Querying user groups while using @RunAs on a bean

Hi,
I am trying to implement a scenario in which I have three entities:
- bean A - datastore for all users
- bean B - implementing logic, filtering results from datastore for specific user based on groups he is in
- User - calling bean B
The calling chain is User -> bean B -> bean A.
bean B has to query user groups and filter data based on that. I've implemented that using:
    Subject subject = Security.getCurrentSubject();
    for (Principal principal : subject.getPrincipals()) {
        if (principal instanceof WLSGroup) {
            // ...
        }
    }
Without any security specified (like @RolesAllowed) it works like a charm.
But I want to add security constraints to the beans:
@RolesAllowed("admin")
class A {}
@RolesAllowed("user")
class B {}
The problem is that B cannot access A's methods because it is calling A using the 'user' security context.
I thought I would change it to:
@RunAs("application")
@RolesAllowed("user")
class B {}
"Application" is an account in group admin.
Now B can call A. The problem is that the security context is switched to "application" on entering B's methods. Inside them I cannot query user groups using the method presented above, because I get the "application" groups.
Is there a way to change the security context on calling other bean methods? Like using Security.runAs( somehowGetApplicationSubject(), runnable) ??
Another method I've thought of, but I have no idea how to implement it, is somehow querying WebLogic to get the groups of SessionContext.getCallerPrincipal(), which returns the user account regardless of using RunAs.
Hope someone has made it through this problem before,
Krzysiek
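
One way to keep the group lookup in the caller's context while still reaching A with elevated rights, as an added example that is not part of the original post: B stays without @RunAs and reads the groups itself, and a separate bean carrying @RunAs makes the privileged call. AdminGateway, Row and the method names are hypothetical. It assumes, as the post describes, that the subject is replaced only inside the bean that carries @RunAs, and that the run-as role "admin" is mapped to the "application" account in the deployment configuration (not shown).

```java
// Added example, not code from the original post. AdminGateway, Row and the
// method names are hypothetical. EJB bean classes must be public, so each
// class below goes in its own file with the imports it needs.
import java.security.Principal;
import java.util.*;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import weblogic.security.Security;
import weblogic.security.spi.WLSGroup;

// ---- Row.java: constructed data item, tagged with the group allowed to read it
public class Row {
    public final String group;
    public final String payload;
    public Row(String group, String payload) { this.group = group; this.payload = payload; }
}

// ---- A.java: datastore, callable only with the admin role
@Stateless
@RolesAllowed("admin")
public class A {
    public List<Row> findAll() {   // constructed sample rows
        return Arrays.asList(new Row("sales", "q1 figures"), new Row("hr", "salaries"));
    }
}

// ---- AdminGateway.java: the only bean that switches identity. It returns
// unfiltered data, so keep it a local view that is not exposed to remote clients.
@Stateless
@RunAs("admin")
@RolesAllowed("user")
public class AdminGateway {
    @EJB private A store;
    public List<Row> findAll() { return store.findAll(); }
}

// ---- B.java: no @RunAs here, so the current subject is still the caller's
@Stateless
@RolesAllowed("user")
public class B {
    @EJB private AdminGateway gateway;

    public List<Row> findVisible() {
        Set<String> groups = callerGroups();      // read before the identity switch
        List<Row> visible = new ArrayList<>();
        for (Row row : gateway.findAll()) {
            if (groups.contains(row.group)) visible.add(row);  // no groups: nothing returned
        }
        return visible;
    }

    private Set<String> callerGroups() {
        Set<String> names = new HashSet<>();
        Subject subject = Security.getCurrentSubject();
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof WLSGroup) names.add(p.getName());
        }
        return names;
    }
}
```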

getBounds() will only generally make sense while the component itself is being rendered. I wouldn't be completely surprised if the framework which gets that component also resets its size once it's done painting the thing.
If you're calling it from outside the rendering loop, perhaps you could try calling validate() on the component, which should force it to determine its size.
Failing that, you could possibly use getPreferredSize() instead, which will likely obtain a similar result in most cases.

Similar Messages

  • SAP Query, user groups, revoking 'change' rights

    Hi,
    I have a problem regarding SAP Queries and revoking the change rights. This is what I have done:
    1. Created the new user group in SQ03
    2. Created the new InfoSet (SQ02), assigned it to the above UG (SQ03)
    3. Created the new user, assigned it to the UG in SQ03 and removed the Change checkbox (revoke change rights)
    4. Logged on as the new user
    5. Started SQ01, switched user group to the new one
    6. Created the new SAP query based on the new InfoSet, run the query
    As I understand the principles of user groups and queries, I wasn't supposed to be allowed to do step 6 as the new user, as its change rights were revoked. Why wasn't I stopped?
    I searched for a reply in previous posts - everybody agrees on the principles, but I didn't find an explanation of why it doesn't work.
    Thanks in advance!
    KR,
    Igor

    The table AQGDBBN seems to display a mapping of User Group with user indeed, but the results are fewer than the actual assignment. And the mapping does not have the Z query user groups that have users assigned in SQ03.
    Anything that I may be missing?
    Thanks,
    Kashif

  • Assign SQ03 Abap Query User Group to role

    Please advise how to assign SQ03 Abap Query User Group to a role. Thanks.
    Moderator message: please do more research before asking.
    [Rules of engagement|http://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement]
    [Asking Good Questions in the Forums to get Good Answers|/people/rob.burbank/blog/2010/05/12/asking-good-questions-in-the-forums-to-get-good-answers]
    Edited by: Thomas Zloch on May 12, 2011 5:40 PM

    Hello Sunil,
    The problem is that I have hundreds of users to maintain user groups.
    Found out that it is possible to assign a user group to a role and a role to user groups. Implementing HR authorization with indirect assignment of auth. So if I could use sq10, user groups could also be linked to a position in the org chart.
    sq10 does allow you to assign a user group to a role, but when you assign the role to a user and the user runs a query, it reports that no user group has been assigned.
    Suspect that there must be a parameter or switch that is not turned on.
    Regards

  • How to handle  user exits while using BAPI

    Hi experts, can anyone help me on how to handle user exits while using BAPI? Do we need to handle it explicitly or will the standard BAPI take care of it?
    Regards,
    Hari Krishna

    If you have added some fields using append structures for screen enhancements, then you have to use appropriate user exits to fill these data while calling BAPI. Some BAPIs have EXTENSION structures to fill the custom data, which can be processed using user exits or enhancements.
    Regards
    Vinod

  • Windows 2012 RDP "resets" user settings while using Roaming Profiles

    Last month we installed a RDP environment running a Windows 2012 DC and 2 Windows 2012 RDP servers. The RDP servers are running in a pool.
    For the rest it's nothing fancy.
    The problem is that user-settings are reset, most likely during logon. This only occurs when we use Roaming Profiles.
    - We create a new user, in a container with no GPO's attached.
    - This user gets a RP while logging on, no errors, at logoff the RP is written to its correct folder.
    - Logging on again. Now for example I make Chrome standard browser and change the program which opens JPG files.
    - Logging off
    - I check the NTUSER.DAT in the RP folder and the changes I made can be found in the file. So it has been saved to the NTUSER.DAT.
    - Now I login again and check the settings I made. IE is standard browser again and the JPG setting is also back to standard.
    - Logging off
    - Checking the NTUSER.DAT in the RP folder and yes, everything is back to default.
    Now the funny part is, when I create a user with a local profile, everything is working properly. Settings been saved.
    It doesn't make a difference what kind of user it is. Domain User, Domain Admin. They all have the same problems when using RPs.
    No error messages in the Event Viewer.
    I'm clearly unable to solve this problem. Hoping someone can help me on this one.
    What makes the settings reset at logon while using Roaming Profiles?
    Thanks!

    Hi,
    Thank you for posting in Windows Server Forum.
    Have you enabled the Cache copies option of roaming profiles?
    This issue might occur because the User Profile service does not load the terminal server roaming profile correctly after the user account password is reset.
    When the Delete cache copies of roaming profiles Group Policy setting is enabled, and when a user is prompted to change the user account password, the User Profile service loads a local temporary user profile. The User Profile service loads this user profile to perform the password reset operation. However, the profile changes to a combination of the local temporary profile and of the roaming profile after the user password is reset. Therefore, the terminal server roaming profile is not loaded correctly.
    In addition, please try to delete the SID of the user from registry key and check the result. You can follow the below path.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    More information:
    You receive a "The User Profile Service failed the logon" error message
    http://support.microsoft.com/kb/947215/en-us
    Also check “User Profiles on Windows Server 2008 R2 Remote Desktop Services” article.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • How MDX query will work while we run BOXIR3 query!

    Hi All,
    I am facing lots of performance issues with reports while running them.
    Can somebody explain how the query runs at the backend, i.e. how it functions when we hit Run query in Webi? When will the MDX query be generated and how does the query hit the BI/underlying database?
    I am basically looking for what happens behind the scenes in the back end when we run a report.
    I am using BI7.0 and BOXIR3. Thanks in advance for your reply.

    OK, thanks for your reply. Here are the answers to your questions.
    I) How many items are in the BI query?
    It has 52 dimensions and 15 key figures (CKFs, RKFs) and around 250 detail objects,
    but we are using only the dimension objects in reports. We are not using detail objects; I mean to say we are using hardly 3 detail objects in each report.
    Since these objects are navigational attributes, they are automatically created in the universe as detail objects. So if we remove the detail objects, will the performance increase considerably?
    CAN YOU PLEASE COMMENT ON THIS
    II) How many items are used in the Web Intelligence query panel for each report?
    In the WebI Query Panel, for each report we are using roughly 10 dimensions and 5 key figures (including CKFs, RKFs) with 6 prompts.
    III) Do the reports share characteristics? If yes - how many?
    Yes, they share characteristics. A maximum of up to 7 characteristics are shared among the reports, like Country, Post code, Group, Tier

  • Query overall Result while using structures

    Hi all,
    I have 2 structures in my query, in both rows and columns. Now I want to display the total result for all the columns in my structure. How do I go about that?
    I can't use cell definition as I used the cell definition on a couple of cells to calculate, and all other columns have been derived normally through selections and formulas.
    Any insight or pointers would be appreciated and rewarded.
    Cheers,
    Sri

    Thanks folks - I figured it out.

  • Database Account and User Groups

    Hello,
    Currently, I am using DATABASE ACCOUNT as the authentication scheme for all of my applications, but I would like to set up User Groups as well to limit users to their respective pages and/or objects within the application for easy maintenance of users. I have read that, in order to apply user groups in an application, you must use APPLICATION EXPRESS ACCOUNT credentials.
    Another developer has modified the "APEX_ACCESS_CONTROL" table with an additional column(s) that would allow access to specific pages. I am not sure if this is good practice to modify Apex tables.
    Is there a way to create user groups while using DATABASE ACCOUNT for authentication? What is the best practice in a case like this?
    Can anyone please shed some light on this? Thanks.
    - Dee

    Dee,
    "I would like to set up User Groups as well to limit users to their respective pages and/or objects within the application for easy maintenance of users."
    I'm not clear on what your purpose is, just runtime authorization, or something more?
    "Another developer has modified the "APEX_ACCESS_CONTROL" table with an additional column(s) that would allow access to specific pages. I am not sure if this is good practice to modify Apex tables."
    Those tables belong to your application's parsing schema and they are accessed only by code in applications you develop. The Application Express machinery knows nothing about them.
    "Is there a way to create user groups while using DATABASE ACCOUNT for authentication?"
    You can create your own tables to define groups and to keep track of which named accounts belong to which groups. And you can write an API for applications to use to query this information and to maintain it from custom applications built for that purpose.
    All

  • Creating user groups using SQ03.

    I am going to make a change to an already existing query 01 in the user group /SAPQUERY/AM. I am not a query expert; in fact this is the second query that I am modifying. I am reading some documentation saying that the first thing I have to do is create a user group. From what I am reading, the user group will contain the users that are allowed to modify queries. Since our users do not use this tool, I am the only one that creates and modifies queries. I think I am going to create a user group and my user-id will be the only one in the group - correct? Will I create one user group and have queries that I change in the future use this user group, or do I create user groups based on the user groups that are defined by SAP? Example - if I am changing a query in /SAPQUERY/AM and in /SAPQUERY/AU - would I create 2 user groups, 1 for AM and 1 for AU, or would I create only 1 user group and use it for both queries?
    After this, I think I have to copy the infoset (SQ02) and the query (SQ01) to custom names (names starting with Z) and then attach the parts to the new user group.

    Hi Timothy
    Typically you want to create user groups for functional areas or grouped reports/queries. You can enter as many users as needed into a user group and only those who have the checkbox next to their name in the user group screen will have authorization to create/modify queries in the infosets where the usergroup is assigned. If you are creating 2 usergroups with the same users and authorizations then that is redundant but if the list of users is different or the authorizations may change then it would make sense to have 2 usergroups. You should have some naming convention to follow when creating the queries but the Z prefix is not required.
    Andy

  • Sql query slow while using Pro*C, OCI

    The SQL query is taking a long time while fetching records from RAC using Pro*C, OCI. The same query works fine while using a JDBC connection. What could be the issue? Please help.
    Thanks,
    Sam

    Pro*C is not part of Oracle Solaris Studio (formerly Sun Studio). Studio has no special support for database programming. You are more likely to get a helpful answer in a database programming forum. Start here:
    https://forums.oracle.com/forums/category.jspa?categoryID=18

  • User Groups for Queries

    All,
    I have a user that gets a message stating that they are not assigned to any user group when using t-code SQ00.
    I have checked and the profile they are assigned to has rights to run SQ00 and I have also checked SQ03 and I do have her assigned to query groups.
    Am I missing something?  I've been administering users for years and have never had one with a problem like this.  All the usual areas are fine.
    Thanks for your help!

    i have to apologize - i didn't read your post carefully - my mistake.
    does this also happen when parameter AQB in SU3 is set to a default user-group?
    have you checked whether infosets are assigned to that particular user-group?
    Edited by: Mylene Euridice Dorias on Feb 13, 2008 5:18 PM
    i'm editing this: i have just been testing. is the infoset assigned to that usergroup properly generated?

  • How to pass the User Group for a SQ00 Transaction iView

    Hello,
    To start off, I am relatively new to SAP technology in general.  I may be missing something obvious.
    I am trying to create an SAP Transaction iView in our EP Portal that will call the SQ00 transaction (start query) and run a particular query against our R/3 backend.  I set the Transaction Code to: SQ00, the application parameters to: RS38R-QNUM=<my query> and the OK Code to: SHOW and the System to the System alias for our R/3 system.
    My problem is that the query that I need to run is not in the default User Group that comes up by default.  So I get a screen that has the query field (RS38R-QNUM) correctly populated but the error that the query has not been created.  From that screen I can navigate to the correct User Group and then run query.  There does not seem to be a User Group field on the screen, you change it by accessing a different menu, so I do not know how to call the screen for a particular User Group.
    Is there an application parameter that I can initially pass to set the User Group?
    Thank you.

    "And my lecturer is suck, every lectures she just read the slices and never explains why and how they are. (If ask her, she talks and talks rubbish and eventually I get nothing)"
    Maybe you should drop the class and complain to the administration.

  • How to create User Groups

    I would like to understand the steps for creating a User Group. I am currently doing SAP-HR configuration activities in the Sandbox client, and for the purpose of testing I have created an infogroup for the "Hiring" action. But the action is not appearing in PA40. I realized later that I was making some mistakes in assigning the user groups. So, I would like to create a user group. Is it an activity to be done by the BASIS consultant, or can anyone create the user and user group in the Sandbox environment?
    I request your help in resolving my problem.
    -Shambhvi

    Hi,
    You have to define the user group while creating the Infotype menu and Action.
    For infotype menu - V_T588B.
    Action - V_T588D - Action.
    Define the same user group for the infotype menu and the action. Once it is done, maintain the same user group against your user parameters.
    Go to transaction code su01 (if you have the authorization, or talk to your basis guy).
    Enter your user id (which you used to log in to SAP).
    Click on the parameters tab and maintain your user group there, like
    UGR - for e.g. 40 (what you have defined in the infotype menu and action).

  • Windows user groups with # character ok?

    I wanted to know whether a Windows user group used in SQL Server 2008R2, with a naming convention that includes the # character, would operate OK within BizTalk databases.
      eg.  domain\#mg-dd-something
    Any help and advice would be greatly appreciated.

    But in this context, it's the backslash that is the special character. A legal identifier in SQL Server consists of alphanumeric characters plus the characters _, #, @ and $. Of these, $ can never be used initially. @ can only be used initially for variables.
    # can be used initially without restrictions except for objects in sys.objects, where it can only be used for stored procedures and tables, and for these it has a special meaning. For non-object objects, # can be used freely. Underscore should never be an issue, as it is commonly used in identifiers in many languages.
    So this is legal:
    create login #nisse@manpower with password ='hult'
    Whether you should use it? There is certainly a bigger risk that you run into issues. Not necessarily in SQL Server itself. It could also be with other MS products or third-party software. And don't forget the people in your organisation who will be confused by it.
    Erland Sommarskog, SQL Server MVP

  • Windows user group for BizTalk contains # characters

    I wanted to know whether a Windows user group used in BizTalk Server 2013, with a naming convention that includes the # character, would operate OK in BizTalk and SQL. Please see the example below:
      eg.  domain\#mg-dd-BizTalk-SSO-Affiliate-Admins
    Any help and advice would be greatly appreciated.

    Hi Chris,
    There are some naming conventions followed while creating Windows user groups, though not concrete ones. One of them is here.
    http://technet.microsoft.com/en-us/library/cc775802(v=ws.10).aspx
    When it comes to BizTalk, if I can recollect, one of our clients had a Windows user group with a symbol like yours, which did work without any issues. But we suggested that they change the user group's name, as this could affect some of our automated scripts like PowerShell/C# programs. They agreed to this and changed their Windows user group to ones without any symbols.
    Yes, this would work but might fail for any of your automated maintenance scripts. Note: This experience with my client is with BizTalk 2006 and I have tested the case for latest versions.
    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.
