Role Based Access through business roles? Switch b/w business roles?

Hey Guruz:
We have a situation where we want to really chop down on what the user should see in UI.
What this basically means is that we want to define job based business roles. In essence a user should only see what he is allowed to execute as part of his job function.
One solution would have been to create one business role and control everything through the PFCG role. But this would be a very unfriendly approach, as the user would never really know what is part of his job profile and what is not until he clicks on it and finds out that it doesn't work and he is not authorized for it.
To avoid the above situation, we want to give managers and users the liberty to pick their own combination of business roles that suits a user's job profile. I know this would mean we might have to create quite a few business roles, but at least it avoids redundant access.
Any thoughts are welcome.
Questions:
If a user is assigned multiple business roles how to switch without really logging off?
Can we have tabs or something on the header or nav bar which allows a user to switch b/w business roles?
Can the net effect of multiple business roles be combined when assigned to a user?
Thanks
KT

Hi KT
The whole concept around assigning a Business Roles is to provide a specific set of functions to a specific user or user group.
There should not be any reason for a User to log off from one role and then log in with another.
If, for example, you want a user to have some Sales Professional access as well as some Service Professional access, then you would copy the Sales Professional role to your own custom role, remove the Sales Professional attributes that you do not want, then add the required Service Professional attributes.
The WEB UI views can then be configured for that particular Custom role you have created.
Hope this helps
Arden

Similar Messages

  • To run OHS at port 80 using solaris role based access control

    Hi.
    I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
    On Solaris 10, I enabled the oracle uid to run processes below port 1024 using RBAC, in
    /etc/user_attr:
    oracle::::type=normal;defaultpriv=basic,net_privaddr
    I changed the OHS httpd.conf Listen directive from port 8888 to port 80.
    However, opmnctl startproc process-type=OHS
    failed as below, with nothing showing in the diag logs:
    opmnctl startproc: starting opmn managed processes...
    ================================================================================
    opmn id=truffle:6701
    0 of 1 processes started.
    ias-instance id=asinst_1
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ias-component/process-type/process-set:
    ohs1/OHS/OHS/
    Error
    --> Process (index=1,uid=187636255,pid=25563)
    failed to start a managed process after the maximum retry limit
    Thx,
    Ken

    Just to add my two cents here.
    The command used on Solaris to assign the privilege needed to bind TCP ports below 1024 is:
    # usermod -K defaultpriv=basic,net_privaddr <your_user_name>
    Restart the opmnctl daemon.
    After that OHS/Apache user can bind to lower TCP ports.
    Regards.
    Edited by: Tuelho on Oct 9, 2012 6:05 AM

  • Role Based Access problem in forms

    This would be a long reading.
    I'm having a problem with forms Role Based Access.
    We have two databases, one in London and one in Zurich. We have installed
    application server and oracle forms on London database. We have implemented
    Role Based Access to forms. For this we have created a database role (say ZUR_USER)
    in both databases. The view FRM50_ENABLED_ROLES which is used by forms role based access control
    is also created in both databases with a 'grant select to public'.
    Our form system has a menu and forms under that menu. Both menu and the underlying forms have been
    assigned Menu Security/Item Roles to the above mentioned ZUR_USER role and the role is assigned
    to various users.
    Now a Zurich user is trying to login to Zurich database using the URL for forms installation
    in London server. He can login successfully and can see the menu heading in the main screen but
    when he clicks the menu he doesn't see the underlying forms list.
    When we try the same user id and database from London (using the same URL) we see all the forms.
    Any idea what we are missing? The Menu Security is set up at the menu level as well as at the form level under
    that menu. User can see the menu but not the form under that menu from Zurich. No such problem while
    login from London.

    I'm using Forms 10g, and yes, the only difference is between login from Zurich and from London.
    Problem definitely is due to Role Based Access setup.
    The user in Zurich can see the Menu but not the items under that menu.
    I have set the security set up at both menu and menu item(i.e. form name) level.

  • Role Based Access Control in Java

    Hi,
    we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
    I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on java.security.acl and I'm wondering how that package works together with the RBAC pattern (or is the pattern already implemented in some package)?
    Does anyone have any comments on this? Thanks
    Dave

    Hi David,
    Permissions based on GUI components is a simple and neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of responsibilities of objects. Also, your Roles and Access components are coupled well with Views!
    My suggestion regarding the Management Beans only has to do with the dynamic modification towards which our discussion was going.
    If we go back to our fundamental objective of implementing role based access control, let me put some basic questions.
    We have taken the roles data from a static XML file during the start-up of the container. The roles or access need to be changed dynamically while the container is running. You would scrutinize the changes of roles and access before granting permission in the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist? When the container is restarted, don't you want the changes to stay?
    If the answer to the above is YES (yes, I want to persist changes), how about doing a write operation (update role/access) on the XML file and continuing your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO (no, I don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!
    One hurdle could be how to let all neighbouring servers know about the changes in roles and access. An MBean or App Server API could help you with this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • ADF UIX Role Based Access Control Implementation

    Hi,
    Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
    The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
    Can this be done using JAZN or JAAS? If so, please provide me references to a simple tutorial on how to do this.
    Thanks a lot.
    Sathya

    Brenden,
    I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
    If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web-based console in Oracle Application Server. To configure security this way, you would have two options:
    1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain them by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
    The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml.
    2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
    The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
    Options 1 and 2 have the benefit that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
    Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
    Two links that you might be interested in to read are:
    http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
    http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer Pages. You may not be able to use all of it, but it's a good source of information.
    Frank

  • Role Based Access in Struts

    Hi,
    I wanted to know how to include Role Based Access in my Struts application.
    Does Struts provide any mechanism to accomplish it?
    If yes, then how can it be done?
    Thanks
    kurt

    Hi Velu,
    Yes, this is exactly what Access Manager (now called OpenSSO, btw) can do.
    In your first use case, you would simply create two policies. The first one would allow only users in the admin group access to the admin application (e.g. https://someserver.example.com/admin/*). The second would allow users in the employee group access to the remaining two applications (e.g. https://someserver.example.com/app1/*, https://someotherserver.example.com/app2/*).
    In your second use case, the policies would be similar - first policy would allow users in the admin group to access https://someserver.example.com/app3/*, second policy would allow users in the employee group to access only https://someserver.example.com/app3/employees/*.
    Cheers,
    Pat

  • Any best practice to apply role based access control?

    Hi,
    I am starting to apply the access permissions for new users as being set by admin. I am choosing Role Based Access Control for this task.
    Can you please share the best practices or any built-in feature in JSF to achieve my goal?
    Regards,
    Faysi

    Hi,
    The macro pattern is my work. I've received a lot of help from forums as this one and from the Java developers community in general and I am very happy to help others and share my work.
    Regarding the architect's responsibility of defining the pages according to the roles that have access to them: there is the enterprise.software infrastructure.facade java package.
    Here I implemented the Facade GoF software design pattern in the GroupsAndRolesAccessFacade java class. Thus, this is the only class the developer uses in order to define groups and roles of users and to define their access per page.
    This is according to the Java EE 6 tutorial, section VII Security, page 471.
    A group, role or user is created with an Identity Management application or by a custom application.
    Pages of the application and their sections are defined or modified together with the group, role or user who has access to them.
    For this you can use the createActiveGroup and createActiveRole methods of the GroupsAndRolesAccessFacade class.
    I've been in situations where end users were very strict about the functionality of the application.
    If you try to abstract web development, you can think of writing to the database, reading from the database and modifying the database as actions.
    Each of these actions should have a suggester, an approver and an implementor.
    Thus you can't call the createActiveGroup method, for example, without first calling the requestActiveGroupCreationHelper and then the approveOrDeclineActiveGroupCreationHelper method.
    After the pages a group has access to have been defined with the createActiveGroup method, a developer can find out the pages and their sections a group has access to by calling the getMinimumInformationAboutGroup method.
    Furthermore, if the application is very strict, that is, if every action which involves writing to the database must be recorded, this concept of suggester, approver and implementor is available through the recordActiveGroupAction method.
    For example, there is a web shop whose managers can change the prices of the products, but the boss will want to know who dared to lower prices.
    This action of lowering prices is an action of modifying the information in the database, and you can save in the database who suggested it, who approved it and who implemented it.
    Now that I write about the functionality of the macro pattern, I realise that some methods should have more proper names and I haven't had time to write documentation in the API, but this will be complete when I add the web pages for the architect to use for defining access control and for the end users to view who is doing what with their application.

  • Database design for Role/User based access to the application..

    We want to implement Role/User based access to the application.
    Can anyone tell me what's the optimized way of storing the data {User, Role, Access_Type etc} in the database? The roles might get added in the future, so I don't want to maintain a single table that maps User to Access_Type like this:

             | AT_1 | AT_2 | ... | AT_N |   (Access_Type)
    ---------|------|------|-----|------|
    User_1   |      |      |     |      |
    User_2   |      |      |     |      |

    I want to maintain a table which will map the user to the Access_Type, which should be maintained in a different table.
    Any help would be highly appreciated.
    Thanks in advance,
    Shridhar

    You find your answer here:
    http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html

  • Portal and role based access

    We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
    We are trying to kind of use our portal as a web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPN's.
    -thanks

    1. You can configure your portal on HTTPS (SSL). That keeps it on secure SSL layer.
    2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
    3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
    4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
    I don't think a VPN will be needed when you have an extranet portal (as you hinted at internet for guests).
    You can have a darn strong access control using this mechanism.
    hope that helps!
    AMN

  • How do I set up a Web-based access page to allow access to the internet through my router?

    My wireless router is a WRT54G.  I own/manage several condos in a building and guests change all the time.  I want to set up a network with internet access similar to hotels and airports where access is granted after being directed to a web page and entering a password.  How do I set this up?  (I have several domains/websites if this is needed.)

    Not with standard firmware and no other equipment.
    If you want standard firmware and warranty and service you have to look at more expensive equipment.
    For some WRT54G models you can flash 3rd party firmware which opens up the Linux on the router. See the Wikipedia article for "WRT54G" for a start. Also check out dd-wrt. Some people there use the WRT in hotspot setups with dd-wrt. They should be able to point you in the right direction.
    Otherwise, what you are able to do with the WRT and standard firmware is radius authentication with WPA or WEP (called WPA Enterprise or similar...). This however, does not redirect you to access through a web site. You have to enter the username and password when you connect wireless to the router on your computer. If it matches you get access. Again: there is no web site involved here and if you don't know the username/password you cannot access anything not even an internal, free homepage. This also does not work for wired access to the router.
    Message Edited by gv on 11-25-2007 08:44 AM

  • Permission based access

    I'm guessing this is a fairly common need, but I'm not sure what the proper way to implement it is.
    I need to enable our WL7 application to support users with custom permissions. I have already implemented a set of custom security providers that allow us to authenticate against our database. The next step is supporting "feature" or permission based access to various application components. I understand how to configure the security on weblogic resources, but that is not granular enough for me.
    In our system, each user is granted a set of features or functions that they have access to. This may be a global action, such as "Create a user", or it may be very specific, such as "Change zip code". Our application logic needs to check these permissions (and either deny access or modify a menu or some other logic).
    My first pass at this was to get security working at the weblogic resource level. Then I wrote a utility class that will take a subject and check if it has the permission in our database. This works, but it's done outside of the JAAS security model and I'm trying to do this the "right" way. It seems to me that I need to set up a JAAS security policy and associate Permission objects with the features that I need to secure, but I don't know how to do this in the context of a weblogic application.
    What is the proper way to do this? Can someone give me some tips or point me towards some useful documentation?
    Thanks,
    Matt

    I don't have any code that I can send you right now (it would take me too long to rip out my company's proprietary stuff), but here's the approach I took.
    I started from the sample providers that are available on dev2dev ( http://dev2dev.bea.com/code/codedirect.jsp?highlight=codedirect ). From there, I just removed the providers that I didn't need. In the sample framework, there are a set of database classes that implement the user storage. In the samples, the users are stored in a properties file on the disk. I just replaced the code in those files with the appropriate database lookups in my environment.
    A couple of things that took me time to work through:
    1. You must create a user that is in the Admin group for the server to start under. I was not successful in separating the authentication mechanism for the server id and the users.
    2. You cannot use the weblogic datasources or connection pools to access your database. Since the server id is authenticating against your custom provider, the datasources and pools have not yet been created.
    3. I had trouble configuring my realm using the console. There seemed to be an intermittent bug that kept my realm information from being persisted into the security store. I exported the security realm configuration into an xml file, modified the xml file to exactly what I wanted, and loaded it back into the server. The process for doing this is available in the docs ( http://e-docs.bea.com/wls/docs70/admin_domain/failures.html#1106023 ).
    I would love a workaround for 1 and 2, but so far I haven't found one.
    Good luck!
    Matt Galvin
    GoSolutions
    "Amit" <[email protected]> wrote in message news:[email protected]...
    > Hi Matt
    > In your mail to BEA groups you have mentioned that you have implemented authorization/access privileges against your DB.
    > I need to implement similar functionality where I need to store userid, password, role in the DB and then make users access Weblogic 7.0 resources based on the roles stored in the DB. Could you provide me some code or pointers that could help me?
    > Thanks and regards,
    > Amit
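    One normalized layout for the User / Role / Access_Type tables Shridhar asks about above, which is also the database lookup Matt's utility class performs for a subject and gives the combined effect of several roles that KT asks about at the top of the page. This is an added example, not code from any of the posts; table names, column names, the sample roles and the access types are all constructed, and the users + user_roles pair follows the two-table shape described in the Tomcat realm how-to linked above.

```sql
-- Constructed example schema (not from any post on this page).
-- Each role and each access type is a row, so adding one never alters a table shape.

CREATE TABLE users (
    user_name   VARCHAR(64)  PRIMARY KEY,
    user_pass   VARCHAR(255) NOT NULL        -- salted password hash, never the plaintext
);

CREATE TABLE roles (
    role_name   VARCHAR(64)  PRIMARY KEY,
    description VARCHAR(255)
);

-- One row per feature/function ("Create a user", "Change zip code", ...).
CREATE TABLE access_types (
    access_type VARCHAR(64)  PRIMARY KEY,
    description VARCHAR(255)
);

-- Which roles a user holds (users + user_roles is the layout the Tomcat realm how-to describes).
CREATE TABLE user_roles (
    user_name   VARCHAR(64) NOT NULL REFERENCES users(user_name),
    role_name   VARCHAR(64) NOT NULL REFERENCES roles(role_name),
    PRIMARY KEY (user_name, role_name)
);

-- Which access types a role grants: the level kept out of the user table.
CREATE TABLE role_access (
    role_name   VARCHAR(64) NOT NULL REFERENCES roles(role_name),
    access_type VARCHAR(64) NOT NULL REFERENCES access_types(access_type),
    PRIMARY KEY (role_name, access_type)
);

-- Constructed sample data (multi-row VALUES is MySQL/PostgreSQL/SQLite syntax;
-- Oracle needs one INSERT per row).
INSERT INTO roles VALUES
    ('sales_professional',   'Quote and order handling'),
    ('service_professional', 'Service ticket handling');
INSERT INTO access_types VALUES
    ('create_quote',    'Create a quote'),
    ('change_zip_code', 'Change a customer zip code'),
    ('close_ticket',    'Close a service ticket'),
    ('create_user',     'Create a user');
INSERT INTO role_access VALUES
    ('sales_professional',   'create_quote'),
    ('sales_professional',   'change_zip_code'),
    ('service_professional', 'close_ticket'),
    ('service_professional', 'change_zip_code');
INSERT INTO users VALUES ('kt', '<password-hash placeholder>');
INSERT INTO user_roles VALUES
    ('kt', 'sales_professional'),
    ('kt', 'service_professional');

-- Net effect of every role a user holds: the union of their access types.
-- DISTINCT collapses change_zip_code, which both roles grant.
SELECT DISTINCT ra.access_type
FROM   user_roles  ur
JOIN   role_access ra ON ra.role_name = ur.role_name
WHERE  ur.user_name = 'kt'
ORDER  BY ra.access_type;

-- Point check for one feature before enabling a menu item or running the action.
-- A count of 0 means deny: anything not granted by some role is denied by default.
SELECT COUNT(*) AS grants
FROM   user_roles  ur
JOIN   role_access ra ON ra.role_name = ur.role_name
WHERE  ur.user_name   = 'kt'
AND    ra.access_type = 'create_user';

-- Per-role breakdown for the UI, so a user can see which role brings which function
-- instead of clicking to find out what is not authorized.
SELECT ur.role_name, ra.access_type
FROM   user_roles  ur
JOIN   role_access ra ON ra.role_name = ur.role_name
WHERE  ur.user_name = 'kt'
ORDER  BY ur.role_name, ra.access_type;
```

    Role removal is a single DELETE from user_roles, and the permission of a feature can be withdrawn from every holder at once by deleting its role_access row; neither touches the users table.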

  • Access through internet

    Hi all,
    Currently we have a mainframe application which is accessed through the internet. On the client's website there is a link which navigates to this application. Once the user enters the VPN credentials, it lets us access the data.
    But currently they want to integrate this application into the portal. Without making the portal external-facing, is there a way by which they can access this application through their website -> portal?
    Thanks,

    You need not create a role and a page and all that.
    Just create a URL iView for the Portal and preview the iView, obtain the URL and stick that URL in your website with proper SSL encryption.
    Make sure you understand the concepts of SSL and the use of the Web Dispatcher if you plan on using the portal on the internet. Also make sure you have URL filtering so only specific URLs can be accessed via SSL.

  • Access to business partners denied. User "so and so" is not a sales employee

    Hi all,
    I was trying to create a snapshot in outlook in a users computer but unfortunately the system displays a strange message:
    Access to business partners denied. User "so and so" is not a sales employee
    The user is a member of Sales Employees/Buyers. Well, what I mean is that the sales name is there but not the user name, i.e. Frank Blank is there but not FrankB, for example.
    Any ideas ?
    Thank you,
    MB

    Hi Matthew,
    Interesting message, as we use the O/I add-on. On the EMD record, go to the Membership tab and add 'Sales Employee' under "Role" to the EMD record. Shot in the dark, but that's all I got.
    HTH,
    Heather

  • Access Controlled Business Object ??

    Hello,
    Can anyone share few views about Access Controlled Business Object and RBAM Data. I have never used them before and wanted to know more about these like how it affects the security and all.
    Please don't point to any reference links or PDFs to see the info about Access Controlled BOs because I have already read enough material and all I had is confusion.
    So, kindly share your personal views about this topic here rather than referring to a document which is somewhere else.
    Thanks in advance.
    regards,
    vatsav

    Hello Vatsav,
    I have used an employee association with access context to "1000 - Employee Self Service" and "1003 - Management". It works very well.
    In my case a simple business user should see only their own data (1000 - Employee Self Service) and a business user with a management role (1003 - Management) can see all data.
    If you want to use a different logic (such as access context code 1000/1003/1007), maybe you have a problem.
    Regards,
    Kay Kressner

  • Internet Access through TMG for all HO & Branch office

    Dear Experts!,
    I am new to Forefront TMG 2010. I have a requirement to implement internet access.
    Head office : 192.168.11.x/24 (192.168.11.1 is the TMG server)
    Branch Office 1: 192.168.12.x/24
    Branch Office 2 : 192.168.14.x/24
    Branch Office 2 : 192.168.16.x/24
    Forefront TMG 2010 standard edition.
    It has 3 NICs; two have different ISP network addresses and one has 192.168.11.1.
    Branch offices are connected using an MPLS network; the requirement is that all branch site internet must be accessed through the TMG 2010 server which is homed in the Head Office. How do I achieve this?
    What needs to be done in the external firewall and in TMG for enabling internet access?
    Thanks!
    Regards, Ganesh, MCTS, MCP, ITILV2

    Hi Ganesh,
    Hope this helps
    1. If you wish to give internet access to users through a proxy:
    Ensure the subnets below are able to reach the TMG internal interface, that is 192.168.11.1.
    Subnets
    Branch Office 1: 192.168.12.x/24
    Branch Office 2: 192.168.14.x/24
    Branch Office 2: 192.168.16.x/24
    Configuration
    Enable the proxy in TMG and configure the proper ports as per your requirements.
    On the client IE, set the proxy IP to the TMG address and the port configured in the TMG configuration.
    Enable a rule:
    Access Rule
    Source: Internal
    Destination: External
    Ports: HTTP / HTTPS
    Users: Authenticated Users
    2. If you wish to give internet access as a normal gateway to users:
    You need to request your MPLS provider to change the default route of the subnets below to 192.168.11.1. By doing this, all the internet requests from these subnets will hit TMG.
    Subnets
    Branch Office 1: 192.168.12.x/24 Default Route 192.168.11.1
    Branch Office 2: 192.168.14.x/24 Default Route 192.168.11.1
    Branch Office 2: 192.168.16.x/24 Default Route 192.168.11.1
    If you have an L3 switch then you can also make the L3 switch the default gateway for all the subnets and from the L3 device point it to TMG.
    Enable a rule:
    Access Rule
    Source: Internal
    Destination: External
    Ports: HTTP / HTTPS
    Users: All Users (Important)
    Two ISPs
    In network rules you need to use NAT.
    You will have a rule which NATs Internal to External.
    On External, choose which ISP interface should be used and apply the NAT rule.
