Reconcile role members
Hi all,
We encounter some problems when adding a privilege (a SAP technical role) to a business role: the users who are assigned to this business role, do not receive the privilege.
So when we add the privilege to the role, the task "reconcile role members" starts, but nothing happens. However, after the assignment, when we reconcile the users separately, then they do get the privilege...
Do you guys have an idea what could be the problem here?
Thanks for your help!
Kind regards,
Kenny
There should be no need for jobs, event tasks or workflow tasks calling the reconcile functions in sp7.
In sp7 there should be a housekeeping tab on the dispatchers node in the management console.
By default there is a task there named "reconcile dirty entries" that is scheduled to run every minute.
Make sure you have a dispatcher running, that its policy allows "Housekeeping actions", and that the housekeeping interval is 1 minute or less (30 seconds is default).
Br,
Chris
Similar Messages
-
SSAS cube role members magically disappear overnight
Hello,
We are running SQL Server 2008 SP1 CU4 and I have been experiencing an occasional issue whereby our cube role members disappear - resulting in the user-dashboards failing on our website, so I am keen to resolve this.
Some background:
-We have two roles, one with 2 members and one with about 15-20. When the issue occurs, both roles lose their members but the roles themselves remain.
-The SSAS database is set to do a full process every night at 11pm.
-I deploy cube changes by backing up the cube from my development machine, and restoring to the server. My dev machine is on a different Windows domain. When I restore I select "overwrite security information" but am always very careful to select "Skip Membership". The restores always complete successfully, and I can immediately re-process the cube and confirm that the original members are still there and functioning normally.
-I suspect that this issue is related to the nightly re-process of the database, however I have tested this theory by checking the membership the day after I've completed a cube deployment and everything is still Ok.
-This just happened again last night. I reviewed the server logs and saw that the server rebooted last night at 9pm, followed by the cube re-process at 11pm.
-I noted this morning that the role membership has a single SID listed, and I can confirm that this is the SID of my local user account on my local machine. So it appears that when the issue exhibits itself, the cube is reverting back to the role membership contained in the restored database, even though I told it to skip membership.
To fix it this morning, I re-added the members and have saved a script to automate the process next time it occurs. I am aware I could run this script after every re-process just to be safe - but I'd rather stop unpredictably losing the configuration than automate the re-establishment of it!
What gives!? Any suggestions appreciated.
Michael
Hi Abbas,
We're clear on the difference between "build" and "process" right?
In my case, the cube processes every night - whereas we only change the design of the cube occasionally, maybe once every 2-3 months - therefore we are only building it every 2 or 3 months.
Because my dev machine is on a totally different domain to the SSAS server, I can't (or at least I didn't think I could) specify the accounts that are members of the various roles during development. I do this with the aid of a script every time we deploy out a new version of the cube to the SSAS server.
So, after a build and deploy - the cube role membership is perfectly fine and behaves as expected for all users. The thing that's puzzling us is that the role membership occasionally appears to unpredictably revert to prior settings (i.e. reverting back to my deployed role membership config prior to running my script to set the correct role membership).
The cube can be running fine for several months and then suddenly I get a call in the morning about users not being able to access the cube. I find that the server was rebooted overnight and the role memberships have disappeared - this is not an immediate result of a BIDS build/deploy as I think you are suggesting Abbas.
This hasn't occurred again since my last post in March this year, fingers crossed the problem has gone away.
Thanks,
Michael -
Error in reconcilation Function - Job "Reconcile roles and privileges"
SAP NW 7.0 SP2 Patch 3
Roles contain Privileges
Help file says: "If you are using roles and privileges, you will need to perform a reconciliation of the roles/privileges assigned to the users in the identity store after the roles are modified. "
Job imported as described.
When I let the job run on the ID-Store, for each entry, the following error message occurs:
runFunctionsInString($FUNCTION.reconcile( MSKEY )$$) got exception
org.mozilla.javascript.NotAFunctionException: reconcile( MSKEY )
...where MSKEY is, of course, the MSKEY of the entry.
If I let run the job with the Windows-Dispatcher and as a VB-script, it produces no error; however, in the output file, there are a lot of Messages like
"!ERROR: Invalid use of Null"
Only some entries (of Type MX_PERSON) show the "Priviliege added: (...)" output. But the job does not add the Privileges assigned to the role, as it should.
So, I would suggest that one redefines the SQL-Query of the Job so that it runs only on MX_PERSONS. But then, still, in my case, it does nothing.
Has anyone better experiences with the Job?
Edited by: Thomas P. Felder on Sep 25, 2008 10:32 AM
The job when imported by default uses java runtime engine but the script is written in vbscript syntax so you have to change the engine or the script syntax.
When you did your select statement did you use SELECT DISTINCT? That will also cause errors. I do not narrow the entry type to MX_PERSON.
I'm installing the patch now; I will see if I get any errors. -
How can I add a user Role member that is from a different domain
We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers. As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company wide domain (Domain B) so that we can monitor other departments' devices as they leverage this system.
Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers. One of the next steps we are working on before rolling it out is giving specific users access to view only their own devices, dashboards, and groups. So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account. I'm seeing Event ID 26319 with Error Code 1332.
How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console? Is this possible?
Here is the Error I'm seeing.
Log Name: Operations Manager
Source: OpsMgr SDK Service
Date: 2/4/2015 1:11:59 PM
Event ID: 26319
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx.xxxx.xxxxxxxx.xxx
Description:
An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
Exception message: The creator of this fault did not specify a Reason.
Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="OpsMgr SDK Service" />
<EventID Qualifiers="49152">26319</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
<EventRecordID>172748</EventRecordID>
<Channel>Operations Manager</Channel>
<Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
<Security />
</System>
<EventData>
<Data>UpsertUserRolesV2</Data>
<Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
<Data>The creator of this fault did not specify a Reason.</Data>
<Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
</EventData>
</Event>
Thanks for any help I can get in resolving this issue.
Jake
The SCOM Management Server is in Domain A. I've tried it already and it has failed.
So just to clarify the method I used was to go to Administration>Security>User Roles. Then New User Role>Read-Only Operator. In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members. Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine. On the next page which is Group Scope I checked the one group I want this account to have access to and then click next. This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are approved" and chose the folder of dashboards I want this account to access and then click next. This brings me to the Summary and I click "Create". At this point it thinks for a moment then closes out the wizard but the new Read-Only Operator does not appear. I then look in Event Viewer and see the Event I pasted above.
Am I doing something wrong here? Any guidance on how to get around this issue would be much appreciated.
Thanks,
Jake -
I learned that roles in DS are scoped to where they are created. Meaning if I create a managed role called role1 in ou=Roles,dc=sun,dc=com only entries (ie users and groups) under the ou=Roles branch will have visibility to role1. But since all my users are created underneath a different ou (ie ou=People), how do I get role1 to be visible to the users under ou=People? From a day's worth of reading, this doesn't seem possible. The only way around is to create the role under the ou=People branch. In this approach, all the member searches are behaving correctly. My concern is we will have thousands of roles, what's the scalability of having that many roles mingled with all 750,000 user entries under ou=People...
Any help is appreciated!
> The problem with that is the nsRole virtual attribute never gets calculated. While, the nsRoleDN will allow me to find all the roles for a given user with a search filter like this:
> uid=user1 nsRoleDN
> I need the nsRole virtual attribute to find role members (all members with a particular role)
> for example, using this search filter
> nsRole=cn=role1,ou=roles,dc=sun,dc=com
> to retrieve all members of role1. and this does not work unless role1 was in the same scope as the user or above
What about using
nsRoleDN=cn=role1,ou=roles,dc=sun,dc=com
It should return all members of role1. At the same time, usage of the on-the-fly computed nsRole attribute in searches isn't supported - please see Note 2 in the same link:
http://docs.sun.com/source/816-5606-10/roles.htm#1117631 -
Modify Script to Create User Role on Single Database.
Hi All,
Below is the script to create user role on database. Here problem is when I execute this script, it creates user role for all database within an instance and I want it to create user role only on 2 database say TEST1 and TEST2
Can anyone help me to modify the script?
--===================================================================================
-- Description
-- Database Type: MSSQL
-- This script creates a role called 'gdmmonitor' for ALL databases.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
-- before running this script
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
-- Note:
-- If you wish to use a different login name (instead of 'sqlguard') you need to change
-- the value of the variable '@Guardium_user' in the script below;
-- (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
-- after running this script
-- Nothing to do, the script already creates the db user
-- User/Password to use
-- User: sqlguard (or any other name, if changed)
-- Pass: user defined
-- Role: gdmmonitor
--===================================================================================
PRINT '>>>==================================================================>>>'
PRINT '>>> Creating role: "gdmmonitor" at the server level.'
PRINT '>>>==================================================================>>>'
-- Change to the master database
USE master
-- *** If a different login name is desired, define it here. ***
DECLARE @Guardium_user AS varchar(50)
set @Guardium_user = 'sqlguard'
DECLARE @dbName AS varchar(256)
DECLARE @memberName AS varchar(256)
DECLARE @dbVer AS nvarchar(128)
SET @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
SET @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
IF (@dbVer = '8') SET @dbVer = '2000'
ELSE IF (@dbVer = '9') SET @dbVer = '2005'
ELSE IF (@dbVer = '10') SET @dbVer = '2008'
ELSE IF (@dbVer = '11') SET @dbVer = '2012'
ELSE SET @dbVer = '''Unsupported Version'''
IF (@dbVer != '2000')
BEGIN
-- This privilege is required to perform a specific MSSQL test.
-- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key)
-- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop
-- Purpose: To display provider property, not changing anything.
PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
END
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if they exist
CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the role gdmmonitor on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.spt_values TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysconfigures TO gdmmonitor
GRANT SELECT ON dbo.sysdatabases TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syslogins TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
-- Grant execute privileges to the role for MSSql Common
PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON sp_helpdbfixedrole TO gdmmonitor
GRANT EXECUTE ON sp_helprotect TO gdmmonitor
GRANT EXECUTE ON sp_helprolemember TO gdmmonitor
GRANT EXECUTE ON sp_helpsrvrolemember TO gdmmonitor
GRANT EXECUTE ON sp_tables TO gdmmonitor
GRANT EXECUTE ON sp_validatelogins TO gdmmonitor
GRANT EXECUTE ON sp_server_info TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sql_logins TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
GRANT SELECT ON sys.server_role_members TO gdmmonitor
GRANT SELECT ON sys.configurations TO gdmmonitor
GRANT SELECT ON sys.master_key_passwords TO gdmmonitor
GRANT SELECT ON sys.server_principals TO gdmmonitor
GRANT SELECT ON sys.server_permissions TO gdmmonitor
GRANT SELECT ON sys.credentials TO gdmmonitor
--This is called by master.dbo.sp_MSset_oledb_prop.
--By default it should have already been granted to public.
GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR
END
-- Re-add the dropped members
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Re-adding the role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- END of role creation on database
PRINT '==> END of role creation on: ' + @dbName
PRINT ''
-- Change to the msdb database
USE msdb
set @memberName = ''
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if it exists
TRUNCATE TABLE #rolemember
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the gdmmonitor role on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
GRANT SELECT ON dbo.backupset TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
-- Grant execute privileges to the role for MSSql 2005 or above
PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
END
IF (@dbVer > '2000' and @dbVer < '2012')
--This sp is not available in SQL 2012
BEGIN
GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
END
-- Re-add the dropped members
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the temporary table
DROP TABLE #rolemember
-- END of role creation on database
PRINT '==> END of gdmmonitor role creation on: ' + @dbName
-- Role creation complete
PRINT '<<<==================================================================<<<'
PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
PRINT '<<<==================================================================<<<'
PRINT ''
PRINT '>>>==================================================================>>>'
PRINT '>>> Starting application database role creation'
PRINT '>>>==================================================================>>>'
use master
DECLARE @databaseName AS varchar(80)
DECLARE @executeString AS varchar(7950)
DECLARE @dbcounter as int
set @dbcounter = 0
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
and not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @dbcounter = @dbcounter + 1
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
'/*find any members of the role if it exists*/ ' +
'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
'INSERT INTO #rolemember ' +
'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
'WHERE usr.uid = mbr.memberuid ' +
'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'/*Drop the Role Members If they exist*/ ' +
'IF EXISTS (SELECT * FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/*drop the role if it exists*/ ' +
'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'BEGIN ' +
'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_droprole ''gdmmonitor'' ' +
'END ' +
'/* Create the role */ ' +
'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_addrole ''gdmmonitor'' ' +
'/* Grant select privileges to the role for MSSql Common */ ' +
'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON dbo.sysmembers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysobjects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysprotects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysusers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
'/* Check if the version is 2005 or greater */ ' +
'IF (' + @dbVer + ' != ''2000'') ' +
'BEGIN ' +
'/* Grant select privileges to the role for MSSql 2005 and above */ ' +
'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
'GRANT SELECT ON sys.all_objects TO gdmmonitor ' +
'GRANT SELECT ON sys.database_principals TO gdmmonitor ' +
'GRANT SELECT ON sys.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON sys.database_role_members TO gdmmonitor ' +
'END ' +
'/* Re-add the dropped members */ ' +
'IF EXISTS (SELECT 1 FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5)) + ' + '''''';'') ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/* drop the temporary table */ ' +
'DROP TABLE #rolemember ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT '' ''' +
'PRINT '' '''
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
-- Adding user to all the databases
-- and grant gdmmonitor role, only if login exists.
PRINT '>>>==================================================================>>>'
PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '>>> on all databases.'
PRINT '>>>==================================================================>>>'
USE master
/* Check that the @Guardium_user login exists; if not, do nothing. */
IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
BEGIN
PRINT ''
PRINT '************************************************************************'
PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
PRINT '*** Please add the login and re-run this script.'
PRINT '************************************************************************'
PRINT ''
END
ELSE
BEGIN
DECLARE @counter AS smallint
set @counter = 0
-- This loop runs 4 times just to make sure that the @Guardium_user gets added to all db.
-- 99% of the time, this is totally unnecessary. But in some rare case on SQL 2005
-- the loop skips some databases when it tried to add the @Guardium_user.
-- After two to three executions, the user is added in all the dbs.
-- Might be a SQL Server bug.
WHILE @counter <= 3
BEGIN
set @counter = @counter + 1
set @databaseName = ''
set @executeString = ''
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
where not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'/*Check if the login already has access to this database */ ' +
'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'/*Check if login already have gdmmonitor role*/ ' +
'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'AND usr.name = ''' + @Guardium_user + ''') ' +
'BEGIN ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END ' +
'END ' +
'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
'execute sp_adduser [' + @Guardium_user + '] ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END '
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
END -- end while
-- Required for Version 2005 or greater.
IF (@dbVer != '2000')
BEGIN
-- Grant system privileges to the @guardium_user. This is a requirement for >= SQL 2005
-- or else some system catalogs will filter our result from assessment test.
-- This will show up in sys.server_permissions view.
PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
END
PRINT '<<<==================================================================<<<'
PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '<<< on all databases.'
PRINT '<<<==================================================================<<<'
PRINT ''
END
GO
Thanks a lot Sir... it worked.
Can you also help me in troubleshooting the issue below?
This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
The SA account with highest privileges is being used for script execution. The errors received are as follows:
>>>==================================================================>>>
>>> Creating role: "gdmmonitor" at the server level.
>>>==================================================================>>>
==> Granting MSSSQL 2005 and above setupadmin server role
==> Starting MSSql 2005 role creation on database: master
(0 row(s) affected)
==> Dropping the gdmmonitor role members on: master
==> Creating the role gdmmonitor on: master
Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
The procedure 'sys.sp_addrole' cannot be executed within a transaction.
==> Granting common SELECT privileges on: master
Msg 15151, Level 16, State 1, Line 117
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 118
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 119
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 120
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 121
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 122
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 123
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 124
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 125
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 126
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
==> Granting common EXECUTE privileges on: master
Msg 15151, Level 16, State 1, Line 130
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 131
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 132
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 133
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 134
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 135
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 136
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission. -
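A triage of the batch output quoted in the post above, added here as an example (it is not part of the thread or of the gdmmonitor script): it separates the first failure from the repeated messages that follow it. The function names, and the heuristic that a later message is explained by the first failure when it quotes a name that appears in the failed step, are assumptions of this example; the sample is a shortened copy of the quoted output.

```python
import re
from collections import OrderedDict

# Constructed sample: a shortened copy of the output quoted in the post.
SAMPLE_OUTPUT = """\
==> Dropping the gdmmonitor role members on: master
==> Creating the role gdmmonitor on: master
Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
The procedure 'sys.sp_addrole' cannot be executed within a transaction.
==> Granting common SELECT privileges on: master
Msg 15151, Level 16, State 1, Line 117
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 118
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
==> Granting common EXECUTE privileges on: master
Msg 15151, Level 16, State 1, Line 130
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
"""

# "Msg <n>, Level <n>, State <n>, [Procedure <name>, ]Line <n>"
MSG_RE = re.compile(
    r"^Msg (?P<number>\d+), Level (?P<level>\d+), State (?P<state>\d+), "
    r"(?:Procedure (?P<procedure>[^,]+), )?Line (?P<line>\d+)$"
)
# Progress markers printed by the script itself.
STEP_RE = re.compile(r"^==> (?P<step>.+)$")
QUOTED_RE = re.compile(r"'([^']+)'")


def parse_messages(output):
    """Return one dict per 'Msg ...' header, with its text line and the
    '==>' step that was running when it was raised."""
    errors, step = [], None
    lines = [ln.strip() for ln in output.splitlines()]
    i = 0
    while i < len(lines):
        step_match = STEP_RE.match(lines[i])
        msg_match = MSG_RE.match(lines[i])
        if step_match:
            step = step_match.group("step")
        elif msg_match:
            text = ""
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # The message text is the line after the header, unless the
            # output was cut and the next line is another header or step.
            if nxt and not MSG_RE.match(nxt) and not STEP_RE.match(nxt):
                text = nxt
                i += 1
            errors.append({
                "number": int(msg_match.group("number")),
                "level": int(msg_match.group("level")),
                "procedure": msg_match.group("procedure"),
                "line": int(msg_match.group("line")),
                "step": step,
                "text": text,
            })
        i += 1
    return errors


def triage(errors):
    """Split errors into the first failure and grouped follow-on messages.

    Heuristic (assumption of this example): a follow-on group is marked
    'explained_by_root' when it quotes a name that appears in the step
    during which the first failure happened.
    """
    if not errors:
        return None
    root = errors[0]
    failed_step = root["step"] or ""
    groups = OrderedDict()
    for err in errors[1:]:
        key = (err["number"], err["text"])
        group = groups.setdefault(key, {
            "number": err["number"], "text": err["text"],
            "count": 0, "steps": [], "explained_by_root": False,
        })
        group["count"] += 1
        if err["step"] not in group["steps"]:
            group["steps"].append(err["step"])
    for group in groups.values():
        names = QUOTED_RE.findall(group["text"])
        group["explained_by_root"] = any(n in failed_step for n in names)
    return {"root": root, "followups": list(groups.values())}


if __name__ == "__main__":
    report = triage(parse_messages(SAMPLE_OUTPUT))
    root = report["root"]
    print("first failure: Msg %d in step %r: %s"
          % (root["number"], root["step"], root["text"]))
    for g in report["followups"]:
        print("  Msg %d x%d, explained by first failure: %s"
              % (g["number"], g["count"], g["explained_by_root"]))
```

On the quoted output, the single Msg 15002 raised while creating the role is the failure to investigate; the Msg 15151 lines all name the role that step did not create.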
Hi,
Doubt 1:
I have one cube and no roles defined as of now. We have a situation where we need to give access to the cube to only 10 users. I can see the roles option in the cube, and I can see the same in SSMS. Which is the best option for creating roles, and what is the difference?
Doubt 2:
I am preparing an SSRS MDX report. Usually in a SQL SSRS report we prepare one query for splitting parameter values and after that we join using Join(abc,","). How do we do this in SSRS MDX reports?
Thanks in advance,
Hari.
Hi Roles in SSAS,
Doubt 1:
The best option is for the developer to create roles in the cube itself. This is because developers tend to change stuff from time to time. What developers can then do is send the role.file to the administrator, who simply has to add memberships only.
If roles and members are made by the administrator, and developers change the role afterwards, administrators can then do everything from scratch again. There is of course a workaround where you can save the script once everything is set up, and then make manual changes in the script to match the changes by the developer. If a lot has changed, of course, you have to do everything from scratch.
Doubt 2: Sorry, I don't understand the question; can you rephrase or give an example, please? -
Dear Experts,
I am presently creating the workflow template for mapping the (FI) reconciliation process of GLs. The scenario I have is that, for a GL, different reconciler roles and approver roles have been assigned (tran PO13). The process is as defined below.
The workflow will be initiated in the background for an event. Each GL has to be approved by the reconcilers assigned. After each reconciler, the approvers have to approve the same as assigned in the Organization Object. A single reconciler can have multiple approvers and vice versa also. How will we be able to identify the reconcilers or approvers at runtime in order to map the workflow process?
Can anyone help me with some sample code for the same?
Thanks in advance.
Regards
Cesil
hi,
The problem is that there are multiple approvers.
Let's look at it this way:
The event gets triggered, and 'n' GLs are output.
'n' GLs are input for 'm' reconcilers.
'm' reconcilers have 'p' approvers, and here the relation is m <-> p.
So create two separate roles for reconcilers and approvers. Each reconciler is related to one or more approvers, and vice versa.
Let's take n = 3.
So create a multi container element, so that multiple workitems get created for each of the reconcilers, and create a multi container element so that multiple workitems get created for each of the approvers. The concerned approver can be found using the rule. If there are multiple approvers, then multiple workitems are sent. Here, use a flag such that, depending on the number of approvers, that many workitems are created.
Even though reconcilers and approvers have a one-to-many relation, this can be sorted out by placing a fork at the reconciler and approver level.
Individually, in the container, depending on the workitem, we can find the reconciler and approver for every GL.
I hope this answers your query.
Regards,
Saujanya -
Getting users for a role in EJB
Hi
How do I get the list of users associated with a particular role?
Ex: There is a requirement where I need to get all the users belonging to the
admin role in a Sessionbean.
How do I do this?
"madhav" <[email protected]> wrote in message
news:[email protected]..
>
> Hi
> How do I get the list of users associated with a particular role
> Ex: There is a requirement where I need to get all the users belonging to the
> admin role in a Sessionbean.
How are you defining the role? Does it correspond to a group or are you
using an expression?
For the default role mapper provider, it may be difficult as it evaluates
role membership based on expressions
and does not have a fixed set of role members. -
Roles/Privileges provisioning to unrelated systems
Hello IDM Gurus,
I set up an IDC config and connected it to 3 SAP target systems, say A, B and C. Each of the repositories/target systems have linked up to default provisioning/deprovisioning/modify tasks from the SAP provisioning framework. I have imported privileges from each of these systems; I have contained a basic user privilege from each target system within its own simple role through the role members section of each privilege. Provisioning the role related to a specific system should ideally provision to only the related system; instead I'm encountering the weird error of provisioning Role A (containing privilege A) to a user but instead of just provisioning to system A, the user gets provisioned to systems A, B and C. This made absolutely no sense to me, so I went through and checked to see if there were any rogue links between the other privileges and roles, but there were none. I tried to simplify things and tried provisioning just the privilege directly to the user and it did the same thing; provisioning privilege A to a user ends up automatically provisioning the user to system A, B and C.
Are the repositories messed up? Should they be created from scratch?
I'm stumped; any ideas/suggestions?
I would appreciate any help with the issue! Thanks in advance!
Best regards,
Sandeep
Thanks a lot for your quick response Paul!
I checked the privileges as well as the initial load jobs and the privileges are set to Inherited/None for Provision and Deprovision and already set to None for the Modify task; this is happening as you suggested through our initial load jobs which set the Modify Task to -1. Unfortunately, adding a privilege still seems to be triggering the other systems' provisioning tasks as well; add the privilege for system A and the "Group System Provisioning" task kicks off and fires all 3 systems provisioning tasks.
Is there any other property on the privileges or repository that I should be checking or fixing in order to prevent this behavior? Or is there anything else that I haven't thought of checking that could be causing this behavior?
I would really appreciate any ideas/suggestions.
Thanks much for your time and help!
Cheers!
Sandeep -
I have a need to send approval requests out to a group of people, not just to an individual. The first person that responds can process the approval. It is not a multi-step requirement.
In ORM, I can create Approver roles and use a query to populate the approver role members. I cannot figure out how to assign the approval requests to the approver group. How is the Approval Role assigned to a Business Role?
KC
Let me clarify my need.
When a manager in a business line identifies the need for a new business role, I need a workflow mechanism by which they can request a new role be created in ORM and specify the IT Roles that should comprise that business role. This request step is separate from the actual role definition itself that would occur in ORM after the request was approved. -
IDM70: MX_ROLE assignment does not assign MX_AUTOPRIVILEGE
Hi there
I used the SAP-Provisioning-Framework InitialLoad-Jobs to create Privileges (MX_PRIVILEGE) for ABAP and ADS.
When I assign these privileges directly to an IdentityStore user he gets provisioned to the corresponding systems.
Now I created a simple Role-Structure (MX_ROLE) for testing: "ROLE:SuperUser", and nested within that "ROLE:NormalUser".
In the Role-tab of one of the imported privileges I added these Roles.
I add one of the Roles (no matter which one) to a brand new IdentityStore user and nothing happens (only the ModifyUser Task is run).
I can verify in MonitoringUI that this user has the Role-entry in MXREF_MX_ROLE and MX_AUTOROLE but he isn't assigned to the privileges and hence not provisioned to the systems.
What am I doing wrong?
Is there some option I have to set in MX_PRIVILEGE or MX_ROLE?
Any help appreciated
Regards
Michael
Michael,
We had the same issue at first - associate the privilege with the role on the Role Members tab rather than the Roles tab.
Additionally, if the user already had the role assigned to them you'll need to run the reconcile to see the privilege changes - we have the global constant for Reconcile turned on in dev, but otherwise you can just remove the role and then add it back to the user.
-Geoff -
Issue in creating OPSS Schema with rcu.
Hi,
There is an issue in creating the OPSS schema in Oracle DB 11.2.0.3.0, even though the rcu (Oracle Fusion Middleware Repository Creation Utility 11g (11.1.2.1.0))
completed it without any error, with a status of success for the OPSS schema at the end of its creation operation.
But the validation of the OPSS schema is failing, as shown by this query! I've referenced this doc: Configuring the OPSS Security Store
SQL> desc jps_dn;
ERROR:
ORA-04043: object jps_dn does not exist
There is no error in the rcu log or in opss.log. Also, there is no issue in creating the other schemas like OIM, OAM, OAAM.
I wonder what I am missing here that is causing the schema not to be reflected, or its validation to fail, in the database.
Also, I've tried changing the sec_case_sensitive_logon value from true to false in the DB, but to no effect.
In both cases the OPSS schema validation fails.
Greatly appreciate any suggestion.
Please see the following summary of rcu operation
Repository Creation Utility: Create - Completion Summary
Database details:
Host Name : ebs.oracle.com
Port : 1521
Service Name : IAM.ORACLE.COM
Connected As : sys
Prefix for (prefixable) Schema Owners : DEV
RCU Logfile : /data/Rootdownloads/rcuHome/rcu/log/logdir.2013-09-25_04-57/rcu.log
Component schemas created:
Component                            Status    Logfile
Oracle Platform Security Services    Success   /data/Rootdownloads/rcuHome/rcu/log/logdir.2013-09-25_04-57/opss.log
Please suggest.
Thanks
Priya
Hi,
Thanks for the response Hussein and Helios,
I was able to solve the issue, as it was due to an incorrect rcu version.
But I have been really struggling to configure the policy store for the last 10 days with the following error. I would be highly obliged if you could guide me on this issue.
I am getting stuck at this error while running configureSecurityStore.py. For the error I've referenced these Metalink Note IDs,
but to no avail.
configureSecurityStore.py Fails With ORA-00001: unique constraint (DEV_OPSS.IDX_JPS_RDN_PDN) violated. (Doc ID 1547423.1) (1549203.1)
Summarizing the steps that I've followed:
1. Created the schemas using rcu 11g (11.1.2.0.0) on 11.2.0.3.0 Oracle DB. (OS: RHEL 64 bit)
2. Installed Weblogic 10.3.6
3. Installed Oracle Identity and Access Management 11g (11.1.2.0.0) and SOA 11.1.1.7.0
4. Run config.sh to create OIM, OAM and OAAM domains
5. Run setDomainEnv.sh from user_projects/domains//bin
After that I tried to configure the DB policy store before starting the Admin Server, but I am getting the same error. Every time it fails.
I've dropped the schemas and reinstalled the WLS, IAM and SOA software again, but got the same error.
At least 20 times in the last 10 days I've dropped the schema, even created a new DB and reinstalled all the IAM software, but to no avail.
Please see the following exact error. I would be highly obliged if you could drop a few lines as to what I am missing here in the entire process.
[oracle@ebs Middleware]$ /oracle/Middleware/oracle_common/common/bin/wlst.sh /oracle/Middleware/Oracle_IAM/common/tools/configureSecurityStore.py -d /oracle/Middleware/user_projects/domains/IAMDomain/ -c IAM -p welcome1 -m create
CLASSPATH=/oracle/Middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/Middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/jdk1.6.0_30/lib/tools.jar:/oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/oracle/Middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/oracle/Middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/Middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/jdk1.6.0_30/lib/tools.jar:/oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/oracle/Middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/oracle/Middleware/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/Middleware/patch_ocp371/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/jdk1.6.0_30/lib/tools.jar:/oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/oracle/Middleware/modules/features/weblogic.server.modules_10.3.6.0.jar:/oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar::/oracle/Middleware/oracle_common/modules/oracle.jrf_11.1.1/jrf-wlstman.jar:/oracle/Middleware/oracle_common/common/wlst/lib/adfscripting.jar:/oracle/Middleware
/oracle_common/common/wlst/lib/adf-share-mbeans-wlst.jar:/oracle/Middleware/oracle_common/common/wlst/lib/mdswlst.jar:/oracle/Middleware/oracle_common/common/wlst/resources/auditwlst.jar:/oracle/Middleware/oracle_common/common/wlst/resources/igfwlsthelp.jar:/oracle/Middleware/oracle_common/common/wlst/resources/jps-wlst.jar:/oracle/Middleware/oracle_common/common/wlst/resources/jps-wls-trustprovider.jar:/oracle/Middleware/oracle_common/common/wlst/resources/jrf-wlst.jar:/oracle/Middleware/oracle_common/common/wlst/resources/oamap_help.jar:/oracle/Middleware/oracle_common/common/wlst/resources/oamAuthnProvider.jar:/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap_help.jar:/oracle/Middleware/oracle_common/common/wlst/resources/ossoiap.jar:/oracle/Middleware/oracle_common/common/wlst/resources/ovdwlsthelp.jar:/oracle/Middleware/oracle_common/common/wlst/resources/sslconfigwlst.jar:/oracle/Middleware/oracle_common/common/wlst/resources/wsm-wlst.jar:/oracle/Middleware/utils/config/10.3/config-launch.jar::/oracle/Middleware/wlserver_10.3/common/derby/lib/derbynet.jar:/oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/oracle/Middleware/wlserver_10.3/common/derby/lib/derbytools.jar::
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
Info: Data source is: opss-DBDS
Info: DB JDBC driver: oracle.jdbc.OracleDriver
Info: DB JDBC URL: jdbc:oracle:thin:@ebs.oracle.com:1521/iam.oracle.com
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
Sep 26, 2013 1:35:36 AM oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigurator schemaCompatibleHandler
INFO: Credential store schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] seedSchemaAndCreateDIT - done
Sep 26, 2013 1:35:40 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData
INFO: Migration of Credential Store data in progress.....
Sep 26, 2013 1:35:40 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationCredImpl migrateCredentialData
INFO: Migration of Credential Store data completed, Time taken for migration is 00:00:00
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] testJpsService - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
Sep 26, 2013 1:35:41 AM oracle.security.jps.internal.config.ldap.LdapKeyStoreServiceConfigurator schemaCompatibleHandler
INFO: Keystore schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] seedSchemaAndCreateDIT - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbKeyStoreServiceConfigurator] testJpsService - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] checkServiceSetup - done
Sep 26, 2013 1:35:45 AM oracle.security.jps.internal.config.ldap.LdapPolicyStoreServiceConfigurator schemaCompatibleHandler
INFO: Policy schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] seedSchemaAndCreateDIT - done
WLS ManagedService is not up running. Fall back to use system properties for configuration.
Sep 26, 2013 1:36:00 AM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateDataInternal
INFO: Migration of Admin Role Members started
Sep 26, 2013 1:36:00 AM oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy migrateDataInternal
INFO: Migration of Admin Role Members completed in 00:00:00
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbPolicyStoreServiceConfigurator] testJpsService - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] checkServiceSetup - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
Sep 26, 2013 1:36:00 AM oracle.security.jps.internal.config.ldap.LdapAuditServiceConfigurator schemaCompatibleHandler
INFO: Audit store schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] seedSchemaAndCreateDIT - done
Sep 26, 2013 1:36:00 AM oracle.security.jps.internal.audit.AuditServiceImpl registerInternal
WARNING: Cannot register to audit service for component "JPS".
Sep 26, 2013 1:36:00 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData
INFO: Migration of Audit Store data in progress.....
Sep 26, 2013 1:36:51 AM oracle.security.jps.internal.tools.utility.JpsUtilMigrationAuditStoreImpl migrateAuditStoreData
INFO: Migration of Audit Store data completed, Time taken for migration is 00:00:50
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] migrateData - done
[oracle.security.jps.internal.config.db.DbAuditStoreServiceConfigurator] testJpsService - done
persist to output: /oracle/Middleware/user_projects/domains/IAMDomain/config/fmwconfig - done
INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] checkServiceSetup - done
Sep 26, 2013 1:36:55 AM oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigurator schemaCompatibleHandler
INFO: Credential store schema upgrade not required. Store Schema version 11.1.1.6.0 is compatible to the seed schema version 11.1.1.4.0
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] checkServiceSchema - Store schema has been seeded completely
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] updateServiceConfiguration - done
[oracle.security.jps.internal.config.db.DbCredStoreServiceConfigurator] seedSchemaAndCreateDIT - failed JPS-10000: There was an internal error in the policy store.
Exception in thread "main" java.lang.RuntimeException: JPS-10000: There was an internal error in the policy store.
oracle.security.jps.internal.api.common.JpsCredentialStoreLdapNodeCreationException: JPS-10000: There was an internal error in the policy store.
at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.createJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:303)
at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigurator.addServiceStoreBase(LdapCredStoreServiceConfigurator.java:113)
at oracle.security.jps.internal.config.ldap.LdapCredStoreServiceConfigurator.seedSchemaAndCreateDIT(LdapCredStoreServiceConfigurator.java:142)
at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler.runConfiguration(LdapServiceEnabler.java:484)
at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler.configureCredentialStoreService(LdapServiceEnabler.java:232)
at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler.configureSecurityServices(LdapServiceEnabler.java:170)
at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler.main(LdapServiceEnabler.java:129)
Caused by: oracle.security.jps.service.policystore.PolicyStoreConnectivityException: JPS-10000: There was an internal error in the policy store.
at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.handleRollbackException(JpsDBDataManager.java:1345)
at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.internalCommitTxn(JpsDBDataManager.java:1508)
at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commitTransactionInDoAs(JpsDBDataManager.java:1475)
at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.commitTransaction(JpsDBDataManager.java:1466)
at oracle.security.jps.internal.common.rdbms.util.JpsDbBootstrapImpl.createJpsCredentailStoreInLdap(JpsDbBootstrapImpl.java:296)
... 6 more
Caused by: javax.persistence.RollbackException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV1_OPSS.IDX_JPS_RDN_PDN) violated
Error Code: 1
Call: INSERT INTO JPS_DN (ENTRYID, PARENTDN, RDN) VALUES (?, ?, ?)
bind => [3 parameters bound]
Query: InsertObjectQuery(EntryId=11437:rdn=cn=credentialstore:pdn=cn=jpsroot,cn=jpscontext,cn=iam,: JpsStore Entry={[EntryId = 11437:Attribute RowId = 45348
dn = cn=CredentialStore,cn=IAM,cn=JPSContext,cn=jpsroot, EntryId = 11437:Attribute RowId = 45349
objectclass = top, EntryId = 11437:Attribute RowId = 45350
objectclass = orclContainer, EntryId = 11437:Attribute RowId = 45351
cn = CredentialStore]})
at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImpl.commitInternal(EntityTransactionImpl.java:102)
at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImpl.commit(EntityTransactionImpl.java:63)
at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager$8.run(JpsDBDataManager.java:1487)
at oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.internalCommitTxn(JpsDBDataManager.java:1492)
... 9 more
Caused by: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV1_OPSS.IDX_JPS_RDN_PDN) violated
Error Code: 1
Call: INSERT INTO JPS_DN (ENTRYID, PARENTDN, RDN) VALUES (?, ?, ?)
bind => [3 parameters bound]
Query: InsertObjectQuery(EntryId=11437:rdn=cn=credentialstore:pdn=cn=jpsroot,cn=jpscontext,cn=iam,: JpsStore Entry={[EntryId = 11437:Attribute RowId = 45348
dn = cn=CredentialStore,cn=IAM,cn=JPSContext,cn=jpsroot, EntryId = 11437:Attribute RowId = 45349
objectclass = top, EntryId = 11437:Attribute RowId = 45350
objectclass = orclContainer, EntryId = 11437:Attribute RowId = 45351
cn = CredentialStore]})
at org.eclipse.persistence.exceptions.DatabaseException.sqlException(DatabaseException.java:324)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeDirectNoSelect(DatabaseAccessor.java:840)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeNoSelect(DatabaseAccessor.java:906)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.basicExecuteCall(DatabaseAccessor.java:592)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeCall(DatabaseAccessor.java:535)
at org.eclipse.persistence.internal.sessions.AbstractSession.basicExecuteCall(AbstractSession.java:1717)
at org.eclipse.persistence.sessions.server.ClientSession.executeCall(ClientSession.java:253)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:207)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.executeCall(DatasourceCallQueryMechanism.java:193)
at org.eclipse.persistence.internal.queries.DatasourceCallQueryMechanism.insertObject(DatasourceCallQueryMechanism.java:342)
at org.eclipse.persistence.internal.queries.StatementQueryMechanism.insertObject(StatementQueryMechanism.java:162)
at org.eclipse.persistence.internal.queries.StatementQueryMechanism.insertObject(StatementQueryMechanism.java:177)
at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.insertObjectForWrite(DatabaseQueryMechanism.java:472)
at org.eclipse.persistence.queries.InsertObjectQuery.executeCommit(InsertObjectQuery.java:80)
at org.eclipse.persistence.queries.InsertObjectQuery.executeCommitWithChangeSet(InsertObjectQuery.java:90)
at org.eclipse.persistence.internal.queries.DatabaseQueryMechanism.executeWriteWithChangeSet(DatabaseQueryMechanism.java:287)
at org.eclipse.persistence.queries.WriteObjectQuery.executeDatabaseQuery(WriteObjectQuery.java:58)
at org.eclipse.persistence.queries.DatabaseQuery.execute(DatabaseQuery.java:844)
at org.eclipse.persistence.queries.DatabaseQuery.executeInUnitOfWork(DatabaseQuery.java:743)
at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitOfWorkObjectLevelModifyQuery(ObjectLevelModifyQuery.java:108)
at org.eclipse.persistence.queries.ObjectLevelModifyQuery.executeInUnitOfWork(ObjectLevelModifyQuery.java:85)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.internalExecuteQuery(UnitOfWorkImpl.java:2871)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1516)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1498)
at org.eclipse.persistence.internal.sessions.AbstractSession.executeQuery(AbstractSession.java:1449)
at org.eclipse.persistence.internal.sessions.CommitManager.commitNewObjectsForClassWithChangeSet(CommitManager.java:224)
at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObjectsForClassWithChangeSet(CommitManager.java:191)
at org.eclipse.persistence.internal.sessions.CommitManager.commitAllObjectsWithChangeSet(CommitManager.java:136)
at org.eclipse.persistence.internal.sessions.AbstractSession.writeAllObjectsWithChangeSet(AbstractSession.java:3799)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToDatabase(UnitOfWorkImpl.java:1415)
at org.eclipse.persistence.internal.sessions.RepeatableWriteUnitOfWork.commitToDatabase(RepeatableWriteUnitOfWork.java:636)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitToDatabaseWithChangeSet(UnitOfWorkImpl.java:1505)
at org.eclipse.persistence.internal.sessions.RepeatableWriteUnitOfWork.commitRootUnitOfWork(RepeatableWriteUnitOfWork.java:267)
at org.eclipse.persistence.internal.sessions.UnitOfWorkImpl.commitAndResume(UnitOfWorkImpl.java:1143)
at org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImpl.commitInternal(EntityTransactionImpl.java:84)
... 12 more
Caused by: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (DEV1_OPSS.IDX_JPS_RDN_PDN) violated
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:207)
at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:1044)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1329)
at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3593)
at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:3674)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeUpdate(OraclePreparedStatementWrapper.java:1354)
at org.eclipse.persistence.internal.databaseaccess.DatabaseAccessor.executeDirectNoSelect(DatabaseAccessor.java:831)
... 45 more
at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler.throwExceptionWithStackTrace(LdapServiceEnabler.java:145)
at oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler.main(LdapServiceEnabler.java:137)
Error: Failed to initialize security store.
Error: Create operation has failed.
[oracle@ebs Middleware]$
Also, the OPSS schema is fine, as it gets validated by this query.
SQL> select * from JPS_DN where rdn like '%cn=credentialstore%';
ENTRYID  RDN                 PARENTDN
3004     cn=credentialstore  cn=oracleschemaversion,cn=opss,
5004     cn=credentialstore  cn=jpsroot,cn=jpscontext,cn=iam,
Please suggest.
Thanks
Priya -
SharePoint Search Service Application Restore Is Failing
Issue:
When performing a Search Service restore with the CA UI, the restore is failing. The backup was generated from a Full level backup that is run nightly from the cmdlet Backup-SPFarm. The Farm is running SharePoint 2013 SP1, Windows Server 2012 and SQL Server 11.0.3128. Both Production and the test environment have the same topology.
The sprestore.log file shows the following error message:
[12/17/2014 12:37:51 PM] Verbose: [Search Service Application] The default endpoint id for this application is 'b8b92dc6-38b3-49bf-90bc-d9ea64dcf928'.
[12/17/2014 12:37:51 PM] Verbose: [Search Service Application] Re-parented endpoint 'b8b92dc6-38b3-49bf-90bc-d9ea64dcf928' to this application.
[12/17/2014 12:37:51 PM] Verbose: [Search Service Application] The default endpoint has been found and set. NOTE: The id of the default endpoint will be different than specified in the logs if
the restore mode is not 'overwrite'.
[12/17/2014 12:37:51 PM] Verbose: [Search Service Application] Re-parented endpoint 'bb456994-47ac-4bad-9197-9a4d5b39bf5c' to this application.
[12/17/2014 12:37:55 PM] FatalError: Object Search Service Application failed in event OnPostRestore. For more information, see the spbackup.log or sprestore.log file located in the backup directory.
SqlException: The database principal owns a database role and cannot be dropped.
User does not have permission to perform this action.
[12/17/2014 12:37:55 PM] Debug: at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj,
Boolean& dataReady)
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean
asyncWrite, SqlDataReader ds)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout,
Task& task, Boolean asyncWrite)
at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)
at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
at Microsoft.Office.Server.Data.SqlSession.ExecuteNonQuery(SqlCommand command)
at Microsoft.Office.Server.Data.SqlDatabaseManager.GrantAccess(String user)
at Microsoft.Office.Server.Search.Administration.SearchDatabase.GrantAccess(String username, String role)
at Microsoft.Office.Server.Search.Administration.SearchDatabase.SynchronizeAccessRules(SearchServiceApplication searchApp)
at Microsoft.Office.Server.Search.Administration.SearchServiceApplication.SynchronizeDatabases()
at Microsoft.Office.Server.Search.Administration.SearchServiceApplication.Provision()
at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.Microsoft.SharePoint.Administration.Backup.IBackupRestore.OnPostRestore(Object sender, SPRestoreInformation info)
A SQL Profile was run beginning at 12/18/2014 11:11.
A SQL exception can be found at 11:20:03 with the error:
The database principal owns a database role and cannot be dropped.
The issue has to do with the SQL statement just prior to the exception:
declare @p4 int
set @p4=NULL
declare @p5 int
set @p5=NULL
exec sp_executesql N'declare @db_user_name sysname
select @db_user_name = name from dbo.sysusers where sid = SUSER_SID(@user_name) and hasdbaccess = 1
if (@db_user_name is null)
begin
if exists(select * from dbo.sysusers where name = @user_name)
exec @revoke_result = sp_revokedbaccess @user_name
exec @grant_result = sp_grantdbaccess @user_name, @db_user_name output
end',N'@user_name nvarchar(128),@revoke_result int output,@grant_result int output',@user_name=N'----\sp2013uatfarmacct',@revoke_result=@p4 output,@grant_result=@p5 output
select @p4, @p5
I highlighted the row in red causing the issue. For some reason SharePoint during the Search Restore process tries to delete the user “------\sp2013uatfarmacct” from the database Search_Service_Application_DB_60bb9889222841aa94f59aed71349a6b and re-add them again. But the reason for the failure is because the user “------\sp2013uatfarmacct” is the owner of the database role “SPSearchDBAdmin”, so it can't.
I checked all other Service databases that contain the role SPSearchDBAdmin and they all correctly have the owner as dbo, NOT ------\sp2013uatfarmacct.
Further checking the SQL trace log a SQL batch is executed at 12/18/2014 11:19:59.790 that states the following:
-- Drop existing role members
IF EXISTS (SELECT * FROM sys.database_principals WHERE name = N'SPSearchDBAdmin' AND type = 'R')
Begin
DECLARE @RoleMemberName sysname
DECLARE Member_Cursor CURSOR FOR
SELECT [name]
FROM sys.database_principals
WHERE
principal_id IN (
SELECT member_principal_id
from sys.database_role_members
where role_principal_id in (
select principal_id
FROM sys.database_principals where [name] = N'SPSearchDBAdmin' AND type = 'R' ))
OPEN Member_Cursor;
FETCH NEXT FROM Member_Cursor
into @RoleMemberName
WHILE @@FETCH_STATUS = 0
BEGIN
exec sp_droprolemember @rolename=N'SPSearchDBAdmin', @membername= @RoleMemberName
FETCH NEXT FROM Member_Cursor
into @RoleMemberName
END;
CLOSE Member_Cursor;
DEALLOCATE Member_Cursor;
End
-- Drop/Create role
IF EXISTS (SELECT * FROM sys.database_principals WHERE name = N'SPSearchDBAdmin' AND type = 'R')
DROP ROLE [SPSearchDBAdmin]
CREATE ROLE [SPSearchDBAdmin]
I highlighted the statement in red that is eventually causing the SP restore to fail. For some reason unknown to me, when this statement is executed the new ROLE SPSearchDBAdmin owner is -----\sp2013uatfarmacct instead of dbo.
As a test I executed via SQL Management Studio “CREATE ROLE [SPSearchDBAdmin]” and it correctly created the owner as dbo.
So the problem and my question is why when the SP Search Service is restored is the ROLE SPSearchDBAdmin owner being set to “-----\ sp2013uatfarmacct”, which in turn seems to be causing the restore failure?
Hi!
I believe it is trying to delete a user who owns the schema of the database. You can try changing the schema owner to some other user like "dbo", and then drop the first user.
Below are a few links that can help you with much more details.
http://blogs.technet.com/b/mdegre/archive/2010/12/19/the-database-principal-owns-a-schema-in-the-database-and-cannot-be-dropped.aspx
http://littletalk.wordpress.com/2009/11/09/fix-for-the-database-principal-owns-a-schema-in-the-database-and-cannot-be-dropped-error-in-sql-server-2005/
http://dotnetgun.blogspot.com/2011/02/database-principal-owns-schema-in.html
Thanks,
Owens
Owens G. Jesse -
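An added example, not part of the original posts or of SharePoint's own restore scripts: T-SQL that lists the roles and schemas a database user owns (either kind of ownership blocks dropping that user) and hands the roles back to dbo. CREATE ROLE without an AUTHORIZATION clause makes the executing database user the owner, which is one way a role ends up owned by a service account. The database name and account name below are placeholders to replace with your own values.

```sql
-- Added example. Both names are placeholders, not values from the thread.
USE [YourSearchServiceApplicationDb];
GO

DECLARE @principal sysname = N'DOMAIN\farmaccount';

-- 1. Database roles owned by the principal. Any row here produces
--    "The database principal owns a database role and cannot be dropped."
SELECT r.name AS role_name, o.name AS owner_name
FROM sys.database_principals AS r
JOIN sys.database_principals AS o
  ON o.principal_id = r.owning_principal_id
WHERE r.type = 'R'
  AND o.name = @principal;

-- 2. Schemas owned by the principal (the blocker the reply above describes).
SELECT s.name AS schema_name, o.name AS owner_name
FROM sys.schemas AS s
JOIN sys.database_principals AS o
  ON o.principal_id = s.principal_id
WHERE o.name = @principal;

-- 3. Build one ALTER AUTHORIZATION statement per owned role.
--    Compatible with SQL Server 2012 (no STRING_AGG).
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'ALTER AUTHORIZATION ON ROLE::' + QUOTENAME(r.name)
             + N' TO [dbo];' + NCHAR(13) + NCHAR(10)
FROM sys.database_principals AS r
JOIN sys.database_principals AS o
  ON o.principal_id = r.owning_principal_id
WHERE r.type = 'R'
  AND o.name = @principal;

-- Review the generated statements before running them.
PRINT @sql;
EXEC sys.sp_executesql @sql;

-- 4. Re-run query 1; it should now return no rows.
```

Creating the role with an explicit owner, as in CREATE ROLE [SPSearchDBAdmin] AUTHORIZATION [dbo], avoids depending on which user runs the statement.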
How can we add a control on our .jsp webpage for uploading several image fi
How can we add a control on our .jsp webpage for uploading several image files as done in gmail attachment, Where a Remove button also appears if we wanna remove the particular attachment.
The SCOM Management Server is in Domain A. I've tried it already and it has failed.
So just to clarify the method I used was to go to Administration>Security>User Roles. Then New User Role>Read-Only Operator. In the Create User Role Wizard I then gave the User Role a name, clicked "Add" under User Role Members. Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine. On the next page which is Group Scope I checked the one group I want this account to have access to and then click next. This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are approved" and chose the folder of dashboards I want this account to access and then click next. This brings me to the Summary and I click "Create". At this point it thinks for a moment then closes out the wizard but the new Read-Only Operator does not appear. I then look in Event Viewer and see the Event I pasted above.
Am I doing something wrong here? Any guidance on how to get around this issue would be much appreciated.
Thanks,
Jake