Role within a role, separate permissions
Hi there
I have a role, HR, which must appear in the top level navigation. That is simple to do ... create the role, add iviews etc., mark as entry point and assign users to the role ... displays nicely.
Now, as part of the HR section, we would like another section, namely Payroll, which is only accessible to certain people.
I can create a new role, called Payroll, and assign certain users to that role.
I then add the Payroll role to the HR Role ... Payroll now appears in the detailed navigation as required, but all users have access to the iviews within the Payroll role, which is not what we want.
If I mark the Payroll role as an entry point, then it only appears in the top level navigation for users who have been assigned to the role.
This makes me think I have the permissions configured correctly.
What do I need to do to make detailed navigation rely on the role permissions? It would appear the permissions are being "inherited" from the parent Role, which is not what I want.
Is there a way to get a role within a role to keep its permissions and ignore the parent permissions?
Can I do this in the detailed navigation, or should I be trying something else?
Should this perhaps be done at a workset level instead?
Any help would be greatly appreciated (and no doubt points awarded)
Thanks Marty
I had forgotten about Merging, and that seems to have gotten me most of the way.
I can successfully merge, and the new item only appears for the relevant users, but it merges quite high.
I would like the merging to happen in the detailed navigation, but I can't seem to get this right.
At the moment, I have 2 worksets, namely Home and Payroll. I set the merge properties on these 2 worksets. Home workset is then assigned to the HR Workbench role. When I log in as a user who has access to the Payroll role, then I see the HR Workbench role, and in the second level navigation, I see Home and Payroll (worksets).
What I would like, is to have the Payroll workset appearing in the detailed navigation.
I have tried merging on the folders in the Home workset, but still don't see anything in the detailed navigation.
Do you know if it is possible to merge in the detailed navigation, or only top level navigation?
Thanks for the answer ... I will reward points now
Similar Messages
-
Nesting Roles within Roles, is it used in practice ?
Can the Oracle DBA community comment on the practice of nesting one or more roles within another role. Said another way, the concept of creating a "super-group" role and assigning "sub-group" roles beneath them.
1. Is this considered to be good or bad practice?
2. Would you consider this easy to maintain and report on, and would you consider this to be effective for security and administration of security policies?
3. Are there known issues (technical, performance, security, bugs, other) when nesting roles within another "super-group" role for Oracle 8i, 9i, 10g?
I would certainly consider it good practice if your organization is structured such that the role hierarchy makes sense. If your organizational structure doesn't support this kind of hierarchy, though, it is probably a bad idea.
If you have just a few types of users for your system-- a couple of developers, some reporting users, and a DBA or two-- having three distinct roles makes more sense to me than would giving developers the reporting user role plus access to a bunch of stored procedures. If you have more fine-grained job roles, however, it would make sense to nest roles-- a senior developer role might have the developer role plus some additional privileges to enable tracing or to do some "Jr DBA" tasks like creating a new reporting user.
It seems easiest to me to match your privilege management to your organization and application structure-- if there are roles whose function is logically "all the responsibilities of another role plus some additional responsibilities", nest your roles. Otherwise, I would keep them separate. If you start nesting things too deeply, and you start getting down to object-level permissions, I would consider moving to something like fine-grained access control (FGAC).
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC -
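The nesting described in the answer above, written out as an added example (not code from the original post). The role names follow the answer's developer / senior developer illustration; the user ALICE and the specific privileges chosen are assumptions. The two queries address the reporting question by walking DBA_ROLE_PRIVS from the user down through every nested role.

```sql
-- Constructed example: roles named after the answer's illustration.
CREATE ROLE developer;
CREATE ROLE senior_developer;

-- Base role: what every developer needs (privileges chosen for illustration).
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO developer;

-- Nested role: "all the responsibilities of another role plus some more".
GRANT developer     TO senior_developer;
GRANT ALTER SESSION TO senior_developer;  -- e.g. to enable SQL trace
GRANT CREATE USER   TO senior_developer;  -- "Jr DBA" task: new reporting user

-- ALICE is a hypothetical, already existing user.
GRANT senior_developer TO alice;

-- Report 1: the role tree for one user, indented by nesting depth.
-- Rows at LEVEL 1 are direct grants; deeper levels are reached only
-- through another role and are easy to miss in a flat listing.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS role_tree,
       LEVEL                                      AS depth
FROM   dba_role_privs
START  WITH grantee = 'ALICE'
CONNECT BY PRIOR granted_role = grantee;

-- Report 2: every system privilege the user reaches through that tree,
-- with the role that actually carries it.
SELECT sp.grantee AS via_role,
       sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.grantee IN (
         SELECT granted_role
         FROM   dba_role_privs
         START  WITH grantee = 'ALICE'
         CONNECT BY PRIOR granted_role = grantee
       )
ORDER  BY sp.grantee, sp.privilege;

-- Run as ALICE: roles currently enabled in the session, nested ones included.
SELECT role FROM session_roles ORDER BY role;
```

Each nested role is enabled along with its parent and appears in SESSION_ROLES, which is why deep hierarchies are worth reviewing with a report like the first query.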
How to fetch iView Properties within a Role?
Hi,
I have Role-A. The PCD path of this role is known. With this information, programmatically I should be able to fetch a few properties of all the iViews within this Role. An iView can be at any level within this Role-A (like RoleA-Workset-Page-iView or Role-Page-iView). Is it possible to fetch the properties dynamically? Do we have APIs to do this? Any help is much appreciated.
Regards,
Nag.
A good starting point is this:
Browse Roles, Folders, Pages & iViews assigned to a user: EP6 SP2
Once you get the iView object it's not difficult to get the properties.
Thanks
Prashant -
Cannot trace the transaction code within a role
Hello All,
We, in our project, are trying to trace the various transaction codes assigned to each of the roles.
I have an issue tracing the transaction code FB60. When I searched in SUIM for transaction codes within the role, I could see FB60 listed in the results.
But when I go to the role through PFCG and look in the menu tab, I cannot find the transaction code there.
What went wrong here? Now I want to remove the transaction code from the role so that next time when I use SUIM it won't be listed in the results.
Kindly advise.
Regards,
Brahmeshwar Poloju
HERE IS THE OUTPUT.
OBJECT AUTH VARIANT FIELD LOW HIGH
S_TCODE T-DC84003900 TCD SCPE*
S_TCODE T-DC84003900 TCD SDD1* SE03
S_TCODE T-DC84003900 TCD SE07 SE16N
S_TCODE T-DC84003900 TCD SE17 SECQ*
S_TCODE T-DC84003900 TCD SEEF* SI24_12
S_TCODE T-DC84003900 TCD SI2414 SIBU
S_TCODE T-DC84003900 TCD SIC_* SLAT
S_TCODE T-DC84003900 TCD SLG0 SLIB_*
S_TCODE T-DC84003900 TCD SLIN SLXT
S_TCODE T-DC84003900 TCD SM30
S_TCODE T-DC84003900 TCD SM31 SM37
S_TCODE T-DC84003900 TCD SM50
S_TCODE T-DC84003900 TCD SM51
S_TCODE T-DC84003900 TCD SMAR* SMEZ
S_TCODE T-DC84003900 TCD SMTH* SNLS
S_TCODE T-DC84003900 TCD SNRO SO99
S_TCODE T-DC84003900 TCD SOACARRY* SOTR*
S_TCODE T-DC84003900 TCD SP02
S_TCODE T-DC84003900 TCD SCUS* SDCA*
S_TCODE T-DC84003900 TCD /* DA_*
S_TCODE T-DC84003900 TCD DC* PFCF*
S_TCODE T-DC84003900 TCD PFD* RYZ*
S_TCODE T-DC84003900 TCD RZZ* SAIM*
S_TCODE T-DC84003900 TCD SAIO* SAK*
S_TCODE T-DC84003900 TCD SAM* SAPTE*
S_TCODE T-DC84003900 TCD SARJZ* SARTN*
S_TCODE T-DC84003900 TCD SASAPCATT SBEA
S_TCODE T-DC84003900 TCD SBI* SC2_*
S_TCODE T-DC84003900 TCD SCA* SCBZ*
S_TCODE T-DC84003900 TCD SCDO SCI*
S_TCODE T-DC84003900 TCD SCTS* SCU3
S_TCODE T-DC84003900 TCD SWF_TR* SYNT
S_TCODE T-DC84003900 TCD SZG* TRBS
S_TCODE T-DC84003900 TCD TRCM* UR_M*
S_TCODE T-DC84003900 TCD USRM* _Z*
S_TCODE T-DC84003900 TCD SWF_CN* SWF_RE
S_TCODE T-DC84003900 TCD SPEC* SPERS*
S_TCODE T-DC84003900 TCD SPP* SPROJE
S_TCODE T-DC84003900 TCD SQ00 SRT*
S_TCODE T-DC84003900 TCD SSC SSDZ*
S_TCODE T-DC84003900 TCD SST0 ST05*
S_TCODE T-DC84003900 TCD ST14 ST62
S_TCODE T-DC84003900 TCD STCU STKZ*
S_TCODE T-DC84003900 TCD SV* SWF_BA
S_TCODE T-DC84003900 TCD SURAD SURVEY
S_TCODE T-DC84003900 TCD SU50 SU52
S_TCODE T-DC84003900 TCD SU3
S_TCODE T-DC84003900 TCD SU2
S_TCODE T-DC84003900 TCD SU0
S_TCODE T-DC84003900 TCD STS* STYLE*
Regards -
Segregate access to Plant within same role (Organisation level)
Hi
I don't seem to find out whether it is possible to segregate the access to plants in the same role
I have a role which gives Full Access to all plants. One of them now is being closed down therefore needs to be locked down for changes and can only be given with display
We have about 150 roles like this so the option of creating a new role to display that specific plant is not an auspicable...
How can I do so?
Thanks for any hint!
Nadia
Segregating the access within a role itself doesn't seem to be feasible.
If you want to restrict access to that plant, you need to update the roles to exclude that plant value
and setup a display role for that plant value.
Regards,
Zaheer -
Easy Question: How to identify user roles within form?
Hi folks,
I would like to display/hide button which calls static data maintenance form (from other form) based on current user roles.
If user has role "STATIC_DATA" granted then DISPLAY button (which calls static data form), else DO NOT DISPLAY it.
Any example, how to get user roles within form?
Thanks,
Tomas
I can do it with below code:
    declare
      l_cnt number;
    begin
      -- user_role_privs lists the roles granted to the current user
      select count(*)
        into l_cnt
        from user_role_privs
       where granted_role = 'STATIC_DATA';
      if l_cnt > 0 then
        null; -- display it
      else
        null; -- do not display
      end if;
    end;
I think, above should work.
Thanks,
Tomas -
Hi,
I have a room which should be accessible to all users. So I am thinking of assigning it to a role which a user can access easily. I did this by using a URL iView, but the problem is that within that role the masthead and all the roles are displayed once again. I want only the room content to be displayed in that role. Can anybody tell me how to go about this?
Regards
Vineeth
Hi Vineeth,
Almost right. You have to modify the PCD ID in order to call the object via URL.
You should replace the colon by "!3a" and each slash by "!2f".
Example
PCD ID:
pcd:portal_content/FolderA/com.sap.iview
Modified PCD-ID:
pcd!3aportal_content!2fFolderA!2fcom.sap.iview
URL prefix:
http://<portalserver>:<port>/irj/servlet/prt/portal/prtroot/
Final URL -> check with new browser instance:
http://<portalserver>:<port>/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fFolderA!2fcom.sap.iview
In earlier versions of NW you could get this URL by clicking on the preview button of an iview... And be sure to have the right security settings to execute an iView in this way.
Hope this helps.
Stefan -
Same user different roles within different organizations
Hello All,
We have requirement where Same user has to have different roles within different organizations.
What will be the solution to handle this situation using SUN IDM ?
Any inputs are greatly appreciated.
Thanks,
Akeel
Let me simplify this,
We have requirement where a user can work for different organizations , which can be achieved in SIM using membership rules.
Say a user works for two organizations Say Org1 and Org2.
The user can have different roles in these 2 different organizations. For example user can have Role1 in Org1 and Role2 in Org2.
Role1 and Role2 both are available for assignment for respective admins of both Org1 and Org2.
Suppose Admin of Org1 assigns the user Role1; and admin of Org2 assigns the user Role2.
Now waveset.roles will have Role1 and Role2, but it can not tell the user has which role in which organization.
How do I specify the relationship between the role and organization? The number of organizations is very large, 70000+, and the number of identified roles is around 51.
I don't think this can be implemented in Sun Identity Manager. Has anybody done this? Any inputs are highly appreciated.
Regards,
Akeel -
How to map Application Roles to Enterprise Roles
Hello,
I am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if I do not have it??
Can I map the roles in WebLogic Server itself? I have searched for such an ability and did not find it. I also have not seen any tutorial on the internet. Someone help me pls.
The version I am using is 12.1.2.0.0.
Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
See : Managing Security Across Portals for more info :
http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
First, You can grant privileges to a specified group (say sales group) of users by granting Enterprise Roles in Enterprise LDAP.
Next, Create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc) and assign the appropriate permissions as explained above.
Then, You can assign one or more Application Roles to a specified group (say sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> users & Groups
I hope it helps. -
How to restrict selected Role under a Role???
Hi Friends,
I have 3 roles, which are Role-1, Role-2, Role-3.
Role-2 & Role-3 are Under/Part of Role-1.
Now, I have assigned Role-1 to a user. By doing this, when he logs in he is able to see Role-2 and Role-3 also, even though we haven't assigned Role-2 & 3.
Now my question is, how to restrict a role under a role. For example, I don't want to show Role-3.
When I checked the user roles assigned, I see only Role-1 but not the 2 other roles.
Could anyone advise on how to make unwanted role in role. Assuming no one is going to be assigned directly to Role-2 & Role-3. They are assigned only Role-1.
Thanks for your time!!
Thanks,
Raghavendra.P
Hi Praveen,
Thanks for the important/useful information. What I really don't understand is, in spite of giving the properties to each role/workset, how do we call the appropriate one under the role. For example:
If we have Role-2 with property dept=sd,
and Role-3 with property dept=xi, etc.
Now I have Role-1, within which I have Role-2 and Role-3.
Now, if I want to see only roles with dept=xi then where should I mention it and what should I mention.
I understood up to creating the properties, assigning the properties to roles/worksets, and giving values to properties.
The only thing I don't understand is how to activate the one we want in the scenario.
Thanks for your time..!!!
Thanks,
Raghavendra Pothula -
Mapping security roles to other roles
I found the security newsgroup and posted the question there under the same topic. Kindly respond there.
Message was edited by:
jheinone
Hi Sebastian,
yes, it is possible to do such mapping. And here is how it works:
1. Define security roles in the ejb-jar.xml within the <security-role> tag. For example:
    <security-role>
      <role-name>test</role-name>
    </security-role>
2. Then you map those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
    <security-permission>
      <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
      </security-role-map>
    </security-permission>
The myUMErole must be defined in the UME!
Does this answer your question? -
Scaling of VM Roles and Worker Roles, why divide by total?
I am trying to tweak with the auto-scale settings and it is my understanding that the CPU load is divided among the total number of instances within the Role.
I get this in concept.
However, what I am seeing is that if I have two instances in my availability group, and I have one instance running. That if I set the CPU load slider too high, my new instance never turns on / provisions.
It is as if the calculation is always averaging among the total possible - therefore if one is at 100% CPU, then that equates to 50% CPU. And if my slider is set to 60%, my second VM never turns on. (I left it running all night this way once to see).
Where what I think the slider should mean is that I never want a single instance to go beyond 60% utilization, if it does then give me another instance.
Am I following this properly?
Since I only have the scaling metric of CPU (since I don't have a Service Bus queue) I have to use it wisely and make sure that it reacts when appropriate - and in my case I might want it to scale out at 40% to ensure that there is no negative user experience.
And right now, I am not seeing that I can make that happen.
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.
hi
Autoscaling per CPU is compared with the average CPU usage of all instances of the role.
So if you set the bottom bar to 20% and have 2 instances running there with CPU usage 37% and 4%, Azure fabric will autoscale it to 3 instances, because average CPU is 20.5% and beyond the bottom bar.
Actually, autoscaling based on CPU works as below:
All instances are included when calculating the average percentage of CPU usage and the average is based on use over the previous hour. Depending on the number of instances that your application is using, it can take longer than the specified wait time for the scale action to occur if the wait time is set very low.
As a result, if you have an app that is at 0% load, and then start running a load test to make it go to 100% (and have a scale-up target of 80%) it will take at least 45 minutes before the scale action will start. However, this is not a typical real-world scenario. It's more likely that your load is already high (say 75%). In this scenario, it would take much less time to trigger the scale action.
One of the reasons that we do an hourly average is, with the current platform, it's impossible to get metrics from Virtual Machines or Cloud Services under a 15 minute latency.
So, if we scaled based just on the last 5 or 10 minutes, we would never have data to scale on. You can see this in the screenshot below, it was taken around 5:30, but the most recent data point is at 5:15.
In the future, the Azure platform is looking at ways to speed up metric collection, but this is likely not coming for quite some time. As a result, the best we can do is a rolling average over a larger time window.
Let me know if there is any question.
best regards
Jian -
Creating Single Role from Many Roles
Hi,
Can we create a single role (not composite) from many roles?? i.e. all the authorisations of n roles being copied into a single new role??
You can create a composite role in PFCG and just include the other roles within it. But there is no functionality to merge roles into one another.
If you need more detail, then I suggest you ask your question in the Security Forum.
Hope that helps.
J. Haynes
Denver CO US -
Funktion Roles and Value Roles
Hello,
I read in an SAP Press book something about function roles and value roles.
Can someone explain to me how this works.
kind regards,
Bernhard
I would suggest taking preventative legal action against anyone who even mentions "functional and value" roles - particularly if they give the impression that transaction codes, activities and org-levels can be built in separate roles - because when the concept goes downhill (which it will!) then they will unlikely be around to clean up the mess nor take responsibility for it.
Rather steer well clear of this type of concept.
Cheers,
Julius -
Max enabled Roles and sub-roles
Is it possible to split the max enabled roles and the sub- for a given user: I have specified 60 as max enabled roles,
The user in question is assigned to some user groups where there is a large number of sub-roles. If I increase the max_enabled_roles in the initxxx.ora to a figure which would permit the roles and subroles to work, it makes the max enabled roles quite large, several hundred, which affects database performance.
I thought of splitting the user into several accounts, defined by user group, but I fear the user will not remember what he has been assigned to.
Any suggestions (apart from throwing the user out of the window)?
Is there a method in which I can split sub roles?
Thanks
Option 1 - Rationalize and reconstruct your current role plan. We did this here, and cut the number of roles we were using in half.
Option 2 - Use programming to enable only the required roles (set default role), for the application/form/report that is currently being run by the user.