Role Definitions

When I create a new role definition in german 3 access rights are not visible (as seen in the attached screenshots). Then i switch to englisch and get 3 points not checked.

kulo74,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/

Similar Messages

Add a base permission to an existing role definition in sharepoint using CSOM

I have to add a base permission to an existing role definition in sharepoint using CSOM Managed API in SP2013, to update base permission of a permission level. I did use below code . But Role definition is not getting updated. What could be the reason? I
have updated RoleDefinition and Web as well but it did not help.
RoleDefinition rd = oClientContext.Web.RoleDefinitions.GetByName("My Permission");
if (!rd.BasePermissions.Has(PermissionKind.ManagePermissions))
rd.RoleTypeKind.ToString();
rd.BasePermissions.Set(PermissionKind.ManagePermissions);
rd.Update();
oClientContext.Web.Update();
oClientContext.ExecuteQuery();
Ashish Baranwal To know what you know and what you do not know, that is true knowledge

Hi Ashish,
I tested the same scenario per your post in my environment, and I got the same results as you got.
As a workaround, I recommend to delete the permission level and then recreate the permission level with the needed permissions:
ClientContext ctx=new ClientContext("http://sp");
RoleDefinition rd=ctx.Web.RoleDefinitions.GetByName("My Permission");
ctx.Load(rd);
ctx.ExecuteQuery();
if(!rd.BasePermissions.Has(PermissionKind.ManagePermissions))
rd.DeleteObject();
BasePermissions permissions = new BasePermissions();
//add the permissions needed
permissions.Set(PermissionKind.ManagePermissions);
RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = "My Permission";
roleDefinitionCreationInfo.Description = "My Custom Permission Level";
RoleDefinition roleDefinition = context.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
context.ExecuteQuery();
Best regards.
Thanks
Victoria Xia
TechNet Community Support

BHOLD Modelgenerator / Modelloader: missing application name in permission in the Role definition of the exportflie.

I have 2 applications (SAP-T and SAP-R) stored in BHOLD Core with same permission: Administrator.
I have 2 roles (Koos Test1 and Koos Test2) stored in BHOLD Core. "Koos Test1" role has been connected to
permission Administrator belonging to application SAP-R and the "Koos Test2" role has been connected to permission Administrator belonging to application SAP-T.
When I make an export with BHOLD Model Generator, these permissions have correctly been stored:
<application name="SAP-T" module="" parameter="0" protocol="DCOM">
<Permission name="Administrator" description="Administrator" />
</application> <application name="SAP-R" module="" parameter="0" protocol="DCOM">
<Permission name="Administrator" description="Administrator" />
</application>
But the 2 roles are not correctly been stored in the export file:
<role name="Koos Test1">
<task name="Administrator" description="Administrator" />
</role> <role name="Koos Test2">
<task name="Administrator" description="Administrator" />
</role>
The missing link is the definition of the application to which the permission belongs.
This means that the role model is not correct when I import this generated export file into another BHOLD environment
with Modelloader.

Koos,
I just went through this and I definitely see unexpected behavior but not quite like yours........When I do this, the roles are added fine and the applications are added fine. However, it only makes one 'Administrator' permission to me and links it to both
roles. Not sure if this is related to using same name for permissions with different apps or what. My version of BHOLD I am testing this with is 5.0.2724.......this is the pertinent contents of my export file:

<application name="SAP-T" module="" parameter="SAP-T" protocol="DCOM">
    <Permission name="Administrator" description="Administrator" />
</application>
<application name="SAP-R" module="" parameter="SAP-R" protocol="DCOM">
    <Permission name="Administrator" description="Administrator" />
</application>

<role name="Koos Test 1">
    <task name="Administrator" description="Administrator" />
</role>
<role name="Koos Test 2">
    <task name="Administrator" description="Administrator" />
</role>

One thing..........I used 'Administrator' as both permission name and description. Perhaps if the descriptions are different but the names are the same, it would show the expected results.......I will have to test this later......

RAR - Attached file to the role definition

Hi,
In the "Configuration" tab -> Miscellaneous.
I don´t understand what´s the function of the option "Allows you to attach files to the role definition".
You can attach files only in the Testing stage, but if chose "Yes" or "No" in this option, the system allows you to attach files in this stage.
Please, someone knows the real function of this option?
Thanks!
Kind regards,
Sergio

On which SP level are you?
I'm on SP10 and I don't see such an option in RAR->Configuration->Miscellaneous.
Thank you,
Partha

DFD diagram and ER crossmatrix for role definitions and role's privileges on objects

Hello,
Having the question on derivative use of combination of DFDs and ER diagrams ( let us be more fixes and focus on Relational model ).
In DFD there are defined external entities and functions, data flows and data stores that are forming processes.
Functions represents procedures, transactions, transformations.
Dataflows presents procedures parameters, intermediate reports, temporary table data, data that is passed , retrieved/written, signals, triggers/events that controle or trigger function...
Context of my question is focused on external entities.
External entity suppose to denote the sourced or destinationed system ( for example Archiving system ) or operator, system that is out of scope of the DFD and it is mentioned just as target or destination or source of dataflow or control flow.
In context of these understandings I am using external entitiy also for types of users of the system: staff that is triggering functions or schedulers or job managers, or reporting systems ( or components of reporting systems like for example business intelligence extraction processes ).
What is my problem that on basis of external entity definitions and E/R model also define roles and privilege classes for access to data objects.
And from those generating ddls for database roles, privileges on entitities to those roles.
But in privileges granting to role having two different kind of privileges on data objects:
- privileges that are granted on various schema objects
For example role1 has grant on tab1, view2, procedure1, package3,
- the other type of privilega is based on the scope or range of semantically defined scope or semantic area.
Semantic area is scattered through tables because of normalisation and using semantic area as entity of which primary key is
partitioning the table data through many semantic areas.
So this privilege should be granted on basis of the rows in table not column ( more semantically then structurally ...row oriented more than column ).
Both privileges that are granted to roles are also basis for functional roles
( privilege that is granted that functional role has grant to trigger or execute some function or process ).
My question is?
How do you handle modeling technology for analysis and design for role privileges and consolidation between database and functional roles ?
Grateful for any idea, experience and suggestions.

Hello,
Guess I was looking for the formal sequence of steps that would bring me to the
ddls for "create role ..." and "grant privileges to role".
You can do that.
1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
5) You need an open physical model for your relational model
6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
Entity1 is divided in several subtypes for different business areas.
And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
Philip

PFCG - ROLES DEFINITION FOR ABAP TEAM

Dear SAP Professionals,
I would like to know your thoughts, ideas, templates and resources, on authorization objects and roles we should define and / or create in the company for ABAP development team.
Also, it will be very valuable being able to receive information about that definition, for BASIS team.
Look forward for your answer, and if you need further explanation pls feel free to make it.
Thanks in advance,
Rodolfo

The SAP_BC_DWB_WBDISPLAY is ABAP display only I think (pls correct me if I'm wrong) and this will give to little authorizations to display in production for them.
We used the display roles in production that we have created per module (FI, MM, et cetera). and assigned them to one composite display role.
The template roles can be a good start for the non production systems, but in our case they where to limited and they needed more authorizations, also for the functional modules. So we ended up creating a new developer composite role that was a combination of the basic ABAPdeveloper role with additional functional roles.
The result is that they have many authorizations in the non production system and additional compensenating controls where needed to minimize the risk. The good thing is that they don't need critical authorizations in the production system and we can monitor the usage of the firefighter use in the production system.

Role definition

Hi,
on 10g R2 on AIX
in which table can I find the definition of a role ? I mean the script used to create it ?
Thank you.

user522961 wrote:
Hi,
on 10g R2 on AIX
in which table can I find the definition of a role ? I mean the script used to create it ?
I can't recall there is any table that does stores it, I may not be knowing about it either but the dbms_metadata package should work fine as Osama mentioned,
SQL> create role test;
Role created.
SQL> select dbms_metadata.get_ddl('ROLE','TEST') from dual;
DBMS_METADATA.GET_DDL('ROLE','TEST')
CREATE ROLE "TEST"HTH
Aman....

MS Excel cannot read the Roles definition on Analysis Service cube

Hello,
While using Analysis Service connection via Excel, apparently it does not automatically provide Roles or EffectiveUserName in the connection string based on username/password we provide. We must manually edit the connection string.
Does this thing already defined as bugs, or there is other explanation ? Is there any related with this ?
Thanks.

Hi Prayijana,
In your scenario, you said that you need to manually edit the connection string for different users to connect to SQL Server Analsysi Services Multidimensional database, right?
When using excel to interact with a SSAS cube, we can use the default settings "Use the authenticated user's account". In this case, excel will use the current account to connect SSAS cube. If the account has a matched role on the databse,
then he can access to the cube.
If this is not what you, please provide us more informantion, so that we can make further analysis.
Regards,
Charlie Liao
TechNet Community Support

Where can I get the visitor role definition?

Hi, In the portal database I see P13N_ENTITLEMENT_ROLE have all the roles. But I don't see how the roles are defined. Is there a way to query how the roles are defined? I would like to clean up some of my unused properties. Thanks!

in MAPVIEWER_HOME/web/WEB-INF/admin/mcsdefinition.sql
Use that file. Run the relevant commands as sys or a privileged user.

Map security roles to group within LDAP using external 3rd Party LDAP

I'm haveing a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory succsfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to group within Active Directory? Below are details about my configuration.
Any help would be greatly appreciated.
Log.xml log entry that confirms webtA is communicating successfully with AD.
SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
Error reported in the log
<MESSAGE>
<HEADER>
<TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
<COMPONENT_ID>j2ee</COMPONENT_ID>
<MSG_TYPE TYPE="TRACE"></MSG_TYPE>
<MSG_LEVEL>16</MSG_LEVEL>
<HOST_ID>F2287032-W</HOST_ID>
<HOST_NWADDR>30.30.16.14</HOST_NWADDR>
<MODULE_ID>security</MODULE_ID>
<THREAD_ID>14</THREAD_ID>
<USER_ID>wmgraham</USER_ID>
</HEADER>
<CORRELATION_DATA>
<EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
Web.xml Logical Role definition
<security-constraint>
<web-resource-collection>
<web-resource-name>allpages</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>WEBTA_J2EE_USER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>WEBTA_J2EE_USER</role-name>
</security-role>
Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
<security-role-mapping name="WEBTA_J2EE_USER">
<group name="webta"/> <-- Group defined in AD -->
</security-role-mapping>

What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

Report of User role details

i have to report the role details of user...based on user given on selection screen.
transactions assigned to user and object in that role and fileds in the object and values in fields....
user | Transaction code | Object |   Field |    actual field values | assigned field values |
please tell me in which table we can this data...........

Hi,
There are lots of tables connected to roles. These were usefull for me:
AGR_DEFINE - Role definition
AGR_PROF - Profile name for role
AGR_USERS - assignment of roles to users    "<- this one you need
AGR_1251 - roles with authorization objects and value (as seen in su01 -> roles)
AGR_1016 - Name of the activity group profile
USR10     - User master authorization profiles
UST12     - user master authorizations
USOBT     - Relation transaction > authorization object; which objects are checked
Regards
Marcin

How mapping role defined in JDeveloper to LDAP

Hi,
I'm trying to understand how to map the roles definited during design of BPM process and the LDAP.
I've deployed process on soa server, I can see the ear on Console page.
I did the following:
1. Log in to Oracle BPM workspace (http://localhost:8001/bpm/workspace/) as WebLogic user.
2. Click on the administration link.
3. Click on Roles, in the Administration Areas panel on the left, to list all the different roles across all the deployed processes.
but I do not see my deployed process.
Do you know why this is? In my process I've just added my roles to the swimlane. Is this correct? Why I do not see any roles deployed?

Hi Fairlie,
in order to successfully build your BPM project you need to implement all activities (interactive and non-interactive) in your process model and/or mark part of the activities as draft. By implementing I mean binding definitions of service tasks, business rules, scripts, human tasks, etc. to the respective activities. Implementing human task form UI is an additional step. As Dan mentioned if you skip this step then your users will not be able to interact with the task. They rather would see it as an assigned task in the workspace without being able to use/see the user interface.
Cheers,
Anatoli

What's manageddisabledrole different from other role?

I tried to understand what exactly the manageddisabledrole is different from other custom role? Maybe some ACL controls this role? How does the users got disabled by being a member of this role?
So if i don't like the manageddisabledrole, can i create a new role and make it function just like manageddisabledrole?
Anyone here gives me an insight to this? I cannot find any docs that explains about this.
Thanks

Thanks for your reply, but I'm still confuse. I still
have few more questions to be clarify.
1. By definition, CoS allows you to share attributes
between entries. In this case, the
nsAccountInactivation_cos shares the nsaccountlock
attribute between entries. Is this correct?Correct.
2. If so, where do I find the template entry? If it
works right, the template entry must have the
atttribute nsaccountlock with the value = true in it.
How do I locate this template entry in the
directory?CoS and Role definition and template entries usually have objectclass ldapSubentry - this is a special objectclass used to create administrative entries (like operational attributes, only entries). In order to do a search to find these entries, you must include the filter (objectclass=ldapSubentry) in your search request. So, if you wanted to find these definitions under your suffix, do a search like this:
ldapsearch -s one -b dc=yoursuffix,dc=com -D "cn=directory manager" -w password "objectclass=ldapSubentry"
The CoS template entry is as specified in the CoS definition entry:
cn="cn=nsDisabledRole,<your suffix>",cn=nsAccountInactivationTmp,<your suffix>"
3. How does this nsAccountInactivation_cos CoS
related with the nsManagedDisabledRole role? I don't
see any relationship between these two. Maybe I
still don't understand well about Cos and Role.They are not easy to understand, but then, many powerful features are not easy to understand at first.
>
Thanks alot

Which table has Role Type and Validity

I do have role name - agr_name, which table will hold the role type - Single or Composite and Valid till date?

Welcome to SDN.
Check following tables -
AGR_AGRS                       Roles in Composite Roles
AGR_AGRS2                      Role definition
AGR_ATTS                       Role attributes
AGR_CUSTOM                     Role Customizing objects
AGR_DATEU                      Personal settings for roles
AGR_DEFINE                     Role definition
AGR_FAVOS                      Personal settings for PFCG
AGR_FLAGS                      Role attributes
AGR_FLAGSB                     Role attributes
AGR_USERS                      Assignment of roles to users
AGR_USERT                      Assignment of roles to users
Regards,
Amit

In which tabels the Roles, Usernames, Transaction codes, Change Queues

Hi All,
    These questions are based on basis:
     WIl any one tell me where the Roles, User Names for that role, tcodes, change queues are stored.
     how they interlink to each other, how can we find the single and composite roles in the table. how can we find what time it is created and when it is changed.
      how can we find how much time the request in change queue....
Thanks,
Ravi

Hi
check the following Tables
AGR_DEFINE - Role definition
AGR_USERS - Assignment of Roles to users
AGR_TEXTS - Role Descriptions
AGR_TCODES - Assignment of Roles to Tcodes
AGR_PROF - profile Name for Role
AGR_1250 - Authorization data fro activity group
AGR_1252 - Orgn elements for Authorizations
USR10 - Role Definition
UST12 - User Master Authorizations
<b>Reward points for useful Answers</b>
Regards
Anji

Role Definitions

Similar Messages

Maybe you are looking for