Role naming PK attributes

Is there a way to get inherited attributes role named based on either a relationship or a subtype?
Example: Physician is a subtype of Person. PK (Natural Key) of Person is First Name and Last Name. Physician Patient is a child of Physician and inherits the PK from Physician/Person. Would like it to be Physician First Name and Physician Last Name, rather than just First Name and Last Name (since the Patient will have the same columns for its key).
Example 2 (relationship based role): Recursive relationship on Employee to Manager. PK of Employee is Emp Id. Want to role name the FK attribute/column to be Manager Emp Id
Related - is there a way to get the table name (or short name) to prefix all the column names during forward engineering? Thought there was but can't find it.
Thanks!

Hi Kent,
I logged enhancement request on that.
Related - is there a way to get the table name (or short name) to prefix all the column names during forward engineering? Thought there was but can't find it.There is no such option in forward engineering to relational model. However if you define "Short name" for entity it'll be transferred as table abbreviation. Then you can run one of transformation scripts delivered with the product - "Table abbreviation to column".
There is also a transformation script that removes table abbreviation from columns.
Philip

Similar Messages

Can I map iwtUser-role to an attribute in external LDAP???

Hi,
I am using external LDAP for authentication. In the Ext. LDAP I am using
there is an attribute named title in every user cn. I want to use this
attribute for portal to decide which role the user belongs to. I mapped
iwtUser-role to title in Ext. LDAP configuration. When I go to console I
see user(s) under the roles defined in title attribute(in Ext. LDAP).
From console if I try to change the desktop profile of a role and check
'apply changes to all subroles', it's not applying changes to all users
who have the title as that role (even though when I go to that user(s),
I see them under the right tole). However, when I look at the
iwtUser-role attribute in profile LDAP using a LDAP browser it shows
/domainname/defaultRole which is not the value mapped (in Ext. LDAP). Do
you have any idea why it is happeing? I would like to know if mapping
iwtUser-role to an attribute in Ext. LDAP is right thing in the first
place (I am doing this because the Ext. LDAP is already populated, I
have no roles in that, all users are at same level and I have permission
to change title attribute only in Ext. LDAP).
Thanks,
Siva Kancheti.

Block off the default role if you don't want anyone going into that role but only
the ones defined. You can do this by setting the filter to a value that will return
nothing. (example, title=nonexistant), since the search filter will not return
results, no one will be placed in that role (otherwise have to manually go into that
role and 'move' users).
Hope this helps,
Manon
Siva kancheti wrote:
Hi,
I am using external LDAP for authentication. In the Ext. LDAP I am using
there is an attribute named title in every user cn. I want to use this
attribute for portal to decide which role the user belongs to. I mapped
iwtUser-role to title in Ext. LDAP configuration. When I go to console I
see user(s) under the roles defined in title attribute(in Ext. LDAP).
From console if I try to change the desktop profile of a role and check
'apply changes to all subroles', it's not applying changes to all users
who have the title as that role (even though when I go to that user(s),
I see them under the right tole). However, when I look at the
iwtUser-role attribute in profile LDAP using a LDAP browser it shows
/domainname/defaultRole which is not the value mapped (in Ext. LDAP). Do
you have any idea why it is happeing? I would like to know if mapping
iwtUser-role to an attribute in Ext. LDAP is right thing in the first
place (I am doing this because the Ext. LDAP is already populated, I
have no roles in that, all users are at same level and I have permission
to change title attribute only in Ext. LDAP).
Thanks,
Siva Kancheti.

Distinct count of role-played dimension attribute

Needed distinct count of AccountGroup attribute of AccountB dimension which is a role played dimension of Account.
Added measure distinct count of the dimension attribute (AccountGroup). In dimension usage added the main fact table as intermediate for other dimensions with many2many relationships.
The two role played Account dimensions must be related to the new AccountFact table with fact relationship.
But then how will I be able to count distinct attribute of
certain Account dimension (out of the two role played dimensions)???
Namnami

Thanks for the links, they are useful. But still they do not explain how to manage a distinct count of
certain role played dimension attribute.
I gave up on this and added that dimension attribute to the fact table so now I do a regular distinct count on a cube fact measure.
Thanks
Namnami

How to convert javax.naming.directory.Attributes to .String

hi,
i am getting values from ldap server.
but here i want to assin this values to string?
how?
Attributes det1 = ctx.getAttributes("cn="+t1+"", attrIDs3);
String str111=det1;
here i am getting error like this
Incompatible type for declaration. Can't convert javax.naming.directory.Attributes to java.lang.String
can any one help how to overcome and this values how to equal to string?
jpullareddy

now i got answer,i solved
my self for solution
jpullareddy

Filtering Role Content by Attributes

Hi All,
I'm trying to implement advanced Role Content Filtering, by setting Attributes (country, department etc.) to content and users. To do this I need to deploy and assign Java Filters (Factorys and Services). So I wanted to ask if somebody can give me some links to code examples of such Java Filters and maybe to this whole topic.

Hello-
The following two links should help you out.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/ep/code-samples/filtering%20role%20and%20workset%20content.htm
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/5021a57d-0601-0010-6097-ec94a09c626d
Marty

Role Naming convention

Good Morning All..!
I have a brand new sand box SCM, I am creating new roles on the system..
The roles should meet the Global naming standards, team want to go with location, system and org. unit in the naming convention..
I came up with
Eg:
ZM_US_SCM_0101AB_XXXX_ALL (Business role)
Description of above example:
M= Role type..like configure/x, composite/c......
US= location
SCM=system
0101AB=company and dep code
xxxx= role description
I wonder how to customize the naming convention for Basis, Helpdesk, security, abap and configuration
Am I complicating the role name?
Team want location code in the naming, so please suggest how should I go about it......?
Thanks in advance..!

Hi Anil,
I'm sure it is important to you, but please don't forget that a good number of posters on this board are based in Europe and the time you posted is end of working day for those on the mainland.
There are always many ways to do naming conventions and there is no right answer.
First of all, you talk about "global naming convention" - are there other non-SRM implementations that have roles created? If so, what is their naming convention? It may be worth using whatever they are using so as to retain consistency across environments.
What you want from your naming convention is the ability to search easily and to identify the purpose of roles.
Your naming convention contains a load of useful data but depending on how you use it, you may want to move some of the elements around
First of all, they don't have to start with Z. Avoid S but the rest is fair game, though Z is very safe.
Role Type: Stick to the technical type of the role here, don't mix composite and config for example. Composite, derived, parent etc make sense if you need the info.
Location: Is this more important that the system? if you search on US roles then maybe not, your call.
System: as above
Company and dep code: Usually I prefer this later on. This is because I typically search on type of role, func area, variant/description and then company or org unit. Again it is your call and nothing wrong with your suggestion.
Role description: Personally I prefer to use a numerical system here. The reason for this is that role descriptions change and transactions in a role change. By sticking to numbers then I find that when these things are changed, you don't have to worry so much about the role no longer matching the description.
depending on the build requirements, I find something like the following is reasonably flexible
ZS_R3_UK_<process area>_<role number>_<org unit>
where <process area> could be fi, ap, security, basis etc
<role number> is an arbitrary number e.g. 00001 - 99999
<org unit> plant/comp code etc - whatever the role is derived to etc
hope that helps

PCD Attribute not saved for Role Folder

Hello,
I try to change a PCD-Attribute programmaticaly.
If I do it on an iView (e.g. MyIview) - it works fine.
If i try on a Folder in a role (e.g. MyFolder) - it does not work !
I tryed two different approches - same behavour...
Apporach 1
String pcdLocation = "portal_content/MyRole/MyFolder";
//String pcdLocation = "portal_content/MyRole/MyIView";
IUser principalObj = this.getServiceUser("pcd_service");
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, IPcdContext.PCD_INITIAL_CONTEXT_FACTORY);
env.put(Context.SECURITY_PRINCIPAL, principalObj);
env.put("com.sap.portal.jndi.requested_aspect", "com.sap.portal.pcd.gl.PersistencyAspect");
env.put("java.naming.factory.object", "__IPcdContext__");
InitialContext initialContext = new InitialContext(env);
IPcdContext pcmObj = (IPcdContext) initialContext.lookupLink(pcdLocation);
IPcdObjectFactory pcdObjectFactory =
((IPcdGlService) PortalRuntime.getRuntimeResources().getService(IPcdGlService.KEY))
.getPcdObjectFactory();
IPcdAttribute newPcdAttr = pcdObjectFactory.createPcdAttribute(PcdAttributeValueType.BOOLEAN,
"com.sap.portal.navigation.Invisible");
newPcdAttr.set(0, new Boolean(true));
ModificationItem[] mods = new ModificationItem[] {
new ModificationItem(DirContext.REPLACE_ATTRIBUTE, (Attribute) newPcdAttr)};
pcmObj.modifyAttributes("", mods);
Apporach 2
String pcdLocation = "portal_content/MyRole/MyFolder";
//String pcdLocation = "portal_content/MyRole/MyIView";
IUser principalObj = this.getServiceUser("pcd_service");
Hashtable env = new Hashtable();
env.put(Context.SECURITY_PRINCIPAL, principalObj);
env.put(Context.INITIAL_CONTEXT_FACTORY, IPcdContext.PCD_INITIAL_CONTEXT_FACTORY);
env.put("com.sap.portal.jndi.requested_aspect", PcmConstants.ASPECT_ADMINISTRATION);
InitialContext initialContext = new InitialContext(env);
IAdminBase result = (IAdminBase) initialContext.lookup(pcdLocation);
IAttributeSet myIview = (IAttributeSet) result.getImplementation(IAdminBase.ATTRIBUTE_SET);
myIview.putAttribute(IAttriView.ATTRIBUTE_NAVINVISIBLE, "true");
myIview.save();
Any idea how to get NAVINVISIBLE - Attribute saved on a role-folder ?
tnx Johannes

Hi Johannes,
I guess you found a working alternative until now, but if not, you should try the other [modifyAttributes |http://help.sap.com/javadocs/NW04S/current/pc/com/sapportals/portal/pcd/gl/IPcdContext.html#modifyAttributes(java.lang.String,%20int,%20javax.naming.directory.Attributes] method on IPcdContext. Your code could look like this:
IPcdUtils factory = PcdAccess.getPcdUtils();
IPcdAttributes attributes = factory.createPcdAttributes();
IPcdAttribute navInvisibleAttribute =
     factory.createPcdAttribute(
          PcdAttributeValueType.BOOLEAN,
          IAttrPcmNavigation.ATTRIBUTE_NAVINVISIBLE);
navInvisibleAttribute.add(Boolean.TRUE);
pcdContext.modifyAttributes(
     StringUtils.EMPTY,
     IPcdContext.REPLACE_ATTRIBUTE,
     modifiedAttributes);
This works in my application, so I never tried working with ModificationItem again. Maybe the implementation is somehow insufficient, but I didn't investigate it further (time pressure kills us all). However, please notice that REPLACE_ATTRIBUTE will replace or create the attribute as specified in the DirContext. Hope that helps.
Best regards,
Fabian

Custom tag attribute named operation

          Hi,
          I ported a web application from WL6.1sp4 to WL7.0sp2 and expirienced a wired problem.
          All my JSP's did not compile anymore. I received a error message "no setter for
          attribute operation defined", although there was a a method setOperation in the
          current code and there were no code modifications at all.
          After replacing all attributes named operation with opmode the system worked fine
          again.
          Is there any restriction in naming your attributes in custom tags?
          Thanks for help
          Michael


          Me again,
          I checked again the parameters of the VM (Sun JDK 1.3.1_06) and tried the the
          different options of the HotSpot compiler. I found out that the problem I reported
          with the last posting can easily be reproduced if you run the VM in HotSpot-Classic
          mode.
          I suppose it is a bug in Sun's VM for Windows. Does somebody have similar expiriences?
          Michael
          "Michael" <[email protected]> wrote:
          >
          >Hi,
          >
          >I ported a web application from WL6.1sp4 to WL7.0sp2 and expirienced
          >a wired problem.
          >All my JSP's did not compile anymore. I received a error message "no
          >setter for
          >attribute operation defined", although there was a a method setOperation
          >in the
          >current code and there were no code modifications at all.
          >
          >After replacing all attributes named operation with opmode the system
          >worked fine
          >again.
          >
          >Is there any restriction in naming your attributes in custom tags?
          >
          >Thanks for help
          >Michael

Can we rename ABAP roles in GRC Process Control to adhere to naming convntn

Hello,
We are working on a new implementation of the GRC Process Control 2.5 product. It comes with 11 standard roles. I wanted to change the names to adhere to our company's role naming conventions. Will this adversely affect any functionality. I know that in PC, there is a additional level of security that is maintained thru the NWBC. How will that be affected? And is it typical to have a non-sap security team maintain the roles/user thru the NWBC and have SAP Security maintain the ABAP users/roles?
Thanks in advance.

Hi Arvind:
We copied the standard delivered ABAP roles to our namespace, made a few additional changes and are using them no problem. We also copied the NWBC roles to our namespace. We have the default roles as reference. We did this for consistency, but also because ABAP roles and App roles can change as the App roles did in SP04. This way we compare the app roles before and after a SP to make sure we agree with any role changes introduced to default roles. This way, we don't unknowingly introduce changes to our roles based on the changes SAP introduces to their roles at any given point.
As far as the tester role goes, it is at the Process level. If you aren't sure go into the app under User Access => Roles and their tasks like you will assign it and restrict the selection to "proces". You will see it is at the Process level. As far as the rest goes, you seem pretty well versed in the security guide so I'm sure you know this, but as long as the level of the role is equal to or greater than the task you can assign it. Ex: You can assign a control level task to a Corporate level role but not a Corporate level task to a control level role.
I hope this helps.
Matt

Roles and Attributes Maintenance

Dear all, I am a little lost in a current project on this topic. When using ERP 2005 and not using the Virsa Access Enforcer, how and where are roles and especially their attributes maintained?
Do customers create the roles including the attributes usually in a development system and transport it to the productive environment or how is this process handled.
Any information on this would be highly appreciated.
thanks,
Stefan

It's probably best if you start by reading that fine manual [User Administration and Identity Management in ABAP Systems|http://help.sap.com/saphelp_nw70/helpdata/en/fa/f63f4222fab16be10000000a155106/content.htm] which leads you to the detailed description of the [Authorization concept|http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm].

How to add/set attribute "collectiveParentRDN" in DSEE6.3.1 installation.

Hi,
I'm new to DSEE and I have a question ,
I have a code which
1. First it binds to LDAP server through a proxy user.
2. Authenticates a user
3. Gathers all the roles that a user is a member of.
It uses ,collectiveParentRDN as a DN attribute.
For e,g,in following line from the code:
userDN = attrs.get("collectiveParentRDN").get().toString();
But Im getting userDN as null as there is no attribute called collectiveParentRDN in the LDAP schema Im using.
However when I use entryDN instead, it works.
But I need to use collectiveParentRDN . and I'm not able to configure this attribute in the
When I try to add this attribute I get a constraint /schema violation error.
Can anyone please tell me how to add /set this attribute to DSEE6.3.1 LDAP server.?
Here is the complete code snippet:
import java.util.ArrayList;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class LDAPPrototype {
     public static final String LDAP_URL = "ldap://localhost:389";
     public static final String LDAP_LDAPSERVER_SEARCHBASE = "o=MyLDAP";
     public static final String SECURITY_AUTHENTICATION_METHOD = "simple";
     public static final String INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
     public static final String LDAP_USER_GROUP_ATTR = "nsRole";
     private static final String LDAP_USER_LOGIN = "dsingh1";
     private static final String LDAP_USER_PASSWORD = "password";
     // NOTE: Three new params for authenticating proxy.
     public static final String LDAP_PROXY_PROXYDN = "uid=will,ou=Blue,ou=People,o=MyLDAP";
     public static final String LDAP_PROXY_UID = "will";
     public static final String LDAP_PROXY_PASSWORD = "password";
     // NOTE: TWO new params to get users correct DN after search
     public static final String LDAP_USER_DN_ATTR = "collectiveParentRDN";
     public static final String LDAP_USER_CN_ATTR = "cn";
     public static void ldapAuthentication() {
          Hashtable env = new Hashtable();
          Hashtable cloneEnv = new Hashtable();
          DirContext ctx = null;
          String userDN = null;
          String userCN = null;
          String searchBase = null;
          try {
               env.put(Context.SECURITY_AUTHENTICATION,
                         SECURITY_AUTHENTICATION_METHOD);
               env.put(Context.INITIAL_CONTEXT_FACTORY, INITIAL_CONTEXT_FACTORY);
               env.put(Context.PROVIDER_URL, LDAP_URL);
               cloneEnv = new Hashtable(env);
               env.put(Context.SECURITY_PRINCIPAL, LDAP_PROXY_PROXYDN);
               env.put(Context.SECURITY_CREDENTIALS, LDAP_PROXY_PASSWORD);
               ctx = new InitialDirContext(env);
               System.out.println("Initial bind succesful");
               SearchControls searchCtls = new SearchControls();
               String[] returnedAtts = { LDAP_USER_DN_ATTR, LDAP_USER_CN_ATTR };
               searchCtls.setReturningAttributes(returnedAtts);
               searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
               String searchFilter = "(uid=" + LDAP_USER_LOGIN + ")";
               searchBase = LDAP_LDAPSERVER_SEARCHBASE;
               System.out.println("Checking for user !!!");
               NamingEnumeration answer = ctx.search(searchBase, searchFilter,
                         searchCtls);
               System.out.println("User search successful !!!");
               Attributes attrs = null;
               while (answer.hasMore()) {
                    System.out.println("Searching for user attrributes!!!");
                    // Print all the user attributes
                    SearchResult sr = (SearchResult) answer.next();
                    attrs = sr.getAttributes();
                    System.out.println("Num of attributes = " + attrs.size());
                    // NamingEnumeration attrKeys = attrs.getIDs();
                    // while (attrKeys.hasMore()) {
                    // String at = attrKeys.next().toString();
                    // System.out.println("Key = " + at + ", value = " +
                    // attrs.get(at).get());
                    if (attrs.get(LDAP_USER_DN_ATTR) != null) {
                         System.out.println("User DN found for user: "
                                   + LDAP_USER_LOGIN);
                         userDN = attrs.get("collectiveParentRDN").get().toString();
                         System.out.println("User DN = " + userDN);
                    if (attrs.get(LDAP_USER_CN_ATTR) != null) {
                         System.out.println("User CN found for user: "
                                   + LDAP_USER_LOGIN);
                         userCN = attrs.get(LDAP_USER_CN_ATTR).get().toString();
                         System.out.println("User CN = " + userCN);
                    if ((userDN != null) && (userCN != null)) {
                         break;
               userDN = LDAP_USER_CN_ATTR + "=" + userCN + "," + userDN;
               System.out.println("Modified user DN = " + userDN);
               cloneEnv.put(Context.SECURITY_PRINCIPAL, userDN);
               cloneEnv.put(Context.SECURITY_CREDENTIALS, LDAP_USER_PASSWORD);
               System.out.println("Authenticating user : " + userDN);
               ctx = new InitialDirContext(cloneEnv);
               System.out.println("Authenticated user : " + userDN);
               System.out.println("Get user groups !!!");
               String[] returnedGroups = { LDAP_USER_GROUP_ATTR };
               searchCtls.setReturningAttributes(returnedGroups);
               NamingEnumeration groups = ctx.search(searchBase, searchFilter,
                         searchCtls);
               ArrayList<String> groupList = new ArrayList<String>();
               while (groups.hasMore()) {
                    // Print all the user attributes
                    SearchResult sr = (SearchResult) groups.next();
                    attrs = sr.getAttributes();
                    if (attrs.get(LDAP_USER_GROUP_ATTR) != null) {
                         System.out.println("Num of groups found = " + attrs.size());
                         String groupName = attrs.get(LDAP_USER_GROUP_ATTR).get()
                                   .toString();
                         groupList.add(groupName);
                         System.out.println("Group found = " + groupName);
          } catch (Exception e) {
               System.out.println(e);
               e.printStackTrace();
     public static void main(String[] args) {
          ldapAuthentication();
}Thanks in Advance.
Rahul

You are right, that attribute is not in the schema.
I think perhaps that could be the reason I'm getting an schema violation error when I'm trying to add it.
Can you please tell me how do I add any new attribute to the schema ?
Thanks in advance
Rahul.

OIM 11gR1 : Parallel approval for role assignment.

Hi,
I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
Also, Is it possible to assign a Role instead of the users in the custom attributes ?
Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
Will appreciate pointers to the online docs, I've search and didn't find information related to the usecase I've described.
Thanks,
Meni,

Bikash Bagaria wrote:
Meni wrote:
Hi,
I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.Try modifying the dataset. But I think there was an issue which someone reported here which said that you cannot add additional attributes to the role dataset. Logically it makes sense because there is no custom attribute for role in OIM so dataset should not allow it either.
I've noticed that the design console allows adding custom attributes to roles.
This can be done via Administration --> User Defined Field Definitions --> UGP (Table name).
Once a field is added, you'll need to choose "Properties" and add a "Visible Field = true" prop to the attribute chosen.
This will add a custom attributes section where your attributes will be shown.
Question is how you can add a "search users" lookup instead of plain string for this custom attribute,
and how those attributes will find their ways into the BPEL composite where business decisions based on those attributes may be taken (assign task per this attribute for an example).
Also, Is it possible to assign a Role instead of the users in the custom attributes ?
Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".You can create request for multiple roles in a single request and in your approval process you need to dynamically set the human task assignee based on the role selected. You also need to attach the approval process to orchestration level so that it generates a separate child request for each role selected.
I'm not sure I understand how the proposed approach helps avoid the decoupling of users to role admins attribute.
The intention was to have two roles, "Role_A" and "Role_A_Approver" where people that belong to "Role_A_Approver" will be assigned workflow tasks whenever Role_A is to be granted to end-users.
Currently, each role has a "Role Admin" attribute, this attribute however holds a user and not a container of users (role)..
Will appreciate pointers to the online docs, I've search and didn't find information related to the usecase I've described.
All about requests
Thanks,
Meni,-Bikash

Get iViews from Role

Hi
I want to find out on which page a specific iViews is used, that means, where in the (user specific) navigation the iView will be displayed.
When I traverse the navigation nodes, I get with getName() something like "ROLES://portal_content/folder/page". The problem is, I don't know which iViews lie on that page. How can I get them?
When I find a role (IPortalRole object) in the PCD, I don't know what to do with it - is has no method I can use to get access to its content. Is there any way to do so?
Thank you!
Tobias

Hi Tobias,
In your posts there seems 2 things you want to do:
(1) Find objects in a role.
The objects are just subcontexts within the role context, so you can do something like this:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, Context.PCD_INITIAL_CONTEXT_FACTORY);
env.put(Context.SECURITY_PRINCIPAL, request.getUser());
env.put(Constants.REQUESTED_ASPECT, IPcdAttribute.PERSISTENCY_ASPECT);
InitialContext iCtx = null;
try {
iCtx = new InitialContext(env);
IPcdContext myPcdContext = (IPcdContext) iCtx.lookup("");
javax.naming.NamingEnumeration myEnum = myPcdContext.search("portal_content/DanielContent/DanRole",null);
This returns an enumeration of javax.naming.SearchResult objects, which are the worksets, pages and iViews in the role. You would have to continue to traverse the PCD tree -- that is, do a search of each of these objects to get all the pages and iViews inside these.
(2) Find all objects based on a specific portal component. You could do a similar thing by searching but with attribute filters, something like this:
javax.naming.directory.Attributes myAttrs = new javax.naming.directory.BasicAttributes();
myAttrs.put("com.sap.portal.private.iview.PropertiesUrl","pcd:com.sap.portal.system/applications/HelloWorldProject/components/HelloWorld");
myEnum = myPcdContext.search("portal_content",myAttrs);
The first problem with this is that it only searches the current level. There are other standard JNDI search methods that allow you to specify that you want to search all subnodes, but I have not been able to get it to work for PCD.
The second problem is that I cannot search on CodeLink (which is a PCM attribute) -- I can only search on PCD attributes. So I searched on com.sap.portal.private.iview.PropertiesUrl, but I am not sure this is reliable.
Daniel

Finding participants of an existing role

Hi,
I've got an attribute of a BPM Object, its valid values are generated by a dynamic method
in this method, I've typed:
supList as String[]
supRole as Role
supRole = Role("Supervisor")
partList as Participant[]
partList = supRole.participants
for each p in partList
do
     supList[] = p.id
end
return supList
I've got a role named "Supervisor" and I want this attribute to list all of its participants
when I run it, I've got errors like this:
The task could not be successfully executed. Reason: 'java.lang.IllegalStateException: The component must be invoked on a server-side method.'.
[Error code: workspace-1263359260131
When I debug the method, I found that after code
“    supRole = Role("Supervisor")    ”
was executed, several attributes of "supRole" are null, like roleinterface, paticipants_d...
Is there any error in my code

Hi,
Apart from the error you a getting (Ruben has already posted how to solve it) I want to add an additional comment.
The method getParticipants of the Role object (partList = supRole.participants) is deprecated since it doesn't return all the participants that has that role, it returns all the participants that were loaded into memory that have that role.
In other words, in studio or in small organizations (a very common scenario in development environments) there isn't any issue, but if then you try to deploy your process in a big organization (the typical case is when the engine uses the organization LDAP) you will probably get an incomplete result.
If you asked me if there is another way to get that information, I would say "yes, but it is a very very expensive operation that you have to implement yourself".
I know some customer cases that tried to implement that function (just to display a combo box to user) and they finally had very serious performance issues.
So, my suggestion is try to think in the use case to see if you can implement it without that information.
Hope this helps,
Ariel

Integrate IdM roles with Sun Access Manager roles

Hi all,
I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
What are the important differences between static and dynamic roles in AM?
Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
Thanks.

I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
About directory server roles:
http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
Forum thread reference:
http://forums.sun.com/thread.jspa?threadID=5208694
Here are roughly the steps I followed to get this working.
Access Manager roles setup:
1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
Identity Manager roles setup:
1. Create a new role in Identity Manager: tab Roles, click New....
2. Assign the LDAP resource to synchronize the role with.
3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
* In the column Value override, select Text.
* In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
* In the text box, enter the role DN text (ex: cn=test_role,dc=com).
5. Save the role. You can now add the role to a user.

Role naming PK attributes

Similar Messages

Maybe you are looking for