Reg Role
Hi,
User U1 has default privileges assigned to him through a role R1. There is a table named T1. U1 is able to access T1 through Sql plus and not through Pl/sql.
Can anyone tell me what is the privilege he is missing?
Thanks
First of all SQL Plus is different and SQL is different. SQL Plus is editor provided by oracle to test/execute simple queries. SQL is the actual query language.
Actually my previous statement is only partially correct.
Subprograms are classified into Anonymous Blocks and Named Subprograms.
Anonymous blocks means PL/SQL script with no name associated with it. They will not be stored in database. They will get compiled and executed every time you run it.
Named subprograms means packages, procedures and functions. Generally we will have logic implemented in procedures and functions.
Again these procedures and functions are classified into invoker right subprograms and definer right subprogram. There is a clause called AUTHID in procedure/function spec.
By default or if AUTHID is not specified it is definer rights which means that when procedure is invoked it will be executed with the privileges of the user/schema who created that procedure.
Eg: For suppose there are 2 schemas A and B
We create procedure by name proc in A with definer rights. Let us assume that table Table1 is used in A on which A has all the privileges. Once procedure is created in A and execute grants are given to B, B can invoke the procedure any time.
Schema A
proc1
delete from table1;
end;
grant on proc1 to B
Now when B invoke the procedure even though B didnt have any privileges the data is deleted.
Keep in mind that this is default behavior of stored proc.
Invoker rights means we need to specify AUTHID current_user in proc/func spec.
In this case the procedure will fail as B didnt have privileges on table1.
Now come to the point, privileges granted over role will work in anonymous blocks and invoker right subprograms. But in case of definer rights it wont work.
The reason for this (1 example):
For suppose A is SYSDBA (DBA is a role) which will have lots of Predefined Package developed in SYSDBA which will play around actual tables.
For suppose there is a procedure proc1 which will truncate aud$ (important base table)
Now every one who got execute privileges can the procedure and truncate aud$.
If in this case only direct privileges work, then it will never happen.
If B has to do that specific operation related to aud$ we can directly grant to that. All the other users/schemas who try to invoke will fail.
I hope you understand what I mean.
You can refer
http://download-east.oracle.com/docs/cd/B10501_01/appdev.920/a96624/08_subs.htm#18575
Similar Messages
-
Reg- Role of Supporting Con about CIF
hi to All Sap ppl
a Supportng Proj consutant just have to work on scheduling jobs,monitoring and COnsistency check of ECC ,apart from this do also he do CIFing( Transfrng M & T-Data) or basis people do this job.
Thnak u in advc
Karan
Edited by: karan.sap on Feb 28, 2010 3:51 AMKaran,
"Supporting Consultant" is a vague term. A consultant that is assigned a support task can be asked to do many things.
In some companies, the supporting consultant may be asked to be a point of contact for all issues generated by the users. He may be asked to answer simple questions, and he may be responsible for directing the inquiry to the next level of support if the issue exceeds his capabilities.
In addition, as you suggest, he may be asked to perform general maintenance tasks, and to monitor the health of the applications. In each consulting company, the tasks can be assigned differently. In addition, in a single consulting company, the support person's tasks may change over time. Generally, the above mentioned support people should be prepared to deal with users.
A second type of supporting Project consultant would be a junior consultant assigned to a senior consultant, or to a consulting team. In this role, he would be expected to receive assignments directly from the senior team members. Such tasks might be to set up less complex configuration, or to perform programming tasks under the direct supervision of a senior team member.
If you are considering applying for a job as a 'supporting consultant', you should ask the employer exactly what are his expectations.
Rgds,
DB49 -
Hello Guru's,
1. In the process of using NWDI and NWDS for the development/ customizations what is the role of TCS Deployer?
When Checkin the activity from NWDS the requests gets queued in TCS Deployer. What is the main role of TCS Deployer and what are the functionalities.
2. Assume we have xyz software component which we have added as dependent in the track and now we want to upgrade the SC and deployed the same on the server.
My Question is when modifying the DC which version of SC will it be checking is it the SC which is added as dependent in the track or the latest version of SC which is deployed on the server?
3. If we want to have the latest version to be used in the track can we modify the existing track or do we need to create New Track to incorporate the latest SC into the track.
Best Regards,
PramodHi Pramod,
if you want to just change some dependent SCs to a higher patch level inside your track, but these will have the very same SP, then I think you can go for this option:
1. obviously you need to copy these files physically to the CMS inbox folder
2. then you trigger a Restore System State for DEV and COS ("Restore..." button in your transport studio, on the tabs DEV and CONS)
3. Check-in the new files (check-in tab in transport studio of CMS webui)
4. import into DEV and CONS (Development and Consolidation tabs)
5. reimport the development config for each developer (on client side in the NWDSs of the developers)
NOTICE: when you do this, avoid ongoing development, and when the developers are reimporting their development configurations, ask them not to have any open activities.
If the distance between the current dependent SCs and the SCs you want to add is larger, then rather use the blog I mentioned before, and notice that if you go for that option, then a new track need to be created with version 2.0 and the version history will be lost.
Regarding the Red State in the CMS webui, this usually means that the SC definition in CMS differs from the one maintained in the SLD. You can use the "Synchronize SC definition" feature (you can find on the track data tab of the landscape config of CMS webui) when editing the track in question. If you press this button (need to be in change modus) then a popup comes where you'll find a dropdownlist, and in there there's an option "SCs out of Sync with SLD". Do not press any other buttons here, but if you expand the appeared SC node, you'll see in this table which SCs are in SLD and not in CMS or vica versa. I recommend you to overview this and try to answer yourself why the difference. If you found the problem, I suggest you that after you have triggered an "Update CMS" (on the domain data tab), then remove the problematic SC from the track data tab (landscape configurator) and readd the SC (Add SC... on track data tab). Then the inconsistency should be resolved. Do not use the button "Define Dependencies..." on the Track Data tab (which you find next to Add SC... button).
I hope this answers your question.
Best Regards,
Ervin -
Simple authentication and authorization with a servlet and a filter
Could somebody point me to code example that do simple authentication/authorization using one servlet and one filter? (without Spring, Struts, JSF or any framework)
I’m having a lot of problems with that, apparently, easy task.
These are the rules:
- A simple login page
- Two roles (admin, registered).
- If the user loged is an admin, redirect to his entry page (private/admin/index.jsp).
- If the user loged is of role registered, redirect him to his entry page (private/registered/index.jsp).
- If it’s not a valid user, redirect again to login page.
- Admin’s users cannot go to private/registered/ area.
- Registered users cannot go to private/admin/ area.
- Non authenticated user cannot go to private/ area
Thanks a lot in advance!
Edited by: JLuis on 25-ago-2010 15:27AccessControl.java:
package com.tlsformacion.security;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.tlsformacion.utils.Log;
public final class AccessControl extends HttpServlet {
private static final long serialVersionUID = 5741058615983779764L;
private static final String USERNAME_ATTR = "username";
private static final String PWD_ATTR = "password";
private static final String LOGIN_PAGE_ATTR = "login_page";
private static final String ROL_ATTR = "role";
private boolean isAuthentic = false;
private String role = null;
private String loginPage = null;
public AccessControl() {
super();
public void init(ServletConfig config) throws ServletException {
loginPage = config.getInitParameter(LOGIN_PAGE_ATTR);
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside doGet");
doAccessControl(request, response);
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside doPost");
doAccessControl(request, response);
private void doAccessControl (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside doAccessControl");
doAuthentication(request, response);
if (isAuthentic) { //Authentic user
doAuthorization(request, response);
} else { //User NOT authentic
doRejection(request, response);
private void doAuthentication(HttpServletRequest request, HttpServletResponse response) {
debug("Inside doAuthentication");
String requestedURI = request.getRequestURI();
if (requestedURI.contains("/AccessControl")) { //Comes from login page
debug("Comes from login page");
String username = request.getParameter(USERNAME_ATTR);
String pwd = request.getParameter(PWD_ATTR);
role = getRole(username, pwd);
if (role != null) {
isAuthentic = true;
request.getSession().setAttribute(ROL_ATTR, role);
} else { //Doesn't comes from login page
debug("Doesn't comes from login page");
if (isInSession(request)) {
debug("Rol is in session");
isAuthentic = true;
} else {
debug("Rol is NOT in session");
private void doAuthorization(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside doAuthorization");
String requestedURI = request.getRequestURI();
debug("requestedURI: " + requestedURI);
if (requestedURI.contains("/AccessControl")) { //Comes from login page
goHomePage(request, response);
} else if (requestedURI.contains("/private/" + role)) { //Trying to access his private area
goRequestedPage(request, response);
} else { //Trying to access other roles private area
goLoginPage(request, response);
private void doRejection(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside goRejection");
role = null;
goLoginPage(request, response);
private void goHomePage(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside goHomePage");
String homePage = "private/" + role + "/index.jsp";
goPage(request, response, homePage);
private void goLoginPage(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside goLoginPage");
goPage(request, response, loginPage);
private void goRequestedPage(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
debug("Inside goRequestedPage");
String contextPath = request.getContextPath();
debug("contextPath: " + contextPath);
String requestedPage = request.getRequestURI().replace(contextPath + "/", "");
goPage(request, response, requestedPage);
private void goPage(HttpServletRequest request, HttpServletResponse response, String page) throws IOException, ServletException {
debug("Inside goPage ...trying to go to: " + page);
//Option A
response.sendRedirect(page);
//Option B
//RequestDispatcher requestDispatcher = request.getRequestDispatcher(page);
//requestDispatcher.forward(request, response);
private boolean isInSession(HttpServletRequest httpRequest) {
boolean inSession = false;
role = (String)httpRequest.getSession().getAttribute(ROL_ATTR);
if (role != null && !role.equals("")) {
inSession = true;
return inSession;
//PENDIENTE: mock method!
private String getRole(String username, String pwd) {
String role = null;
if (username.equals("admin") && pwd.equals("admin")) {
role = "administrator";
} else if (username.equals("regis") && pwd.equals("regis")) {
role = "registered";
return role;
private void debug(String msg) {
Log.debug(msg);
}Proyect Folder Structure:
WebContent
login.html
private
administrator
index.jsp
registered
index.jspBasically, the problem is that if you try to log as admin/admin (for example) the servlet AccessControl executes infinitely
Edited by: JLuis on 26-ago-2010 8:04 -
Hi all,
I have implemented ACL authorization (Restricted only), and have just created a new ACL scheme in my app is the name of "Registration" same copy of EDIT scheme, I have set following users with these roles:
USERS with roles
=============
1. Admin with Administrator.
2. Guest with Registration.
3. Frank with Edit.
I have create a Navigation List entries (for redirection) on my home page with following entries with restricted roles:
Navigation List :
============
Administration (for Administrator only ) assigned 'ADMIN' role
New Registration (for 1 time user registration) assigned 'REGISTRATION' role
Student Schedule (for existing users) assigned 'EDIT' role
Student Semester Result (for existing users) assigned 'EDIT' role
Student Attendance (for existing users) assigned 'EDIT' role
Problem:
========
When I set REGIS role to guest user , all entries of navigation list ( i mentioned above) except Administration Entry are shown on this page.
I want to restrict guest user, who can only see Registration Link only. How can I do this ??
help me out
waiting for your prompt reply
regards n thanks
qamarThanks for your reply scott, at least someone is there to understand it :).
Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
I had created a simple HTML page and created a Navigation List on it.
there are 5 list entries on this page .
1. Administration
2. New User Registration.
3. Student schedule.
4. Student results
5. Student attendance.
-Administration
(assigned ADMIN , so only administrator can see this link and all the entries)
-New User Registration
(only guest user with REGIS role can see this link)
-3,4,5
(only registered users with EDIT role can see these links)
I have set these authorization in every list entry with authorization schemes mentioned above.
Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
I hope now you can understand clearly what I am trying to say and understand it.
Hoping for your prompt reply.
regards
qamarsyed -
Hi All,
Oracle Portal 10.1.4.2.0 (Build: 197)
I have a user that is moving a substantial chunk of pages around on our company portal (example moving http://companyportal/portal/page/portal/pageGroupA/path/to/sectionA to http://companyportal/portal/page/portal/pageGroupA/new/structure/sectionA).
We have changed the top page of the old structure to be a notice saying "These pages are out of date. Click here to go to the new section.". However, there are a lot of pages under the "old" structure, and I want to know if I can get a redirect happening so that anyone who goes to a page under the old structure will be redirected back to the top of the old structure and thus see the out of date message and be forced to change their bookmarks etc.
SO, anyone going to http://companyportal/portal/page/portal/pageGroupA/path/to/sectionA/blah/someOtherPage will then be redirected to http://companyportal/portal/page/portal/pageGroupA/path/to/sectionA and see the "out of date" message.
Thanks for any assistance!
RobThanks for your reply scott, at least someone is there to understand it :).
Well ok just forget everything and focus on it, I am using apex version Apex 3.0.1 with Oracle 9.2.0.1.0, my question is simple as i had stated above long time ago, I have added a new scheme/role 'REGIS' as same as EDIT role and changed EDIT to REGIS on that scheme/role, through this I just want to access only guest user to log in temporarily and create its account in our application and log out, and when he registered in our application, a role EDIT will assigned him automatically and he will be able connect our portal with EDIT role now.
I had created a simple HTML page and created a Navigation List on it.
there are 5 list entries on this page .
1. Administration
2. New User Registration.
3. Student schedule.
4. Student results
5. Student attendance.
-Administration
(assigned ADMIN , so only administrator can see this link and all the entries)
-New User Registration
(only guest user with REGIS role can see this link)
-3,4,5
(only registered users with EDIT role can see these links)
I have set these authorization in every list entry with authorization schemes mentioned above.
Q. But the problem in this situation is that when I assign REGIS scheme to my 2 list entry, all other entries (3,4,5) including 2nd entry are also visible to guest user who has REGIS scheme assigned.
I hope now you can understand clearly what I am trying to say and understand it.
Hoping for your prompt reply.
regards
qamarsyed -
Using Role as WF Admin for a specific workflow - Reg
HI All,
I am trying to define a WF Admin for a specific workflow. I know we can maintain a USER ID or EXPRESS(WFsyst-agent) or Rule for this in the Version Dependent tab of Basic Data for wflow template.
But, when i give a Role(Custom R:XXXXXXX role), and do the syntax check, it is giving me the following error and am not able to proceed further.
"Organizational object 'R:PR044_TRAVEL_MANAGER' not available".
My guess is the agent that you give here should be an Org. Obj. For ex., when we specify a USER ID, then the Admin for this witem is shown as "ORGUSXXXXX" and similarly when we assign this custom role, may be it is trying to find if this role is an org. obj (which is obviously not) and hence the error.
Have any of you tried this ROLE option here and can you pl explain me what is wrong with my setting.
I'd appreciate your quick response as this is very critical for me.
Thanks in advance.
venuMike,
I thought i had solved it. But, when i am trying now with a role "RXXXXXXX" that is 14 char, its not working again.
Can anybody tell me if there is any limitation on the role name (should start with Y or Z) or char length (14 char or 12..).
Your immediate response is greatly appreciated.
========
Hey, i just foudn that its the limitation with 12 char ..not Y or Z..and also found this OSS note 860251. It discussed the issue, but not a solution other than choosing a 12 char length for Role name.
Anybody, any ideas ?
Thanks in advance,
venu
Edited by: Venugopal Jogi on Jul 14, 2008 6:07 PM -
Reg:Auto Approve Roles without Approvers for GRC 10.0
Hello,
Is anyone using this option on GRC 10.0 as according to my understanding , if someone selects a role and it has no approver then the role has to be assigned to the user automatically but it is not happening in my system..The request is going to decision pending and it is still looking for role approver.
Can someone provide their expertise on this issue .
Thanks
UdayHi Uday,
I have not used that functionality myself, as I find it too risky if a SOD or Critical risk would be introduced by assigning that role.
I would have thought that by setting the correct values in SPRO would have enabled this functionality. It might be worth checking the settings again and resaving it.
However, if you are purposly leaving the approver value blank for non-risky roles, as an alternativethe document below is worth a consideration for implementing via BRF+ in GRC 10. (I know the document is more GRC 5.3 related, but the concept is valid).
Link: [http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/203d2716-ef84-2d10-3f81-a6f6643e308d?QuickLink=index&overridelayout=true] -
Hi Experts,
I have made changes to a role and I was waiting for approval to move that particular changes to
Production system. In the meantime other person who is working on the same role made some changes and he had moved his change to the production system.
Problem is when he released the Transport to Production, changes moved along with changes what I made to the role.
This would be dangerous if suppose my changes were rejected to move to production system.
Can any one advise me 1) How to Transport roles only with changes made by particular user were transported instead of transporting the entire role ? so that only If my transport is released, changes gets effected into the production system.Is there any mechanism in SAP for it.
2) should I follow some other process to avoid two people working on the same role.
Kindly clarify my doubts. Awaiting for your replies.
Thanks,
Sanjeev anandHi Sanjeev,
This issue with roles is compounded by the fact that roles may be downloaded from one system and uploaded in another, leaving no transport trace. Of course download/upload can be prevented.
One approach would be for the Security and Authorization team to take care of changes in roles.
But many organizations would not have such a team. Another approach would be for custom roles to be changed only by the creator or last changed person as far as possible. This would of course be a matter of discipline.
Mathew. -
Reg:Howq to set Default role on SSO Authentication
We have a scenario where Default roles should be set to Contributor on SSO Authentication(not using LDAP). I have the below configuration
SSO_DefaultRoles=contributor
SSO_ModifyExtraParams=true
SSO_SetAuthInfo=true
SSO_IsSimpleAuth=false
in oraclessopluginfilter_environment.cfg. But on SSO login, I see that users are assigned only guest role because of which they don't have check in option. Can you please help me out with how to set up default roles on SSO authentication.
Thanks in advance for your time and effort
PraveenHi Jon,
For any code changes in bsp components we need it's z-instance and that we get after enhancing the respective entity for eg views, context nodes etc..
In case you are not familiar with the enhancement, please refer to some thread which explain about the component enhancement concept.
Coming to this requirement..
You need to enhance bp_roles component, then enhance rolelist view and roles context node.. redefine the GET_V_PARTNERROLE method.. copy the parent class code and do the necessary changes to manipulate the entries in gt_ddlb_add
Check the statement at line no 107..
gr_ddlb_roles->set_selection_table( it_selection_table = gt_ddlb_add ).
Just before above statment call, manipulate gt_ddlb_add to keep the required role value at index 1..
Another thing in my test system i can't see any role as "Account" under SPRO customizing "Business Partner Roles" instead "Business Partner (Gen.)" is available, don't know if you are able to see Account Role in the Roles DDLB..
i would suggest debug the get_v_partnerrole method once at line no 107 see the entries in gt table you will get an idea what you need to change.
Hope this helps..
Cheers,
Sumit Mittal -
Reg: Mass generation of roles with open authorization
Hi,
Is there an option to mass generate roles with open authorizations ?
It would be helpful if it there exists some transactions or reports that would help in doing so unlike CATT scripts or batch sessions.
Regards,Hi Arravind,
Why cant you correct the roles by filling up those open fields?? I guess you can create a CATT script to acheive your objective but I suggest better to check why there are open fields in the role then generating them blindly.
Do let us know if you need any more information from our side. If you want to know how to create a CATt script then search for it in SDN/Google you will surely get your answer. -
Hi All
If i import BW Roles in EP, automatically it will create iviews, worksets and as Roles in EP.
My Question is, if at any point of time BW roles are changed in BW. does it get effected automatically or again do i need to import the BW roles into EP.
Pl let me know
Help appreciated with Reward points.
Pradeep
Message was edited by: Pradeep ReddyIt will not be effected in EP dynamically.
You can try this on ur own.
Import the roles and then add 1 BW report iview in the BW side and check. -
Hai.. how to create a composite role..and how to assign for perticular user..? am created composite role for ABAP.and assigned to user these roles.when i compare to user comparision the system shows these roles are does not exist for ABAP.
I assained exist roles. ( sap providing single roles ).
i could not find out where i do wrong..plz provides solutions for this one.and provide any documentation r step by step procedure.
Thanks and Regards.
MANNYHi
Create the role in PFCG, then assign the roles from the copymenus i.e from roles, assign the authorization data, mention the users to get effected and do comparision.
So that composite role is assigned, before that check that whether the single roles are existing or not, and having right access or not.
Check the ROLE_PFCG_DEPENDENCY is scheduled or not.
Regards
Bhaskar.
Edited by: bhaskar1818 on Jun 5, 2008 3:03 PM -
Reg:Assigning users to roles dynamically
Hi all,
i've different set of users for whom i can assign the roles based on their functionality. But the thing is that i can create them and add delta links in the portal. But i don't want to do this as manually .. and let me know in detail UME...
Can we assign roles to users based on some logic or conditions.If yes ...Please direct me how to do it..
Reply awaited....
Regards,
sitara
Edited by: sitara kola on Mar 8, 2008 2:47 PMI do not know if this works for you but you can use virtual groups to automatically assign users to groups. Say you want to group users by department. Create virtual groups for the department attribute. Then assign the roles you want to assign to the marketing virtual group and the sales virtual group. When you create a new user and assign them to the marketing department, the user is automatically assigned to the marketing group as recieves the required roles.
See the documentation: http://help.sap.com/saphelp_nw04s/helpdata/en/43/fcfa2942ed7067e10000000a1553f6/frameset.htm
-Michael -
Reg Authorisation presence in a role
I have an authorisation called S_RS_HIER to be given to a person. Is there any SAP created roles which contains this authorisation so that i can assign it to him
Where can i see the SAP created roles and authorisation(any document) .Please let me know
Please reply
Thanks in advanceTry in SUIM to find the role,if at all any exists.
Maybe you are looking for
-
FI data validation in shopping cart
Hi, We are using SRM 4.0 (Server 5.0) and ECC 5.0 in the back end. We enabled the FI validation in back end system in SRM configurtion. While creating the shopping cart it is validating only the cost elements and G/L account are available in SAP. But
-
HP Officejet wont print in black and white!
I have had an HP OfficeJet 6600 printer for a couple of years now and it has shocked me how many times I have had to replace color cartridges that I really never use. I am a high school teacher who does a lot of work from home and I only need to pri
-
Can I change export properties ? ?
I wish make a file .mov, with transparent background, and LT make it, but the file are more heavy, this is the reason of my question. Livetype can change properties export, to make a file ??. How I do ??. Or I need use QT 7.0.2 Pro, to do it ?? in th
-
SAVE EXCEPTIONS when fetching from cursors by BULK COLLECT possible?
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production Hello, I'm using an Cursor's FETCH by BULK COLLECT INTO mydata... Is it possible to SAVE EXCEPTIONS like with FORALL? Or is there any other possibility to handle exceptions
-
I have used includes with .shtml, .asp and now I am working in php. The way DW puts the include is <?php require_once('includes/includefile.inc'); ?> Is this the way it is included in a php file?