Role grants problem.

Hi everybody,
I have this strange problem:
I've an owner schema owning most of my db's tables: "SALE". SALE is a DBA and creates the rest of db users. I also have a qrya_rl owned by SALE. I grant selects on SALE tables to this qrya_rl and assign it to users whenever necessary.
Strange thing is in a 10gr2 database, everything is fine and users can select from SALE.xxxxx tables (through a public synonym of course). In 11g r2 however, users are able to select from SALE tables but are not able to compile functions, procedures and packages with references to SALE objects?!?
Compile error says: unknown table or view : SALE.xxxxx.
It finally exhausts me and I assign selects on SALE tables directly to users or to Public. Function and packages compile fine!
My db is a huge transactional database with many users. I do not want to assign privileges to public and having a growing number of users, I do not want to assign privileges directly so I'm stock in here!
Any ideas?
Edited by: Ali on Jun 1, 2011 9:29 PM
Edited by: Ali on Jun 1, 2011 9:35 PM

Any ideas?privileges acquired via ROLE do not apply within PL/SQL named procedures.

Similar Messages

Missing Role Grants after datapump

Hello OTN-Community,
I have a problem with datapump. I am using some include filters to get the relevant data exported. One of these filters inlcudes the ROLES of my database which starts with a certain expression.
After the export into another database these roles exists but all of the role grants and the grants to other users misses. The object grants are exported correctly.
What am I doing wrong?
The export script:
declare
/*some declare specification are not copyed*/
cursor curSchema is
select
distinct
t.Mdbn_Name Name
from
ProphetMaster.Dat_MdBn t
where
Upper(t.MDBN_Name) not in ('****', '***');
begin
-- Schemas festlegen
SchemaList := '''****'',''***''';
if ExportAllProphetUsers then
for recSchema in curSchema loop
      SchemaList := SchemaList||','''||recSchema.Name||'''';
end loop;
end if;
-- Dateigröße
FileSizeStr := to_char(MaxFileSize)||'M';
-- Verzeichnis
DirectoryName := 'PHT_PUMP_DIR';
execute immediate 'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||'''';
-- JobName
JobName := 'PHT_EXPORT'||DateStr;
-- Filename
if not FilenameWithDateTime then
DateStr :='';
end if;
Filename := 'PHTDB'||DateStr||'_%U.DMP';
Logfilename := JobName||'.LOG';
-- Job festlegen und Ausführen
h1 := dbms_datapump.open (operation => 'EXPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
dbms_datapump.add_file(handle => h1, filename => Logfilename, directory => DirectoryName, filetype => 3);
dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
--10g
--dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1);
--11g
dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1, reusefile =>OverwriteFiles);
dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
-- Include Schemas
--dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''DATABASE_EXPORT/SCHEMA'')');
--Include Profiles
dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''PROFILE_%''', object_type => 'PROFILE');
dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''PROFILE'')');
--Include Roles
dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''***%''', object_type => 'ROLE');
dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''ROLE'')');
-- Größenabschätzung
dbms_datapump.set_parameter(handle => h1, name => 'ESTIMATE', value => 'BLOCKS');
--Start Job
dbms_output.put_line('Import Job started; Logfile: '|| LogFileName);
dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
-- Wait for ending and finishing job
dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
dbms_output.put_line('Job has completed');
dbms_output.put_line('Final job state = ' || job_state);
dbms_datapump.detach(handle => h1);
The Import Script:
begin
dbms_output.Enable(buffer_size => null);
-- Verzeichnis
DirectoryName := 'PHT_PUMP_DIR';
execute immediate 'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||'''';
-- JobName
JobName := 'PHT_IMPORT'|| to_char(sysdate,'_yyyy-MM-DD-HH24-MI');
--FileNames
Filename    := 'PHTDB'||FileNameDateStr||'_%U.DMP';
LogFilename := JobName||'.LOG';
h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
--Wenn der Datapumpimport auf einer Standardversion ausgeführt wird, muss diese Aufrufzeizeile genutzt werden
--h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => '10.2');
dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
dbms_datapump.add_file(handle => h1, filename => Logfilename, directory => DirectoryName, filetype => 3);
dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filetype => 1);
dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
dbms_datapump.set_parameter(handle => h1, name => 'REUSE_DATAFILES', value => 0);
dbms_datapump.set_parameter(handle => h1, name => 'TABLE_EXISTS_ACTION', value => 'REPLACE');
dbms_datapump.set_parameter(handle => h1, name => 'SKIP_UNUSABLE_INDEXES', value => 0);
--Start Job
dbms_output.put_line('Import Job started; Logfile: '|| LogFileName);
dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
-- Wait for ending and finishing job
dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
dbms_output.put_line('Job has completed');
dbms_output.put_line('Final job state = ' || job_state);
dbms_datapump.detach(handle => h1);

Has no one any idea?

Find the roles granted on tables in oracle 10g

Hi,
I need to find what roles granted to what tables in a schema. I try to query dba_tab_privs but this will give what roles granted to tables, but i want to find what tables are missing these roles in a schema?
any help is appreciated.
Thanks...

789287 wrote:
i have another scenario where i have 2 different schemas such as TEST_A ans TEST_B. here TEST_B. at TEST_B user have 2 roles B_query and b_update and granted these roles to TEST_B user.
TEST_A need to access the TEST_B objects, when i grant the A_QUERY, A_UPDATE to TEST_A user. then i login as TEST_A user to access the TEST_B objects gets an eror object doesn't exist.
i dont want to grant privileges directly on to the TEST_B objects to TEST_A user. is there anyway i can accomplish this through the role?
i thought it would appropriate to ask the question here rather opening a thread.
Thanks...consider to actually post the actual SQL & complete error response from Oracle.
How do I ask a question on the forums?
SQL and PL/SQL FAQ

Script for Users, Roles,Grant,Tablespace

Hi,
Please guide me on the following .
I am moving database to new Unix server .
so can I create the script which will check the existing Users, Roles, Grants, Tablespaces from current database and store that data.
And using same soared data I want to create the same " Users, Roles, Grants, Tablespaces" using the script.
Can i do this. Please guide me how to do this so I will help me to move database
Thanks,
Amol

You should run ?\rdbms\admin\utlrp (note the ?, which is shorthand for ORACLE_HOME) from the database server. to make sure you have the correct script. You can call sqlplus from Toad easily.
The script affects PL/SQL only. PL/SQL resides in the SYSTEM tablespace in the SYS schema. You don't have 400G of PL/SQL. It should take a few minutes only.
The SYSTEM schema WILL be imported. SYS will not be imported, but automagically recreated. The only thing you will miss is Grants which have been made by SYS directly to end-users or roles, outside those defined in catalog.sql
Sybrand Bakker
Senior Oracle DBA

UME Roles/Groups problem

UME Roles/Groups problem
I have installed an ABAP +J2EE instance with the view of using it for Adobe Document Services.
While following the Adobe Document Services configuration guide, Step 3.2.1.1:
I'm creating a role in the ABAP engine, creating a user (ADSUser); creating and assigning the role (ADSCallers) to it.
When I start visual admin, i expect the user to be shown under the 'group': ADSCallers.
While I can see the user in visual admin, I'm unable to see the group (role in ABAP instance)
I'm on SP19 NW2004. Any views???

There is a delay before roles show up as groups on the Java side. The delay runs about 30 minutes. See http://help.sap.com/saphelp_nw04s/helpdata/en/45/af3ac012d32e78e10000000a155369/frameset.htm
-Michael

Expdp users, roles, grants (privs)

(sorry for the cross-posting - I'm not sure how to delete or move threads and I posted this in the general questions forum thinking I was in this forum)
So, I think this works - still in the process of testing - but what I want to do is the following:
1) Export ONLY users, passwords, and privs from TEST
2) Clone PROD --> TEST
3) Drop all users in TEST excluding system users.
4) Import original users file from Step 1.
I think I've got it with the following. Am I missing anything? I'm testing, but if someone else has done this, I would be happy to hear from something I may be missing.
JOB_NAME=EXPDP_USERS
DIRECTORY=DTPUMP
REUSE_DUMPFILES=Y
FULL=Y
DUMPFILE=users_test.dmp
LOGFILE=users_test_expdp.log
INCLUDE=SCHEMA:"IN (SELECT USERNAME FROM dba_users where default_tablespace NOT in('SYSAUX','SYSTEM'))",ROLE,USER,SYSTEM_GRANT,ROLE_GRANT,DEFAULT_ROLE,TABLESPACE_QUOTA

Pl do not post duplicates - expdp users, roles, grants (privs)

ERM 5.3 (SP12) Derived Role Update Problem

Hello Experts,
I have a question.
We have a master role/derived role set up in the back-end system. We are trying to update a master role and its derive roles in ERM via PFGC sync.
Our problem:
We can add a transaction to a master role no problem in ERM via PFCG sync (adding a transaction code in the back-end and sync to ERM) However, we are unable to update the transaction for derived roles (nothing happens for derived roles in ERM).
If I am correct, we don't have to add a transaction to each derived role manually, and we should be able to update derived roles automatically once we update a transaction in a master role.
Please just note that we successfully imported all the master/derived roles from our back-end system, and we are not try to create a derived role in ERM at this time. All we want right now is to update a master role and its derived roles in ERM via PFCG sync.
If you can, please advice.
HM

Go to the TXT file , cut the last line from the AGR_1252 (rtable and insert it to the top of the lines ( AGR_1252) , and reimport it will work I had the same problem in my previous implementation.
try for one parent & child role
This is a known problem with SAP they will rectify it in SP12/SP13 or so

Enterprise Role grants in jazn-data fail for AD Provider User Accounts?

Hello All,
I have enterprise roles defined within my jazn-data.xml for my 11.1.1.4 web application. We just recently switched user accounts over to an active directory provider for authentication. So, I have user accounts associated with the active directory provider that are assigned to my enterprise roles. This is working fine because all of my EL expressions of the form #{securityContext.userInRole['EnterpriseRoleName']} are working great.
However, all of the grants in jazn-data.xml for pages that should only be viewable by users with this role are now not working. Users with this role see a "Internal Server 500" error with the message "oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed", rather than the related pages. This all used to work when the user accounts were not coming from the active directory provider.
As a work around, I've had to grant test-all view access to all pages, but hide controls and portions of pages that non-authorized users should see using EL like what I printed above.
This can't be right. Why are AD user accounts treated differently by WebLogic Server, when the security context indicates that the user has the proper role?
Thanks

Haha... nice one. This is a low-key production app that is internal to this company. I can't have users with AD accounts, who used to have WLS internal accounts when the jazn grants worked, just stop using the application until some solution comes about. It may take days. I don't understand why you would leave such an unhelpful comment and then leave the discussion. Is this a precedence that you want set within your forum? Please help me to understand why this is a bad workaround. I'm just at the beginning of trying to figure out the root cause of this issue. A search didn't reveal any obvious answers, so I thought I'd reach out to my knowledgeable ADF friends on the forum to see if this was something that could easily be fixed.
Back to your comment -- why is this a mistake? I have always used the rendered attribute value to hide navigation points to pages that are supposed to be accessible to users with the enterprise role (e.g. rendered="#{securityContext.userInRole['EnterpriseRoleName']}"). This still works fine in the context of this problem, because the security context is working properly -- it's picking up user membership to enterprise roles. It's the jazn grants that are not working for the AD provider related users.
In this context, if some really smart user guesses the URL of a page I don't want them on because they don't have the role, then why can't I simply set rendered="#{securityContext.userInRole['EnterpriseRoleName']}" on the PGL that presents the body of the page? The content of the page isn't rendered. That's the point of the "rendered" attribute, right? Better yet, I could have a nice message that says that aren't authorized to view the page, rather than put a Java stack trace in their face. Why, then, as a temporary workaround, is this such a bad idea?
Thank you "sameera.sac" for the links. I'd seen the first one before posting and it wasn't pertinent. But I'll certainly research the others you provided.
Thanks

Creating objects only with role grants.

Good afternoon, everybody.
I'm having a problem to compile some procedures in a scheme, let's call it scheme A.
This scheme A is receiving privileges to execute a function(B.get_date) of other scheme, let's call it scheme B, through a role B_STUFF.
When I try to compile a procedure from scheme A that uses the function B.get_date, it doesn't compile because there are
insufficient privileges for scheme A to execute that function, but I already gave that privilege through the role B_STUFF.
Nevertheless it only works when I give direct grant execute on function B.get_date to schema A.
Here is the example of my problem:
create function B.get_date return date
is
Begin
return sysdate;
end;
grant execute on function B.get_date to B_STUFF;
grant B_STUFF to A;
create procedure A.proc
is
begin
....uses the function B.get_date....
end;
Invalid object.
Is there a way to do this without having to give direct privilege of an object to a schema?
Thanks for the attention...
Regards...

Is there a way? Yes. But it's probably not what you want...
SQL> ed
Wrote file afiedt.buf
1 create or replace procedure a.proc
2    authid current_user
3 is
4    l_dt date;
5 begin
6    execute immediate 'select b.get_date from dual' into l_dt;
7    dbms_output.put_line( l_dt );
8* end;
SQL> /
Procedure created.
SQL> set serveroutput on;
SQL> exec a.proc;
06-FEB-13
PL/SQL procedure successfully completed.will work. Any user that wants to execute the A.PROC procedure will need to have the ability to call B.GET_DATE (either directly or via a role).
In general, since roles can be enabled or disabled in a session, password protected, made default or non-default, etc. you can't use them when you're creating persistent objects. Otherwise, if A has two sessions open and in one session B_STUFF is enabled and in the other the role is disabled, Oracle would have a very hard time figuring out whether the A.PROC procedure should be valid or not. And then what happens when both of those sessions are terminated-- which set of roles should Oracle then use for A's persistent objects? That's why Oracle generally depends on privileges that are granted directly to a user when you're trying to create persistent objects.
Justin

Recursive Role grants

Hi everyone,
I'm hoping someone can help me with this problem. No one in my office can figure it out.
Scenario:
Amy has been granted Role1 and Role1 has been granted Role2 and Role 2 has been granted Role3
Role3 -> Role2 -> Role1 -> Amy
dba_role_privs table gives:
grantee granted_role
Amy Role1
Role1 Role2
Role2 Role3
My question is, what is the sql that I can use to link Amy to Role3??
grantee granted_role
Amy Role3
Please help!!
Thanks,
Mary

The following example should help you.
SQL> create role role1;
Role created.
SQL> create role role2;
Role created.
SQL> create role role3;
Role created.
SQL> grant role1 to role2;
Grant succeeded.
SQL> grant role2 to role3;
Grant succeeded.
SQL> grant create session to amy identified by amy;
Grant succeeded.
SQL> grant role1 to amy;
Grant succeeded.
SQL> select grantee, c.role
2 from dba_role_privs a, role_role_privs b,role_role_privs c
3 where a.granted_role = b.granted_role
4 and b.role = c.granted_role
5 and a.grantee = 'AMY';
GRANTEE ROLE
AMY ROLE3

Role grants to roles being deprecated

I have just read with concern in the release notes for Oracle Database 10.1 (paragraph 7.1) that the ability to grant "application role to another role will not be allowed in future Oracle database releases". Why will we be unable to nest roles in the way we have been doing for years? I can see many problems with this loss of functionality, or is there a cleverer way of organising security being introduced to replace roles?

I cannot find it online either. It is in the README that comes with the download of 10G from OTN. The document part number is B12304-01 and it is the README for Oracle Database 10G Release 10.1 dated January 2004. It is in the section on Database Security, paragraph 7.1. The exact text of the bullet point is, "Grants of password protection or application role to another role will not be allowed in future Oracle Database releases".

Asking for ROLES granted to the current user

I am trying to trigger an ALTER SESSION SET NLS_DATE_FORMAT ... for users in a particular database role. I can write some PL/SQL which properly captures a user's roles. When the same code isinvoked from a LOGON trigger, though, it doesn't find any roles:
SQL> create global temporary table hold_roles (role varchar2(30));
Table created.
SQL> create or replace
2 package          oper_logon_trigger_pg_delete
3    authid current_user
4 as
5    procedure MAIN;
6 end oper_logon_trigger_pg_delete;
7 /
Package created.
SQL> create or replace
2 package body          oper_logon_trigger_pg_delete
3 as
4
5    procedure MAIN
6    is
7      l_str varchar2(4000);
8    begin
9      for row in (select granted_role from user_role_privs)
10      loop
11        insert into hold_roles values (row.granted_role);
12      end loop;
13
14    end MAIN;
15
16 end oper_logon_trigger_pg_delete;
17 /
SQL> exec oper_logon_trigger_pg_delete.main;
PL/SQL procedure successfully completed.
SQL> select * from hold_roles;
ROLE
CKR_REPOS_MANAGER
CONNECT
DBA
PLUSTRACE
SQL> CREATE OR REPLACE TRIGGER LOGON_ALT
2 AFTER LOGON ON DATABASE
3
4 BEGIN
5
6    OPER_LOGON_TRIGGER_PG_DELETE.MAIN();
7
8 END LOGON_ALT;
9 /
Trigger created.
SQL> disconnect
Disconnected from Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
SQL> connect r25u7@dev
Enter password: **********
Connected.
SQL> select * from hold_roles;
no rows selectedWhy the difference in behavior? Same code, just one is called directly, vs from a LOGON trigger...
Thanks,
--=Chuck

chuckers wrote:
How does that circumvent the concept that " First trigger is fired and roles are not included into context."?
Won't the same fundamental problem be true if I just move that code directly into the trigger?OK. I will explain it in details. Trigger, as I already mentioned, is always executed with definer rights which means it is executed on trigger owner's behalf. Now package has AUTHID CURRENT_USER which means it will be executed on package caller's behalf. And since your package is called from the trigger, package is executed on trigger owner's behalf, not on logon user's behalf. As a result, querying USER_ROLE_PRIVS will go against trigger owner's roles. So you are querying wrong user's roles. As you can see, you can't use user_role_privs. That is why you need to go against DBA_ROLE_PRIVS (and do not forget to grant select on DBA_ROLE_PRIVS directly to trigger owner). Your second issue is GTT. AFAIK after logon trigger is executed aftr user is logged in but before session is fully instantiated and GTT does not work yet. Anyway:
SQL> connect sys/******** as sysdba
Connected.
SQL> grant select on dba_role_privs to scott
2 /
Grant succeeded.
SQL> connect scott/******
Connected.
SQL> drop role CHANGE_NLS_DATE_FORMAT
2 /
Role dropped.
SQL> create role CHANGE_NLS_DATE_FORMAT
2 /
Role created.
SQL> grant CHANGE_NLS_DATE_FORMAT to u1
2 /
Grant succeeded.
SQL> drop table hold_roles
2 /
Table dropped.
SQL> create table hold_roles(role varchar2(30))
2 /
Table created.
SQL> grant insert,select on hold_roles to public
2 /
Grant succeeded.
SQL> create or replace
2 package oper_logon_trigger_pg_delete
3    authid current_user
4 as
5   procedure MAIN;
6 end oper_logon_trigger_pg_delete;
7 /
Package created.
SQL> create or replace
2 package body          oper_logon_trigger_pg_delete
3 as
4    procedure MAIN
5    is
6      l_str varchar2(4000);
7    begin
8      for v_rec in (select granted_role from dba_role_privs where grantee = user)
9      loop
10        insert into hold_roles values(v_rec.granted_role);
11      end loop;
12    end MAIN;
13 end oper_logon_trigger_pg_delete;
14 /
Package body created.
SQL> CREATE OR REPLACE
2    TRIGGER LOGON_ALT
3      AFTER LOGON ON DATABASE
4      BEGIN
5          OPER_LOGON_TRIGGER_PG_DELETE.MAIN();
6 END LOGON_ALT;
7 /
Trigger created.
SQL> truncate table hold_roles
2 /
Table truncated.
SQL> connect u1/****
Connected.
SQL> select * from scott.hold_roles
2 /
ROLE
CHANGE_NLS_DATE_FORMAT
SQL> select granted_role from user_role_privs
2 /
GRANTED_ROLE
CHANGE_NLS_DATE_FORMAT
SQL> SY.
P.S. Now, when the issue is explained, you could simplify whole thing. You do not need package at all. Just create the trigger:
CREATE OR REPLACE
TRIGGER LOGON_ALT
    AFTER LOGON ON DATABASE
    BEGIN
        insert into hold_roles
          select granted_role from dba_role_privs where grantee = user;
END LOGON_ALT;
/

Role granting issue

Hi,
I have created one role with some system privileges like create any table,dubug any procedure etc and with some object prvileges like select grant on DBA_TABLES, DBA_JOBS etc. Now I have granted the role to a different user where I have written a package which consist of few procedures, one of the procedures in package spec like below :
PROCEDURE REGISTER (
p_Owner IN ORBIT_DELTA_CNTL.OWNER%TYPE,
p_Object IN ORBIT_DELTA_CNTL.NAME%TYPE,
p_Type IN ORBIT_DELTA_CNTL.OBJECT_TYPE%TYPE,
p_RefreshInterval IN DBA_JOBS.INTERVAL%TYPE,
p_PurgeInterval IN DBA_JOBS.INTERVAL%TYPE,
p_Tablespace IN DBA_TABLES.TABLESPACE_NAME%TYPE DEFAULT NULL
which throws a error during compilation "PLS-00201: identifier 'DBA_JOBS' must be declared". Can any one please explain why this error is coming though I have granted the role to that user.
Regards,
Koushik

Koushik,
The reason is probably dependencies related. When an object gets invalid, all dependent objects get invalid et cetera. When objects could be valid because of a grant via a role, this means that an object could get invalid by revoking a grant from a role. Because granting user access via a role should not make big parts of the database invalid, it is only allowed via direct grants.
Regards,
Rob.

ARQ: Default Role Provisioning Problem in Access Request???

Hi,
This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
MSMP Issue - GRC 10
I have also followed the note#1616092 for configuring the Default Roles.
I have performed below activities:
1. Param#2009 = YES
2. Param#2010 = 001
3. Param#2011 = REQUEST
4. Param#2013 = SYSTEM
5. Param#2038 = YES
6. Imported a test role and NO ROLE OWNER is maintained.
7.In NWBC->-AM->RM, I maintained a test role as a default.
Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
May I know what I am missing here? Why I am getting error and how can I resolve it?
Please advise.
Regards,
Faisal

Hi Faisal,
sorry for late resposne I was away traveling.
default roles are being added by default to access request
Yes, these roles are added to the access request.
FN: OK
and this roles are following your normal paths which I guess assumes manager and role owner.
How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
- request is going to detour path
Does it answer my question?
FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
Deafault roles can have separate path (in my case) where only supervisor is approving it.
Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER" I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
FN; correct
It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
correct
If you do not have separate path - this role like any other will follow standard path you have.
Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
FN: good
My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
Are you asking for default roles?
Please advise.
Regards,
Faisal

Role Grants to Bounded Task Flow not Recognized on standalone WLS 10.3

Jdeveloper 11G Build 1188
Weblogic 10.3
I receive this error
oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: '/WEB-INF/menuflow.xml#menuflow' 'VIEW'.
This occurs before and after security migration.
I have spent 4 days on this problem and read and re-read Jdeveloper and Weblogic docs and all the blogs I could find as well as this forum.
The security works fine using Integated WLS.
It seems to me that the roles in Jazn and the roles I setup in Weblogic are NOT being associated
I followed step by step the blogs concerning security migration, weblogic standalone install, weblogic setup as to rolls and groups, etc.
Before I go through every step I took, I would like to know If anyone has received this error.
Chuck

Hi Frank,
I copied the <jazn-policy> section from the jazn-data.xml to system-jazn-data.xml and it is working
So as expected something wrong with the migration...I will check what
Thanks
Jamil

Role grants problem.

Similar Messages

Maybe you are looking for