Role base security & authorization

Similar Messages

• Is role base security supported by WLS 5.1?

  To what extent is role based security supported by servlets under WLS 5.1?
            Declarative role based security does not seem to be supported?
            Are any of the following methods supported?
            HttpServletRequest.isUserInRole()
            HttpServletRequest.getUserPrincipal()
            If so, where are the roles declared? Where is the role/principal mapping
            done? Does getUserPrinicipal() return the principal using the WLS security
            realm?
            Thank you.
            Marko.
            

  Cool. Bonus mystery feature. I will call support.
            Thanks Winston.
            Marko.
            Winston Koh <[email protected]> wrote in message
            news:[email protected]...
            > no, i am not referring to ACL. to my knowledge, the servlet security
            > features docs do not make it into the WLS 5.1. I understand its a bit hard
            > to use the features properly without proper documentation. contact support
            > for more info
            >
            > thanx
            >
            > Winston
            > Marko Milicevic <[email protected]> wrote in message
            > news:[email protected]...
            > > The only servlet authorization mechanism I can see documented is ACL's.
            > Is
            > > this what you are referring to Winston? If so, I believe ACL are
            > different
            > > than declarative role based security. An ACL grants access to a servlet
            > for
            > > a set of principals (users and/or groups). But a role is not a
            > prinicipal.
            > > A role name is mapped to a set of principals.
            > >
            > > If you are referring to roles, can you give a URL to the documentation
            > which
            > > discusses this?
            > >
            > > Thanks Winston.
            > >
            > > Marko.
            > > .
            > >
            > > Winston Koh <[email protected]> wrote in message
            > > news:[email protected]...
            > > > both declarative and programmtic based security roles are supported by
            > WLS
            > > > 5.1.
            > > >
            > > > if you don't specify any specific security realm in the
            > > weblogic.properties
            > > > file, a default WebLogic Security realm is assumed. you could specify
            > the
            > > > group and its associated users and passwords there in the properties
            > file.
            > > > in the web.xml file associated with each web app, you could speciify
            the
            > > > security constraints for each servlet
            > > >
            > > > I would imagine when accessing a secured servlet within a web app, a
            > > client
            > > > would supply her credentials thru some sort of authentication, and
            based
            > > on
            > > > the credentials, we find out the role name from the
            weblogic.properties
            > > file
            > > > which in turn mapped to the web.xml which specify the security role
            that
            > > > could access the particular servlet. if the role matches, access to
            the
            > > > servlet is granted
            > > >
            > > > refer to WL Docs for more specific details
            > > >
            > > > thanx
            > > >
            > > > Winston
            > > > Marko Milicevic <[email protected]> wrote in message
            > > > news:[email protected]...
            > > > > To what extent is role based security supported by servlets under
            WLS
            > > 5.1?
            > > > >
            > > > > Declarative role based security does not seem to be supported?
            > > > >
            > > > > Are any of the following methods supported?
            > > > >
            > > > > HttpServletRequest.isUserInRole()
            > > > > HttpServletRequest.getUserPrincipal()
            > > > >
            > > > > If so, where are the roles declared? Where is the role/principal
            > > mapping
            > > > > done? Does getUserPrinicipal() return the principal using the WLS
            > > > security
            > > > > realm?
            > > > >
            > > > > Thank you.
            > > > >
            > > > > Marko.
            > > > > .
            > > > >
            > > > >
            > > > >
            > > >
            > > >
            > >
            > >
            >
            >
            

• Role Base Security SSAS Tabular and PPS not working

  Hi,
  I am having SSAS (Tabular Model) with Role based Security. It is working fine with Powerview and PowerPivot.
  But when i am  using same with PPS. it is giving me error like 'Data source not accessible'.
  If i don't Provide Role while connecting and if i select
  unattended account, it is working but no security.
  Please help me out on this situation or provide any steps with snapshot(if possible), how to make pps
  working with SSAS Tabular model with Role.
  Thanks in Advance
  Pinak kakadiya

  Hi Vishal,
  According to your description, you are trying to use time intelligence functions in SQL Server Analysis Services Tabular model without success, right?
  In order to use time intelligence functions in DAX formulas, you must specify a date table and a unique identifier (datetime) column of the Date data type. Once a column in the date table is specified as a unique identifier, you can create relationships
  between columns in the date table and any fact tables. Please refer to the links below to see the details steps to use time intelligence functions in DAX formulas.
  https://msdn.microsoft.com/en-us/library/hh758415.aspx?f=255&MSPPError=-2147217396
  http://blog.gbrueckl.at/2013/02/fiscal-periods-tabular-models-and-time-intelligence/
  If the issue persists, please provide us more information about your tabular structure, so that we can make further analysis.
  Regards,
  Charlie Liao
  TechNet Community Support

• Role base Security

  Hello,
  My question is I want to create a role which should make sure through this role if a user is an authorized user, and logging from authorized server(could be IP verification).  once the condition satisfies through this role, then it should enable the for that particular user can select or update objects from that user.
  say for example,  USER "A"  has access to "TEST" schema in a test database.
  there is 1 role test_a which has select privileges on TEST schema objects, which is granted to User "A".
  Here I want to check first through another role say for example CK_TEST role which should make sure if User "A" is an authorized user, if so is user "A" logging from authorized client or server, if so then enable the TEST_A role to User 'A".
  can someone give me an example how toaccomplish this.
  Thanks a lot....

  I'm assuming that user A is a database user, not an application user.  If that's the case, what does it mean for A to be an "authorized user"?  If the session has been created, then A must be a valid database user and whoever is logging in must have provided the correct password.  If A has been granted the TEST_A role, what more is required for A to be an "authorized user"?
  Having the database verify that a client is "authorized" is a bit problematic simply because the client is providing all the information that you'd be checking in the database.  An attacker could easily spoof or change their IP address, for example.  Validating the IP address can be useful if you want to prevent people from doing things inadvertently (i.e. preventing a DBA from inadvertently logging in to prod from their laptops if that's something that you want to avoid) but isn't particularly good at preventing attackers from getting in.
  You can make TEST_A a password-protected role.  You can create a VPD policy on the objects in TEST that requires a user to call a procedure that you've defined that does whatever validation you want before setting the context to allow access to the data in those tables.  You can create a logon trigger that tries to prevent users from logging in from the "wrong" IP address (with the caveats above that this isn't particularly good at keeping attackers out).  Or you can restrict what machines can access the database at the SQL*Net layer or, preferrably, by putting a firewall in front of the database.
  Justin

• Security Authorizations for IDOC

  can anybody explai me following.
  Roles and responsibility wrt the Security Authorizations the user should have to process the IDOCs at the receiving end and also the monitoring the IDOCs
  Regards,
  Rahul

  Hi Shesha,
  I presume you have the SAP Integration kit intalled and configured, and imported the BW roles in the CMC... you are also login with the SAP user account (User1, User2). This would be a base requirement to make this work.
  In your OLAP universe, you need to set the connection properties of the connection to. Select Use Single Sign On when refreshing reports at view time to allow the user to benefit from SAP SSO.
  You have currently used User1 for the connection and saved the universe with this user id, thus, when the connection is made to BW, it is User1 with its role permissions accessing the data, even if you are logged on as User2, User1 is being authenticated.
  Hope this helps
  Jacques

• Security-role and security-role-assignment not working in WL7.0

  Hello all..
  Some EJB components that worked fine in WebLogic 6.1 no longer work in
  WL7.0. It has to do with the security-role and security-role-assignment
  descriptor elements no longer allowing anonymous users to be included in the
  authorization for a bean.
  For example, in WL6.1 placing these items in ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <role-name>Employees</role-name>
  </security-role>
  <method-permission>
  <role-name>Employees</role-name>
  <method>
  <ejb-name>CustomerEJB</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
  <security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
  </security-role-assignment>
  worked fine for clients creating their context using a simple
  InitialContext() constructor without specifying SECURITY_PRINCIPAL or
  SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
  the security-role-assignment element above told WebLogic that "guest" was in
  the Employees role for purposes of this EJB archive.
  Worked in WL6.1, no longer works in WL7.0. Client receives typical
  permission exception:
  java.rmi.AccessException: Security violation: insufficient permission to
  access method 'create'
  If I explicity connect as "system" things are fine, or I can create a new
  user in the default realm in WebLogic, put a matching <principal-name>
  element in the section above, and connect as that user. Note that if I leave
  off the <security-role> section completely, or set the required role name to
  "everyone", the anonymous access works fine. Apparently the anonymous user
  is a member of "everyone" behind the scenes even though "everyone" does not
  appear in the realm list of groups or roles.
  So, my question boils down to this: Is there a "magic" username in WL7 like
  "guest" was in WL6.1 that can be mapped to the required role name, or must
  every client connection use a true weblogic-created user with appropriate
  role assignments used to map it to the required role name.
  -Greg
  P.S. Note that none of the EJB examples provided with WL used
  <security-role>..
  Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
  www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

  Below are the screen shots for PFCG:

• Error in Role Based security using weblogic 9

  Hi All,
  Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
  <security-constraint>
       <web-resource-collection>
            <web-resource-name>Success</web-resource-name>
            <url-pattern>/form.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
       </web-resource-collection>
       <auth-constraint>
            <role-name>admin</role-name>
       </auth-constraint>
       <user-data-constraint>
  <transport-guarantee>INTEGRAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
       <role-name>admin</role-name>
  </security-role>
  When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
  Error 403--Forbidden
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.4 403 Forbidden
  The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
  So can any one provide me the solution for the above problem.
  Thanks in advance.
  By,
  Sandip Pradhan

  Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

• Use of default XACML with custom role mapper and authorization provider

  Hi,
  Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
  My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
  Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

  I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then right a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
  Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
  The chosen approach depends on where you're getting the role information from.

• Role Mapper and Authorizer

  At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline. Keep App Deployments while recreating the domain in WLST offline
  Things seems to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by default Role Mapper and Authorizer (on subsequent runs when the domain folder already exists and we overwrite the domain)
  Basically the first readDomain is causing this. without reading the domain, I cannot get the app list.
  System.setProperty("com.bea.cie.script.throwException","true")
  appdeps={}
  try:
    readDomain('c:/temp/basicWLSDomain')
    cd('/AppDeployments')
    apps=ls(returnMap='true')
    for app in apps:
    appdeps[app]=ls(app,returnMap='true', returnType='a')
  except:
    pass
  try:
    closeDomain()
  except:
    pass
  #=======================================================================================
  # Open a domain template.
  #=======================================================================================
  readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
  #=======================================================================================
  # Configure the Administration Server and SSL port.
  # To enable access by both local and remote processes, you should not set the
  # listen address for the server instance (that is, it should be left blank or not set).
  # In this case, the server instance will determine the address of the machine and
  # listen on it.
  #=======================================================================================
  cd('Servers/AdminServer')
  set('ListenAddress','')
  set('ListenPort', 7001)
  create('AdminServer','SSL')
  cd('SSL/AdminServer')
  set('Enabled', 'True')
  set('ListenPort', 7002)
  #=======================================================================================
  # Define the user password for weblogic.
  #=======================================================================================
  cd('/')
  cd('Security/base_domain/User/weblogic')
  cmo.setPassword('weblogic11g')
  #=======================================================================================
  # Create a JMS Server.
  #=======================================================================================
  cd('/')
  create('myJMSServer', 'JMSServer')
  #=======================================================================================
  # Create a JMS System resource.
  #=======================================================================================
  cd('/')
  create('myJmsSystemResource', 'JMSSystemResource')
  cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
  #=======================================================================================
  # Create a JMS Queue and its subdeployment.
  #=======================================================================================
  myq=create('myQueue','Queue')
  myq.setJNDIName('jms/myqueue')
  myq.setSubDeploymentName('myQueueSubDeployment')
  cd('/')
  cd('JMSSystemResource/myJmsSystemResource')
  create('myQueueSubDeployment', 'SubDeployment')
  #=======================================================================================
  # Create and configure a JDBC Data Source, and sets the JDBC user.
  #=======================================================================================
  cd('/')
  create('myDataSource', 'JDBCSystemResource')
  cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcDriverParams','JDBCDriverParams')
  cd('JDBCDriverParams/NO_NAME_0')
  set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
  set('URL','jdbc:pointbase:server://localhost/demo')
  set('PasswordEncrypted', 'PBPUBLIC')
  set('UseXADataSourceInterface', 'false')
  create('myProps','Properties')
  cd('Properties/NO_NAME_0')
  create('user', 'Property')
  cd('Property/user')
  cmo.setValue('PBPUBLIC')
  cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcDataSourceParams','JDBCDataSourceParams')
  cd('JDBCDataSourceParams/NO_NAME_0')
  set('JNDIName', java.lang.String("myDataSource_jndi"))
  cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
  cd('JDBCConnectionPoolParams/NO_NAME_0')
  set('TestTableName','SYSTABLES')
  #=======================================================================================
  # Target resources to the servers.
  #=======================================================================================
  cd('/')
  assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
  assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
  assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
  #=======================================================================================
  # Write the domain and close the domain template.
  #=======================================================================================
  setOption('OverwriteDomain', 'true')
  setOption('CreateStartMenu', 'false')
  writeDomain('c:/temp/basicWLSDomain')
  closeTemplate()
  #=======================================================================================
  # Exit WLST.
  #=======================================================================================
  exit()
  So I thought I will create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. but that is resulting in duplicates on the first run (when the domain folder does not exist) and in the subsequent runs (when the domain folder already exists), I see one XACML and one default.
  cd('/')
  create('base_domain', 'SecurityConfiguration')
  cd('SecurityConfiguration/base_domain/Realm/myrealm')
  ls('a')
  create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
  create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
  I am going no where with Oracle Support. I am wondering if anyone ran into this before.

  com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments and the wrong fragment is being used when the domain is recreated.
  I am thinking it is a logic issue in domain creation.

• RBAC / Role Based Security Set Up in R12

  We are working with a 3rd party consulting organization to implement Role Based Access Control in E-Business Suite R12. We have approximately 50 users and with 35 responsibilities today and are currently in the process of designing our role based security set up. In advance of this the consulting company has provided us with effort estimates to cutover from the current responsibility structure to RBAC. We are told this must be done while all users are off the system. The dowtime impact to the business is very high, expecially considering our small user base.
  With RBAC cutover downtime estimates such as these I can't understand how any company larger than ours could go live with it?
  Does anyone have previous Role Based Access Control implementation experience in EBS R11i or R12 and could provide some insight on their experience and recommendations, best practice for cutover to mitigate impacts to the business as we cannot accept the 90 hours of downtime outlined by the consulting company below?
  Disable users old assignments:
  *12.00 hours*
  Disable Responsibilities targeted for the elimination:
  *12.00 hours*
  Disable Responsibilities targeted for the elimination:
  *16.00 hours*
  Setup OUM options and profiles:
  *6.00 hours*
  Setup Roles and Hierarchies:
  *14.00 hours*
  Grant Permissions:
  *12.00 hours*
  Setup Functional Security and disable the obsolete responsibilities:
  *12.00 hours*
  Setup Data Security and disable the obsolete data accesses:
  *6.00 hours*
  Total *90 hours*
  Note - all activities must be performed sequentially*
  Any advice or experiences you could share would be extremely valuable for us. Thank you for taking the time advance to review & respond.

  On Srini`s comments "Creating Roles.. will have to be done manually "... I would like to know will the same approach be followed for PRODUCTION instance also. Say if we need to create 35 responsibilities and 50 roles so should this be done manually in PRODUCTION.
  I have not worked on this but I know that in my previous company this was done using scripts. Need to find more on this.

• JDev11 R.1. ADF Security Authorization

  Hi,
  I would like to know if it might be possible to use authenticatication via RDBMS authentication provider of Weblogic App. Server and ADF Security Authorization together in a JDev 11 application?. I am reading documentation and it says that; 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store. One could define roles and its access rights in jazn-data.xml and might expect authentication and isUserInRole services coming from the authentication service without defining users (role members) at design time. Is it or will it be possible in future?
  Best Regards.

  Hi
  I think it is too early and I don't know if they will ever build this. ( because they also have to support other app servers). Is RDBMS authentication provider of Weblogic App. Server a JAAS implementation?
  in TP4 you had a db login module , don't know if this is supported in 11g production.
  jps-config.xml
  <serviceInstance provider="jaas.login.provider" name="testlogin">
  <description>Sample LoginModule</description>
  <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
  <property value="REQUIRED" name="jaas.login.controlFlag"/>
  <property value="ovs_user" name="table"/>
  <property value="jdbc/OVSDS" name="data_source_name"/>
  <property value="role_name" name="groupMembershipGroupFieldName"/>
  <property value="password" name="passwordField"/>
  <property value="ovs_user_role_view" name="groupMembershipTableName"/>
  <property value="role_name" name="usernameField"/>
  <property value="role_name" name="pw_encoding_class"/>
  <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="groupMembershipGroupFieldName"/>
  </serviceInstance>
  <serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
  <property value="true" name="debug"/>
  <property value="true" name="addAllRoles"/>
  <property value="passwd" name="passwordField"/>
  <property value="role_name" name="groupMembershipGroupFieldName"/>
  <property value="jdbc/authschemaDS" name="data_source_name"/>
  <property value="REQUIRED" name="jaas.login.controlFlag"/>
  <property value="application_roles" name="groupMembershipTableName"/>
  <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
  <property value="FINEST" name="log.level"/>
  <property value="username" name="usernameField"/>
  <property value="application_users" name="table"/>
  <property value="username" name="user_pk_column"/>
  <property value="username" name="roles_fk_column"/>
  <property value="tolower" name="casing"/>
  <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
  </serviceInstance>
  thanks Edwin
  Edited by: biemond on Oct 19, 2008 10:50 AM

• Roles and their authorization profiles time period

  Can roles and their authorization profiles be assigned to a user for a limited time period?
  please reply
  Thanks
  Edited by: tracey_hrecc6.0 on Nov 1, 2010 5:24 PM

  Hi,
  It is possible.
  Read below links for more details
  http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
  http://www.sap-img.com/basis/frequently-asked-questions-on-authorization.htm
  http://help.sap.com/saphelp_wp/helpdata/en/cd/cc5664d22a11d296110000e82de14a/content.htm
  Regards
  S.Ravi
  Edited by: S.Ravi-at-SAP on Nov 25, 2010 5:36 AM

• SAP Basis Security in Sales order pricing - Help required

  Hi,
  My requirement goes like this:
  The ability to view cost and margin should be restricted
  The ability to add discounts and update price should be restricted
  Sales Directors, Sales Managers, Revenue Recognition and members of the Sales Ops team will be allowed to view cost and margin
  Sales Directors will have the ability to add controlled discounts (i.e. up to a pre-defined % value)
  Sales Ops will have the ability to add discounts without restriction
  Sales Ops will have the ability to maintain price overrides
  These are governed by Condition types such as PR00 etc., can you control it by using Authorization objects in sales order Item Condition tab for the particular USER?
  In T.code: V/06
  For E.., EK01/EK02, double click on it....You can find a sub screen "Changes which can be made". There u can enable whatever required by tick marking ...e.g., amount, value, delete etc.,
  Pricing procedure will be normally designed for a sales AREA and group of customers/Documents.
  Condition type values are stored in the form of condition record by using T.code: VK11. It is stored in table KONV and KONP.
  So, actually client needs like:
  Some users should NOT be allowed to change the price/discount.
  Also some are to shown in DISPLAY mode only.
  Some can add some conditions types too.
  Is it possible through SAP BASIS security?
  I am waiting for your valuable suggestions.
  Regards,
  Anbu

  Yes it is possible to restrict authorizations for condition types using authroization objects. Some user exits need to be used to meet the requirement. Refer OSS Note 105621 which gives a detailed procedure for customizing Authorization check for the condition screen.
  Regards,
  GSL.

• JHeadStart Security problem-error page cannot be found- role based security

  JHeadStart Security problem-error page cannot be found- role based security
  Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
  Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

  Thand you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and no by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
  To remind you my steps I paste the following again:
  JHeadStart Security problem-error page cannot be found- role based security
  Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
  Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

• HR Position Base Security Discussion

  Hello all,
  We all know the beauty of using HR position base security vs manual role assignments to user IDs.  Roles are automatically assigned and removed during a move with HR position base security.
  Recently a question came up regarding HR position base security and I have a few ideas on how to address the question but Iu2019m just curious how some of you have dealt with this issue.  This thread will be more of a discussion than a question.
  Issue/Example in regards to HR position base security:
  User-A is in position#1 and has been granted access to SAP after successfully completing SAP Accountant Training.
  Position#1 have the following roles:
  Z-Accountant
  Position#2 have the following roles:
  Z-Finance-Director
  If User-A got a promotion and is moved to position#2, he will automatically inherit Z-Finance-Director and assignment Z-Accountant will be removed. 
  How can you justify assigning Z-Finance-Director even though User-A did not take the SAP Finance Director training?
  Your response will be appreciated.
  Regards,
  John N.

  >
  Morten Nielsen wrote:
  > Hello John
  >
  > Well at the end of the day the roles are always assigned to the user.
  >
  > But what you can do is create a reletaion between the Role and an entity in you HR-OM System. Based on that, and an evaluation path, you can retrive the required role for the user and let the workflow assign it automatically. (You might need a HR consultant to help you out here).
  >
  > So infact you can decide if you want to map the roles to a Position, an organizational unit, a Job etc. (but as always it's a good idea to to decide on a strategi otherwise it can endup in a big mess )
  >
  > regards
  > Morten Nielsen
  Morten,
  If we decide to assign the roles to the HR position after the completion of the workflow it should assign the roles to the UMR (using RHPROFL0 & PFUD) automatically which is great.  But now that the roles are assigned to the position aren't we back on the same vicious cycle of a user authomatically inheriting roles on the position and at times not having training on the roles automatically assigned.
  Perhaps I just need to research the the following that you mentioned. 
  >
  Morten Nielsen wrote:
  >
  > But what you can do is create a reletaion between the Role and an entity in you HR-OM System. Based on that, and an evaluation path, you can retrive the required role for the user and let the workflow assign it automatically. (You might need a HR consultant to help you out here).
  >
  > regards
  > Morten Nielsen
  Again thanks for the suggestion.
  Regards,
  -John N.