Secure Application Roles in SE.
I’m looking for ideas to implement or replicate the behavior of “Secure Application Roles” feature of EE in SE.
Any help/sample are welcome!
Thanks,
Diego.
Unfortunately there are features from the kernel that prevent the use of Application Roles in a Standard Edition. You must upgrade to an Enterprise Edition.
~ Madrid
Similar Messages
-
When I undeploy my application, my configured security roles disappear.
Can I create the roles independently of my applications?
How do I do it?
Thanks,
Edited by: Pedro Oliveira on May 13, 2008 9:52 PM
Hi ken,
I don't think it can be done in BI administrator; instead it can be handled in BI answers.
About security go through this so you get an idea out of it.
http://blogs.oracle.com/robreynolds/2010/12/security_in_obiee_11g_part_1.html
Hope it helps you.
Cheers,
KK -
Webcenter Application Roles not getting imported in UCM on Migration
Hi All,
I migrated the webcenter resources (Service Data, Customizations and security policies) and UCM content (Using configuration utility, Archiver and Folder Archive components). After migration I am able to see the application roles in the destination webcenter spaces instance by navigating to Webcenter Spaces -> Security -> Application Roles, but I am not able to see the corresponding accounts created in the UCM for that particular user.
For example: I have an application role: s1a472022_f8bb_48e1_a519_15841780df72#-#Moderator in Webcenter Spaces for user ABC
In UCM I am not able to see the account AUTHEN/s1a472022f8bb48e1a51915841780df72 for the user ABC.
I verified in the source UCM instance and I am able to see the accounts in that instance.
Please help me out. Let me know if extra details required.
Thanks,
Sachin
Hi Srinath,
Yes, I have migrated data from UCM1 to UCM2 using insert script. But, I think there should be some other way also. There may be some options to check while creating export archive. We can migrate UCM schema tables also while migrating the content but I was not able to find USEREXTENDEDATTRIBUTES table. There are some other options like export additional user config, I need to check those options also.
Thanks,
Sachin -
OBIEE 11g Custom Application Roles
Hello Experts,
I would need to create our Custom BI Consumer, Author Application Roles. The steps I have followed are:
1) Created an Application Role "Revenue Data Access Role" for Data Level Security and added the users into it
2) Selected the existing BI Consumer Role & Created Like "Revenue Dashboard Consumer Access Role" and added "Revenue Data Access Role" into it.
3) Selected the existing BI Consumer Application Policies & Created like "Revenue Dashboard Consumer Access Role"
After Restarting OBIEE, I could see that Data level security is working fine but the users don't have Consumer Level access at dashboard level. Am I missing anything here? Please advise.
John,
We can do it at repository level, right? Manage -> Security -> Application Role... double-click the application role, there you can set it, right? Correct me if I am wrong.
Thanks,
SN.
Edited by: 926238 on Sep 1, 2012 5:57 PM -
please tell me the basic difference of application roles and user roles in detail
Oracle® Database Concepts
10g Release 2 (10.2)
Part Number B14220-02
Application Roles
You grant an application role all privileges necessary to run a given database application. Then, you grant the secure application role to other roles or to specific users. An application can have several different roles, with each role assigned a different set of privileges that allow for more or less data access while using the application.
User Roles
You create a user role for a group of database users with common privilege requirements. You manage user privileges by granting secure application roles and privileges to the user role and then granting the user role to appropriate users.
http://download-east.oracle.com/docs/cd/B19306_01/server.102/b14220/security.htm#sthref2806 -
Configuring roles and users (adf security) application context wise.
Dear All,
I referred this tutorial (http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html) which shows how to hook up adf security with database schema but at domain level which will be common to all applications in that domain. I want to make it different to each application. (i.e each application will use different database schema for storing user credentials i.e enterprise roles, application roles and users.)
Can any one please point me to proper way..
Regards,
Santosh
jdev 11.1.1.2.0
Dear Frank,
"Instead you have a single identity management system and have the application policies being different for the applications. Using ADF Security, users and groups can have different privileges in different applications"
Suppose I have 3 applications that use adf security, the users will be common to all applications, right? Roles and groups can be different for applications.
Application policies means roles and groups?
So how can it (application policies) be made different for applications? Is it inbuilt or is some configuration needed? Can you point me to some blogs or tutorials for more reference.
Bet: In case I hook up adf security with database schema.
Regards,
Santosh. -
Error assigning users to application Role in Obiee 11.1.1.7.0
Hello
I installed Obiee 11.1.1.7.0 both on Windows and Linux platform and after that, I successfully set Active Directory integration. I have a problem assigning users to Application Role in EM. When I'm trying to search a user on Display name, the Principal userName returned is blank and the error is : Java Null Pointer Exception
After that I install a fresh copy of 11.1.6.0. After AD Integration, I was able to assign users to Application Role. I made 11.1.1.7.0 upgrade and same error has come. I think this is a bug because same AD settings on 11.1.1.6.0 works.
The error:
java.lang.NullPointerException
#{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException
javax.faces.FacesException: #{viewScope.emas_pagemodel_security_EditAppRole.searchPrincipal}: java.lang.NullPointerException
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118)
at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:190)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:103)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:97)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:1086)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:434)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:128)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.core.model.targetauth.EMLangPrefFilter.doFilter(EMLangPrefFilter.java:158)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:542)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: javax.faces.el.EvaluationException: java.lang.NullPointerException
at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:51)
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
... 67 more
Caused by: java.lang.NullPointerException
at oracle.sysman.emas.model.security.DialogAdminBean$1.compare(DialogAdminBean.java:567)
at java.util.Arrays.mergeSort(Arrays.java:1270)
at java.util.Arrays.mergeSort(Arrays.java:1281)
at java.util.Arrays.sort(Arrays.java:1210)
at java.util.Collections.sort(Collections.java:157)
at oracle.sysman.emas.model.security.DialogAdminBean.fetchPrincipals(DialogAdminBean.java:563)
at oracle.sysman.emas.pagemodel.security.identity.EditAppRolePageModel.searchPrincipal(EditAppRolePageModel.java:496)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.el.parser.AstValue.invoke(Unknown Source)
at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
at org.apache.myfaces.trinidad.component.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:46)
... 68 more
Any suggestion?
Thx
Gabriel
Edited by: Gabbriel on Apr 23, 2013 10:46 PM
We received from Oracle a work-around of this problem.
It seems to be related to the virtualize flag set to true. If you set it to false the problem disappears (it works for me).
(ref. http://docs.oracle.com/cd/E28280_01/bi.1111/e10543/privileges.htm#BABDCJBH)
There's an open BUG on this problem: Bug 16808088 - 11G JAVA.LANG.NULLPOINTEREXCEPTION ADDING USER TO ROLE AFTER UPGRADE TO 11.1.1.7.
Hope this works.
S. -
Data and Dashboard Security using ROLES Variable in OBIEE 11g
Hi all,
I'm currently using OBIEE 11g. I'm wondering how to implement the security for data and dashboard in the 11g.
Below is the sample of how the security matrix requirement when I use the 10g version. In 10g, we usually use GROUP (for the data filter in RPD) and WEBGROUPS (for dashboard objects) variables in my initialization block to read from database. As we have 2 different variables, it is possible to control security separately for data and dashboard.
GROUP | Country
G1 | US
G2 | FR
G3 | UK
WEBGROUPS | Dashboard
WG1 | D1
WG2 | D1
WG3 | D1
WG1 | D2
WG2 | D2
WG1 | D3
WG3 | D3
WG3 | D4
Now, in 11g, the recommendation is to use ROLES variable (for application role). So, how would I apply the required security matrix above in 11g using just ROLES variable? Do I still create G1, G2, G3, WG1, WG2, and WG3 as application roles then only use G1-3 in the RPD to filter the data and only use WG1-3 in the analytics to serve as webgroups?
Any advice on this? Thank you very much.
"...Could you elaborate more?"
I mean that role creation and user->role assignment will be managed outside of the obiee interface - whether that's via the database, LDAP, fmw etc.
Webgroup creation and assignment is managed within the obiee interface and I think that has a lot of benefits - generally you have people responsible for shared folders and dashboard creation, so having them responsible for webgroups and presentation permissions is preferable for me.
"are you saying that I use the role G1-3 only in the RPD, while using the role WG1-3"
Yes .. I'm assuming you have something like
G1 | US
G2 | FR
G3 | UK
WG1 | Finance
WG2 | Marketing
WG3 | Sales
Which becomes
R1 | US
R2 | FR
R3 | UK
R4 | Finance
R5 | Marketing
R6 | Sales
And John belongs to R1 and R4, Fred belongs to R2 and R4 etc. So you would set your data filters against R1-R3 and use R4-R6 like webgroups in the presentation services.
Regards,
Robert -
OBIEE 11g issue - same user assigned to the multiple application role
Hi All,
We are facing an issue when assigning a user to the multiple application role and applying the data level filter on the different column of the same table.
For example, we have a table Department with three columns Department No, Department name, Department location.
Application Role A1 and A2 are created.
Data Level security Applied on the application role A1: Department Name='Finance'
Data Level Security Applied on the application role A2: Department location='US'
The user "User1" is created in LDAP and is assigned to both the Application roles A1 and A2.
When logged in with "User1", none of the filters of Role A1 or A2 is applied in the report. If this user is assigned to only one role, either A1 or A2, then the filter is applied. It seems the filter will not be applied if a user belongs to multiple roles with data filter applied on the same table across these roles.
Please reply if anyone has faced similar issue.
Hi All,
Regarding the above issue to update the analysis we came up that the user if assigned to the multiple group with the data filter applied on the same column of the table is getting an "OR" join.
We had a requirement to get an "AND" in the query condition. Please let us know if any one faced the issue and the resolution of the same.
Regards,
Jyotshna -
Migrate Application Role from uat to prod in 11.1.1.6.10
Hi All,
We have to migrate the UAT Application Roles to Prod instance. I followed Rittman Mead policy store migration. servers in LINUX
http://www.rittmanmead.com/2011/04/oracle-bi-ee-11g-migrating-security-policy-store-part-2/
But at MigrateSecurityStore step, I am facing an issue with the wlst script which is throwing below error.
I am getting the below error
wls:/offline> migrateSecurityStore(type="appPolicies",srcApp="obi",configFile="/usr/app/MW/SecurityMigration/jps-config-policy.xml",src="sourceFileStore",dst="targetFileStore",overWrite="false")
Oct 17, 2013 11:41:27 AM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
SEVERE: org.xml.sax.SAXParseException: The XML declaration must end with "?>".
Command FAILED, Reason: The XML declaration must end with "?>".
Traceback (innermost last):
File "<console>", line 1, in ?
File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 955, in migrateSecurityStore
File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 927, in migrateSecurityStoreImpl
at oracle.security.jps.internal.tools.utility.source.JpsInitializerSource.getSources(JpsInitializerSource.java:155)
at oracle.security.jps.internal.tools.utility.JpsUtility.<init>(JpsUtilty.java:62)
at oracle.security.jps.internal.tools.utility.JpsUtilMigrationPolicyImpl.migrateAppPolicyData(JpsUtilMigrationPolicyImpl.java:151)
at oracle.security.jps.tools.utility.JpsUtilMigrationTool.executeCommand(JpsUtilMigrationTool.java:231)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
oracle.security.jps.JpsException: oracle.security.jps.JpsException: The XML declaration must end with "?>".
This is config.xml file
<?xml version='1.0' encoding='utf-8'? standalone='yes'?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
<property name="oracle.security.jps.jaas.mode" value="Off"/>
<propertySets>
<propertySet name="sam1.trusted.issuers.1">
<property name="name" value="www.oracle.com" />
</propertySet>
</propertySets>
<serviceProviders>
<serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
<description>XML-based PolicyStore Provider</description>
</serviceProvider>
</serviceProviders>
<serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/uat/system-jazn-data.xml">
<description>File Based Policy Store Service Instance</description>
</serviceInstance>
<serviceInstance name="policystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/prod/system-jazn-data.xml">
<description>File Based Policy Store Service Instance</description>
</serviceInstance>
</serviceInstances>
<jpsContexts default="default">
<!-- This is the default JPS context. All the mendatory services and Login Modules must be configured in this default context -->
<jpsContext name="sourceFileStore">
<serviceInstanceRef ref="srcpolicystore.xml"/>
</jpsContext> <jpsContext name="targetFileStore">
<serviceInstanceRef ref="policystore.xml"/>
</jpsContext>
</jpsContexts>
</jpsConfig>
Please let me know if I need to provide further inputs. Appreciate your help.
Make sure you are running the wlst.sh from this path /MWHOME/Oracle_BI1/common/bin/wlst.sh
you can take a look at this too Migrating Security Policies from Development to Standalone WLS 11g
http://ssssupport.blogspot.com/2013/02/obiee-11g-application-role-migration.html
Obiee11g: Migrating application role from DEV to Prod server in obiee11g -
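A pre-flight check for the configuration problem in the thread above, as an added example that is not part of the original posts or of Oracle's tooling: it parses a jps-config file before migrateSecurityStore is run, reports where the XML stops being well-formed, and then verifies that the src and dst context names resolve to declared serviceInstance entries. The function names and the trimmed sample documents are constructed; the second sample reflects that the file as shown on the page also closes </serviceInstances> without opening it, which a parser reports only once the declaration is repaired.

```python
"""Pre-flight check for a jps-config file passed to migrateSecurityStore.

Added example: function names and the trimmed sample documents are constructed.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts in front of element names."""
    return tag.rsplit("}", 1)[-1]


def check_jps_config(xml_text, src, dst):
    """Return a list of problems; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # The parser stops at the first error: fix it, then run the check again.
        return ["not well-formed XML at line %d: %s" % (exc.position[0], exc)]

    instances = set()   # names of declared <serviceInstance> elements
    contexts = {}       # <jpsContext> name -> list of serviceInstanceRef targets
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "serviceInstance":
            instances.add(elem.get("name"))
        elif name == "jpsContext":
            contexts[elem.get("name")] = [
                child.get("ref") for child in elem
                if _local(child.tag) == "serviceInstanceRef"
            ]

    problems = []
    for arg, ctx in (("src", src), ("dst", dst)):
        if ctx not in contexts:
            problems.append("%s context %r is not defined in the file" % (arg, ctx))
            continue
        for ref in contexts[ctx]:
            if ref not in instances:
                problems.append(
                    "context %r refers to undefined serviceInstance %r" % (ctx, ref))
    return problems


# Constructed samples, trimmed from the structure of the file in the post.
_BODY = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider"
        class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider"/>
  </serviceProviders>
  @OPEN@
    <serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider"
        location="/usr/app/MW/SecurityMigration/uat/system-jazn-data.xml"/>
    <serviceInstance name="policystore.xml" provider="policystore.xml.provider"
        location="/usr/app/MW/SecurityMigration/prod/system-jazn-data.xml"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="sourceFileStore">
      <serviceInstanceRef ref="srcpolicystore.xml"/>
    </jpsContext>
    <jpsContext name="targetFileStore">
      <serviceInstanceRef ref="policystore.xml"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""
_GOOD_BODY = _BODY.replace("@OPEN@", "<serviceInstances>")

# 1. Declaration as posted: a stray "?" before standalone.
DECL_BROKEN = "<?xml version='1.0' encoding='utf-8'? standalone='yes'?>\n" + _GOOD_BODY
# 2. Declaration repaired, but </serviceInstances> has no opening tag.
TAG_BROKEN = ("<?xml version='1.0' encoding='utf-8' standalone='yes'?>\n"
              + _BODY.replace("@OPEN@", ""))
# 3. Both repaired.
FIXED = "<?xml version='1.0' encoding='utf-8' standalone='yes'?>\n" + _GOOD_BODY

if __name__ == "__main__":
    for label, doc in (("as posted", DECL_BROKEN),
                       ("declaration fixed", TAG_BROKEN),
                       ("fully fixed", FIXED)):
        print(label, "->", check_jps_config(doc, "sourceFileStore", "targetFileStore"))
```

Run it with a regular Python 3 interpreter against the real file contents before starting WLST; each run reports only the first well-formedness error, so repeat until the list is empty.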
Assign application roles after authentication
Hi,
It's been some time now I'm struggling with this issue...
I have a client application (not a web one) trying to access an EJB resource.
The EJB is first looked up through jndi and then asked to invoke a method, say test().
In ejb-jar.xml I have the following:
<security-role >
<role-name>AN_APP_ROLE</role-name>
</security-role>
<method-permission >
<role-name>AN_APP_ROLE</role-name>
<method >
<ejb-name>EJB NAME</ejb-name>
<method-intf>Remote</method-intf>
<method-name>test</method-name>
<method-params>
</method-params>
</method>
</method-permission>
I manage to have OID perform the authentication, so that I can perform the EJB lookup and call non protected methods. Issues arise when trying to get the roles working.
I know that i can <security-role-mapping> AN_APP_ROLE to an oid group; what I am trying to accomplish is to have oid do the authentication and be able to fetch the application roles from a database.
As a starting point what I've done is a client LoginModule that first authenticates against the OID (by looking up an EJB resource) and then, in the commit(), do the following:
this.subject.getPrincipals ().add (new RoleExtended("AN_APP_ROLE"));
Nevertheless access is denied when the client tries to access the protected test() method.
It seems that somehow even if the Subject has the role within its principals, the container doesn't treat it as such.
I am pretty stuck, and starting to wonder if this is the right approach... Nevertheless I don't think putting the application roles in oid is a good idea, since application roles should remain an application property not an enterprise directory one.
Any hint?!
cheers,
Francesco
p.s: in jazn.xml I have
<property name="role.mapping.dynamic" value="true"/> -
How to map Application Roles to Enterprise Roles
Hello,
I am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if I do not have it?
Can I map the roles in WebLogic Server itself? I have searched for such an ability and did not find it. I also have not seen any tutorial on the internet. Someone help me pls.
The version I am using is 12.1.2.0.0.
Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
See : Managing Security Across Portals for more info :
http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
First, You can grant privileges to a specified group (say sales group) of users by granting Enterprise Roles in Enterprise LDAP.
Next, Create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc) and assign the appropriate permissions as explained above.
Then, You can assign one or more Application Roles to a specified group (say sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> users & Groups
I hope it helps. -
Weblogic security & EJB role based access
How does (or not) weblogic security tie into the EJB notion of role based
control ? Can we create a 'custom' security mechanism for EJB (which
basically uses the EJB facilities but extends it within the application) by
using custom weblogic realms ?
Thanks
Raju
Thanks !
"Terry" <[email protected]> wrote in message
news:[email protected]...
comments inline
r <[email protected]> wrote in message
news:[email protected]...
Here are some more specific questions around an 'example' scenario:
The application has an entity bean 'Account' that can be accessed by the roles 'Bank Employee' and 'Customer'
'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()' methods on the 'Account' bean
'Customer' can execute the 'withdraw()', 'deposit()', and 'getBalance()' methods on the 'Account' bean
These permissions are set up through the deployment descriptor by mapping the 'Bank Employee' and 'Customer' roles to the particular bean methods that the role should be given access to.
1. How does weblogic provide the facility to map the EJB deployment descriptor <security-role> to a particular weblogic principal (user or group)
Or, should I say, how do I map the user or group to a deployment-descriptor defined role?
In the deployment tool, once in the jar select the 'Security' item, create an application role (in your case it is probably best to create 2 security roles - the bank employee role referring to the bank employee group (use the 'in role' checkboxes, and the customer role referring to the customer group - there may at some point be use for an allUsers role, which includes both groups, maybe not. What I am saying is that a role is made of one or more Principals - in our case groups)
In the Account Bean select the method permissions item, and create a method permission perm-0, select the perm-0 item that has just popped up in the left hand window, tick the box for placeOnHold(), and the boxes for <remote> and <home> one level deeper than this in the tree (as an aside, I have absolutely no idea why there would be a 'home' box here, ho hum). Select the 'bank employee' 'can invoke' tickbox
Create perm-1, and do what you did above for 'withdraw()' and 'deposit()' methods, and the 'customer' tickbox
I believe the documents say you would have to set up another permission to allow both groups access to the getBalance method, but in practice I haven't found this the case.
The documentation for this is at
http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211
(or search for 'Deploying EJBs with DeployerTool'
2. Are there any administrative tools provided by weblogic to do this mapping ?
The deployer tool. Otherwise I think it's the case of writing your own xml files
3. How much effort & complexity is involved in creating a custom realm
Hmmm, depends - you could have the RDBMSRealm that is provided in 'examples' in half an hour or so (there is a problem with one of the RDBMSUser's methods - getUserType or something like that - the solution can be found in the newsgroups if you search), the same is probably true of the LDAPRealm, NTRealm etc (although I have never used these).
Which one you choose depends on what equipment you have available, although I would say that the RDBMSRealm can use a lot of optimisation
Thanks,
Welcome
Raju
"Terry" <[email protected]> wrote in message
news:[email protected]...
The Principals (i.e. groups and users) from your custom realm are used to define application roles for the EJBs, but, as far as I am aware you cannot use a custom implementation for the ACLs for EJBs
terry
r <[email protected]> wrote in message
news:[email protected]...
How does (or not) weblogic security tie into the EJB notion of role based control ? Can we create a 'custom' security mechanism for EJB (which basically uses the EJB facilities but extends it within the application) by using custom weblogic realms ?
Thanks
Raju -
OBI 11.1.1.6-Restrict visible application roles while sharing customization
Hi,
I am trying to test the security around share customizations functionality accessed through (any)Dashboard -> Page Options -> Save Current Customization -> Save for Others -> Set Permissions -> (+)Add Roles/groups -> Search Application Roles
While searching for the Application roles, user gets to see all Application Roles and can assign the customization to any role. The search should have shown only the Application roles assigned to the user else irrelevant customization can be assigned to other application roles which cannot see the data for the selected filters in the customization
Is there some configuration setting somewhere to restrict the application roles seen in the search option while saving customizations for others?
896267 wrote:
Nope. Manage Privileges -> Save Customization feature just provides access to save the customization for the defined role(s).
The question is related to Saving customization for others through the Set Permission dialog box.
There is no such setting as the list of application roles and catalog groups are directly sourced from system-jazn-data.xml file and the catalog. In the user training, you could probably let the users know to prefix the application role name for that set of filters.
Thanks,
-Amith. -
I create application roles and assign them to an enterprise role at jazn-data.xml in jdeveloper.
However, after deployment I cannot find these application roles. But I can find the enterprise role.
Thanks for your reply. I can see application roles in EM.
I have 2 adf applications. Application A has application role A and B. Application B has application role C and D.
How to set the security in JDeveloper, weblogic admin console or EM that :
users in application role A and B can only login to Application A.
users in application role C and D can only login to Application B.
I deploy the sample application of 048. XML Menu Model site menus protected with ADF Security and JAAS of Oracle ADF Code Corner. However, in the EM, I cannot see application roles.