Rule for Assign Roles Portals

Similar Messages

• Using URL Alias in "main rule" for a new portal desktop.

  Hi
  I am having a scenario :
  I am having two different business functionality. For accessing them separately i have to create to different portal desktops. Each one will have there own iviews and roles.
  BUT
  They can have similar user ids.
  I.e. same user can access both the deskops based on option selected by him.
  Supposed Implementation which i am thinking :
  i will create a html page with 2 buttons :
  1st button : Application 1
  2nd button : Application 2
  I will map these buttons/Links to following URL.
  Application 1 : irj/poral/application1
  Application 2 : irj/poral/application2
  On clicking either of these buttons/Links user will get a login screen for SAPNETWEAVER PORTAL.
  After login which desktop to be displayed will be decided using following MASTER RULE :
  Now i will create a master rule with "URL ALIAS" in IF condition.
  My Master rule will look like this :
  IF URLAlias =  irj/poral/application1 THEN desktop = Application1
  IF URLAlias =  irj/poral/application2 THEN desktop = Application2
  Now I am having 2 questions in mind :
  Is this possible ?
  How to create URL Alias for a desktop ?? (Or do i need to create a URL alias for desktop !!)
  I cant try it until and unless i am sure !!
  Please comment on my scenario....
  Or tell me if there are some other options.........!!

  Saurabh,
  yes this should work, you have to create the aliases application1 & application2 in the web.xml (see http://help.sap.com/saphelp_nw70ehp1/helpdata/de/48/1d5d0171364269e10000000a421937/frameset.htm)
  I think, the initial page with the buttons shouldn't be located in the portal, because then the users would be already logged on (but you can place it on the java-stack at the plain http anyway)
  but keep in mind, that you have to create an alias in web.xml & a master rule for each alias you want to have.
  kr, achim

• Typing rules for assigning non-wildcards to wildcards

  Hi all,
  I have the following code:
  public class A<T extends Number> {
       T t;
       public void foo() {
            Number number = null;
            Integer integer = null;
            A<? extends Integer> a1 = null;
            A<? super Integer> a2 = null;
            a1.t = null; // OK
            a1.t = integer; // Error
            a2.t = number; // Error
            a2.t = integer; // OK
  }The code contains four assignments of a non-wildcard type to a wildcard type. Two of them are correct, two are wrong. Now, intuitively, the following rules seem to hold for such assignments to upper/lower bounded wildcards:
  - Only the null-type can be assigned to an upper bounded (or unbounded) wildcard.
  - A non-wildcard type can be assigned to a lower bounded wildcard iff it can be assigned to the wildcard's lower bound.
  I think that the rules are quite intuitive but I would be interested in finding the formal typing rules for such assignments in the JLS. Can anyone provide a reference into the
  JLS which which cover the semantics of the above assignments?
  Any help would be really appreciated. Thanks a lot in advance!

  kablair & dannyyates,
  first of all, thanks a lot for taking you the time to explain the things to me that clearly! Sorry also for the somewhat confusing example by having chosen the final class Integer which is some kind of a special and limiting case.
  In any case, I have gone through the JLS yesterday as I was particularly interested in the role of capture conversion to formally explain the correctness of the above code and here are my conclusions I want to share with you: Actually, there seem to be no subtyping rules for wildcards because you always apply capture conversion (JLS3 5.1.10) to wildcards before looking for their subtype relationship to other types. Capture conversion converts each wildcard to a new fresh synthetic type variable which has appropriate upper bounds and also a lower bound. Now, in the very last sentence of section 4.10.2 of the JLS3, it is stated that a type variable is a direct supertype of its lower bound which I think is the key point. This means that you can assign something to a type variable iff you can assign it to its lower bound.
  Now, capture conversion converts every unbounded or lower bounded wildcard into a type variable which has the null type as its lower bound. This formally shows that you can really just assign null to them as in the code above. Contrary, every lower bounded wildcard is capture converted to a type variable whose lower bound is the lower bound of the wildcard. So, again, you can assign it every type you can assign to that lower bound. This is also reflected in the above code.
  So, that's maybe the formal explanation for something which is intuitively clear anyway...

• SECATT for assigning roles to users

  Hi All,
  How do we make the ECATT to work for the below scenario:
  Users already have roles assigned to them. We need to add a new roles to the users which can vary in number based on the users job.
  A simple ECATT script that was developed to add a single role to a new user does not work in the above case and gives an error of invalid batch input. How do I create a ECATT to assign role to user who already has a set of roles assigned (number of roles assigned to users differ, so I cannot assume to train the ECATT to assign a role on line X). Is there something I am missing while the ECATT script creation?
  We are doing this from a CUA and its very difficult to assume how many roles a user could have.
  Thanks,
  Jay

  Thanks Alex for the insight. For some reason SU10 is slow in the CUA environment and I wanted to avoid it but yes I finally had to use SU10. Talking to one of our ABAPer I came to know that even in their BDC recordings they get the error which I receeived, but he changes his program to skip all the lines with data and then fill the empty line.
  In CUA environment, how do we create ECATT to delete a role from many users?
  Thanks,
  Jay

• One CUP request for assigning role to multiple users

  Hi,
  We assign roles to users in production only through CUP requests.. We use GRC 5.3
  Here we have a case where we need to assign one role to  60 users in production(each user may have different  roles assigned in the back end) . I can raise one CUP request for all users using " multi-user" option in Copy request . But when we want to make a risk analysis , it will not show risks at user level as each user had different roles and may get different risks by adding new role.
  Instead it will give risks if any for only that new role which want to assign. Our manager is not accepting as this is not giving complete picture of risks for each user when we add new role.
  Please suggest me if there is any other way where I can make a risk analysis for each user when I created a CUP request for multiple users.
  Or the only solution is to create 60 CUP requests ?? this would be too manual
  Regards ,
  jaags

  Raghu,
  thanks for the reply, you are right as per the audit .But suppose if it is for 200 users ,creating 200 CUP requests will be impractical right.
  there should be some solution for this , because there will be many situations practically where we have to assign roles to N number of users.
  Is this possible in GRC 10 ? any idea ?
  Regards,
  Jaags

• Thumb rule for assigning auth values after t-code addition to a role

  Hello everyone,
  Could you please share your expertise on this. When a transaction is added to (the menu of )a role in PFCG, it automatically pulls in its corresponding authorization objects. So my question is what values should be given to these newly pulled in auth objects. Is there any guideline to be followed? Any disucssion would be greatly appreciated. Thanks a lot!

  There really is no general rule.
  There are two things you need to prepare to work on authorizations:
  1. A list of critical authorization objects, such as S_DEVELOP, S_RFC and the like. In every role that you touch, these need to be managed properly. If you find that the default values in PFCG are not according to your policy, change them in SU24
  2. A list of authorization values that you have determined are necessary for control purposes, i.e. cost centers and other org values. These need to be set according to the desird usage of the role.
  Oh, there is ONE general rule: DO maintain SU24, i.e. manage what gets into PFCG in the first place. Make sure it's what your security design requires.
  Hope that helps,
  Frank.

• Creation of auto approval process for assigning role for a user in oim11g

  currently i'm doing a scenario like a user must be automatically assigned to a role by using approval policy where the user is already there in oim and then we use csv file in that we take 2 columns like userlogin and role name so by running this scheduled task user must be automatically approved to that role.But i have to use the default auto approve policy in oim without creating any bpel process for that so can any one suggest me how to proceed with this scenario.
  Thanks in Advance for quick response.

  If I understand correctly, You have users and their respective roles in csv file. Users are present in OIM. You want to assign those roles in csv file to respective users?
  If this is the scenario, you need to write a custom code for schedule task which will read data from your csv file, create roles and assign them to respective users.
  to create custom schedule task in OIM 11g, you may refer to:
  http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/scheduler.htm
  regards,
  GP

• Issue while changing validity date for assigned roles: SAP IDM 7.2 SP8

  Hello Experts
  I assigned the Task on repository for validity modification for Roles as in below screenshot:
  When I modify the role validity, Task defined for Validity modification doesnt get triggered and IDM executes the tasks defined as Modify Task and fails with below errors:
  1. Could not obtain repository name from Pending object.
  2. Error ! Audit id , Variable doesnt exist in MXPT_GET_ENTRYTYPE.
  I tried checking provisioning audit logs but could'nt find any Audit ID created for validity modification and I guess due to this tasks are getting cancelled.
  Why the task defined in Modify Valdity tasks doesnt get triggered when I modify the Role assignment validity ?
  Am I doing anything wrong with the SAP Standard way of working ?
  Regards
  Deepak Gupta

  Hi Deepak/Chris,
  We are also facing a similar issue in our project where modifying validity of the role does not trigger any task. We then changed the Modify attribute(in task tab) on the priveleges to "inhereted".
  The modify task is now triggered and completes successfully. However, no changes occur in backend.
  We need unedrstand where do we maintain the setting to define which attributes(if changed) will trigger an event task in the provisioning framework. the "check attributes modification" task within the provisioning framework executes the below query:
  select COUNT(VarName) from mxpv_audit_variables where AuditID=%AUDITID% and VarValue='%MSKEY%' and VarName='MARK_EXEC_MODIFY_ATTR%MSKEY%'
  The query gives the result as "False" in case we only modify the validity of the role assigned to user. Thus no event tasks are executed for the same.
  Can anyone please share where do we define the attributes for this query to give "True" as result for role validity modification.
  regards,
  Nits

• List of Portal users with the assigned Roles.....

  Hello All,
  I am working on EP6 SP9 and want to know from where can I get a list of all Portal users along with the assigned roles for each of them.
  One way I found is by searching for all users in User Administration role and along with the searched users, there is also an icon for Assigned roles.
  Apart from the above mentioned way, is there any other way by which I can get a direct list of the same. Is there a Java sample code for this.....?
  Please help.
  Awaiting Reply.
  Thanks and Warm Regards,
  Ritu R Hunjan

  Hi Ritu,
  Yes it is possible to get the roles of the users. You can try the following java code.
  package com.hcl.user;
  import java.util.Iterator;
  import java.util.Vector;
  import com.sap.security.api.IRole;
  import com.sap.security.api.IRoleFactory;
  import com.sap.security.api.IRoleSearchFilter;
  import com.sap.security.api.ISearchResult;
  import com.sap.security.api.IUser;
  import com.sap.security.api.IUserAccount;
  import com.sap.security.api.IUserFactory;
  import com.sap.security.api.UMFactory;
  import com.sapportals.portal.prt.component.AbstractPortalComponent;
  import com.sapportals.portal.prt.component.IPortalComponentRequest;
  import com.sapportals.portal.prt.component.IPortalComponentResponse;
  public class role_member extends AbstractPortalComponent {
  public void doContent(
  IPortalComponentRequest request,
  IPortalComponentResponse response) {
  try {
  IUserFactory userfactory = UMFactory.getUserFactory();
  IRoleFactory rolefactory = UMFactory.getRoleFactory();
  IRoleSearchFilter rolefltr = rolefactory.getRoleSearchFilter();
  rolefltr.setMaxSearchResultSize(2000);
  ISearchResult result = rolefactory.searchRoles(rolefltr);
  while (result.hasNext()) {
  response.write("<table border=0>n");
  String uniqueid = (String) result.next();
  IRole role = rolefactory.getRole(uniqueid);
  response.write("<tr><td bgcolor=Red>"+ role.getDisplayName()+ "</tr></td>n");
  Iterator users = role.getUserMembers(true);
  while (users.hasNext()) {
  String unique_user = (String) users.next();
  IUser user = userfactory.getUser(unique_user);
  IUserAccount account[] = user.getUserAccounts();
  response.write(
  "<tr><td>" + account[0].getLogonUid() + "</tr></td>n");
  response.write("</table>n");
  response.write("</br>n");
  } catch (Exception e) {
  This code gives you the list of all the users of your portal along with the roles assigned to them.
  Apart from this if you want you want to know all the roles assigned to the user on portal itself then the way you mentioned is the correct method.
  Regards
  Pravesh
  PS: Please consider awarding points.

• How to Assign Roles for maintaining possible agents?

  Hi all,
  I was trying to assign Roles to maintain agent assignment and I was not able to assign role to Task -> Additional data -> Agent Assignment -> Maintain -> Create agent assignment -> selected role but it's not displaying the roles available in the client.
  There is no org. structure in our client.
  So, What all settings do i need to make the roles display and select?  please let me know in detail if possible.
  Regards,
  Sateesh

  Hi,
  I haven't created any org structure or any role and there are no org structures in our client.
  To get roles displayed on search do we need to create an org structure. I don't think so.
  Is any authorization required for a user or any settings need to be made to get roles displayed when searched for roles for assigning role in maintaining agent assignment for a task.
  i even checked with basis person with his id but it is the same problem.
  As far as i know these roles are basis roles only and there are number of roles in our client but its strange it doesn't display any roles( not even a single role when i searched with  ' * ').
  please help me..
  Regards,
  sateesh

• Query regarding approval policies for custom Role

  Hi ,
  1.In OIM 11g R2 . I have created a Role named SecurityAdmin. Assigned it to a user named User1.
  Logged in as User1 and searched for another user say User2
  2.Modified its Profile and when clicked on save .Request was created and went to approval process.
  Similar thing happened when i tried to disable the user and assign roles to User2.(Note : I am logged in as User1 not xelsysadm)
  Created two auto approval policies for assign roles and Modify user profile
  Query : Do i have to create approval policy for each process like Disable User, Enable user , etc ?
  Is there any generalized way that i make a policy on high level that if Role is Security admin Request goes to Auto Approval.
  Please help.
  Thanks in advance.

  >
  Query : Do i have to create approval policy for each process like Disable User, Enable user , etc ?You have to create approval policy for each of these request types.
  Is there any generalized way that i make a policy on high level that if Role is Security admin Request goes to Auto Approval.
  Please help.In approval policies you can select Auto Approval checkbox and write a rule Requester.Role Name Equals Security admin

• Customizing display profile for a role ends with a blank portal

  I have a custom TabContainerProvider with 4 tabs (containers with two channels). I need one of them to be visible only to a specific role. So I created a role (static), assigned this role to users, and in portal console with the role selected I've put the 4th container with its two channels to the TabContainerProvider. When I log in as a user with the role, I see "The desktop you are using is not yet configured with any channel in it. To get started with deploying sample content, see below."
  When I do the same, but with the users selected (so I enable the container with its channels to all of the users with the role but not for the role itself), it works.
  What can be wrong? Where should I look for hints?

  Please make sure the Parent Container for the role is set correctly. When you create a new role, the Parent Container will be set to DefaultChannel by default. To verify this,
  1. launch the portal admin console, i.e. http://host/psconsole
  2. goto portals --> portalID --> specify your role for the Select DN drop down
  3. verify that the Parent Container setting for the role is not DefaultChannel, instead it should be set to the Parent Container used by your portal.
  Hope this helps. dean.

• Weird problem with role assignment in Portal

  Hi,
  In our newly installed Portal for eRecruitment Production System we encounter a weird problem with assigning roles to users.
  When I open User Administration and search for roles, it displays the Portal roles perfectly.
  However, when I search for a user in User Administration and click on it when found, I am unable to find any roles to assign! So I am unable to find any roles, when I want to modify the assigned roles for a particular user, while the roles do exist and can be found on its own. How is this possible? Am I missing something here?
  We have installed SPS 15 and use ABAP as user store. We have used reverse proxy and web dispatchers in this case.
  Thanks in advance and best regards,
  Jan Laros

  Found some entries in the default trace from this morning:
  #1.#005056A15F78006A000004F400006D310004520B11DB3CE8#1216107404407#com.sap.security.core.jmx.impl.CompanyPrincipalFactory#sap.com/tc~wd~dispwda#com.sap.security.core.jmx.impl.CompanyPrincipalFactory.static Set evaluateDatasourcesToSearchFor(String[] requestDatasourceIds,     String privateType, Locale locale)#JALAROS#58762##nun.efteling.nl_POP_9750151#JALAROS#581700b0524011ddc029005056a15f78#SAPEngine_Application_Thread[impl:3]_36##0#0#Error##Java###Error while connecting to remote producer {0}
  [EXCEPTION]
  {1}#2#PRODUCER_0KTHQ3YTJV#com.sap.security.core.persistence.remote.CommunicationException: Cannot display remote roles of selected producer. The producer has removed your consumer instance from their portal.
          at com.sap.portal.ivs.global.roles.RemoteProducerAccessImpl.sendToRemote(RemoteProducerAccessImpl.java:497)
          at com.sap.portal.ivs.global.roles.RemoteProducerAccessImpl.checkConnectivity(RemoteProducerAccessImpl.java:220)
          at com.sap.security.core.jmx.impl.CompanyPrincipalFactory.evaluateDatasourcesToSearchFor(CompanyPrincipalFactory.java:656)
          at com.sap.security.core.jmx.impl.CompanyPrincipalFactory.simplePrincipalSearchByDatasources(CompanyPrincipalFactory.java:3172)
          at com.sap.security.core.jmx.impl.JmxSearchHelper.getSimpleEntitySearchResult(JmxSearchHelper.java:74)
          at com.sap.security.core.jmx.impl.JmxSearchHelper.calculateSimpleEntityTable(JmxSearchHelper.java:1182)
          at com.sap.security.core.jmx.impl.JmxServer.calculateSimpleEntityTableByDatasources(JmxServer.java:1061)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
          at java.lang.reflect.Method.invoke(Method.java:391)
          at com.sap.pj.jmx.introspect.DefaultMBeanInvoker.invoke(DefaultMBeanInvoker.java:58)
          at javax.management.StandardMBean.invoke(StandardMBean.java:286)
          at com.sap.pj.jmx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:944)
          at com.sap.pj.jmx.server.interceptor.MBeanServerWrapperInterceptor.invoke(MBeanServerWrapperInterceptor.java:288)
          at com.sap.engine.services.jmx.CompletionInterceptor.invoke(CompletionInterceptor.java:409)
          at com.sap.pj.jmx.server.interceptor.BasicMBeanServerInterceptor.invoke(BasicMBeanServerInterceptor.java:277)
          at com.sap.jmx.provider.ProviderInterceptor.invoke(ProviderInterceptor.java:258)
          at com.sap.engine.services.jmx.RedirectInterceptor.invoke(RedirectInterceptor.java:340)
          at com.sap.pj.jmx.server.interceptor.MBeanServerInterceptorChain.invoke(MBeanServerInterceptorChain.java:330)
          at com.sap.engine.services.jmx.MBeanServerSecurityWrapper.invoke(MBeanServerSecurityWrapper.java:287)
          at com.sap.engine.services.jmx.ClusterInterceptor.invoke(ClusterInterceptor.java:776)
          at com.sap.pj.jmx.server.interceptor.MBeanServerInterceptorChain.invoke(MBeanServerInterceptorChain.java:330)
          at com.sap.security.core.jmx._gen.IJmxServer$Impl.calculateSimpleEntityTableByDatasources(IJmxServer.java:717)
          at com.sap.security.core.wd.jmxmodel.JmxModelCompInterface.calculateSimpleEntityTable(JmxModelCompInterface.java:396)
          at com.sap.security.core.wd.jmxmodel.wdp.InternalJmxModelCompInterface.calculateSimpleEntityTable(InternalJmxModelCompInterface.java:443)
          at com.sap.security.core.wd.jmxmodel.wdp.InternalJmxModelCompInterface$External.calculateSimpleEntityTable(InternalJmxModelCompInterface.java:746)
          at com.sap.security.core.wd.umeuifactory.UmeUiFactoryCompInterface.getSimpleEntityTable(UmeUiFactoryCompInterface.java:471)
          at com.sap.security.core.wd.umeuifactory.wdp.InternalUmeUiFactoryCompInterface.getSimpleEntityTable(InternalUmeUiFactoryCompInterface.java:517)
          at com.sap.security.core.wd.umeuifactory.wdp.InternalUmeUiFactoryCompInterface$External.getSimpleEntityTable(InternalUmeUiFactoryCompInterface.java:894)
          at com.sap.security.core.wd.relaterole.RelateRoleComp.searchNewRoles(RelateRoleComp.java:259)
          at com.sap.security.core.wd.relaterole.wdp.InternalRelateRoleComp.searchNewRoles(InternalRelateRoleComp.java:282)
          at com.sap.security.core.wd.relaterole.AssignParentRolesView.onActionSearchNewRoles(AssignParentRolesView.java:215)
          at com.sap.security.core.wd.relaterole.wdp.InternalAssignParentRolesView.wdInvokeEventHandler(InternalAssignParentRolesView.java:261)
          at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.invokeEventHandler(DelegatingView.java:87)
          at com.sap.tc.webdynpro.progmodel.controller.Action.fire(Action.java:67)
          at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doHandleActionEvent(WindowPhaseModel.java:420)
          at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:132)
          at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
          at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
          at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:313)
          at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingPortal(ClientSession.java:733)
          at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:668)
          at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
          at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
          at com.sap.tc.webdynpro.clientserver.session.core.ApplicationHandle.doProcessing(ApplicationHandle.java:73)
          at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.sendDataAndProcessActionInternal(AbstractApplicationProxy.java:860)
          at com.sap.tc.webdynpro.portal.pb.impl.localwd.LocalApplicationProxy.sendDataAndProcessAction(LocalApplicationProxy.java:77)
          at com.sap.portal.pb.PageBuilder.updateApplications(PageBuilder.java:1257)
          at com.sap.portal.pb.PageBuilder.SendDataAndProcessAction(PageBuilder.java:325)
          at com.sap.portal.pb.PageBuilder$1.doPhase(PageBuilder.java:826)
          at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processPhaseListener(WindowPhaseModel.java:755)
          at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doPortalDispatch(WindowPhaseModel.java:717)
          at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:136)
          at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
          at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
          at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:313)
          at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
          at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
          at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
          at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
          at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
          at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
          at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
          at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
          at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
          at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
          at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
          at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
          at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
          at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
          at java.security.AccessController.doPrivileged(AccessController.java:180)
          at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
          at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  #1.#005056A15F780060000004FD00006D310004520C6A35F87C#1216113181849#com.sap.engine.services.security.roles.SecurityRoleReference##com.sap.engine.services.security.roles.SecurityRoleReference#J2EE_GUEST#0####399cb180524e11dd9849005056a15f78#SAPEngine_Application_Thread[impl:3]_37##0#0#Error#1#/System/Security/Audit/J2EE#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.ERROR#service.naming#jndi_all_operations#SAP-J2EE-Engine#administrators#
  #1.#005056A15F78005C00000C0500006D310004520C6A394185#1216113181992#com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImpl##com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImpl#J2EE_GUEST#0####39aa6d20524e11ddaee2005056a15f78#SAPEngine_Application_Thread[impl:3]_29##0#0#Error#1#/System/Server#Java###Runtime exception occurred while processing external JMX request [ JMX request (java) v1.0 len: 150 |  src: 2 target-node: 9750150 req: getAttribute params-number: 2 params-bytes: 0 |  ]
  [EXCEPTION]
  {0}#1#com.sap.engine.services.jmx.exception.JmxSecurityException: Caller J2EE_GUEST not authorized, only role administrators is allowed to access JMX
          at com.sap.engine.services.jmx.EngineAuthorization.checkMBeanPermission(EngineAuthorization.java:88)
          at com.sap.engine.services.jmx.auth.UmeAuthorization.checkMBeanPermission(UmeAuthorization.java:77)
          at com.sap.engine.services.jmx.JmxServerFrame.checkMBeanPermission(JmxServerFrame.java:98)
          at com.sap.engine.services.jmx.MessageClientSecurityWrapper.checkPermissions(MessageClientSecurityWrapper.java:76)
          at com.sap.engine.services.jmx.MessageClientSecurityWrapper.invokeMbs(MessageClientSecurityWrapper.java:38)
          at com.sap.engine.services.jmx.ClusterInterceptor.invokeMbs(ClusterInterceptor.java:196)
          at com.sap.engine.services.jmx.ClusterInterceptor.getAttribute(ClusterInterceptor.java:512)
          at com.sap.engine.services.jmx.MBeanServerInterceptorInvoker.invokeMbs(MBeanServerInterceptorInvoker.java:84)
          at com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImpl.invokeMbs(P4ConnectorServerImpl.java:61)
          at com.sap.engine.services.jmx.connector.p4.P4ConnectorServerImplp4_Skel.dispatch(P4ConnectorServerImplp4_Skel.java:64)
          at com.sap.engine.services.rmi_p4.DispatchImpl._runInternal(DispatchImpl.java:313)
          at com.sap.engine.services.rmi_p4.DispatchImpl._run(DispatchImpl.java:199)
          at com.sap.engine.services.rmi_p4.server.P4SessionProcessor.request(P4SessionProcessor.java:136)
          at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
          at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
          at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
          at java.security.AccessController.doPrivileged(AccessController.java:180)
          at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
          at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

• OIM 11g: Issue while evaluating rule for Role Membership

  Hello All,
  I have configured few General Rules using 2 of our User Defined Fields, these general rules are used to determine role membership.
  What we observed that once "Identity Status" attribute is set to "Disabled" for OIM User Profile then OIM stops evaluating these configured General Rules for Role Membership.
  Env Details:
  Product Version: Oracle Identity Manager 11.1.1.5.0
  App Server: WebLogic Server Version: 10.3.5.0
  OS: Red Hat Enterprise Linux Server release 5.5
  Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64 bit
  Please let me know if any of you have encounter this issue and if there is any workaround available for it.
  Thanks,
  Shyam

  Re: OIM11g: Resource not revoked if the Identity Status is DISABLED
  XL.EvaluateMembershipForInactiveUser
  Workaround:
  You can make you of Event Handler and assign that group with APIs.

• Assigned users for a role

  Hi
  I am looking for auditing feature in Portal. I created a portal role,say ABC in portal and added an iView to that role. When ever I create any user, I am assigning this role to that user. Now I want to know the users associated to this role ABC. Under User Administration tab, when I look at Assigned Users for this role, I don't see any users. But when I see the roles assigned to any user, I can see this role assigned to this user. I don't want to go to all users and check whether this role is assigned or not.
  Also, I want to know the users who all are accessing the iview in role ABC currently. Can you please help me with these points.
  Thanks in advance
  Tejo

  Hi Tejo,
  check below thread
  Read all the users assigned to a portal role
  Koti Reddy