE_COMPONENT
 20 METHOD  CL_FPM_COMPONENT_MANAGER======CP  CL_FPM_COMPONENT_MANAGER======CM003  81
    CL_FPM_COMPONENT_MANAGER=>ADD_COMPONENT
 19 METHOD  CL_FPM_COMPONENT_MANAGER======CP  CL_FPM_COMPONENT_MANAGER======CM004  19
    CL_FPM_COMPONENT_MANAGER=>ATTACH_COMPONENT_TO_USAGE
 18 METHOD  CL_FPM========================CP  CL_FPM========================CM005  89
    CL_FPM=>PROCESS_EVENT
 17 METHOD  CL_FPM========================CP  CL_FPM========================CM00C  34
    CL_FPM=>RUN_EVENT_LOOP
 16 METHOD  CL_FPM========================CP  CL_FPM========================CM002  5
    CL_FPM=>IF_FPM~RAISE_EVENT
 15 METHOD  CL_FPM========================CP  CL_FPM========================CM003  11
Hi Alberto,
The below Notes should resolve!
1428775
1744179
Hope this helps,
Luciana -
To run OHS at port 80 using solaris role based access control
Hi.
I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
/etc/user_attr:
oracle::::type=normal;defaultpriv=basic,net_privaddr
Change OHS httpd.conf Listen from port 8888 to port 80.
However, opmnctl startproc process-type=OHS
failed as below with nothing showing in the diag logs:
opmnctl startproc: starting opmn managed processes...
================================================================================
opmn id=truffle:6701
0 of 1 processes started.
ias-instance id=asinst_1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ias-component/process-type/process-set:
ohs1/OHS/OHS/
Error
--> Process (index=1,uid=187636255,pid=25563)
failed to start a managed process after the maximum retry limit
Thx,
Ken
Just to add my two cents here.
The command used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
# usermod -K defaultpriv=basic,net_privaddr <your_user_name>
Restart the opmnctl daemon.
After that OHS/Apache user can bind to lower TCP ports.
Regards.
Edited by: Tuelho on Oct 9, 2012 6:05 AM -
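To review which accounts hold the privilege discussed in this thread, the following added example (not part of the original posts) parses a file in user_attr(4) format and lists the accounts whose defaultpriv grants net_privaddr. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Solaris user_attr(4) file for
# accounts whose default privilege set lets them bind TCP/UDP ports below 1024.

# Constructed sample in user_attr format: user:qualifier:res1:res2:attr
sample_user_attr() {
    cat <<'EOF'
# constructed sample entries, not taken from a real host
root::::auths=solaris.*;profiles=All
oracle::::type=normal;defaultpriv=basic,net_privaddr
webadm::::type=normal;defaultpriv=basic
batch::::type=normal;defaultpriv=all,!net_privaddr
EOF
}

# users_with_priv FILE [PRIV]
# Prints one account name per line when its defaultpriv grants PRIV.
# "basic" is not expanded: net_privaddr is not part of the basic set.
users_with_priv() {
    awk -F: -v want="${2:-net_privaddr}" '
        /^[ \t]*#/ || NF < 5 { next }      # skip comments and short lines
        {
            # The attribute field is the fifth; rejoin it if a value held ":".
            attr = $5
            for (k = 6; k <= NF; k++) attr = attr ":" $k
            granted = 0
            n = split(attr, kv, ";")       # key=value pairs
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^defaultpriv=/) continue
                sub(/^defaultpriv=/, "", kv[i])
                m = split(kv[i], tok, ",") # privilege names, left to right
                for (j = 1; j <= m; j++) {
                    t = tok[j]
                    if (t == want || t == "all" || t == "zone") granted = 1
                    # A leading "!" or "-" removes a privilege from the set.
                    else if (t == ("!" want) || t == ("-" want)) granted = 0
                }
            }
            if (granted) print $1
        }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_user_attr > "$tmp"
users_with_priv "$tmp"
rm -f "$tmp"
```

On a real host, pass /etc/user_attr as the file argument; uid 0 is not reported because its privileges do not come from defaultpriv.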
Hello,
I'm attempting to get a SharePoint 2013 Provider Hosted Application working in a brand new SharePoint environment. I've created snapshots of both my dev and the sharepoint environments along the way and have meticulously documented every step of the way. I've followed these instructions (among many other resources found along this journey) :
http://msdn.microsoft.com/en-us/library/fp179923(office.15).aspx
http://technet.microsoft.com/en-us/library/fp161236(office.15).aspx
http://msdn.microsoft.com/library/office/fp179901%28v=office.15%29
Upon package and publish of my application to SharePoint, I get a 401 Unauthorized error. I use Fiddler to obtain the SPErrorCorrelationID to ultimately obtain the following ULS Viewer Output. Please explain how to fix if you're able.
Please Note: I was under the impression that a Provider Hosted Application does not use the Azure Access Control service, so I'm confused as to why my system is attempting to make this connection?
Also Note: I've used a self signed and GoDaddy obtained certificate to successfully f5 debug my basic web.title (out of the visual studio 2012 box) sharepoint provider hosted application... so I know my certs are good.
Here's my ULS output:
03/24/2014 08:54:47.83 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.83 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request.
IsAuthenticated=True, UserIdentityName=0#.w|cltenet\sp.apps, ClaimsCount=25 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.83 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Logging Correlation Data xmnv Medium Site=/ 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.84 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Deployment acjjg Medium The current user has System.Threading.Thread.CurrentPrincipal.Identity.Name
= 0#.w|cltenet\sp.apps, System.Security.Principal.WindowsIdentity.GetCurrent().Name = NT AUTHORITY\IUSR, System.Web.HttpContext.Current.User.Identity.Name = 0#.w|cltenet\sp.apps. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.84 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsrv Medium redirectLaunUrl after getting it from query
string, web or app instance: https://hightrust31.cltenetapps.com/Pages/Default.aspx?{StandardTokens} 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation General aib0n High trying to get app tokens for site: 888b71f7-51ee-40f5-8344-8de4869d37d0
Unable to load app tokens from appInstanceId: 22d5252f-392c-4f68-b820-a3053b9d4f24 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsrw Medium redirectLaunUrl after getting token replacement:
https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsry Medium m_oauthAppId after NormalizeAppIdentifier()
i:0i.t|ms.sp.ext|[email protected]8df36d5d. Now getting app principal info. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr0 Medium decided that we need to do a POST to the
app. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr1 Medium m_redirectMessage: EndpointAuthorityMatches
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr2 Medium realm matched attempting to get app token
using GetAccessToken() 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth advzm High Error when get token for app i:0i.t|ms.sp.ext|[email protected]8df36d5d,
exception: Microsoft.SharePoint.SPException: The Azure Access Control service is unavailable. at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)
at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken) 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth ajsr3 High App token requested from appredirect.aspx
for site: 888b71f7-51ee-40f5-8344-8de4869d37d0 but there was an error in generating it. This may be a case when we do not need a token or when the app principal was not properly set up. LaunchUrl:https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http://portal.cltenet.com&SPLanguage=en-US&SPClientTag=0&SPProductNumber=15.0.4420.1017
Exception Message:The Azure Access Control service is unavailable. Stacktrace: at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext)
at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext
userIdentityContext, String applicationId, Uri applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest().
Since this is a nonfatal error, it will be sanitized and posted to the app as part of the app launch. 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation General ajlz0 High Getting Error Message for Exception Microsoft.SharePoint.SPException:
The Azure Access Control service is unavailable. at Microsoft.SharePoint.ApplicationServices.SPApplicationContext.GetApplicationSecurityTokenServicesUri(SPServiceContext serviceContext) at Microsoft.SharePoint.ApplicationServices.SPApplicationContext..ctor(SPServiceContext
serviceContext, SPIdentityContext userIdentity, OAuth2EndpointIdentity applicationEndPoint) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForApplicationContext(SPIdentityContext userIdentityContext, String applicationId, Uri
applicationRealm, SPApplicationContextAccessTokenType applicationTokenType, SPApplicationDelegationConsentType consentValue) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenPrivate(SPServiceContext serviceContext,
String appId, Uri appEndpointUrl, SPAppPrincipalInfo appPrincipal, SPApplicationContextAccessTokenType tokenType, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.SPServerToAppServerAccessTokenManager.GetAccessTokenFromThreadIdentityOrUserToken(SPServiceContext
serviceContext, String appId, Uri appEndpointUrl, SPApplicationContextAccessTokenType tokenType, SPAppPrincipalInfo appPrincipal, Boolean useThreadIdentity, SPUserToken userToken) at Microsoft.SharePoint.ApplicationPages.AppRedirectPage.ValidateAndProcessRequest()
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation App Auth aib0p Medium Doing appredirect from appredirect.aspx:
in site: 888b71f7-51ee-40f5-8344-8de4869d37d0 with RedirectLaunchUrl: https://hightrust31.cltenetapps.com/Pages/Default.aspx?SPHostUrl=http%3A%2F%2Fportal%2Ecltenet%2Ecom&SPLanguage=en%2DUS&SPClientTag=0&SPProductNumber=15%2E0%2E4420%2E1017
306c809c-66a1-d0d5-d8e2-89d3631ce1bf
03/24/2014 08:54:47.85 w3wp.exe (0x1448) 0x22D8 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (GET:http://portal.cltenet.com/_layouts/15/appredirect.aspx?instance_id=22d5252f%2D392c%2D4f68%2Db820%2Da3053b9d4f24)).
Execution Time=26.5933938531294 306c809c-66a1-d0d5-d8e2-89d3631ce1bf
Your help is very much appreciated.
With Respect,
Larry
Yes, actually - I was able to resolve it.
However I don't know how, unfortunately. I suspect it was because I needed to have the names of the certificates, defined during the certificate registration (to sharepoint) process, different.
I have a complete document that shows step by step instructions on the exact process I took to complete the provider hosted application creation, deployment and publishing. It was a daunting task, but I finished it successfully.
If there's a way to send private message on this forum, please do so and I'll respond with a way to obtain my document.
NOTE: I'm not at all impressed with the way this forum works. This is supposed to be a Microsoft resource and I'll be damned if I ever get a response to highly technical questions. Completely lame. Boooooo Microsoft. -
ESYU: R12 - How to Set Up Multi Org Access Control (MOAC) for Order Management
Purpose
Oracle Order Management - Version: 12.0 to 12.0
Information in this document applies to any platform.
This note describes how to set up Multi Org Access Control (MOAC) for Order Management in R12.
Solution
General MOAC setup:
1. Define a Security Profile in HRMS:
a. Select the HRMS Management responsibility
b. Navigate to HRMS Manager> Security> Profile
c. Check that a Security Profile is defined (at the OM responsibility or Site level)
d. If it has not been set up yet, enter the Operating Units
e. Save
Note: If you created a new security profile as in step d above, you must run the concurrent program 'Security List Maintenance'.
Otherwise, the multiple operating units will not appear in the LOVs of the OM forms.
This program populates the tables used to validate multi-org access.
Navigation: HRMS Management> HRMS Manager> Processes & Reports> Submit Process & Report> Security List Maintenance
2. MO Profile Options setup:
a. MO: Security Profile - This profile setting enables the MOAC functionality.
b. MO: Default Operating Unit - This Operating Unit becomes the default in OM forms and reports; you can use the LOV to clear or change it.
Keep the MO profiles in sync:
MO: Security Profile can be set at the site and responsibility levels.
MO: Default Operating Unit can be set at the site, responsibility, and user levels.
If the application does not behave as expected, check the values of these profile options.
3. OM setup:
Check the new OM System Parameters that were migrated from OM Profiles during the R12 upgrade:
Order Management Super User> Setup> System Parameters> Values
(See <<NOTE 393646.1>>-R12 Readiness Cheat Sheet: Migrated OM Profile Options)
4. Enable the hidden field 'Operating Unit' in the forms and save it as the default folder:
Sales Order and Order Organizer forms
Quick Sales order and Organizer forms
Sales Agreement forms
Pricing and Availability form
Other forms
Note: Before you 'Show' the hidden field 'Operating Unit' in the Sales Order form, you must make room for the field in the form.
For example, you can shorten the Customer Number field, or overlay that field with the Operating Unit field.
Reference
Note 393634.1
Hi Larry,
Have you considered adding the exec apps.mo_global.set_policy_context call to your connection's start-up script?
Tools -> Preferences -> Database -> Filename for connection startup script
Not the most flexible approach, so I'm not sure if it is appropriate for your application, but just a thought. You might create distinct connection names with different start-up scripts for each org_id.
Regards,
Gary
SQL Developer Team -
Creating SOD matrix with the help of Access control default ruleset
I am creating the SOD matrix for the existing roles of CRM and HR modules. As I am the security consultant, I do not have the functional knowledge about the conflicts for CRM and HR transactions. My question is: can I use the function/actions/risks conflicts provided with the Access control 5.3 default ruleset? We are not using Access control for these systems, so I want to know whether I can take the help of AC 5.3 default risks to create the SOD matrix based on it.
For e.g, like H001 default HR risk, I would make sure not to assign PA30(maintain HR data) with the PA03/PA04(maintain personal control record) as this will result in the providing conflict "Modify payroll master data and then process payroll".
Once I have the SOD list based upon AC 5.3, I can consult the Business approver/auditor to verify and modify as per the business requirement.
Maybe I am thinking the wrong way, please provide your inputs so I can work on it. Any help appreciated.
Thanks,
Sanjay Desai
The most important thing to keep in mind is that you need to build a rule set that reflects the customer's real business risk!
What you build there will influence the way the customer will be able to continue work, assign access and perform control activities. The input HAS to come from the business!
You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
But the real challenge is to identify the risks as perceived/accepted by the business!
Frank. -
GRC 10 Add on installation -Access control node missing in IMG SPRO
Dear Experts
We have got GRC 10 addon installed on our server by the basis team and I can verify that by going to saint t code, but when I am going to SPRO I cannot see the application by name GRC. Whereas I can see GRC Process control and GRC risk management, GRC access control is missing; following are the attached files. Quick response will be appreciated. Thanks in advance.
Hi Luciana.,
Thanks for your great explanation and you have answered my query all the way Thanks once again.
But one more query please
Regarding below,
"The GRCPIERP is an addon basically for your system that has SAP HR installed, so you can integrate HR into GRC, to get requests for new hires, termination, etc."
Does this means if I have no need of HR trigger/my plugin systems is not HR system then GRCPIERP is not at all required for ARQ, EAM, ARA and BRM for even single functionality?
BR,
Mangesh -
Access Control functionality in Oracle workflow
Hi everyone,
I am doing research into access control models and workflow systems (separation of duty policies in particular). As far as I could tell, Oracle Workflow does not provide much in terms of securing access to data in a workflow process (except from the normal login authentication of course).
One usually assigns a task's performer to a CONSTANT role from your database roles so that only certain users will have access to that task. This is not always enough though, especially when the role-hierarchy is not properly constructed and maintained. So, I've been working on a few scripts to dynamically prevent users from receiving tasks on their worklists based on their previous participation in the process (e.g. to prevent a manager from approving his own leave application).
I was just wondering if anyone else has been working on access control in Oracle Workflow. Is there any built-in functionality that I missed that controls task-user assignment?
Thanks,
Carmen
Thank you very much Sirish for your help.
We are facing huge performance issues while Risk Analysis with Oracle Application servers through Greenlight Adaptor - it's taking around 10 hours for 3000 users. Can you please point out what can be the possibilities and how can we trace out exact root cause and then solve it.
This is happening on GRC AC 5.2 SP10 and GRC logs don't say much, it just gives output taken 12 secs for one user Risk Analysis.
Here is our understanding on how GRC does Risk Analysis and our observations on our systems -->
1. GRC asks for 1 user details at a time from Oracle Application Server - please confirm does GRC do Risk Analysis for one user at a time or a bunch of users?
2. Oracle App server gets details of that user and sends back results to GRC.
3. Now there is a wait time for around 3 secs before Oracle Server gets request for the second user. 3 sec for one user means 2.5 hours of wait time for 3000 users. We are not able to understand why Oracle Server needs to wait for next user request from GRC?
Would highly appreciate if you can share your experience on GRC Risk Analysis with Oracle (Greenlight Adaptor) and with SAP systems.
Best Regards
Davinderpal Singh -
Access control for different user groups in APEX 4.0
Hi guys,
in Apex 4.0, is there any way to use the access control page to configure access control for different user groups?
The access control page currently only has an access control list by users with 3 privileges namely, Administrator, Edit & View where Administrator has the highest access level & View the lowest. Therefore 1 user cannot have more than 1 different privilege, however if the user belongs to 2 or more different groups then we can control what access he can have in a more fine grained manner. We also want to have more than the 3 privileges given.
Can we assign different groups to different users and let them have different privileges to be configured by page, region, process or item level?
Now Apex will create 2 tables, Apex_Access_Control & Apex_Access_Setup to store the application access control mode & access control list. It will also create 3 authorization schemes "access control - administrator", "access control - edit" & "access control - view" based on the 2 tables.
Does this mean we have to change the table structures & edit the authorization schemes to suit our usage? We are reluctant to do this because if we upgrade to a newer version of Apex then we would have to merge our pl/sql coding with Apex's updated code.
How can we auto-configure more than the 3 authorization schemes in the access control page? Is there any way to achieve a finer grain of access control based on the current access control administration page given by Apex without writing it ourselves?
We are afraid that we may have missed something on Apex access control & do not want to reinvent the wheel.
Hi Errol,
to build your own application authorization scheme around the security model supplied by Apex for administration of the Apex environment would be a bad idea.
This was never intended for authorization scheme management in custom built Apex applications, it was solely intended to control access in the Apex environment overall. The API for it is not published, and making changes to it, such as adding more roles, would run the risk of breaking the overall Apex security model. It would not be supported by Oracle and Oracle would not guarantee the upwards compatibility of any changes you make in future versions of Apex.
In short, you should follow Tyson's advice and build your own structure. As he indicated, there are plenty of examples around and provided your requirements are not too complicated, it will be relatively simple.
Regards
Andre -
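As an added example (not from the thread and not Oracle's code), one way to build the separate structure the answer recommends: group membership and per-page privileges held in custom tables and checked by a function called from an authorization scheme of type "PL/SQL Function Returning Boolean". All table, column and function names are hypothetical.

```sql
-- Hypothetical schema: none of these objects are supplied by APEX.
create table app_groups (
  group_id   number primary key,
  group_name varchar2(60) not null unique
);

-- A user may belong to any number of groups (usernames stored in upper case).
create table app_user_groups (
  username varchar2(255) not null,
  group_id number not null references app_groups,
  constraint app_user_groups_pk primary key (username, group_id)
);

-- One row per (group, page, privilege); page_id null = whole application.
-- Privilege names are free text, so more than three levels are possible.
create table app_group_privs (
  group_id  number not null references app_groups,
  page_id   number,
  privilege varchar2(30) not null,
  constraint app_group_privs_uk unique (group_id, page_id, privilege)
);

create or replace function app_has_privilege (
  p_username  in varchar2,
  p_page_id   in number,
  p_privilege in varchar2
) return boolean
is
  l_hits pls_integer;
begin
  -- Deny by default: a missing user or privilege never matches.
  if p_username is null or p_privilege is null then
    return false;
  end if;

  select count(*)
    into l_hits
    from app_user_groups ug
    join app_group_privs gp on gp.group_id = ug.group_id
   where ug.username  = upper(p_username)
     and gp.privilege = upper(p_privilege)
     and (gp.page_id = p_page_id or gp.page_id is null);

  return l_hits > 0;
end app_has_privilege;
/

-- Body of an authorization scheme (type "PL/SQL Function Returning Boolean"):
--   return app_has_privilege(:APP_USER, :APP_PAGE_ID, 'EDIT');
```

Because the tables live in the application's own schema, an APEX upgrade does not touch them; one authorization scheme per privilege name can then be attached to pages, regions, processes or items.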
I have problems with the Assign Access Control in HFM
I have problems when I want to assign Access Control by Shared Services in application HFM. I log in with user admin and it sends me this message
Processing Error:
Description: Invalid argument.
Code: -2147220951
Trace: Number:-2147220951
Description:
Source:General Security Error
Page:
Actor: General Security Error
Anyone can't help me
I've seen this error when the application isn't registered properly. Try re-registering via Workspace.
-
Composition of business team in GRC Access control project
Hi
Can I get any information about the composition of business team in a GRC access control project?
What type of people form this team?
Please provide some clarity on the role of business people in this type of projects.
Regards
Abhijeet
Hi,
Ideally the team should comprise of
1] A representative of the IT Governance team - he ensures that the IT delivers value to the business, the risks have been analysed and fully addressed to.
2] The Business process owners - these people only define the access restrictions for various activities like purchase, payment, etc.
3] Application specialist - in charge of SOD - he defines the roles and profiles for the access control.
4] If required a member from "Assurance" - these will be auditing the "access control" on a regular basis after the implementation.
5] The configuration team - they configure the controls in the Appln. system
Regards.
Ramesh. -
Add Fields in CUP Request - SAP GRC Access Control 5.3
Dear Friends,
I am wondering on how to add fields value in CUP (Compliant User Provisioning) SAP GRC AC 5.3.
Currently I'm leading 9 SAP Security Coordinators in Indonesia and I want to create Performance Metrics on how long the CUP Requests are processed. It needs to enhance the CUP by adding value Delegation of Authority and the record no. of the DOA requests.
Really appreciate your inputs on how to add fields value in CUP.
Thank you so much
-Mesti-
Edited by: AnnisaPramesti on Jan 2, 2012 5:37 PM
Hi.
Check under http://service.sap.com/instguides
SAP BusinessObjects -> SAP BusinessObjects Governance, Risk, Compliance (GRC) -> Access Control -> SAP GRC Access Control 5.3
Cheers,
Diego. -
GRC Access Control 5.3 Organizational Levels - logical AND - OR changed
Hello GRC Community,
We are working with Access Control 5.3 SP 12 and we are setting up organization levels for the risk analysis.
The setup is loaded with a flat file, and the configuration seems to be loaded in the right way.
Doing the configuration on the RAR portal, opening the tab "rule architect" then "organization rules" and "create", we have this information:
Organization Rule: Z001
Description: TEST
Risk Organization Level from to search type Status
F001* BUKRS PRE0 AND Enabled
F001* EKORG PR00 OR Enabled
F001* EKORG PR01 OR Enabled
F001* EKORG RP00 AND Enabled
F001* VKORG RP00 OR Enabled
F001* VKORG RP01 OR Enabled
F001* VKORG RP02 AND Enabled
F001* WERKS SV00 OR Enabled
F001* WERKS VS00 OR Enabled
Finally save button.
When we want to edit an organization rule or add new one with the screen of organization rules, after saving we have the next result when load the rule again:
In the case of the same organization rule (Z001), the RAR returns this info:
Organization Rule: Z001
Description: TEST
Risk Organization Level from to search type Status
F001* BUKRS PRE0 AND Enabled
F001* EKORG PR00 OR Enabled
F001* EKORG PR01 OR Enabled
F001* EKORG RP00 OR Enabled
F001* VKORG RP00 OR Enabled
F001* VKORG RP01 OR Enabled
F001* VKORG RP02 OR Enabled
F001* WERKS SV00 OR Enabled
F001* WERKS VS00 OR Enabled
So the RAR has changed the logical AND for OR.
Why is it happening? This effect doesn't happen if I make an upload from a flat file of organizational rules.
We already tried this symptom doing the same exercise with RAR SP 14 with the same issue.
Thanks in advance for all your comments
Regards,
Alejandro
Edited by: Alejandro Acuña Acosta on Jun 3, 2011 8:53 AM
Hi,
>
> 1. The Addons HR and NonHR are installed on the erp?
>
Yes.
> 2. The GRC could be an stand alone java server?
>
It should be on separate server.
> 3. The Spro config for process control is configured on the ERP or the grc server?
>
ERP server.
Thanks
Sunny