Role Based workflows & Sync Options

Hi Team,
I would like to know if the system allows for role based rights in authoring the content. E.g.: teachers have the right to edit content while the student can only view or download the content.
What are the Sync options available? Does the content automatically get updated when moving from offline to online mode?

Hello and welcome to the forum,
Are you a newbie with Captivate? The published version (either SWF or HTML5) cannot be edited, only the 'raw' unpublished CPTX or CPVC files can be edited. So, your teachers should need to have Captivate installed and then they can edit cptx/cpvc files and republish them. For students you upload published output to a LMS or a webserver.
Lilybiri
Sorry forgot about sync, no, since you have to republish when file has been edited.

Similar Messages

  • Design pattern for role based workflows

    Hello,
    I'm new to APEX and I am wondering whether it is easily possible to design a multi role workflow application without creating a new page for each workflow step.
    I'll try to explain what I mean:
    Assume we have 2 roles and a workflow with several steps. The 2 roles work on one single document, and they complete it step by step. In each step, additional information is added to the document by one of the roles while information already entered is visible, but cannot be changed any more (except if the user goes one step back to a state where the information can be edited).
    Is there an easy way to define such a flow of steps (which can be modeled by a state machine) ?
    Is there an easy way to define which fields in a page are visible or editable depending on the current step (i.e. on the state of the document) ?
    Is there an easy way to define which fields in a page are visible or editable depending on the role of the user ?
    Maybe you can point me to some documentation or give me some APEX specific key words as a hint.
    Thank you,
    Markus

    > I am wondering whether it is easily possible to design a multi role workflow application
    Depends on your definition of easily ;-)
    > I'll try to explain what I mean:
    > Assume we have 2 roles and a workflow with several steps. The 2 roles work on one single document, and they complete it step by step. In each step, additional information is added to the document by one of the roles while information already entered is visible, but cannot be changed any more (except if the user goes one step back to a state where the information can be edited).
    > Is there an easy way to define such a flow of steps (which can be modeled by a state machine) ?
    Not clear on what's really involved here. Could you expand on what you mean by "document"? What's involved in completing a step? Do you have an existing implementation of a "state machine"?
    > without creating a new page for each workflow step.
    Can you clarify this requirement? All steps in a workflow are shown on one page? Or you want a generic workflow application (based on an underlying flexible data model/"state machine"?) rather than an APEX application that automates one particular workflow?
    > Is there an easy way to define which fields in a page are visible or editable depending on the current step (i.e. on the state of the document) ?
    Yes. See Conditional Rendering and Processing and Displaying Read Only Page Items.
    > Is there an easy way to define which fields in a page are visible or editable depending on the role of the user ?
    Yes. See Authorization.

  • Roles vs Workflow for manual update record issue

    I am sorry for taking your time but I need some HELP as we go live with MDM and there is still one open topic that is connected to workflow implementation.
    Do you have maybe someone who can advise me on a solution or workaround to solve this issue? See description below.
    We are using role based workflow (few of workflows triggered one by one depends on the task that needs to be performed)
    As agreed with our client the several users are not allowed to:
    Modify (add/remove) original records
    Start workflows
    Check out / roll back records 
    Our solution provides them with the option to do any kind of modification on Check Out records, and that action is triggered as an automatic result of import records.
    NOW a small issue appeared since the import from MDP is made based on a new report that does not have several fields that we were using to determine what items from materials will change.
    So the next idea was to do that manually since it happens only few times a year for more or less 10 items. And that is where the problems started.
    I want to have a small workflow that will do as follows:
    Check Out Record -> Allowed to make changes -> Send to the next step (Approval process will be started)
    but we do not want to allow them do Checkout record or add to job
    (It can be only acceptable if we can allow them to add to ONE of the workflows but not all of them)
    I tried also to use the trigger actions Record Update2 but Workflow checkout occurs after record update (update applied to original record) so that is not applicable too, since we want to keep original data in case someone rejects the new changes (that way we can always go back to original records). I would rather need something like Record Import only without the import part (it checks out the record and only then it allows to do any changes). ;P
    If the description is not clear let me know I will try to “translate it to easier English”
    Hope to hear from someone soon 
    Aleksandra

    From reading your question, I gather the following:
    You would like for users to be able to edit a record, which will automatically trigger a workflow, and if it's rejected then it should roll back the changes.  However, the user should not be able to manually start the workflow, it must be started and launched automatically on record edit.  Does that sound correct?
    If so, then you may have an issue.  While an edit can be used to launch a workflow, the workflow is not geared towards approving that edit.  It's assumed that other changes will be made, and those changes are the ones that will be approved or rejected.  This seems a bit strange I know, and hopefully this issue will be addressed in future versions.  However, I think your only alternative is to have the users be able to start their own workflows.  You can probably use a security role such that a user can't modify normal records, but can only modify records that are checked out to them.  Then you would have to modify your workflow such that it only contains one record at a time, this way the user would not be able to add multiple records to the workflow.
    Does that make sense?  I hope this helps.

  • Roles based ' N 'step BADI

    Hi,
    Could anyone tell me how to do the role based workflow using 'N'step BADI, and also send sample code?
    Thanks.
    Prasad.

    Check with SRM forum; I think this question was discussed there. It seems some parameters in BADI need to be populated for this issue.
    Thanks
    Arghadip

  • Assign the roles based on organisation structure

    Hi all,
    I am Sukumar, new to GP and CAF. I have a problem with the user management.
    The scenario is an HR process without the SAP HR module.
    We have to integrate the user roles with each of the activities based on the login at runtime.
    Example: an org contains different departments.
                   The GP process flow is the same but the approver role is different for each department. I am not interested in creating a role for each department.
    Please advise how to integrate the single process role with the organisation structure.
    Thanks in advance
    Sukumar

    We have the scenario as below:
    We need to integrate the third party HR system ORG structure entity with the role based travel management approval task.
    But the process and workflow structure for all the departments are the same.
    Only the roles are different for each user.
    No need to display the standard approval role in process initiation.
    The custom role should be populated based on the selection from the first action.
    Example: if the user needs cash and he selects the cash need option from
                  the first action, then the finance approver should appear in the next action.
                  If not, it should not appear.
    Please advise which GP callable object is best for this process.
    I have a plan to use Web Dynpros.
    Regards
    Sukumar

  • How to access same iPhoto library from MacBook and iPad without making a copy (sync option)

    I have a simple question to you guys (tried to sort it out with Apple tech support but no luck there!)
    How can I set up iPhoto in a way that I can have access to the same files from iPhoto on MacBook and from iPhoto app on iPad? I do not wish to sync files as this will create a copy of a file and also when for example you do editing of an image on Mac you want that to automatically reflect on a file being viewed later on on iPad (and the other way around) without the need of a sync option.
    I tested this with photo stream but the problem there is that in order to make any changes to an image you HAVE to do it in the library folder, you can not do it in the photostream, i.e. you took a pix on your iPhone, - photostream pushed it to your iPad and to your Mac, - you've decided to let's say crop the image on Mac then you've closed that image. When then you open the same image on your iPad (or iPhone) the image is not cropped, why? Because you've edited an image inside the iPhoto library on the Mac and didn't sync it with iPad.
    So it would be great if iPhone and Mac worked with the same library - save space and cleaner workflow!

    And again
    there is no solution today
    You can not - there is no commonality between iPhoto on the Mac and on the iPad except the name
    You can sync - you can use PhotoStream - you can not share a library - and IOS devices can not access external hard drives and if they could they can not read the contents of the iPhoto library since there is no commonality between iPhoto on the Mac and on the iPad except the name
    You can put your iPhoto library on an external drive if you wish as long as the volume it is on is formatted Mac OS extended (journaled) - but that does not change the fact that neither the iPad nor the iPhone can access it since there is no commonality between iPhoto on the Mac and on the iPad except the name
    It really is extremely simple - you can not do it today
    Period
    LN

  • Renumbering with ACL-Friendly Role-Based Addressing or...?

    We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
    As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
    Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
    From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
    Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
    Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
    Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
    Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
    Thanks in advance for your ideas!
    -Aaron
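
The Option 1 IPv4 layout from the post above, worked through as an added example (not part of the original post): it builds the /29 for a given site, switch and device class, and derives the single address/wildcard pair that matches one class on every site and switch. The site, switch and class numbers are constructed, and the single-ACE match assumes the platform accepts non-contiguous wildcard masks.

```python
"""Option 1 plan: 10 . <site:8> . <switch:6><class:7><host:3>  (an added sketch)."""
import ipaddress

# Field widths as stated in Option 1 of the post.
SITE_BITS, SWITCH_BITS, CLASS_BITS = 8, 6, 7
HOST_BITS = 32 - 8 - SITE_BITS - SWITCH_BITS - CLASS_BITS  # 3 bits left -> /29
CLASS_SHIFT = HOST_BITS
SWITCH_SHIFT = CLASS_SHIFT + CLASS_BITS
SITE_SHIFT = SWITCH_SHIFT + SWITCH_BITS
BASE = 10 << 24  # 10.0.0.0/8


def _check(name, value, bits):
    """Reject identifiers that would spill into a neighbouring field."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def subnet_for(site, switch, dev_class):
    """Return the /29 assigned to one device class on one access switch."""
    _check("site", site, SITE_BITS)
    _check("switch", switch, SWITCH_BITS)
    _check("dev_class", dev_class, CLASS_BITS)
    value = (BASE | (site << SITE_SHIFT) | (switch << SWITCH_SHIFT)
             | (dev_class << CLASS_SHIFT))
    return ipaddress.IPv4Network((value, 32 - HOST_BITS))


def usable_hosts(reserved_for_gateway=1):
    """Addresses left for devices after network, broadcast and gateway."""
    return (1 << HOST_BITS) - 2 - reserved_for_gateway


def class_ace(dev_class):
    """Address/wildcard pair matching dev_class on every site and switch.

    Only the leading octet (10) and the class field are compared; the site,
    switch and host bits are wildcarded, so the mask is non-contiguous.
    """
    _check("dev_class", dev_class, CLASS_BITS)
    care = (0xFF << 24) | (((1 << CLASS_BITS) - 1) << CLASS_SHIFT)
    address = BASE | (dev_class << CLASS_SHIFT)
    wildcard = ~care & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(address)),
            str(ipaddress.IPv4Address(wildcard)))


def ace_matches(host, ace_address, ace_wildcard):
    """Evaluate an address/wildcard entry the way an ACL lookup would."""
    h = int(ipaddress.IPv4Address(host))
    a = int(ipaddress.IPv4Address(ace_address))
    w = int(ipaddress.IPv4Address(ace_wildcard))
    return ((h ^ a) & ~w & 0xFFFFFFFF) == 0


def decode(host):
    """Recover (site, switch, dev_class) from an address inside the plan."""
    h = int(ipaddress.IPv4Address(host))
    if h >> 24 != 10:
        raise ValueError(f"{host} is outside 10.0.0.0/8")
    return ((h >> SITE_SHIFT) & ((1 << SITE_BITS) - 1),
            (h >> SWITCH_SHIFT) & ((1 << SWITCH_BITS) - 1),
            (h >> CLASS_SHIFT) & ((1 << CLASS_BITS) - 1))


if __name__ == "__main__":
    # Constructed identifiers: site 3, access switch 12, device class 20.
    net = subnet_for(3, 12, 20)
    addr, wild = class_ace(20)
    print(f"subnet {net}, {usable_hosts()} device addresses")
    print(f"one ACE for class 20 everywhere: permit ip {addr} {wild} any")
    for probe in ("10.3.48.161", "10.7.4.165", "10.3.48.169"):
        print(probe, decode(probe), ace_matches(probe, addr, wild))
```

Because the class field straddles the third and fourth octets, the per-class ACE is not a prefix; anything that summarizes or audits these ACLs has to treat the mask as a bit pattern rather than a CIDR length.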

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
    My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was going forward.
    If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO (no, I don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • Time Based Workflow - how to make it work?

    Hello,
    Has anyone successfully built a Time Based Workflow? Could you share your examples?
    For me it does not work properly.
    I have tried to set up 2 workflows: on Opportunity Close Date and Account Contract Expiration Date.
    - Account Contract Expiration Date: I want an Account Owner to get an email notification exactly 6 months before the contract with his client expires. However - the email is triggered each time the record is modified - so I have seen in the workflow monitor that users on the date of contract expiration - 180 days will receive as many emails as many times they modified the record! Is there a way to avoid this situation?
    - Opportunity Close Date - I want to send an email to Opportunity Owner's Manager - 10 days after the opportunity was closed. However - there will be the same issue as above + the wait action is not working with a PRE function.
    Please let me know what you think and if you have already built a Time Based Workflow that works correctly.
    Edited by: MagdaR on May 18, 2010 1:57 AM

    Let's start with the workflow for Opty Close Date.
    There are a lot of ways to do this, so you'll need to evaluate which way is best for your case, but the basics are to check to ensure that the opty is closed for the first time, then set the flag. In order to accommodate for the opty being closed when it is created, you will have to consider a post default for the flag in addition to the workflow.
    In this case, you could create a workflow on Opty using the before modified record saved trigger event. In the Rule Condition, have the workflow check for a closed opty and if the status changed to closed during this modification. There are a number of options to validate this, including sales stage = Closed/Won or Lost, Closed Date is populated for the first time, Status is closed. In any case, just validate that the opty was closed for the first time using the PRE Function (i.e., PRE(Closed Date) is null and PRE(Closed Date)<>Closed Date). When your condition is met, set a flag that will trigger the event. You could also add a date that the wf conditions were met the first time, to ensure that you track when the rule was originally triggered.
    The next step is to have a workflow that unsets the flag if the conditions are not met. Set the order on this one to follow the rule above.
    The last rule is the wait/email rule and it uses the when modified record saved event. This rule triggers on the flag being checked, then waits to send the email.
    Test this and validate that it will work for your purposes. Based on this workflow, you should be able to create the other one, and I can help if you have any issues.
    Good Luck,
    Thom

  • Role based data visibility is not working in Round manager

    I am looking for role based data visibility in Syclo round manager application where technician will see the data which is assigned to his name only (not all the data). I have created one custom role in SAP system and it's working fine. It's showing the below message:
    Now I want to implement the same in Syclo round manager. So I went to the SAP configuration panel and set the same user role on the security setting in class handler. Z_SYCLO_RM_ROLE is the custom role which I mentioned earlier. I tried with different options in this tab but it's not working.
    Please let me know if I missed something to mention or is there any other process I need to follow.

    > is not working
    Insufficient information. In what way is it "not working"? The page doesn't render as required? There's an error message? The browser crashes? The server room has been trampled into dust by a herd of buffalo?
    > I am unable to make it as page form / report.
    > v1 := v1 || ' ' ||'<input inline type =submit style="color:BLUE;background-color:RED" value='||c2.plot_id||'>';
    > ...
    It is not possible to generate form elements in an APEX page in this way. The APEX_ITEM API (http://download.oracle.com/docs/cd/E14373_01/apirefs.32/e13369/apex_item.htm#CACEEEJE) is the only way to create APEX items in PL/SQL. However it contains no procedures to generate button items, so an alternative design is required in this case, e.g. a report with links.
    (Also what is the intention of "inline" in the above code? There is no inline attribute (http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#h-17.4).)

  • EAM ID based or Role based? Why settle for just one?

    G'Day All,
    I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.
    ID-Based Firefighting vs. Role-Based Firefighting
    So this is where I am at this point:
    From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
    - Id Based: Logs in using own U.ID and through GRAC_SPM accesses FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc)
    Only one user at a time can use a FFID.
    Firefighter need not exist in every system assigned to them due to central logon however they need to exist in the GRC system
    Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing)
    Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
    Two Log ins so potential to commit fraud. (1 action using own UserID and 1 action using FFID)
    Could be hard to track and find out when a fraud has been committed so can be a problem with auditors.
          ID Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFIDs assigned to you
          ID Based -> /n/GRCPI/GRIA_EAM : TCode for Decentralised FFighting -> You can see the FFIDs assigned to you
    - Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID. 
    Multiple users can use the FFROLE at once.
    Firefighter has to exist in every system assigned to them - so multiple logons.
    Hard to differentiate between FF tasks and normal tasks as no login required. So easy to slip up
    Time consuming to track FF tasks - No Specific log reports. No Reason Codes
         R.Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFROLEs
         R.Based -> /n/GRCPI/GRIA_EAM : TCode for Decentralised FFighting -> Not applicable so won't work
    So based on this there are pros and cons in both however according to SAP only one can be used. To me personally,  it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?
        . Really critical tasks -> FFID
        . Normal EAM tasks -> FFRole
    Alessandaro from the original post pointed this out:
    "Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
    Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.
    However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
    So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
    What is stopping us from using it when ID based is the default?
    If I were to do the following does it mean I can use both ?
        . Config Parameter: 4000 = 1 (GRC System) -> ID Based
        . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
    Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:
       . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
    However for ID based, it is a Central Logon, so the following is a must:
        . Config Parameter: 4000 = 1 (GRC System) -> ID Based
    Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way I leave it you experts and I hope you will shed some light on it.
    Cheers
    Leo..

    Gretchen,
    Thank you for thoughts on this.
    Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
    My query/issue is not in regards to if/what SAP needs to do about this or why there isn't more support from Companies/Organizations and not even, which one is a better option.
    My query is what is stopping us(as in the end users ) from using both ID/Role based at the same time?
    Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
    Scenario
    I've created the following:
    FFID
    FFROLE
    Assigned them to, two end users
    John Doe
    Jane Doe
    I set the Configuration Parameters as follows: 
    IMG-> GRC-> AC-> Maintain Configuration Settings -> 4000:1 - ID Based
    IMG-> GRC (Plug-in)-> AC-> Maintain Plug-In Configuration Settings-> 4000:2 - Role Based
    User1
    John Doe logs into his regular backend system (ECCPROD001)-> executes GRAC_SPM-> Enters the GRC system (GRCPROD001)-> Because the parameter is set to ID based in the GRC Box, so he will be able to see the FFID assigned to him-> and will be presented with the logon screen-> Logs in -> Enters the assigned system (let's say CRMPROD001). At this point the firefighting session is under progress.
    User2
    Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLE. This is done at the same time while FFID session is in progress.
    So all I want to know is if this scenario is possible? if the answer is No, then why not?
    I physically carried out this scenario in my system and I had no problems(unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
    Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
    So there you have it. That's the whole enchilada(as they say there in Texas). I tried to word my thoughts as concisely as I can, if there are still any clarifications, more information you or anyone else reading this would like, please do let me know.
    Regards,
    Leo..

  • OBIEE SSO enabling and role based reporting

    Hi,
    I had installed SOA10.1.3.1.0 and OBIEE10.1.3.4.0 already on my WINDOWS. I understand that I need to install 10.1.4 infrastructure to enable SSO in OBIEE, can you please tell me what is 10.1.4 infrastructure? Is it equivalent to Oracle Identity Management Infrastructure and Oracle Identity Federation 10.1.4? I tried to download this from OTN since last night, but the page is always inaccessible. Where can I download 10.1.4 infrastructure except OTN?
    I have another question regarding the role based reporting with SSO. We want users to see different reports based on their roles once they login. What options do we have to implement this? From my understanding, we need to maintain a user role mapping table in our database, create groups in OBIEE and map the user role with the group in OBIEE? Is it true? Are there other options? Is there an existing product we can use to implement this?
    Thanks,
    Meng

    have a look on page 137 and further http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf

  • GRC10 Firefighter - Role-based & ID-based

    GRC Gurus,
    I am looking for a solution or at least theoretical discussion about a scenario in which GRC 10 system is connected to more than 1 target system and in one system I want to use FFID-based option whereas in other system it is FF-Role based. For example, in a system where all the users are logging in through SAP GUI, it will be better to have FFID-based firefighter whereas in system where most of the users are logging in through portal it will be better to have role-based firefighter. Under GRC5.3 it was pretty simple as RTAs were independent in each separate system but in GRC10 since type of firefighter is controlled by single parameter, what will be a way to implement such hybrid approach?
    Regards,
    Shivraj

    Thanks Anji,
    Thanks for the response, I am aware of the 4000 situation, I was just wondering if someone has figured out any workaround for this. Because otherwise, it is a step backward for new version as under 5.3, systems could have been on different setups whereas under GRC10 that is not possible.
    Regards,
    Shivraj Singh

  • Role Based FireFighter

    Greetings All,
    We are doing SAP GRC Access Control implementation in our company. We have Modulewise Master Roles working as firefighter Roles. In emergency we assign it to a user for 24 hours. Now when we are implementing FireFighter we want to keep existing Role Model but use the functionality of FF. Has anyone gone through this scenario? Do let me know the steps we need to configure the existing model with new FF Model and AE.
    Thanks in advance,
    Regards,
    Sabita Das

    Try Firefighter roles instead of Firefighter users.
    FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.
    FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time a request for the FF role through AE (the request could go through a separate workflow path) and the request will be approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc... An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24/7 master data set-up in the original Firefighter process.
    When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.
    The Firefighter does not need to "check-out" a Firefighter ID; the access is on their normal user ID.
    The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.
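The split-ID risk described in the reply above, as an added example that is not part of the original post: a per-ID SoD report misses a person who performs one half of a risk on their own ID and the other half on a Firefighter ID, while resolving Firefighter IDs through the check-out log catches it. The rule, IDs, action names and log rows are all constructed for illustration and are not SAP GRC data or APIs.

```python
from datetime import datetime

# Constructed SoD rule: a risk is a pair of conflicting actions (names are illustrative).
SOD_RULES = {"R01": ("create_vendor", "post_payment")}

# Constructed firefighter check-out log: (ff_id, real_user, start, end).
CHECKOUTS = [
    ("FF_FIN_01", "jdoe", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 17, 0)),
    ("FF_FIN_01", "asmith", datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 17, 0)),
]

# Constructed change log as an audit trail would record it: (logged_id, action, time).
ACTIVITY = [
    ("jdoe", "create_vendor", datetime(2024, 3, 4, 8, 30)),
    ("FF_FIN_01", "post_payment", datetime(2024, 3, 4, 10, 15)),
    ("asmith", "create_vendor", datetime(2024, 3, 4, 11, 0)),
    ("FF_FIN_01", "display_vendor", datetime(2024, 3, 5, 10, 0)),
]


def resolve_person(log_id, when, checkouts):
    """Map a logged ID to the person behind it; FF IDs need the check-out log."""
    for ff_id, user, start, end in checkouts:
        if log_id == ff_id and start <= when <= end:
            return user
    if any(log_id == ff_id for ff_id, *_ in checkouts):
        return None  # FF ID used outside any recorded check-out: unattributable
    return log_id  # an ordinary user ID already names the person


def sod_hits(activity, rules, checkouts=None):
    """Return sorted (who, risk_id) pairs where one identity did both halves of a risk.
    Without checkouts the analysis is per logged ID, as a naive report would be."""
    done = {}
    for log_id, action, when in activity:
        who = resolve_person(log_id, when, checkouts) if checkouts else log_id
        if who is not None:
            done.setdefault(who, set()).add(action)
    return sorted(
        (who, risk) for who, actions in done.items()
        for risk, (a, b) in rules.items() if a in actions and b in actions
    )


def unattributed(activity, checkouts):
    """FF ID actions that fall outside every check-out window (need manual review)."""
    return [(i, a, t) for i, a, t in activity if resolve_person(i, t, checkouts) is None]
```

With role-based firefighter access every row already carries the normal user ID, so the resolution step and the unattributed case disappear.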

  • ADF UIX Role Based Access Control Implementation

    Hi,
    Can anybody suggest a detailed example or tutorials of how to implement role based access control for my ADF UIX application?
    The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way?
    Can this be done using JAZN or JAAS? If so, please provide me references to a simple tutorial on how to do this.
    Thanks a lot.
    Sathya

    Brenden,
    I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
    If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web based console in Oracle Application Server. To configure security this way, you would have two options:
    1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
    The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml.
    2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
    The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
    1 - 2 have the benefit that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
    Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
    Two links that you might be interested in to read are:
    http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
    http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but it's a good source of information.
    Frank

  • SOD Detour in Role Approval Workflow possible?

    Hello GRC Experts,
    We have implemented an Access Request Approval Workflow with a Detour Rule (GRAC_MSMP_DETOUR_SODVIOL).
    The second workflow we are working on is the Role Approval Workflow. Is it possible to use the SOD Detour Rule also in the Role Approval Workflow? I didn't find the SOD Detour Rule in the MSMP Role Approval Workflow.
    We would like to implement the following scenario:
    if the role contains an SOD the request should take Path 1 and if not Path 2.
    Is it possible in MSMP Standard or should we use BRF+ for creating a Detour Rule?
    Thanks,
    Best Regards
    Sabrina

    Hi Sabrina,
    For Access Request workflow, we generally use GRAC_MSMP_DETOUR_SODVIOL to implement a routing rule (based on detour condition - risk found). The purpose of the same (if I am not mistaken) is to throw the request to another level of approver wherein the mitigation monitor agent reviews the mitigation performed by the role owner stage and approves/rejects the request.
    But when we create a role, the same is not the condition as we do not mitigate role level risk, thus no need to go for the mitigation monitor stage. Maybe you have some business scenario; if you can let us know, that will be great.
    For the rule ID, did you try adding the rule ID? (You may already know, still would like to cross check with you.)
    GRAC_MSMP_DETOUR_SODVIOL under list of rules for "Role Approval Workflow". In the screenshot you have shown, just click on ADD feed -
    Rule ID - GRAC_MSMP_DETOUR_SODVIOL.
    Rule description - same as Access request.
    Rule type - Function module based
    Rule kind - routing rule.
    Add this and check if it works and let us know the result too.
    Regards,
    Nishant
