Role and Privileges for OLAP metadata

Similar Messages

• Roles and Privileges for 10g AWR and ASH reports

  Are there specific roles and privileges are required for one to run AWR and ASH reports for users who don't have DBA roles? If so, I would like to know about them.

  I think sysdba privilege need to run AWR report.
  Also check, how privilege is granted to PERFSTAT user in $ORACLE_HOME/rdbms/admin/spcuser.sql, you might get some clue!!!
  Cheer,
  Virag

• Export and Import of Roles and Privileges

  Hi,
  We're nearing the end of our development phase and are now preparing for initial load in our QA / Test environment.
  Is there a way to export the Roles and Privilege metadata from one environment to import them into the other. The Staging guide states you need to create them before importing your Identity Stores. I was hoping we didn't need to do this as it's a time consuming task to create them manually.
  Thanks
  Paul

  What I've seen is Business Role Export / Import functionality. It is pretty straight-forward to do, just export the Business Roles in a job (limit what to export in the source SQL) to a CSV-file, then read it back in to different environment in similar job.
  When we were exporting the Business Roles we expored the privilege-references as MSKEYVALUEs not MSKEYs. Note how you have named your repositories in different environments (as you know the name of the MX_PRIVILEGE differs if your ERP repository in development is eg ERP100 and in Q/A ERP200), you may need to convert the privilege names accordingly in export or import.
  One more thing you need to keep in mind is to pay attention whether your data has CR+LFs, which will break the CSV, we tackled this by encrypting/decrypting the data that had line feeds (DESCRIPTION-attribute).

• Error in reconcilation Function - Job "Reconcile roles and privileges"

  SAP NW 7.0 SP2 Patch 3
  Roles contain Privileges
  Help file says: "If you are using roles and privileges, you will need to perform a reconciliation of the roles/privileges assigned to the users in the identity store after the roles are modified. "
  Job imported as described.
  When I let the job run on the ID-Store, for each entry, the following error message occurs:
  runFunctionsInString($FUNCTION.reconcile( MSKEY )$$) got exception
  org.mozilla.javascript.NotAFunctionException: reconcile( MSKEY )
  ...where MSKEY is, of course, the MSKEY of the entry.
  If I let run the job with the Windows-Dispatcher and as a VB-script, it produces no error; however, in the output file, there are a lot of Messages like
  "!ERROR: Invalid use of Null"
  Only some entries (of Type MX_PERSON) show the "Priviliege added: (...)" output. But the job does not add the Privileges assigend to the role, as it should.
  So, I would suggest that one redefines the SQL-Query of the Job so that it runs only on MX_PERSONS. But then, still, in my case, it does nothing.
  Has anyone better experiences with the Job?
  Edited by: Thomas P. Felder on Sep 25, 2008 10:32 AM

  The job when imported by default uses java runtime engine but the script is written in vbscript syntax so you have to change the engine or the script syntax.
  When you did your select statement did you use SELECT DISTINCT.  That will also cause errors.  I do not narrow the entry type to MX_PERSON.
  I'm installing the patch now;  I will see if I get any errors.

• Role and privilege used by JDBC

  Is there any reqiured role and privilege used by JDBC?
  I use Oracle JDBC9203 for Oracle to connect Oracle8163, when executing certion codes, the JDBC raise a exception as below:
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:179)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:269)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.initCollElemTypeName(OracleTypeCOLLECTION.java:1026)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.getAttributeType(OracleTypeCOLLECTION.java:1056)
       at oracle.jdbc.oracore.OracleNamedType.getFullName(OracleNamedType.java:110)
       at oracle.jdbc.oracore.OracleTypeADT.createStructDescriptor(OracleTypeADT.java:2262)
       at oracle.jdbc.oracore.OracleTypeADT.unpickle81(OracleTypeADT.java:1656)
       at oracle.jdbc.oracore.OracleTypeUPT.unpickle81UPT(OracleTypeUPT.java:466)
       at oracle.jdbc.oracore.OracleTypeUPT.unpickle81rec(OracleTypeUPT.java:416)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody_elems(OracleTypeCOLLECTION.java:979)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody(OracleTypeCOLLECTION.java:923)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81(OracleTypeCOLLECTION.java:743)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION._unlinearize(OracleTypeCOLLECTION.java:242)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unlinearize(OracleTypeCOLLECTION.java:208)
       at oracle.sql.ArrayDescriptor.toJavaArray(ArrayDescriptor.java:963)
  I decompile "OracleTypeCOLLECTION.class", in funtion "initCollElemTypeName", i see a SQL as "select elem_type_name, elem_type_owner from all_coll_types where ....", this sql raise the error.
  Since all_coll_types is a system view of Oracle, i think the user connect to Oracle must have some role and privilege, it has connect role and execution privileges on some user-defined packages, is there any other role and privilege it needs? I don't like to grant DBA role to it for security reason.
  Very thanks for your reply.

  Can you post the code (Java and PL/SQL) that is being executed when this error is thrown? You don't need any particular privilege to execute PL/SQL via JDBC-- just the privileges you'd need to execute it in SQL*Plus or anywhere else.
  Justin
  Distributed Database Consulting, Inc.
  www.ddbcinc.com/askDDBC

• Mapping a user's role and privilege to another

  Hi all,
  Is there a command/way to map the role and privileges of a current user to a new user? I am new to oracle, I did read through the online docs but was not able to figure it out.
  Thank you very much!

  Check this link would help: Check the part where they are copying roles and grants for the users using dbms_metadata. You can limit this to one user you want by adding additional where clause like "where username = <username>
  Copying Oracle Users

• Create new user same as a existing roles and Privileges

  Hi Team,
  I am a junior DBA. New user Joined in Application team. So, Client requested me.....
  Crerate new user with same privileges as like as existing user.
  As of now i am creating user like "create user username identified by "password". Then grant privileges to that user. earliar I never comapare or copied users.
  Please suggest any one how to create new user as like as existing user roles and privileges.
  Thanks,
  Venkat

  For basic cloning:
  select dbms_metadata.get_ddl('USER', '...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_granted_DDL(‘TABLESPACE_QUOTA’, ‘...’) FROM dual;
  Then just replace the username with the new one you want to create.

• Defining roles and access for OWB Designer

  Hi,
  Can i Define roles and access rights to different on 1 OWB Designer repository?
  I want to send my mappings for code review but i dont want them to log into the OWB designer with write access.
  How can i achieve this in the same OWB designer repository as the one i am using?
  I am using OWB 10.1.
  I found some table - WMP_USER_ROLES,WMP_GROUP_ROLES,WMP_GROUP_REPOSITORIES
  when i logged into the designer schema through sqlplus
  Thanks
  Sagar

  Hi Sagar,
  Yes you can do that. Basically you can create a db user, and then register the user with a repository. By default that user has all privileges, however it now is audited per user as to what he/she did. How to do this look at the doc (find SecurityHelper)
  To enable you to protect metadata there are a couple of strategies (implemented via a simple PL/SQL API). For an example (this one works with policies on the module level) take a look here (http://www.oracle.com/technology/sample_code/products/warehouse/files/Dev_Status_Policy.SQL)
  This would work as follows:
  - Create user REVIEW
  - Register user REVIEW to repos QA
  - For a module you want review for, set the status to QA
  Now the REVIEW user logs in and he can look at QA but cannot touch.
  Hope this helps,
  Jean-Pierre
  In your situation

• Trying to auto generate roles and privileges

  Greetings All,
  Oracle Enterprise 11g v11.2.0.1.0 on Windows Server 2008
  I have a database with many schemas. One of the schemas is referred to as the CM_MASTER schema in that it has been granted the following: dba, create user, drop user, alter user, create any table, select any table, and a few others, all with the “with admin option” clause.
  We have developers that need select only access to the tables and views of the non-master schemas. My plan was to create a unique ROLE for each schema, then grant select on each table and view in that schema to that unique role. Then grant the appropriate role(s) to each developer hence giving them read only access.
  I can accomplish the above manually while logged on as the CM_MASTER schema.
  I am trying to create a procedure owned and executed only by the CM_MASTER schema that creates a new role and then grants to that role. The procedure accepts a parameter containing the user name of the target schema. The procedure is able to create the role (create role scott_r) successfully.
  However, I am getting an insufficient privileges error (see below) after the role has been created, when trying to issue the “grant select on scott.some_table to scott_r” command via "execute immediate".
  Any ideas what privilege(s) the CM_MASTER user needs in order to be able to issue the grant(s) to the role?
  Error message below:
  exec gen_schema_role('scott');
  Error report:
  ORA-01031: insufficient privileges
  ORA-06512: at "CM_MASTER.GEN_SCHEMA_ROLE", line 30
  ORA-06512: at line 1
  01031. 00000 - "insufficient privileges"
  The procedure code is below:
  The utl_file.put_line commands were added for debugging but nothing gets output.
  When the "execute immediate" lines are commented out, the output from the utl_file.put_line commands displays the correct SQL create and grant statements.
  create or replace
  procedure gen_schema_role(p_db_user in varchar)
  as
  v_role_name varchar2(30);
  v_bat_out utl_file.file_type;
  cursor get_object_names is
  select object_name from dba_objects
  where owner = upper(p_db_user)
  and object_type in ('TABLE','VIEW')
  and status = 'VALID'
  and object_name not like 'DR$%'
  and object_name not like 'XT%';
  begin
  v_bat_out := utl_file.fopen('SR_BACKUP', 'Create_Roles.sql', 'W');
  v_role_name := substr(p_db_user,1,28) || '_r';
  utl_file.put_line(v_bat_out, ' ');
  utl_file.put_line(v_bat_out, 'create role '||v_role_name);
  execute immediate 'create role '||v_role_name; <<-- This seems to work, the role gets created
  for a in get_object_names
  loop
  utl_file.put_line(v_bat_out,' grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name);
  execute immediate 'grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name;
  end loop;
  utl_file.fclose(v_bat_out);
  end gen_schema_role;
  Thanks,
  Snyds

  sb92075,
  I just tried, and YES the SQL is able to apply the "grant select" statements to the newly created role.
  I wanted to call this new procedure from the procedure that creates a new user by scheduling a job to perform an IMPDP job to import a base schema (using the remap schema clause).
  Any suggestions how to automate generating this role?
  Thanks,
  Snyds

• SAP Roles and Access for SAP Implementation team members

  Hi,
  Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
  If not, what is the correct practice?
  Kindly let me know

  Madhu,
  It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
  You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
  Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
  But I know just how demanding they can be....
  Best of luck
  Tony

• Roles and Rules for workflow.

  Hi,
      I have some basic conpectual problem about roles and rules.
      What is the diffrenece between roles and rules in sap business workflow ?  What is the Tcode for Role creation/Change/Display and Rule creation/Change/Display ? 
  I am using a standard workflow for PR Release "WS20000077".
  I have done all the setting except this agent assignment using roles or rules. The default rules used in the task "TS20000159" is "20000026". The Binding from workflow to rules container is also defined by the workflow itself.
  This rules is defined using a function module.When I am putting a breakpoint in this function module and tring to execute my workflow it is not going to the given breakpoint but the workflow is running successfully as shown in the event trace "SWE2".
    What could be the problem..Pls suggest?

  Hi Tanuja,
  Go through this link for [Rule Documentation|http://help.sap.com/saphelp_nw04/helpdata/en/bb/bdc296575911d189240000e8323d3a/frameset.htm]
  And
  http://help.sap.com/saphelp_nw2004s/helpdata/en/95/ed94ee764c11d3b535006094b9c9b4/frameset.htm
  Go through this link for [Roles in Workflow|http://help.sap.com/saphelp_nw04/helpdata/en/f4/4a5536ad3d2a17e10000009b38f839/frameset.htm]
  Hope this would help you.
  Good luck
  Narin

• Standred Roles and profiles for OSS Connection User

  Dears,
  We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
  Is there any standred roles or profile for this user in QAS and PRD that we can give to maintain our servers confidentiality.
  Please suggest.
  Shivam

  Not really. A note related to your question popped up in a previous discussion:Re: Exclude T-code from SAP all
  > If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...

• AE - Can we setup a system to only approve some roles and not for others ?

  I would like to setup a test system with no approval of roles access except for some of them ?  Will that be possible and how ?
  Any suggestion ?
  I would appreciate any feedback.
  Thanks.

  Hello Frank,
  Thanks for the information and nice suggestion. This infact is a limitation. We can use this only in case our request has other roles, which have Role owners.
  Dear Patrick,
  Now you may use any of the options mentioned as per what kind of access requests comes in your organization but better to use the one which Frank suggested as this would hold true in all teh cases.
  Regards,
  Hersh.

• ABAP User Roles and Query for accessing particular T- codes and Reports

  dear Gurus
  I have one problem, i want to know about ABAP User Query ,i have one requirement my user wants to Lock all the HR Std versus Customized reports in T- code SQ01,other department peoples also see the Payslips and Hr personal reports which is harmfull to the dept so i want to Lock all the reports in Std T- code in SQ01 and i have created one Customized User Roles or Query in which the T-codes and Reports are assigned only those particular user can access the T-codes and Std reports .how can it be possible i dont have any idea about user roles and Queries .
  kindly help me out or send me some documents related to user roles and queries
  regards ritesh sharma

  Hi Ritesh,
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
  Regards,
  Flavya

• Extraction list roles and users for entreprise portal.

  Hi Everyone,
  I work on Enterprise Portal only java.
  I want to extract the list of all these users with their roles
  How do I proceed?
  Thanks for the help!
  Regards Giglio

  Giglio,
  Its possible to access the list of user and their roles from portal in several ways:-
  Approach 1:
  User Admin -> Import/Export -> User Data Export -> Press Export Button -> Copy the user content and store in a seperate file -> Done.
  Approach 2:-
  You can write a custom progrram in Java using UME API to get the portal user information. You can use webdynpro for java or JSP Dynpage/abtract portal component to use UME API.
  Ram