Question on Roles

Hi
In testdb (DB) i've 2 users (test , test1)
in user Test i created one table "sample" and then said
CREATE ROLE RL_CHK NOT IDENTIFIED
grant select on sample to RL_CHK
grant RL_CHK to TEST1
Then grant succeeded
In TEST1 i checked select * from test.sample
Then It said table does't existAny mistake in the above procedure
Thanks
Edited by: smile on Oct 5, 2010 3:16 AM

Query:
select * from session_roles;to see if the role is enabled in your (new) session by default.
If not, you'll need to:
set roles all;to enable that role inside the session.
Or, have your DBA alter your user definition such that by default all roles are enabled inside sessions of that user.

Similar Messages

Question about role query

Hi all,
I have created a rolequery and i made it as PUBLIC.
But when i go to fieldmapping and then selected the rolename radio button and when i tried to see the list in drop down box, i could not see my rolequery.
Did i miss anything?
Let me know if you do not understand the question.
Please help me.
Thank you.

Hi,
In order to be able to select the rolequery in the dropdownlist, you have to create a new role. Preferably you copy an existing role, based on another existing rolwquery and name it like your rolequery.
When the role is created, add your role query to the role on the workflow routing page of the role. When this is done the role query will appear in the drop down list.
Kind regards,
Joris Verdonschot

A question about role

Hello Expert,
I'm a beginner in BW. Now I'm trying to generate Demo Content for InfoCube SAP DemoCube(0D_DECU) and use it in query.
But I'm blocked by installing role SAP_BWC_0D_SAPDEMO (I got the role from the data flow network of the InfoCube).
I can find Role SAP_BWC_0D_SAPDEMO in the Medadata Repository->Activated Objects->Role, but canu2019t find it in BI Content->Role
Since the role SAP_BWC_0D_SAPDEMO is not available in BI Content->Role, I'm not able to install it.
Can any expert help me on how to make the role available in BI Content->Role
Thanks & Best Regards, Johnney.

Hi,
Check, the sap help..
http://help.sap.com/saphelp_nw70/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
Thanks
Reddy

Question on Roles/Features

Hi,
I'm wondering why you chose to remove my ability to install Remote Web Workplace alone? It is now tied to a role that requires a separately licensed product.
You've taken a single useful feature and tied it to a bunch of crap that I don't need.
Is this part of the Let Them Eat Licensing strategy?
-=Chris

HI Chris,
What role are you talking about here?
i wasn't aware that the Remote Web Access role was a separately licences product now. I was under the impression it was included in 2012 R2 Standard / Datacentre and 2012 / 2012R2 essentials. Im pretty sure it was taken out of 2012 standard / datacentre
though.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
My Blog
LinkedIn:

Quick question on role

Hi, I want to add a user to a role . This user needs access to BI-Q. Is it ok to add the role in QA or should I add in BI-Dev and transport it to QA? Please advise..
Will there be any problem if I add the user in BI-Q? what is the usual practice?
Edited by: tanu d on Jul 23, 2009 11:31 AM

Dear Tanu..
create the role in Development and transport that role to Quality.. this is finished.
Create the users separately in development and in quality system..
but you have a option to transport the users also from development to quality system...
But best recommended way to assign user is assigning user separately...
userids should be created not to be transported.. So you can create user in development and in quality separately..
Hope this would help you more..

Question about Roles And priviledges

I have designed my database and i have generated the ddl script. Now I want to design or somehow to create the system roles and system priviledges for every role.
for example:
CREATE ROLE DOCTOR;
GRANT SELECT ON DOCTOR TO DOCTOR;
So is there any way to do that from Enterprise manager or jdevelopper gui? Can I generate the dcl script somehow?

aa8a14cf-4c39-4940-8315-e35d47cccb28 wrote:
I know which roles and system privileges should be created. How am i gonna create them and generate the dcl script?
You've been shown two variants on how to have "sql write sql" to create a script. We assumed you know how to use sqlplus to run a script, and in this case to spool the output of the script we showed to create the script you want. (That was covered in my commend "I leave the details as an exercise for the student")
Since you wanted a script we also assumed NOT using a GUI. Live by the GUI, die by the GUI.
But since it seems our assumptions were false ...
Log on with sqlplus and do the following:
set echo off feedback off verify off head off trimsp on tab off lines 512 pages 0
spool doit.sql
select 'grant '||privilege||' on '||owner||'.'||table_name||' to '|| role||';' from ROLE_TAB_PRIVS WHERE ROLE='DOCTOR';
spool off
edit doit.sql
After examining and doing a sanity check on 'doit.sql', you just execute it in sqlplus ..
sql> @doit

Question about Role.

Hi
I create a Role A. and add some pages to it.
structure like this:
RoleA
.......FolderA
..............PageA
..............PageA1
..............PageA2
.......FolderB
..............PageB1
..............PageB2
I hava two user A,user B
now i want userA can only access RoleA and FolderA(include pages),
userB can only access RoleB and FolderB(include pages).
How i config permissions ?Please help me.
Thansk.
Fan

Hi Fan,
In your structure there is no Role-B. You have not created the Role-B. If You have create the structure like below then you can give the access the way you want.
Role-A
|.......FolderA
             |..............PageA
             |..............PageA1
             |..............PageA2
Role-B
|.......FolderB
             |..............PageB1
             |..............PageB2
Assign the Role-A to User-A and
                 Role-B to User-B
I hope this will fulfill your requirement.
Thanks,
Satya

Simple Question on Role assignment

1. How do I determine which users have been assigned a role as
a. Direct assignment
b.Indirect assingnemt, In this , i want to get the Posistion, Job and person. too.
I have tried SUIM , but it gives the complete set of assignments , meaning both the direct and the indirect assignments are reported.
Also PFCG will give both the Direct as well as the in Direct Assignment but this will not give the posistion/Job
Edited by: george G on Oct 15, 2010 3:28 PM

No Juluis. One needs to go into PFCG. The tab beside the "user comparision" ( if this tab is absent - go the settings and get the "complete view ") this will give to which posistion the role is attached to.
REd Cap and propeller --> I didnto see any ? was it you - flying past ?

Simple Question on Role Deletion !!

I want to delete a role from say 100 posistions. How can this be done? From PFCG or SU01 its not posible. I kno wit can be done through going into individual posistion but doing it for so many users is cumbersome. Do you strike on something similar to SU10 ?

>
george G wrote:
I get a huge list !! - how does one single out the role from this list -. you said we can filter -- where ?? I coudl not see any filter on the role.
>
George,
On the huge list you should get a "Set Filter" button or hit CTRL+F5 or Edit->Set Filter. Select column set "Variation field" and click on left arrow to select->click on filter button "2nd Step: Determine Values for Filter Criteria"->enter the Variable field for the role "AG???" then check mark.
It actually works pretty good.
Edited by: John Navarro on Oct 18, 2010 10:22 PM
Edited by: John Navarro on Oct 18, 2010 10:22 PM

Question About Roles for the viewonly user

Hi I am trying to configure user with viewonly permissions to WLI 10.3 worklistconsole (worklist console-> view tasks). i did add the following groups to the user.
Monitors
Operators
Integration Monitors
Integration Operators
Integration users
i am able to start/stop servers (Admin Server,ms1 and ms2) but unable to view worklist console tasks.
Any help will be appriciate
Thanks
Ksr
Edited by: ksr11 on May 24, 2010 3:01 PM

Recycle domain fix the problem

Role Creation and Copying.

Hello All,
I have 3 different queries.
1) In our landscape, we have CUA and a client system (X1). I need to create some dialog users in X1 with customized profile. In which system do I need to create customized roles so as I can create users in CUA and can assign them the customized roles?
2) When I trying to copy roles with option "copy all" in X1 system, as CUA is active in the landscape, I am getting an error saying "CUA is active, User is not copied". But on my left hand side of the screen I can see the action as Role Copied. I am trying to copy them using Copy Selectively and not selecting User assignments. Here my questions is why its saying users not copied first but still I can see Role copied..and what is the difference between user assignment and copy all in this scenario?
3) In some different situation, I am not able to use the customized roles for Dialog users. According to my limited knowledge, it is possible to customize the roles as per our company standards. But I am not able to use dialog users with customized roles?
Thanks in Advance.
Regards,
Farooq.

Hi,
1) coming to the first question
The roles should always be maintained in your child system to which they belong.
But CUA controls the way the assignments are maintained, whether they are maintained globally or locally or everywhere.
You can see the details in SCUM Tcode.
In short maintain the roles in X1 and then text compare in CUA and then assign the the roles to users in CUA
2) You might be getting the error because the SCUM setting for role assignments are set to Global i.e they can be maintained only through CUA . But since the roles are created and maintained locally in ur child system the role is copied.
The copy all is for copying a role with all its characteristics including the user assignments but user assignment is adding this role to a user for giving some access rights which are packaged in this role
3)I am not clear as to what you meant by custom roles
If you referred to assignment of roles created specific to ur company then make sure you are trying to assign the roles in CUA and not directly in child system X1.
It might not be the problem of Dialog Users.
hope this helps

Role based security and ACLs

Hello,
I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
So:
1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
Your response is appreciated.

Hello,
I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
So:
1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
Your response is appreciated.

CUP assignment - Role Validity

Hi,
I have a question about role validity periods in CUP when the request gets approved. Currently valid from period is selected based on request creation date and end date is always set to 12/31/9999. Is there any way the 'from date' can be set to the date the request gets its final approval with out asking the approves to change the dates as the request can have multiple approvers.
Request approval is set at role level and auto provisioning is in place.
Thank you.
R R

Srinivasan, Frank
Thanks for the replies. A custom program that looks at these periods and send emails, among other actions, to users with role information. This program can not send emails if the validity period is beyond certain days.
Is this FM /VIRSA/ROLE_ASSIGN_CUA can be customized to accomplish this?
As an option we can ask approvers to change the from date to current day.
Thanks
R R

Direct grants working, but not roles

Newbie question on roles.
I'm trying to give access to tables in one schema, zowner, to another (empty) schema, zuser, which represents an application user.
If I grant zuser a privilege directly, it works. For example:
SQL> grant insert on zowner.items to zuser; -- as DBA
Grant succeeded.
SQL> select count(*) from zowner.items; -- as zuser
COUNT(*)
3
But if I create a role instead, and grant it a privilege, and then grant zuser that role, then it doesn't work:
SQL> create role zowner_delete; -- as DBA
Role created.
SQL> grant delete on zowner.items to zowner_delete; -- as DBA
Grant succeeded.
SQL> grant zowner_delete to zuser; -- as DBA
Grant succeeded.
SQL> delete from zowner.items where num=3; -- as zuser
delete from zowner.items where num=3
ERROR at line 1:
ORA-01031: insufficient privileges
What am I missing??? Thanks, --DD

No, I don't think I was, yet I'm still seeing some weird stuff going on:
I did get further by granting 'create role' to zowner, and creating the roles using zowner, as it seems that a role created by system is less accessible that one creating by an ad-hoc (non-privileged) user.
But if you look at the SQL*Plus session below, you'll notice that despite granting the delete privileges (on table zowner.items) to zuser, the first delete attempts fails, while the second succeeds! The first one is made withing the test-roles script, while the second is later on, by hand in SQL*Plus, after listing the privileges of the roles.
So there's still something funny going on here, which I don't understand... And as you can also see, I'm alternating connections between zowner and zuser, so I am reconnecting everytime this time.
If anyone can shed more light on this, that be great. Thanks, --DD
Oracle Database 11g Enterprise Edition Release 11.1.0.4.0 - Beta
With the Partitioning, OLAP and Data Mining options
SQL>
SQL>
SQL>
SQL>
SQL>
SQL> @test-roles
SQL> SET SERVEROUTPUT ON
SQL> -- (zdb value changed)
SQL> DEFINE zdb = '@//host:port/sid'
SQL>
SQL> ---- As system ---------------------------------------------
SQL> DROP USER zowner CASCADE;
User dropped.
SQL> CREATE USER zowner IDENTIFIED BY zowner;
User created.
SQL> GRANT CONNECT, RESOURCE, CREATE ROLE, CREATE TABLE TO zowner;
Grant succeeded.
SQL>
SQL> -- Create empty user.
SQL> DROP USER zuser CASCADE;
User dropped.
SQL> CREATE USER zuser IDENTIFIED BY zuser;
User created.
SQL> GRANT CONNECT, RESOURCE TO zuser;
Grant succeeded.
SQL>
SQL> DROP ROLE zowner_insert;
Role dropped.
SQL> DROP ROLE zowner_delete;
Role dropped.
SQL> commit;
Commit complete.
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> create table items (num INTEGER, txt VARCHAR2(32));
Table created.
SQL> insert into items (num,txt) values (1, 'one');
1 row created.
SQL> insert into items (num,txt) values (2, 'two');
1 row created.
SQL> commit;
Commit complete.
SQL> PROMPT Listing items from zowner
Listing items from zowner
SQL> select * from items;
NUM TXT
1 one
2 two
SQL>
SQL> -- As zuser (no grant: select FAILS) -----------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> select * from zowner.items;
select * from zowner.items
ERROR at line 1:
ORA-00942: table or view does not exist
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> GRANT select on items to zuser;
Grant succeeded.
SQL>
SQL> -- As zuser (direct grant: select OK) ----------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> select * from zowner.items;
NUM TXT
1 one
2 two
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> CREATE ROLE zowner_insert;
Role created.
SQL> GRANT insert on items to zowner_insert;
Grant succeeded.
SQL> GRANT zowner_insert to zuser;
Grant succeeded.
SQL>
SQL> -- As zuser (indirect grant: insert OK) --------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> insert into zowner.items (num,txt) values (3, 'three');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from zowner.items;
NUM TXT
3 three
1 one
2 two
SQL>
SQL> set linesize 90
SQL> column ROLE format a20
SQL> column OWNER format a10
SQL> column TABLE_NAME format a20
SQL> column COLUMN_NAME format a10
SQL> column PRIVILEGE format a20
SQL> select * from role_sys_privs;
ROLE PRIVILEGE ADM
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE TYPE NO
CONNECT CREATE SESSION NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE TABLE NO
RESOURCE CREATE INDEXTYPE NO
9 rows selected.
SQL> select * from role_tab_privs;
ROLE OWNER TABLE_NAME COLUMN_NAM PRIVILEGE GRA
ZOWNER_INSERT ZOWNER ITEMS INSERT NO
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> CREATE ROLE zowner_delete;
Role created.
SQL> GRANT delete on items to zowner_delete;
Grant succeeded.
SQL> GRANT zowner_delete to zuser;
Grant succeeded.
SQL>
SQL> -- As zuser (indirect grant: delete ??) --------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> delete from owner.items where num=3;
delete from owner.items where num=3
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> commit;
Commit complete.
SQL> select * from zowner.items;
NUM TXT
3 three
1 one
2 two
SQL> -- END OF THE test-roles SCRIPT
SQL> select * from role_sys_privs;
ROLE PRIVILEGE ADM
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE TYPE NO
CONNECT CREATE SESSION NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE TABLE NO
RESOURCE CREATE INDEXTYPE NO
9 rows selected.
SQL> select * from role_tab_privs;
ROLE OWNER TABLE_NAME COLUMN_NAM PRIVILEGE GRA
ZOWNER_INSERT ZOWNER ITEMS INSERT NO
ZOWNER_DELETE ZOWNER ITEMS DELETE NO
SQL>
SQL>
SQL> desc zowner.items
Name Null? Type
NUM NUMBER(38)
TXT VARCHAR2(32)
SQL> insert into zowner.items (num,txt) values (4,'four');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from zowner.items;
NUM TXT
3 three
4 four
1 one
2 two
SQL> delete from zowner.items where num=4;
1 row deleted.
SQL>

Role Certification search and notification

Hello,
I have configured role certification functionality in GRC-AC v10.0 SP13, and everything works fine.
When the role owner does the certification, by clicking on the certify button and writing some certification text, this text is saved in the Comments History field in the role. It's fine, but I have two questions:
1) Is there a way to search those certification texts easily, like a list of several roles?
2) When the role owner certifies the role, is there a way to configure some notification to anyone?
Thanks in advance for any help.
Regards,
Gabriel Aquino

Dear Gabriel,
reagarding your questions to role certification. I don't think that you can search for comments in the web client. Basically comments are stored in long text and hence searching is not that easy. Probably it is possible to search directly in the tables (e.g. you can create a report to search). If you are interested I can search the tables.
Basically role certification is calculated based on the period and the last certification date. After the defined days an email reminder is automatically sent to the role owner. The reminder template can be customized in SPRO. Further notifications are not possible with standard functionality. I suggest to raise an idea on the idea space: https://ideas.sap.com/SAPAccessControl
Best regards,
Alessandro

Question on Roles

Similar Messages

Maybe you are looking for