Role within a role, separate permissions

Hi there
I have a role, HR, which must appear in the top level navigation. That is simple to do ... create the role, add iviews etc., mark as entry point and assign users to the role ... displays nicely.
Now, as part of the HR section, we would like another section, namely Payroll, which is only accessible to certain people.
I can create a new role, called Payroll, and assign certain users to that role.
I then add the Payroll role to the HR Role ... Payroll now appears in the detailed navigation as required, but all users have access to the iviews within the Payroll role, which is not what we want.
If I mark the Payroll role as an entry point, then it only appears in the top level navigation for users who have been assigned to the role.
This makes me think I have the permissions configured correctly.
What do I need to do to make detailed navigation rely on the role permissions? It would appear the permissions are being "inherited" from the parent Role, which is not what I want.
Is there a way to get a role within a role to keep its permissions and ignore the parent permissions?
Can I do this in the detailed navigation, or should I be trying something else?
Should this perhaps be done at a workset level instead?
Any help would be greatly appreciated (and no doubt points awarded)

Thanks Marty
I had forgotten about Merging, and that seems to have gotten me most of the way.
I can successfully merge, and the new item only appears for the relevant users, but it merges quite high.
I would like the merging to happen in the detailed navigation, but I can't seem to get this right.
At the moment, I have 2 worksets, namely Home and Payroll. I set the merge properties on these 2 worksets. Home workset is then assigned to the HR Workbench role. When I log in as a user who has access to the Payroll role, then I see the HR Workbench role, and in the second level navigation, I see Home and Payroll (worksets).
What I would like, is to have the Payroll workset appearing in the detailed navigation.
I have tried merging on the folders in the Home workset, but still don't see anything in the detailed navigation.
Do you know if it is possible to merge in the detailed navigation, or only top level navigation?
Thanks for the answer ... I will reward points now

Similar Messages

  • Nesting Roles within Roles, is it used in practice ?

    Can the Oracle DBA community comment on the practice of nesting one or more roles within another role? Said another way, the concept of creating a "super-group" role and assigning "sub-group" roles beneath it.
    1. Is this considered to be good or bad practice?
    2. Would you consider this easy to maintain and report on? Would you consider this to be effective for security and administration of security policies?
    3. Are there known issues (technical, performance, security, bugs, other) when nesting roles within another "super-group" role for Oracle 8i, 9i, 10g?

    I would certainly consider it good practice if your organization is structured such that the role hierarchy makes sense. If your organizational structure doesn't support this kind of hierarchy, though, it is probably a bad idea.
    If you have just a few types of users for your system-- a couple of developers, some reporting users, and a DBA or two-- having three distinct roles makes more sense to me than would giving developers the reporting user role plus access to a bunch of stored procedures. If you have more fine-grained job roles, however, it would make sense to nest roles-- a senior developer role might have the developer role plus some additional privileges to enable tracing or to do some "Jr DBA" tasks like creating a new reporting user.
    It seems easiest to me to match your privilege management to your organization and application structure-- if there are roles whose function is logically "all the responsibilities of another role plus some additional responsibilities", nest your roles. Otherwise, I would keep them separate. If you start nesting things too deeply, and you start getting down to object-level permissions, I would consider moving to something like fine-grained access control (FGAC).
    Justin
    Distributed Database Consulting, Inc.
    http://www.ddbcinc.com/askDDBC
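
For question 2 above (reporting on nested roles), an added example that is not part of the original thread: hierarchical queries over the data dictionary that expand every role a user reaches through nesting, and the privileges that arrive that way. APP_USER is a placeholder account name; the queries assume Oracle 9i or later (SYS_CONNECT_BY_PATH, ORDER SIBLINGS BY) and SELECT access to the DBA_ views.

```sql
-- Added example; APP_USER is a placeholder, not a name from the thread.
-- Dictionary names are stored in upper case unless the account was quoted.
-- DBA_ROLE_PRIVS holds one row per grant: GRANTEE (a user or a role)
-- received GRANTED_ROLE. Walking GRANTED_ROLE -> GRANTEE expands the nesting.

-- 1. Role tree: every role the user holds, directly or through another role.
SELECT LEVEL                                      AS depth,
       LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS role_tree,
       SYS_CONNECT_BY_PATH(granted_role, ' > ')   AS grant_path,
       admin_option
FROM   dba_role_privs
START WITH grantee = 'APP_USER'
CONNECT BY PRIOR granted_role = grantee
ORDER SIBLINGS BY granted_role;

-- 2. Object privileges that reach the user through those roles,
--    together with the role that carries each one.
SELECT tp.grantee AS via_role,
       tp.owner,
       tp.table_name,
       tp.privilege
FROM   dba_tab_privs tp
WHERE  tp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START WITH grantee = 'APP_USER'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER BY tp.owner, tp.table_name, tp.privilege, tp.grantee;

-- 3. System privileges that reach the user the same way.
SELECT sp.grantee AS via_role,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START WITH grantee = 'APP_USER'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER BY sp.privilege, sp.grantee;
```

A privilege that shows up under more than one via_role in queries 2 and 3 stays in effect until it is revoked from every one of those roles.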

  • How to fetch iView Properties within a Role?

    Hi,
        I have Role-A. The PCD path of this role is known. With this information, I should be able to programmatically fetch a few properties of all the iViews within this role. An iView can be at any level within Role-A (like RoleA-Workset-Page-iView or Role-Page-iView). Is it possible to fetch the properties dynamically? Do we have APIs to do this? Any help is much appreciated.
    Regards,
    Nag.

    A Good starting point is this:
    Browse Roles, Folders, Pages & iViews assigned to a user: EP6 SP2
    Once you get the iView object it's not difficult to get the properties.
    Thanks
    Prashant

  • Cannot trace the transaction code within a role

    Hello All,
    In our project, we are trying to trace the various transaction codes assigned to each of the roles.
    I have an issue tracing the transaction code FB60. When I searched in SUIM for transaction codes within the role, I could see FB60 listed in the results.
    But when I go to the role through PFCG and look in the menu tab, I cannot find the transaction code there.
    What went wrong here? Now I want to remove the transaction code from the role so that the next time I use SUIM it won't be listed in the results.
    Kindly advise.
    Regards,
    Brahmeshwar Poloju

    HERE IS THE OUTPUT.
    OBJECT     AUTH         VARIANT FIELD      LOW                                      HIGH
    S_TCODE    T-DC84003900         TCD        SCPE*
    S_TCODE    T-DC84003900         TCD        SDD1*                                    SE03
    S_TCODE    T-DC84003900         TCD        SE07                                     SE16N
    S_TCODE    T-DC84003900         TCD        SE17                                     SECQ*
    S_TCODE    T-DC84003900         TCD        SEEF*                                    SI24_12
    S_TCODE    T-DC84003900         TCD        SI2414                                   SIBU
    S_TCODE    T-DC84003900         TCD        SIC_*                                    SLAT
    S_TCODE    T-DC84003900         TCD        SLG0                                     SLIB_*
    S_TCODE    T-DC84003900         TCD        SLIN                                     SLXT
    S_TCODE    T-DC84003900         TCD        SM30
    S_TCODE    T-DC84003900         TCD        SM31                                     SM37
    S_TCODE    T-DC84003900         TCD        SM50
    S_TCODE    T-DC84003900         TCD        SM51
    S_TCODE    T-DC84003900         TCD        SMAR*                                    SMEZ
    S_TCODE    T-DC84003900         TCD        SMTH*                                    SNLS
    S_TCODE    T-DC84003900         TCD        SNRO                                     SO99
    S_TCODE    T-DC84003900         TCD        SOACARRY*                                SOTR*
    S_TCODE    T-DC84003900         TCD        SP02
    S_TCODE    T-DC84003900         TCD        SCUS*                                    SDCA*
    S_TCODE    T-DC84003900         TCD        /*                                       DA_*
    S_TCODE    T-DC84003900         TCD        DC*                                      PFCF*
    S_TCODE    T-DC84003900         TCD        PFD*                                     RYZ*
    S_TCODE    T-DC84003900         TCD        RZZ*                                     SAIM*
    S_TCODE    T-DC84003900         TCD        SAIO*                                    SAK*
    S_TCODE    T-DC84003900         TCD        SAM*                                     SAPTE*
    S_TCODE    T-DC84003900         TCD        SARJZ*                                   SARTN*
    S_TCODE    T-DC84003900         TCD        SASAPCATT                                SBEA
    S_TCODE    T-DC84003900         TCD        SBI*                                     SC2_*
    S_TCODE    T-DC84003900         TCD        SCA*                                     SCBZ*
    S_TCODE    T-DC84003900         TCD        SCDO                                     SCI*
    S_TCODE    T-DC84003900         TCD        SCTS*                                    SCU3
    S_TCODE    T-DC84003900         TCD        SWF_TR*                                  SYNT
    S_TCODE    T-DC84003900         TCD        SZG*                                     TRBS
    S_TCODE    T-DC84003900         TCD        TRCM*                                    UR_M*
    S_TCODE    T-DC84003900         TCD        USRM*                                    _Z*
    S_TCODE    T-DC84003900         TCD        SWF_CN*                                  SWF_RE
    S_TCODE    T-DC84003900         TCD        SPEC*                                    SPERS*
    S_TCODE    T-DC84003900         TCD        SPP*                                     SPROJE
    S_TCODE    T-DC84003900         TCD        SQ00                                     SRT*
    S_TCODE    T-DC84003900         TCD        SSC                                      SSDZ*
    S_TCODE    T-DC84003900         TCD        SST0                                     ST05*
    S_TCODE    T-DC84003900         TCD        ST14                                     ST62
    S_TCODE    T-DC84003900         TCD        STCU                                     STKZ*
    S_TCODE    T-DC84003900         TCD        SV*                                      SWF_BA
    S_TCODE    T-DC84003900         TCD        SURAD                                    SURVEY
    S_TCODE    T-DC84003900         TCD        SU50                                     SU52
    S_TCODE    T-DC84003900         TCD        SU3
    S_TCODE    T-DC84003900         TCD        SU2
    S_TCODE    T-DC84003900         TCD        SU0
    S_TCODE    T-DC84003900         TCD        STS*                                     STYLE*
    Regards

  • Segregate access to Plant within same role (Organisation level)

    Hi
    I can't seem to find out whether it is possible to segregate the access to plants within the same role.
    I have a role which gives full access to all plants. One of them is now being closed down, so it needs to be locked down for changes and can only be given with display.
    We have about 150 roles like this, so the option of creating a new role to display that specific plant is not a desirable one...
    How can I do so?
    Thanks for any hint!
    Nadia

    Segregating the access within a role itself doesn't seem to be feasible.
    If you want to restrict access to that plant, you need to update the roles to exclude that plant value
    and setup a display role for that plant value.
    Regards,
    Zaheer

  • Easy Question: How to identify user roles within form?

    Hi folks,
    I would like to display/hide a button which calls a static data maintenance form (from another form) based on the current user's roles.
    If the user has the role "STATIC_DATA" granted then DISPLAY the button (which calls the static data form), else DO NOT DISPLAY it.
    Any example of how to get user roles within a form?
    Thanks,
    Tomas

    I can do it with the code below:
    declare
      l_cnt number;
    begin
      -- count the current user's grants of the STATIC_DATA role
      select count(*)
        into l_cnt
        from user_role_privs
       where granted_role = 'STATIC_DATA';
      if l_cnt > 0 then
        null; -- display it
      else
        null; -- do not display
      end if;
    end;
    I think the above should work.
    Thanks,
    Tomas
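
An added example, not part of the original post, that ties this check to nested roles: USER_ROLE_PRIVS lists only roles granted directly to the connected user (or to PUBLIC), while SESSION_ROLES lists every role enabled in the session, including roles reached through another role. It is written as an anonymous block for SQL*Plus because SESSION_ROLES returns no rows inside definer's-rights stored PL/SQL, where roles are disabled.

```sql
-- Added example. STATIC_DATA is the role name from the question;
-- everything else here is illustrative.
SET SERVEROUTPUT ON

DECLARE
  c_role   CONSTANT VARCHAR2(30) := 'STATIC_DATA';
  l_direct PLS_INTEGER;
  l_active PLS_INTEGER;
BEGIN
  -- Roles granted straight to the connected user (or to PUBLIC).
  SELECT COUNT(*)
    INTO l_direct
    FROM user_role_privs
   WHERE granted_role = c_role;

  -- Roles enabled in this session, nested grants included.
  SELECT COUNT(*)
    INTO l_active
    FROM session_roles
   WHERE role = c_role;

  IF l_active > 0 AND l_direct = 0 THEN
    -- The case a USER_ROLE_PRIVS-only check misses.
    DBMS_OUTPUT.PUT_LINE(c_role || ': enabled through another role');
  ELSIF l_active > 0 THEN
    DBMS_OUTPUT.PUT_LINE(c_role || ': granted directly and enabled');
  ELSIF l_direct > 0 THEN
    -- Granted, but not a default role or switched off with SET ROLE.
    DBMS_OUTPUT.PUT_LINE(c_role || ': granted directly but not enabled');
  ELSE
    DBMS_OUTPUT.PUT_LINE(c_role || ': not available to this user');
  END IF;

  -- DBMS_SESSION gives the same answer as the SESSION_ROLES lookup.
  IF DBMS_SESSION.IS_ROLE_ENABLED(c_role) THEN
    DBMS_OUTPUT.PUT_LINE('IS_ROLE_ENABLED: TRUE');
  ELSE
    DBMS_OUTPUT.PUT_LINE('IS_ROLE_ENABLED: FALSE');
  END IF;
END;
/
```

Hiding the button only changes what the form shows; the privileges granted to STATIC_DATA on the underlying tables are what actually limit who can change the static data.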

  • Room within a Role

    Hi,
      I have a room which should be accessible to all users. So I am thinking of assigning it to a role which a user can access easily. I did this by using a URL iView, but the problem is that within that role the masthead and all the roles are displayed once again. I want only the room content to be displayed in that role. Can anybody tell me how to go about this?
    Regards
    Vineeth

    Hi Vineeth,
    Almost right. You have to modify the PCD ID in order to call the object via URL.
    You should replace the colon by "!3a" and each slash by "!2f".
    Example
    PCD ID:
    pcd:portal_content/FolderA/com.sap.iview
    Modified PCD-ID:
    pcd!3aportal_content!2fFolderA!2fcom.sap.iview
    URL prefix:
    http://<portalserver>:<port>/irj/servlet/prt/portal/prtroot/
    Final URL -> check with new browser instance:
    http://<portalserver>:<port>/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fFolderA!2fcom.sap.iview
    In earlier versions of NW you could get this URL by clicking on the preview button of an iview... And be sure to have the right security settings to execute an iView in this way.
    Hope this helps.
    Stefan

  • Same user different roles within different organizations

    Hello All,
    We have a requirement where the same user has to have different roles within different organizations.
    What would be the solution to handle this situation using Sun IDM?
    Any inputs are greatly appreciated.
    Thanks,
    Akeel

    Let me simplify this.
    We have a requirement where a user can work for different organizations, which can be achieved in SIM using membership rules.
    Say a user works for two organizations, Org1 and Org2.
    The user can have different roles in these 2 different organizations. For example, the user can have Role1 in Org1 and Role2 in Org2.
    Role1 and Role2 are both available for assignment by the respective admins of Org1 and Org2.
    Suppose the admin of Org1 assigns the user Role1, and the admin of Org2 assigns the user Role2.
    Now waveset.roles will have Role1 and Role2, but it cannot tell which role the user has in which organization.
    How do I specify the relationship between the role and the organization? The number of organizations is very large, 70000+, and the number of identified roles is around 51.
    I don't think this can be implemented in Sun Identity Manager. Has anybody done this? Any inputs are highly appreciated.
    Regards,
    Akeel

  • How to map Application Roles to Enterprise Roles

    Hello,
    I am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if I do not have it?
    Can I map the roles in WebLogic Server itself? I have searched for such an ability and did not find it. I also have not seen any tutorial on the internet. Someone help me pls.
    The version i am using is 12.1.2.0.0.

    Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
    Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
    Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
    Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
    2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
    You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
    See : Managing Security Across Portals for more info :
    http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
    3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
    First, you can grant privileges to a specified group (say sales group) of users by granting Enterprise Roles in Enterprise LDAP.
    Next, create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc.) and assign the appropriate permissions as explained above.
    Then, you can assign one or more Application Roles to a specified group (say sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Users & Groups
    I hope it helps.

  • How to restrict selected Role under a Role???

    Hi Friends,
    I have 3 roles, which are Role-1, Role-2, Role-3.
    Role-2 & Role-3 are Under/Part of Role-1.
    Now, I have assigned Role-1 to a user. By doing this, when he logs in he is able to see Role-2 and Role-3 as well, even though we haven't assigned Role-2 and Role-3.
    Now my question is: how do I restrict a role under a role? For example, I don't want to show Role-3.
    When I checked the user's assigned roles, I see only Role-1 but not the 2 other roles.
    Could anyone advise on how to make unwanted role in role. Assuming no one is going to be assigned Role-2 and Role-3 directly. They get assigned only Role-1.
    Thanks for your time!
    Thanks,
    Raghavendra.P

    Hi Praveen,
    Thanks for the important/useful information. What I really don't understand is, in spite of giving the properties to each role/workset, how do we call the appropriate one under the role? For example:
    If we have Role-2 with property dept=sd,
    and Role-3 with property dept=xi, etc.
    Now I have Role-1, within which I have Role-2 and Role-3.
    Now, if I want to see only roles with dept=xi, then where should I mention it and what should I mention?
    I understood up to creating the properties, assigning the properties to roles/worksets, and giving values to the properties.
    The only thing I don't understand is how to activate the one we want in this scenario.
    Thanks for your time!
    Thanks,
    Raghavendra Pothula

  • Mapping security roles to other roles

    I found the security newsgroup and posted the question there under the same topic. Kindly respond there.
    Message was edited by:
    jheinone

    Hi Sebastian,
    Yes, it is possible to do such mapping. And here is how it works:
    1. define security roles in the ejb-jar.xml within the <security-role>. For example:
    <security-role>
         <role-name>test</role-name>
    </security-role>
    2. Then you map those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
    <security-permission>
       <security-role-map>
          <role-name>test</role-name>
          <server-role-name>myUMErole</server-role-name>
       </security-role-map>
    </security-permission>
    the myUMErole must be defined in the UME!
    Does this answer your question?

  • Scaling of VM Roles and Worker Roles, why divide by total?

    I am trying to tweak with the auto-scale settings and it is my understanding that the CPU load is divided among the total number of instances within the Role.
    I get this in concept. 
    However, what I am seeing is that if I have two instances in my availability group, and I have one instance running.  That if I set the CPU load slider too high, my new instance never turns on / provisions.
    It is as if the calculation is always averaging among the total possible - therefore if one is at 100% CPU, then that equates to 50% CPU.  And if my slider is set to 60%, my second VM never turns on. (I left it running all night this way once to see).
    Where what I think the slider should mean is that I never want a single instance to go beyond 60% utilization, if it does then give me another instance.
    Am I following this properly?
    Since I only have the scaling metric of CPU (since I don't have a Service Bus queue) I have to use it wisely and make sure that it reacts when appropriate - and in my case I might want it to scale out at 40% to ensure that there is no negative user experience.
    And right now, I am not seeing that I can make that happen.
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

    hi
    Autoscaling by CPU is compared with the average CPU usage of all instances of the role.
    So if you set the bottom bar to 20% and have 2 instances running with CPU usage of 37% and 4%, the Azure fabric will autoscale it to 3 instances, because the average CPU is 20.5% and beyond the bottom bar.
    Actually, autoscaling based on CPU works as below:
    All instances are included when calculating the average percentage of CPU usage, and the average is based on use over the previous hour. Depending on the number of instances that your application is using, it can take longer than the specified wait time for the scale action to occur if the wait time is set very low.
    As a result, if you have an app that is at 0% load, and then start running a load test to make it go to 100% (and have a scale-up target of 80%), it will take at least 45 minutes before the scale action will start. However, this is not a typical real-world scenario. It's more likely that your load is already high (say 75%). In this scenario, it would take much less time to trigger the scale action.
    One of the reasons that we do an hourly average is that, with the current platform, it's impossible to get metrics from Virtual Machines or Cloud Services under a 15 minute latency.
    So, if we scaled based just on the last 5 or 10 minutes, we would never have data to scale on. You can see this in the screenshot below; it was taken around 5:30, but the most recent data point is at 5:15.
    In the future, the Azure platform is looking at ways to speed up metric collection, but this is likely not coming for quite some time. As a result, the best we can do is a rolling average over a larger time window.
    let me know if there is any question.
    best regards
    Jian

  • Creating Single Role from Many Roles

    Hi,
    Can we create a single role (not composite) from many roles? I.e. all the authorisations of n roles being copied into a single new role?

    You can create a composite role in PFCG and just include the other roles within it. But there is no functionality to merge roles into one another.
    If you need more detail, then I suggest you ask your question in the Security Forum.
    Hope that helps.
    J. Haynes
    Denver CO US

  • Function Roles and Value Roles

    Hello,
    I read in a SAP Press book something about function roles and value roles.
    Can someone explain to me how this works?
    kind regards,
    Bernhard

    I would suggest taking preventative legal action against anyone who even mentions "functional and value" roles - particularly if they give the impression that transaction codes, activities and org-levels can be built in separate roles - because when the concept goes downhill (which it will!) then they will unlikely be around to clean up the mess nor take responsibility for it.
    Rather steer well clear of this type of concept.
    Cheers,
    Julius

  • Max enabled Roles and sub-roles

    Is it possible to split the max enabled roles and the sub-roles for a given user? I have specified 60 as max enabled roles.
    The user in question is assigned to some user groups where there is a large number of sub-roles. If I increase max_enabled_roles in the initxxx.ora to a figure which would permit the roles and sub-roles to work, it makes the max enabled roles quite large, several hundred, which affects database performance.
    I thought of splitting the user into several accounts, defined by user group, but I fear the user will not remember what he has been assigned to.
    Any suggestions (apart from throwing the user out of the window)?
    Is there a method by which I can split sub-roles?
    Thanks

    Option 1 - Rationalize and reconstruct your current role plan. We did this here, and cut the number of roles we were using in half.
    Option 2 - Use programming to enable only the required roles (set default role), for the application/form/report that is currently being run by the user.
