Role assignment request
hi guys,
In my scenario, roles are given to end users by their manager. The thing that I'm really confused of, is that the manager should only see users that are part of his team in order to assign them roles.
I saw it's possible to set up restriction at manage tab level by modifying the MX_PERSON entry type but I'm not sure if it's well adapted for a manager / user restriction.
I know it's possible to set up "access control" on the assign role task but manager will still see people that are not in his team.
Have you ever been though that kinf of requirement? do you have ideas?
Thanks!!
guillaume
Thanks for your answers!!
I did as you told me.
I use the MX_FS_PERSONNEL_NUMBER_OF_MANAGER attributes as search attribute and MX_FS_PERSONNEL_NUMBER as user attribute. In that way, it allows a manager to see only people from its team.
But it's quite rigid and it becomes really hard to set up a more complexe filter (for example, see the all hierarchy under a given manager)
Thank you!
guillaume
Similar Messages
-
Role info not appearing once role assignment request is submitted from UI
Hi Everyone,
We have a strange problem in our project in IDM 7.2 SP8 where IDM role concept is used which contains privileges (could be role/profile) of backend systems.
Usually when ever a role (i.e IDM role) assignment request is submitted from UI, the activity with the associated info (like user details, role details, audit ID) should be stored in MXI_LINK table from where the info will be fetched and used in next stages of the processing
Even though the information is getting available for most of the cases for all users but some times for few users once the role assignment request is initiated from UI there is no info is getting available in MXI_LINK table corresponding to this activity which is strange.
Because of this problem even though user submits role assignment request no role info getting passed to IDM, set to pending state for the user which is getting meaning of user not submitted any role assignment request at all.
Can any one suggest what are the things that gets involved between these two steps and any troubleshooting hints are highly appreciable.
Regards,
Venkata BavirisettyIs this a situation you recreate at will? In other words, is it always happening on the same users? If so, you could put a trace on that user's account then try to add the role and see what that trace log shows. Additionally, you could just follow the links in the chain of the various tasks that kick off when you do a role assignment and check each task / job's job log and see what that tells you. There's got to be an error somewhere along the way that's preventing this from executing properly.
-
OBPM 10gR3 Dynamic Role Assignment at user login
Hi,
For all the great integration with LDAP in 10gR3, unfortunately, the system is unable to deal with dynamically-defined LDAP groups.
Our goal is to apply a BPM Role to ALL humans defined in our LDAP.
All humans happen to already be defined by a dynamically-defined LDAP group called 'AllPeople'.
It would have been perfect if we could simply assign our BPM Role, 'Employee', to the LDAP group, 'AllPeople'. Sadly you can't (one for the next release pls).
So as a workaround, what we want to do instead is assign the BPM Role 'Employee' to each individual user dynamically when they first login.
Since the FDI library is useless outside of a BPM context (you'll find that some of the familiar methods of RoleAssignment are missing), We opted to create an actual BPM process to conduct role assignments, and we would then trigger it via PAPI.
The question then was, where/when do we invoke the process such that it does the role assignment quickly and soon enough for the appropriate views and applications to appear in their workspace straight after login?
We opted for a customised implementation of the SSOWorkspaceLoginInterface class.
However, we tried making the invocation in the setupAuthenticatedSession() and the processRequest() methods but, although the role assignment was successfully done in either case, sadly the user's session was loaded without the new changes - perhaps loaded quicker than the role assignment could be fed back through the directory.
Therefore, we dumped the invocation in the actual constuctor - and this seems to work for the most part. Yet on the odd ocassion, the role assignment is not quick enough to be realised in the user's workspace session - the user has to logout and back in before the changes are realised.
We've even tried to get the execution to sleep for a second or two, while the PAPI thread goes about doing the role assignment - again not much success.
So I really have 2 questions:
1. Where during login can we make a PAPI call to do a role assignment so that it should be picked up by the time the session is created? perhaps we already are doing it in the right place.
2. How could we refresh/request a new session cookie without explicitly logging out and back in again? Note, page refresh is not enough.
Thanks for reading.Sorry for the belated response - I don't get notified of replies.
The code for my custom SSOLoginModule class is:-
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
import fuego.workspace.security.SSOWorkspaceLoginInterface;
import fuego.papi.Arguments;
import fuego.papi.CommunicationException;
import fuego.papi.InstanceInfo;
import fuego.papi.OperationException;
import fuego.papi.ProcessService;
import fuego.papi.ProcessServiceSession;
import fuego.sso.SSOLoginException;
import fuego.sso.SSOUserLogin;
import fuego.jsfcomponents.Util;
import fuego.workspace.model.common.WorkspaceApplicationBean;
public class CustomSSOWorkspaceLogin extends SSOUserLogin implements SSOWorkspaceLoginInterface {
private ProcessService pService;
private ProcessServiceSession pServiceSession;
private Properties properties;
public SSOWorkspaceDBLogin() {
//Do the role assignment here because it works, and does not work in the ideal location of setupAuthenticatedSession method
pService = createProcessService();
pServiceSession = createProcessServiceSession();
assignDefaultRole(Util.getHttpServletRequest().getRemoteUser());
private ProcessService createProcessService() {
return WorkspaceApplicationBean.getCurrent().getProcessService();
private ProcessServiceSession createProcessServiceSession() {
return pService.createSession("yourdirectoryusername","yourdirectorypassword",null);
//This method is used to remotely invoke a BPM process to do the role assignment - no external API to do this directly!
private void assignDefaultRole(String email) {
try {
String processId = "myRoleAssignmentProcessId";
String argumentName = "argumentName"; //the name of the input argument to feed in the participant
String argumentValue = email;
Arguments arguments = Arguments.create();
arguments.putArgument(argumentName, argumentValue);
InstanceInfo instance = pServiceSession.processCreateInstance(processId, arguments);
Long waitTime = new Long(1000);
Long timeLimit = new Long(5000);
boolean roleAssigned = false;
boolean timeLimitExceeded = false;
Long startTime = System.currentTimeMillis();
//Allow role assignment thread to complete
while (!roleAssigned && !timeLimitExceeded) {
try {
Thread.sleep(waitTime);
if (pServiceSession.processGetInstance(instance.getId()).isCompleted()) {
roleAssigned = true;
if (System.currentTimeMillis() - startTime > timeLimit) {
timeLimitExceeded = true;
} catch (InterruptedException e) {
e.printStackTrace();
//close process service session
pServiceSession.close();
//Do not close the service itself as it is shared with the Workspace itself!
//pService.close();
} catch (Exception e) {
e.printStackTrace();
public void setupAuthenticatedSession(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
//Unfortunately, the below does not work here because the role assignment is not fast enough
//The result is that the user logs in but cannot see any applications because the role assignment has not been made in time.
//Therefore, we run the below statements from the constructor - ugly but functions.
//pService = createProcessService();
//pServiceSession = createProcessServiceSession();
//assignDefaultRole(httpservletrequest.getRemoteUser());
public void processRequest(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse) throws SSOLoginException {
} -
Role Approval request not visible in Role Approvers ToDo tab
Hi IDM Experts,
We have implemented IDM 7.2 SP8 in our project. We have performed the basic configuration for Identity center and IDM UI. The initial load from CRM is also completed successfully.
We followed the steps in guide https://scn.sap.com/docs/DOC-26322 to configure workflow such that in case role is requested to be assigned to user, the request goes to role approver(in his todo tab) for approval. The access will then be provisioned into backend CRM system on successfully
approval. However, we are facing an issue where the Role approver does not get anything in "TODO" tab for approval. The request shows in "Pending" status and logs show that tthe request is pending approval, however, it never appears in role approvers queue.
Kindly help on the issue. Please provide below information:
1) We can check in logs that the request is pending approval. Is there any way we can check where is the request routed to and whoose approval is pending here if it did not goto "Role Approver" for approval.
2) Any trouble shooting mechanism/tool available in IDM to debug issues like this.
Thanks in advance for your help.
Thanks and regards,
NitinHi Nitin,
How do you assign the role to the user? if it's trought IDM UI, you loggin with which user?
There is a limitation on approval with SP08 : the requestor of the assignement can not be define as an approver.... but in this case the approval is automaticaly rejected by the system ...
in which logs / table can you see that your request is "pending for approval" ?
I also would recomand you to use the simple scenario "get approver from role/privs" of as krishna mentioned. (unless you need to do more custum actions)
Besides, you can check approval entries and status in DB views :MXWV_ApprovalQueue ...
Fadoua -
GRC 10 BRM - Approve Single Role assignment in Business Roles
Hello,
I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
Do you know any way to configure this?
Thanks,
FernandoHi Claudio - thanks for breaking it down
@ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
By using this role approval methodology your single role approvers are indirectly allowing any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
As mentioned - you are using two different workflow process ids
Role Build - using BRM to approve the single roles being part of the business role
Access Assignment - approving the user to receive the business role which includes the single roles
Regards
Colleen -
Approval Task for role assignment
Hello again,
is there any manual for approval tasks with the SAP Provisioning Framework? There is a task group called Request new business role, but if I use this, the approver approves the request, but the status of the role assignment is "in process"and never changed to "OK".
I only found these manuals:
- How To... Create Approval Tasks in SAP NetWeaver Identity Management
- Implementing role approvals
But both documents didn't show an end-to-end role-request-and-approval workflow.
Thanks in advance.Hello Matt, hello Peter,
the web-enabled task "Request New Business Role" and the including approval task are only examples.
To create own approval processes for your projects you have to understand how approval tasks and pending values work.
The following document shows the basics of PVOs (pending value objects).
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0d6b459-3456-2b10-209e-9e78ec9fd97b?quicklink=index&overridelayout=true
This is documentation of the release 7.0, which is not updated to 7.1. But basics of PVOs are still the same.
There is also a document which describes approval task for Release 7.1:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c?quicklink=index&overridelayout=true
Also a "How-To Guide" is available:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/904deabf-73b9-2c10-e8bb-8514dc3757f2?quicklink=index&overridelayout=true
I think this is enough to learn to create workflows in SAP IdM.
There is also a nice book available with detailed information:
EN: http://www.sap-press.com/products/Understanding-SAP-NetWeaver-Identity-Management-.html
DE: http://www.sap-press.de/2007
I think this will help you.
Best regrads,
Christoph Reckers -
No Portal Roles assigned issue
Hi Experts ,
We had recently integrated CRM with portal , but some users inspite of having the portal roles assigned to their id were getting an Access Denied page (we had customized the "no portal roles assigned " error page ) . Knowing the dependency of portal on IE and browser settings , this issue is sometimes resolved by clearing cache , cookies , and changing a few browser settings etc on IE 6.0 . If this doesn't work then upgrading to IE 7.0 definetly helps . Since this is just a workaround , I would like to know if anyone has experienced such a thing before and has a solution for this . Your inputs will be highly appreciated .
Regards
MayankHi Mayank,
This is an error which happens when there is No roles assigned to the user. I am not sure how your systems are designed for User Management. Say for example in some cases LDAP is used to maintain Group to User Relationships and Portal Roles are connected to Groups therfore all users in the group is assigned to the Role. In some cases UME is used.
Having said that you can disable the cache for the browser. You have to compromise with the performance however, this will ensure that everytime the user logs in, the request will always go to the server.
Regards
Avik -
Need procedure for creation of BW Roles, Assigning Queries,Publishing Roles
Hi Experts,
Could you please let me know the procedure for creation of BW Roles, Assigning Queries,Publishing Roles in Business Explorer (BEx - BW 3.5)
Thanks in advance,
AndyHi,
Creating BW Roles
http://help.sap.com/saphelp_nw04/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
Assigning Queries
After creating the query, save the query to a role from the query designer.
Publishing Roles in Business Explorer
https://websmp101.sap-ag.de/~sapdownload/011000358700002894802003E/HowToBIPortal1.pdf
Hope this helps you..!
-Pradnya -
Background job fails for BDC profile creation and role assignment
Hi Experts,
I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. the problem is that when i run this program in foreground it executes succesfully, but if i schedule it in background it fails throwing error in job log 'Role 'Z...' does not contain any active authorizations'. But i have created one more program to create authorization objects which runs before this zprogram.I have also checked the authorization object in 'RSECADMIN', it reflects active. I dont understand whats happening exactly when it runs background.
Below is the process of job
1. ZMIS_AUTH_OBJECT_CREATE
Variant : auth-create
2. ZMIS_AUTH_ASSIGN_TO_ROLE
Variant : auth-assign
The problem is in second program, runs in foreground but fails in background.
Code which i have written in my second program
***BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
***Generation of Profile created
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14 .
Experts please help me out its very urgent. your help is appreciated and rewarded. Thanking you in advance.
Regards,
ChetanHi Praveen,
Yeah definately, my requirement is that I have to access of some BI reports to certain users, so contract data will be downlaoded from ECC on application server, need to read that file from application server and for the each contract i ahould create a authorization object, role creation and assigning of role to the user and profile generation and activation.
To achieve this i have written two programs
1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
"" Creation of Authorization Object
CALL FUNCTION 'ZAUTHOBJ'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
g_authname_001 = 'ZDUMMY_MIS'
g_targetauth_002 = wa_tab-auth
g_authtxt_003 = wa_tab-short_desc
g_authtxtmd_004 = wa_tab-med_desc
marked_04_005 = 'X'
g_authtxt_006 = wa_tab-short_desc
g_authtxtmd_007 = wa_tab-med_desc
tctiobjnm_04_008 = 'ZBUS_UNIT'
g_authtxt_009 = wa_tab-short_desc
g_authtxtmd_010 = wa_tab-med_desc
marked_05_011 = ''
opt_01_012 = 'EQ'
low_01_013 = wa_tab-bu
g_authtxt_014 = wa_tab-short_desc
g_authtxtmd_015 = wa_tab-med_desc
marked_04_016 = 'X'
g_authtxt_017 = wa_tab-short_desc
g_authtxtmd_018 = wa_tab-med_desc
tctiobjnm_04_019 = 'ZCONTRCT'
g_authtxt_020 = wa_tab-short_desc
g_authtxtmd_021 = wa_tab-med_desc
marked_05_022 = ''
opt_01_023 = 'EQ'
low_01_024 = lv_contract
g_authtxt_025 = wa_tab-short_desc
g_authtxtmd_026 = wa_tab-med_desc
g_authtxt_027 = wa_tab-short_desc
g_authtxtmd_028 = wa_tab-med_desc
g_authname_029 = wa_tab-auth
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
"" Creation of role
LOOP AT it_role INTO wa_role.
CLEAR wa_text.
wa_text-text = wa_role-desc.
wa_text-langu = 'E'.
APPEND wa_text TO it_text.
wa_jobrole-agr_name = wa_role-role_name.
wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
wa_method-usmethod = 'CHANGE'.
CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
EXPORTING
jobrole = wa_jobrole
parent = wa_parentrole
method = wa_method
TABLES
* RETURN =
shorttext = it_text
* LONGTEXT =
* MENU_NODES =
* MENU_TEXTS =.
ENDLOOP.
2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program will generate the profile created assign it to the role.
""*BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message .
COMMIT WORK AND WAIT.
""*Generation of Profile created
LOOP AT it_role INTO wa_role.
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ENDIF.
ENDLOOP.
For creating authorization objects, role & profile i have created one dummy auth, dummy role & dummy profile respectively.
i have created dummy objects to copy the roles from dummy object and assign the same to new Auth obj, role & profile.
Let me know what needs to be done. because these both the programs run perfectly in foreground, but fails in background.
Regards,
Chetan -
Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services
To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields. When following that kind of link for folders, I either get:
<d:ListItemAllFields
m:null="true"
/>
or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
to a list!).
If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
/_api/Web/Lists/GetByTitle('Development')
If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
gives me:
<d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
So, in summary:
1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
path I should use to get the data I described above.Upon further research, I'll answer my own question for the benefit of some other potential future newbie. The answer to question number 1 above is "Not exactly.". The server relative URLs I was using corresponded to lists (which are
returned as a collection through /_api/web/lists). I was treating them mentally like regular folders. That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists. That was the other problem with thinking of these lists as regular folders. So, ListItemAllFields works on
all files and folders in a list. However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above. For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments. -
FPN - error trying to lookup object - remote role assignment not working
Hello everyone,
We have implemented a Federated Portal Network connection in our landscape between our portals.
We use only remote role assignment functionality.
Everything was working fine, but since 2 days we encounter the following error in the Default trace.
Error trying to lookup object: alias: <role name>
It is possible to open the producer portal in the Portal Content Administration and also searching for the Producer portal roles is possible in User administration. But when we assign the remote role the tab is not displayed in the portal only the above mentioned error is shown in the default trace. Our portals run SP 12 and BI Java SP14.
Is there a solution or workaround for this issue ?
MartinHi,
I have the same issue as you, I cannot see role tabs in Consumer portal and I get the same error in the defaulttrace as you.
What did you do to resolve this issue?
Many thanks
Gordon -
Report to see user type and roles assigned to users in EP?
Hi,
a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
b) If the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.By default Portal UME comes along with the installation of portal.
Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories. But you can also create users in the portal UME. The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
You can check them in user administration->identity management and search for the users.
THere you can see some users will be from UME and some from LDAP.
User Admin tool is nothing but User Administration only.
Raghu -
Mass Change for Indirect Role Assignment
Hi all,
I am in the process of changing the companys authorisations from a standard SU01 role assignment to a position based indirect role assignment.
At the moment I am using PFCG going to the Org Mg button under the User tab then attaching the position that way. Is there a way of assigning more than one role to a position at the same time?
Is there a Mass Assignment option in PFCG or is there a separate transaction available to make this process quicker??
Thanks for your help
Ianyou can mass-assign people and roles if you go to transaction PPOME instead of PFCG. to make role assignments from PPOME please apply note 578271 first. be careful whilst implementing this <insert nasty word here> note because some of those view-clusters tend to refuse to load your changes = you can see them, but they don't work - might be you will have to flush table buffers for the changes to take effect.
-
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.comBelow are the screen shots for PFCG:
-
How to get the list of roles assigned to a user in all the child systems
how to get the list of roles assigned to a user in all the child systems from CUA SYSTEM
Try transaction SUIM in your CUA system. Go to user, cross-system information, users by roles. If you run it wide open, you'll get all users and all roles assigned for all systems managed in your CUA.
Krysta
Maybe you are looking for
-
HT204088 how can i make complain about purchasing an item in app store
i have a problemi purchase an item for one time but every month they take from my accounts money to renewal and i dont want that i need to stop it
-
Env variable confusion - newbie install
Hello, I have completed the installation sequence for db 10g (10.2.0.1) on RHEL 4.3 (x86_64). I am somewhat confused by this installation procedure wrt env. variables such as ORACLE_HOME, ORACLE_SID, ORACLE_BASE, etc. The pre-installation guidelines
-
When we configure copy controls we have a field "COPY QUANTITY" this is left blank when copying from sales order to another sales order, from QT to OR we make +ve and from contract to Return we make it -ve. Can anybody explain me the logic behind th
-
It seems that the installation is complete,but it is not working,i still can't watch videos @ youtub
while installing the flash player 10.1,i have followed all the instructions properly & it seems & it shows that the installation is done.but i still couldn't find the programme in my 'control panel'..... & still can't watch videos @ youtube etc. it s
-
I´ve bought a lenovo G400S Core I7 and then bought one extra 4GB RAM memory module. Notebook only recognizes one module of memoy. It seems that second slot is disabled. Anyone know something about memory limits for this notebook? Solved! Go to Soluti