Re-using roles

Similar Messages

• Data and Dashboard Security using ROLES Variable in OBIEE 11g

  Hi all,
  I'm currently using OBIEE 11g. I'm wondering how to implement the security for data and dashboard in the 11g.
  Below is the sample of how the security matrix requirement when I use the 10g version. In 10g, we usually use GROUP (for the data filter in RPD) and WEBGROUPS (for dashboard objects) variables in my initialization block to read from database. As we have 2 different variables, it is possible to control security separately for data and dashboard.
  GROUP | Country
  G1 | US
  G2 | FR
  G3 | UK
  WEBGROUPS | Dashboard
  WG1 | D1
  WG2 | D1
  WG3 | D1
  WG1 | D2
  WG2 | D2
  WG1 | D3
  WG3 | D3
  WG3 | D4
  Now, in 11g, the recommendation is to use ROLES variable (for application role). So, how would I apply the required security matrix above in 11g using just ROLES variable? Do I still create G1, G2, G3, WG1, WG2, and WG3 as application roles then only use G1-3 in the RPD to filter the data and only use WG1-3 in the analytics to serve as webgroups?
  Any advice on this? Thank you very much.

  "...Could you elaborate more?"
  I mean that role creation and user->role assignment will be managed outside of to the obiee interface - whether that's via the database, LDAP, fmw etc.
  Webgroup creation and assignment is managed within the obiee interface and I think that has a lot of benefits - generally you have people responsible for shared folders and dashboard creation, so having them responsible for webgroups and presentation permissions is preferable for me.
  "are you saying that I use the role G1-3 only in the RPD, while using the role WG1-3"
  Yes .. I'm assuming you have something like
  G1 | US
  G2 | FR
  G3 | UK
  WG1 | Finance
  WG2 | Marketing
  WG3 | Sales
  Which becomes
  R1 | US
  R2 | FR
  R3 | UK
  R4 | Finance
  R5 | Marketing
  R6 | Sales
  And John belongs to R1 and R4, Fred belongs to R2 and R4 etc. So you would set your data filters against R1-R3 and use R4-R6 like webgroups in the presentation services.
  Regards,
  Robert

• Company code creation for a BP using Role FLVN00

  Hi,
  I am trying to create a BP in a company code as part of Customer Vendor Integration.
  But when i create a BP using role FLVN00 , and select company code tab, enter company code details and save, company code details are cleared out.
  do we have to do any extra setting for that.
  thanks
  sekhar J

  Hi Sekhar,
  Can you tell us how this issue got resolved? We are also getting same error while saving BP.
  Thanks,
  Renu Prasad.

• How to use Role Menu item in BI 7.0

  Hi experts,
  From web applications desiger in version 3.5 we can use Role Menu item to access our querys easily.
  In version 7.0 this item has been deleted from standard items. How can we manage it ? Thanks a lot
  Best regards,
  Santi

  You can use EP role to have the same functionality.
  Another option is to use the 3.X role menu web item after applying note 1075789, in this case role meny web item will display 7.0 objects also.
  Thanks.

• Error in oim Role creation using Role Manager Service API from Standalone Java client

  Hi,
    Facing the following error when trying to create Role using Role Manager Service API from a standalone java client .
  Tried with the solution of changing ,
  Login into the Web Logic Admin Console --> Servers --> OIM Server --> Protocols --> Modify the Maximum Message from 100000000 to 1000000000, but still the problem persists.
  Exception in thread "main" org.omg.CORBA.BAD_PARAM:   vmcid: 0x0  minor code: 0  completed: No
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
  at java.lang.reflect.Constructor.newInstance(Unknown Source)
  at java.lang.Class.newInstance0(Unknown Source)
  at java.lang.Class.newInstance(Unknown Source)
  at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.getSystemException(Unknown Source)
  at com.sun.corba.se.impl.protocol.giopmsgheaders.ReplyMessage_1_2.getSystemException(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.getSystemExceptionReply(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.processResponse(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.marshalingComplete(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.invoke(Unknown Source)
  at org.omg.CORBA.portable.ObjectImpl._invoke(Unknown Source)
  at com.sun.org.omg.SendingContext._CodeBaseStub.meta(Unknown Source)
  at com.sun.corba.se.impl.encoding.CachedCodeBase.meta(Unknown Source)
  at com.sun.corba.se.impl.io.IIOPInputStream.getOrderedDescriptions(Unknown Source)
  at com.sun.corba.se.impl.io.IIOPInputStream.inputObjectUsingFVD(Unknown Source)
  at com.sun.corba.se.impl.io.IIOPInputStream.simpleReadObject(Unknown Source)
  at com.sun.corba.se.impl.io.ValueHandlerImpl.readValueInternal(Unknown Source)
  at com.sun.corba.se.impl.io.ValueHandlerImpl.readValue(Unknown Source)
  at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_value(Unknown Source)
  at com.sun.corba.se.impl.encoding.CDRInputStream.read_value(Unknown Source)
  at oracle.iam.identity.rolemgmt.api._RoleManager_ogut7n_RoleManagerRemoteRIntf_Stub.createx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
  at $Proxy2.createx(Unknown Source)
  at oracle.iam.identity.rolemgmt.api.RoleManagerDelegate.create(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
  at weblogic.security.subject.SubjectProxy.doAs(SubjectProxy.java:64)
  at weblogic.security.subject.SubjectManager.runAs(SubjectManager.java:262)
  at weblogic.security.Security.runAs(Security.java:48)
  at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
  at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
  at $Proxy3.create(Unknown Source)
  at com.idm.role.CreateRole.createRole(CreateRole.java:113)
  at com.idm.role.CreateRole.main(CreateRole.java:167)
  Thanks In Advance

  Hi , I have used OIM 11g  R2.
  Please find below the code we have used,
  package com.idm.role;
  import java.util.HashMap;
  import java.util.HashSet;
  import java.util.Hashtable;
  import java.util.Iterator;
  import java.util.Set;
  import java.util.logging.Logger;
  import javax.security.auth.login.LoginException;
  import oracle.iam.identity.exception.NoSuchRoleException;
  import oracle.iam.identity.exception.RoleAlreadyExistsException;
  import oracle.iam.identity.exception.RoleCreateException;
  import oracle.iam.identity.exception.RoleLookupException;
  import oracle.iam.identity.exception.RoleModifyException;
  import oracle.iam.identity.exception.SearchKeyNotUniqueException;
  import oracle.iam.identity.exception.ValidationFailedException;
  import oracle.iam.identity.rolemgmt.api.RoleManager;
  import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
  import oracle.iam.identity.rolemgmt.vo.Role;
  import oracle.iam.platform.OIMClient;
  import oracle.iam.platform.authz.exception.AccessDeniedException;
  public class CreateRole {
  private final static Logger LOGGER = Logger.getLogger(CreateRole.class .getName());
  OIMClient oimClient = null;
  public OIMClient connectToOIM() {
    LOGGER.info("In connectToOIM ");
    Hashtable env = new Hashtable();
    env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
      "weblogic.jndi.WLInitialContextFactory");
    env.put(OIMClient.JAVA_NAMING_PROVIDER_URL,
      "t3://V-hydidm1.itig.co.in:14000");
    System.setProperty("java.security.auth.login.config",
      "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\authwl.conf");
    System.setProperty("java.security.policy",
      "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\xl.policy");
    System.setProperty("OIM.AppServerType", "wls");
    System.setProperty("APPSERVER_TYPE", "wls");
    System.setProperty("weblogic.Name", "oim_server1");
    oimClient = new OIMClient(env);
    try {
     oimClient.login("xelsysadm", "Passw0rd".toCharArray());
    } catch (LoginException e) {
     e.printStackTrace();
    System.out.println("Connected");
    return oimClient;
  public void readRoleMetadata() {
    LOGGER.info("in readRoleMetadata ");
    RoleManager roleManagerService = oimClient
      .getService(RoleManager.class);
    try {
     Role roleVo = roleManagerService.getDetails(
       RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
     Set attributeNameSet = roleVo.getAttributeNames();
     Iterator it = attributeNameSet.iterator();
     while (it.hasNext()) {
      System.out.println("Attribute Name :: " + it.next());
     // roleVo.setAttribute("ADentitlements", "Security Admin access");
     String adEntitlements = "" + roleVo.getAttribute("ADentitlements");
     System.out.println("AD Entitlements :: " + adEntitlements);
     System.out.println("DB Entitlements :: " + ""
       + roleVo.getAttribute("DBEntitlements"));
     System.out.println("Unix Entitlements :: " + ""
       + roleVo.getAttribute("UnixWindows"));
     System.out.println("VPN :: " + "" + roleVo.getAttribute("VPN"));
    } catch (SearchKeyNotUniqueException e) {
     e.printStackTrace();
    } catch (NoSuchRoleException e) {
     e.printStackTrace();
    } catch (RoleLookupException e) {
     e.printStackTrace();
    } catch (AccessDeniedException e) {
     e.printStackTrace();
  public void createRole() {
    LOGGER.info(" in Create role ");
    RoleManager roleManagerService = oimClient
      .getService(RoleManager.class);
    HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
    roleCreationAttrMap.put(RoleManagerConstants.ROLE_NAME, "API Role1");
    roleCreationAttrMap.put(RoleManagerConstants.ROLE_DESCRIPTION,
      "This Role is created using API Role1");
    roleCreationAttrMap.put(RoleManagerConstants.ROLE_DISPLAY_NAME,
      "API Role1");
    roleCreationAttrMap.put("ADentitlements", "API Role1 AD Entitlements");
    roleCreationAttrMap.put("DBEntitlements", "API Role1 DB Entitlements");
    roleCreationAttrMap.put("VPN", "No");
    roleCreationAttrMap.put("UnixWindows", "API Role1 Unix Entitlements");
    Role roleVo = new Role(roleCreationAttrMap);
    try {
     System.out.println(" Before Create role *********************************************");
     roleManagerService.create(roleVo);
     System.out.println("Role Created .. ");
    } catch (ValidationFailedException e) {
     e.printStackTrace();
    } catch (RoleAlreadyExistsException e) {
     e.printStackTrace();
    } catch (RoleCreateException e) {
     e.printStackTrace();
    } catch (AccessDeniedException e) {
     e.printStackTrace();
  public void modifyRole() {
    LOGGER.info(" in modifyRole ");
    RoleManager roleManagerService = oimClient
      .getService(RoleManager.class);
    Role roleVo;
    try {
     roleVo = roleManagerService.getDetails(
       RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
     String roleKey = roleVo.getEntityId();
     HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
     roleCreationAttrMap.put("ADentitlements",
       "Updated API Role1 AD Entitlements");
     Set roleKeySet = new HashSet<String>();
     roleKeySet.add(roleKey);
     Role roleVoNew = new Role(roleCreationAttrMap);
     roleManagerService.modify(roleKeySet, roleVoNew);
     System.out.println("Role Modified ..");
    } catch (SearchKeyNotUniqueException e) {
     e.printStackTrace();
    } catch (NoSuchRoleException e) {
     e.printStackTrace();
    } catch (RoleLookupException e) {
     e.printStackTrace();
    } catch (AccessDeniedException e) {
     e.printStackTrace();
    } catch (ValidationFailedException e) {
     e.printStackTrace();
    } catch (RoleModifyException e) {
     e.printStackTrace();
  public static void main(String args[]) {
    CreateRole miscObj = new CreateRole();
    miscObj.connectToOIM();
    miscObj.createRole();
    //miscObj.readRoleMetadata();
  Thanks In Advance .

• How to use 'roles' attribute in action-mapping ?

  Hi,
  Can anybody tell me what are the steps needed to use 'roles' attribute in <action> tag of struts-config.xml file?
  I want to provide Action level security.
  Also pls post an example if u r having.
  Regards
  Veeru

  Hi,
  The RfcAdapter trys to find a Sender Agreement for this RFC call but the lookup failes. The values used for this lookup are:
  Sender Party/Sender Service: The values from Party and Service belonging to the sender channel.
  Sender Interface: The name of the RFC function module.
  Sender Namespace: The fix RFC namespace urn:sap-com:document:sap:rfc:functions
  Receiver Party/Receiver Service: These fields are empty. This will match the wildcard
  Regards,
  Suryanarayana

• Custom security JHeadstart 11gTP1 -Use Role-based Authorization is missing

  In JHeadstart 11g TP1 the option Use Role-based Authorization is missing.
  Will this option only be available in de production release of JHeadstart 11g? What is the reason why this is missing? Is it still possible to use CUSTOM authorization in JHeadstart 11g TP1?

  It is not missing.
  If you turn on custom authorization, you can specify your own roles against groups to access them, and use role names in the insert allowed/update allowed and delete allowed expressions.
  Steven Davelaar,
  JHeadstart Team.

• Need to get IRole object using Roles Display Name

  Hi,
  I need to get IRole object using Roles Display Name. I had the below code in EP 2004 SP12 and it works. But the same code dont work in EP 2004s SP13
  user = request.getUser();
  profile = request.getComponentContext().getProfile();     
  String strRoles = profile.getProperty("Roles");
  String strRole[] = strRoles.split(",");
  IRoleFactory roleFactory = UMFactory.getRoleFactory();
  String roleUniqueId = null;
  int i = 0;
  boolean flagRedirect = false;
  for(i = 0; i < strRole.length; i++){
       try
            com.sap.security.api.IRole role = roleFactory.getRoleByUniqueName(strRole<i>);
            roleUniqueId = role.getUniqueID();
            if(!user.isMemberOfRole(roleUniqueId, true))
                 continue;
            flagRedirect = true;                    
            break;
       catch(UMException ex)
       catch(IOException ex)
  if(!flagRedirect){
  Where property Roles will have comma separated roles display names like "com.ABC.ortho_reports,com.ABC.lawns_ortho_reports,com.ABC.executive_reports"
  Please advise.

  Thanks Mrudula for the response. Sorry for the delay in responding.
  I get UMEException with the message "Role with uniqueName com.ABC.general not found"
  But it works fine if i specify Role unique role (like pcd:portal_content/com.abc.Marketing_Workbench/com.abc.Roles/com.abc.general).
  We are in the process of upgrading Portal environment from EP6.0 SP12 to EP7.0 SP13. Above scenario works fine in the older environment.

• Restrict displayed data in a query using roles

  Hi experts.
  i'm writing to you to explain our trouble.
  We have an infocube with 2 company codes 'A' & 'B'.
  We are trying to display only one of them depending on the user that executes THE SAME query, whitouth using a filter for the company code (0comp_code).
  We have done a couple of roles that restrict that infoobject and we have activated de chekbox in the infoobject properties/reporting "authorization relevant".
  This doesn´t work as well as we wanted, it restricts the access to the data that we don´t specify in the role, but when the query is executed, we obtain a message which says that the user has not authorization to acces data, here is the main problem, we only want to display a company code, but when we execute the query and tries to acces the data that is not defined in the role for that user, the query crashes and doesn't display anything.
  Is there a way to do what we want using role authorizations?
  Thanks in advance.

  Hi,
  Thanks for your answers, but, i am still having the problem.
  We are working with the 3.5 version, so we can not do what you say.
  In the other hand we have already used the transaction rssm to do that, but we are still having the authorization message when we execute the query whitouth a filter and comes data that is not defined int our roles.
  I am not sure, perhaps it is not possible with the 3.5 version.
  Thanks.

• Oim 11g r2: data access restriction using roles instead of organisations

  can i implement data access restriction using roles instead of organisations in oim 11g r2?

  in my use case a particular user can be member of more than one organisation. as far as i know oim does not suoport this use case using organisation, so i decide to use roles to represent my "organizations", but now i loose all the data access restrictions (scope).

• Can't use role-based authorization

  We can't use role-based authorization because the permissions
  and their assignments change frequently. Is there any alternative
  where we can still use WLS to handle security?

  Dave,
  If you're using WLS6 the console supports dynamic user updates so you could
  change each users configuration as needed.
  Alex
  Dave <[email protected]> wrote in message
  news:3a672c81$[email protected]..
  >
  We can't use role-based authorization because the permissions
  and their assignments change frequently. Is there any alternative
  where we can still use WLS to handle security?

• Implementing password policie using Role and CoS

  Hy all,
  I have created a directory with the following partial structure (Sun directory 5.2 patch 2):
  ou=people,o=accounts,c=an
  |----- cn=user1
  |----- cn=user2
  |----- cn=user3
  ou=services,o=accounts,c=an
  |---------cn=user4
  |---------cn=user5
  |---------cn=user6
  I want to assign different password policies based on the ou.
  I read within the admin guide that there is a way to do that through CoS and Role: http://docs.sun.com/source/817-7613/useracct.html#wp19625
  So I create following records:
  - Customized Password Policy Container:
  dn: cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: nsContainer
  cn: Customized Password Policy
  - External User Customized Password Policy: (same as the global one)
  dn: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: externalUserPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 86400
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: on
  - Service Account Customized Password Policy: (same as the global one except that there is no expiration for password and the password minimum age is set to 2 days instead of one)
  dn: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: serviceAccountPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 172800
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: off
  - External User Role:
  dn: cn=externalUserRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=people*))
  Description: Filtered role for external users
  - Service Account Role
  dn: cn=serviceAccountRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=services*))
  Description: Filtered role for external services account
  - Template Container for Customized Password Policy:
  dn: cn=pwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: nscontainer
  - Class of Service (CoS) Definition for password policy:
  dn: cn=PwdPol_CoSDefinition, c=an
  objectClass: top
  objectClass: LDAPsubentry
  objectClass: cosSuperDefinition
  objectClass: cosClassicDefinition
  cn: PwdPol_CoSDefinition
  cosAttribute: passwordPolicySubentry operational
  cosTemplateDn: cn=pwdPolTemplateContainer, c=an
  cosSpecifier: nsRole
  - Class of Service (CoS) Template for ExternalUserRole:
  dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  - Class of Service (CoS) Template for ServiceAccountRole:
  dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  - The thing is that it does not to work: if I disable the global password policy, I can set a 3 caracters password even if I specified in the sub password policy that passwordminlengnt is equal to 8 caracters.
  Many thanks in advance for your help.
  Gregoire

  Hmm,
  Pretty cool.
  I just finished doing it the hard-way when I saw your post :(.
  I tried it anyways, and it did all the work that I had done by hand in the previous try. Which was ...
  1) Creating the filtered role (same in both approaches).
  2) Creating a Container for COS Templates.
  3) Creating a COS Template with a dn having a cn string of the full dn to the role in 1) above. Had to use generic entry editor to add all the additional attributes as below ...
  dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",
  �cn=PolTempl,dc=example,dc=com
  objectclass: top
  objectclass: extensibleObject
  objectclass: LDAPsubentry
  objectclass: costemplate
  cosPriority: 1
  passwordPolicySubentry: cn=TempPolicy,dc=example,dc=com
  (started with a new costemplate and the added all the above attributes, also involved things like changing the naming attribute - the dn - from cosPriority to the one cn as shown above)
  4) Creatiing a COS with ...
  4.1) passwordpolicysubenty as a generated attribute that is overriding and operation (this is picked from the matched CoS template)
  4.2) Use the template container's dn from 2) above for the TemplateDN value.
  4.3) Use nsrole of the target enty to narrow down to the COS template as in 3) above. I.E. "template"->"attribute name" value is set to "nsRole"
  (So when a user's nsrole maps to a cn value of an entry under the TemplateDN subtree. That template applies.)

• Problems using Role for Security to business area

  I have a role set up with several users in it. User A and user B are both in this business area. When I grant access to a business area using this role, they are unable to see the business area in the user edition. If I specify User A to the business area they can see the business area. This does not seem to happen all of the time. Any solutions for this ?
  Has anyone else come across it ?
  Thanks
  Dennis

  You could try this- Tools -> Priviliges -> (Show Privilege for the ROLE not the USER), then see if "Desktop & Plus Privilege" is checked
  I was just creating/removing EUL's in my test instance and the same thing happened to me.

• Function&procedures using roles or grants

  U cANNOT create a pl/sql function or procedure using a table which is granted to a
  user via a role .
  But there seems no problem in creating a function or procedure via a grant option.
  Why is it so;
  & how

  Hello,
  sqldev should do this. I wonder which no-oracle database you are attmpting to migrate, and possibly
  a concise testcase, in terms of objects involved, that does have this problem.
  I will try to test it here.
  Thanks
  Regards,
  Marcello

• How is OSA using roles from T77HAP_ROLE.

  in the objective setting and aprpaisal (OSA) module, there are several standard roles in table T77HAP_ROLE, like MA=manager and ME=self etc. These roles can be maintained using t-code OOHAP_BASIC.
  I am trying to understand how is OSA using these roles....as per the sap help
  "There is no relation between the roles in the Objective Setting and Appraisals component and the role concept delivered by SAP. " 
  Are these roles mapped to R/3 roles in the backend? are there any evaluation paths that correspond to these roles?
  if I need to create a new custom role for OSA using t-code OOHAP_ADMIN, what else do I need to do apart from creating the role in OOHAP_BASIC (do I need to do any role mapping, create evaluation paths etc) so that the system is able to use the new roles?
  Regards,
  Tiberiu
  Edited by: Tiberiu Sasu on Jan 10, 2011 4:56 PM

  Hi Niel,
  I just tried this and do not get the error you mentioned. The project role ID is exactly the same in the original project that the template was created out of, template and new project. I am on SP09, so if you are on a lower support package it might be a bug.
  However, I did notice that I get the warning if I have the same project role ID withing a project. Since this is only an "external ID" and internally the system does uses GUID, I doubt this would cause any issue. I have not noticed this warning in the past, however, I have seen the functionlity of creating templates out of operational projects and subsequently using those templates without any issues.
  Hope that helps.
  Regards,
  Lashan