Security: obtaining user roles (JAZNUserAdaptor)

Similar Messages

• Problem while loading security information (users/roles) from repository

  Iview have stopped connecting to our MDM, All repositories, all IViews Very strange
  Here is what I see in the logs.... Any ideas? Please if you have seen this before only
  Marty
  com.sap.mdm.extension.MetadataException: Problem while loading security information (users/roles) from repository 'PORTAL_CUSTOMERS'
  at com.sap.mdm.extension.MetadataManager.loadRoleCache(MetadataManager.java:559)
  at com.sap.mdm.extension.MetadataManager.internalGetRoleSet(MetadataManager.java:502)
  at com.sap.mdm.extension.MetadataManager.getRoleSet(MetadataManager.java:471)
  at com.sap.mdm.extension.MetadataManager.createMetadataKey(MetadataManager.java:464)
  at com.sap.mdm.extension.MetadataManager.getRepositorySchema(MetadataManager.java:197)
  at com.sap.mdm.uwl.MdmUwlConnector.createUserSessionContext(MdmUwlConnector.java:1463)
  at com.sap.mdm.uwl.MdmUwlConnector.new_retrieveItems(MdmUwlConnector.java:546)
  at com.sap.mdm.uwl.MdmUwlConnector.getItems(MdmUwlConnector.java:129)
  Caused by: com.sap.mdm.commands.CommandException: com.sap.mdm.net.ConnectionException: java.io.IOException: Unexpected socket read.  Result is -1.
  at com.sap.mdm.security.commands.GetUserListCommand.execute(GetUserListCommand.java:72)
  at com.sap.mdm.extension.MetadataManager.loadRoleCache(MetadataManager.java:526)
  Caused by: com.sap.mdm.net.ConnectionException: java.io.IOException: Unexpected socket read.  Result is -1.
  at com.sap.mdm.internal.protocol.manual.AbstractProtocolCommand.execute(AbstractProtocolCommand.java:102)
  at com.sap.mdm.security.commands.GetUserListCommand.execute(GetUserListCommand.java:69)
  at com.sap.mdm.internal.net.DataSocket.receiveData(DataSocket.java:62)
  at com.sap.mdm.internal.net.ConnectionImpl.readInt(ConnectionImpl.java:497)
  at com.sap.mdm.internal.net.ConnectionImpl.readInt(ConnectionImpl.java:490)
  at com.sap.mdm.internal.net.ConnectionImpl.nextMessage(ConnectionImpl.java:629)
  at com.sap.mdm.internal.net.ConnectionImpl.receiveMessage(ConnectionImpl.java:572)
  at com.sap.mdm.internal.net.ConnectionImpl.send(ConnectionImpl.java:233)
  at com.sap.mdm.internal.protocol.manual.AbstractProtocolCommand.execute(AbstractProtocolCommand.java:99)
  com.sap.mdm.commands.CommandException: com.sap.mdm.net.ConnectionException: java.net.SocketException: There is no process to read data written to a pipe.

  Early this month we upgraded the MDM server to:
  MDM Server version: 5.5.63.57
  And the portal components:
  MDM 5.5 SP06 Technology Patch 3 (Build 5.5.63.57)
  MDM 5.5 SP06 Application Patch 3 (Build 5.5.63.57)
  MDM 5.5 SP06 Java API Patch 3 (Build 5.5.63.57)
  However the issue just began 2 days ago?
  We started intgrating MDM Workflow with UWL and assigned Roles and Iviews to the Universal Worklist Configuration
  It seems the Iviews work for a while and then after some time everything gives up? Very confounding
  And yes we are using standard Iviews (search, Result and detail)
  Thanks
  Edited by: Marty Monroe on Oct 31, 2008 3:07 PM

• ¿How to use user-roles in Ironport WSA (7.6) using ACS 4.1?

  Hello,
  I want to give a client access to a S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).
  I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not like an administrator role.
  Thanks for your help!
  Sergio

  Hi,
  This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.
  "To map RADIUS users to different Web Security appliance user role types, you assign a role type, such
  as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you
  specify the authorization level for each RADIUS user."
  Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".
  Regards,
  Kush

• Cisco Security Manager Local RBAC Authentication Radius assign user role

  Is it possible to use Cisco Security Manager with local RBAC, authenticate the user to Radius and retrieve it's role from Radius. Getting the authentication to work isn't the problem, but is it also possible to return the role the user has (i.e. Super Admin) via Radius, without having to create all the users one-by-one in the local CSM database with the correct role.
  Can i use a certain Cisco-AV-Pair attribute to return the user role via Radius?

  I just got asked to look at the same situation by one of our security people.
  We have exactly the same problem but it reports a username of "*****" and we are running CSM 4.7 (upgraded last week)

• Security Issues with the BP Internet user role creation--SU01

  Hi All,
  We are implementing the B2B Internet sales scenario using CRM 4.0. we
  have contact persons who logs in and chose the distributor and then
  start placing orders or look at product catalog .... Now contact person
  is created as a BP in CRM and relation ship is maintained to sold to
  (bp). During this process the contact person should be created under
  the Internet user role which uses the SU01. so we will be able to
  change password or change the roles of the users while creating BP
  under the internet user role -- same as what we do in SU01.
  This is now a security Issue because who ever can access the BP
  (create/change) will be able to do the things we can do under
  transaction SU01. But we still need to access the Internet user role in-order to assign the user id to the contact person . Is there any other
  way of doing this.
  Please advice ASAP.
  Thanks
  Vasu

  Hi Ashwini,
  you need to modify the logon routine and then in the user management (isauseradmin application) to do this. Then there are likely changes to the catalog identification, and very likely to most processes in the shop. I really wouldn't advise doing so. As accounts usually have contact persons: Why does your client insist in providing a login for the organization and not for a person?
  To achieve something that looks almost like the desired solution you, e.g., could model a dummy contact person for each account that shall get a logon, that then does the job. The contact person could be named like the company and then you are back to plain standard.
  Rgds
  Thomas

• End User Roles Tab: Link to security roles on ECC?

  Hi-
  There is a configurable value in the End User Roles tab where you can populate Roles. However when you select the values they only pull in roles loaded on the SolMan system. How can I access roles in target systems, so they can be mapped to my process hierarchy?

  Hi
  what do u mean by target systems... satellites systems.......i think you are confused somehow
  this tab is used for learning map user roles
  check this out and read it completely
  http://help.sap.com/saphelp_sm32/helpdata/en/ee/4344ed87a24d8da937c565bf572408/frameset.htm
  Learning map use
  You want to send the learning map to a group of users with the same business role, e.g. to all accountants in your company, or to the purchasing department. You copy existing business roles in the Solution Manager, or create new ones.
  Hpoe it clarifies ur doubt
  regards
  prakhar

• How to hide custom fields in Shopping cart depening on user role

  Hi,
  We have some custom fields in shopping cart for basic view. Every thing works fine. Now client is asking to hide all the custom fields based on user role.
  I found some function module to fund roles. now my main problem is unable to find the cusotm filed screen field name.
  When I tryed to find the screen field name using BBPSC02/03, its giving 'GT_DISPLAY_100-FIELD'. If I try to use this field, its not working.
  Could you pls tell me how to find custom screen filed name to hide in shopping cart.
  Thanks,
  Ram

  Hi Ram,
  As Laurent suggested,to hide the custom fields based on the user role,you need to implement the logic in BADi "BBP_CUF_BADI_2".
  You have the importing parameter IV_USER in this BADI.
  Pass this parameter to tables AGR_USERS and AGR_USERT  to get the user role
  OR
  Use FM: BAPI_USER_GET_DETAIL
  with USERNAME= user id and can retrieve Table: ACTIVITYGROUPS Field:AGR_NAME
  if you want the otherway around
  you can also use FM: RSRA_USERS_OF_AGR_GET
  with I_AGR_NAME= role and you can retieve Table: ACTIVITY_GROUPS_USERS Field: UNAME(usr Id)
  Then check the value for the User role as obtained using the above steps and accordingly set the property for the custom fields to hide them.
  BR,
  Deepti.

• How can I add a user Role member that is from a different domain

  We are currently building out SCOM 2012 R2 to provide monitoring as a service to some of our customers.  As of now we have the RMS on our own department's domain (Domain A) which we have full control of and we have a gateway server that is on the company
  wide domain (Domain B) so that we can monitor other departments devices as the leverage this system.
  Monitoring is working just fine on both domains and we are just working on fine tuning SCOM so that we can roll it out as a service we offer to our customers.  One of the next steps we are working on before rolling it out is giving specific users access
  to view only their own devices, dashboards, and groups.  So I created a Read-Only profile and went to add a user to test it out, but that user is on Domain B and SCOM is unable to resolve this account.  I'm seeing Event ID 26319 with Error Code 1332.
  How can I get SCOM to discover devices on a different domain so that I can give them different permissions for accessing the Operations Console and/or Web Console?  Is this possible?
  Here is the Error I'm seeing.
  Log Name:      Operations Manager
  Source:        OpsMgr SDK Service
  Date:          2/4/2015 1:11:59 PM
  Event ID:      26319
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      xxxxx.xxxx.xxxxxxxx.xxx
  Description:
  An exception was thrown while processing UpsertUserRolesV2 for session ID uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40.
   Exception message: The creator of this fault did not specify a Reason.
   Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
  Unable to resolve the user [email protected] associated with the user role. Error code 1332. Check your active directory configuration.).
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="OpsMgr SDK Service" />
      <EventID Qualifiers="49152">26319</EventID>
      <Level>2</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2015-02-04T21:11:59.000000000Z" />
      <EventRecordID>172748</EventRecordID>
      <Channel>Operations Manager</Channel>
      <Computer>xxxxx.xxxx.xxxxxxxx.xxx</Computer>
      <Security />
    </System>
    <EventData>
      <Data>UpsertUserRolesV2</Data>
      <Data>uuid:f3b4015e-9583-4237-b7a6-406826434553;id=40</Data>
      <Data>The creator of this fault did not specify a Reason.</Data>
      <Data>System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Microsoft.EnterpriseManagement.Common.UserRoleUserUnresolvedException:
  Unable to resolve the user [email protected]  associated with the user role. Error code 1332. Check your active directory configuration.).</Data>
    </EventData>
  </Event>
  Thanks for any help I can get in resolving this issue.
  Jake

  The SCOM Management Server is in Domain A.  I've tried it already and it has failed.  
  So just to clarify the method I used was to go to Administration>Security>User Roles.  Then New User Role>Read-Only Operator.  In the Create User Role Wizard I then gave the User Role a name, Clicked "Add" under User Role Members.
   Then the Select Users or Groups window pops up and I changed the Locations from Domain A to Domain B and searched for the user, which it's able to find, then clicked "OK" to add it to the User Role members which it does just fine.  On
  the next page which is Group Scope I checked the one group I want this account to have access to and then click next.  This brings me to Dashboards and Views where I click the radio button for "Only the dashboards and views selected in each tab are
  approved" and chose the folder of dashboards I want this account to access and then click next.  This brings me to the Summary and I click "Create".  At this point it thinks for a moment then closes out the wizard but the new Read-Only
  Operator does not appear.  I then look in Event Viewer and see the Event I pasted above.
  Am I doing something wrong here?  Any guidance on how to get around this issue would be much appreciated.
  Thanks,
  Jake

• How to setup the security based on roles in Organization.

  Hi,
  How to setup the security based on roles in Organization.
  For example:Few users are Manager and a few user are Non Manager .Manager should have access to all work data including Non Manager and Non Manager should access based role.How to setup this? How OBI server identify the user role?
  kindly let me know.
  Regards.,
  CHR

  Hi,
  You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
  And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
  Hope this will solve your problem.
  Regards
  MuRam

• Restricting values of a dropdown based on user roles

  Hi,
  Is it possible to restrict the values of a custom metadata dropdown based on the user roles (assuming only 1 role is assigned to each user)? Say, based on the role assigned to a user, he/she should see only 3-4 values out of 10 values in a dropdown on the checkin page. Please suggest.
  Thanks.

  You can get pretty close out of the box using some configuration manager applet voodoo
  1)First off create a Table that will contain the options for your list. Create the columns e.g. label and id and then also create a column called dSecurityGroup
  2)Add a view based on the table you just created, choose the Security tab and select "Use standard document security"
  3)Add some values to your view - make sure that you populate the dSecurityGroup column with real values of security groups
  4)Once it is all published, have a look at the checkin and search screens. You should find that UCM will evaluate the options in the same way it would documents - based on the dSecurityGroup value you applied to the row - e.g. you will see an option on the search screen if you have at least R permissions, you will see an option on a checkin screen if you have at least RW permission
  Try it out :-)

• User roles in Integration Repository

  Hi everybody,
  does anybody have experience with user roles in XI 3.0? We want to limit access to various namespaces in the Integration Repository with use of these roles that can be created in the IR. That way, various XI developers working on the same XI-Repository should not be able to work in the namespaces of other developers.
  We created the role in the IR and assigned it to a user in the J2EE Engine. But so far, it doesn't seem to work.
  Am I missing something??
  Thanks a lot,
  Francis Wolf

  Hi,
  it looks like the integration to the "abap" backend (=IS-Server) is missing.
  J2EE-R3 integration regards user management maps R3 roles onto J2EE user groups. Thus, if the term "role" is used in R3 context, it has to be translated to "user group" in J2EE.
  Next steps:
  1. Create user in "R3", with transaction SU01.
  2. In "R3", create a role with transaction PFCG
  3. UME Admin WebApp: assign role to user group
  4. XI Exchange Profile WebApp: activate data-dependent authorization checks. Put: com.sap.aii.util.server.auth.activation" in section "IntegrationBuilder.Repository" to true
  Please check the documentation on Netweaver security and Integration of UME Roles with SAP Roles
  Hope that gives an idea!
  Good luck
  Holger

• How to create/get user & role in Weblogic 9.2 programmatically?

  Hi,
  I am new to Weblogic 9.
  I need to create a web service to manage user/role in WebLogic 9.
  Searching thru the web and found some classes like:
  AtnSecurityMgmtHelper, AtnProviderDescription etc
  Are those the correct classes to create/retrieve user & role?
  If so, what jar file contains those classes and where is the jar
  file?
  Thanks in advance,
  Terry

  You can do it with WLST help
  http://e-docs.bea.com/wls/docs92/config_scripting/config_WLS.html#wp1019913
  or via JMX through http://e-docs.bea.com/wls/docs92/javadocs/weblogic/management/security/authentication/UserEditorMBean.html and such

• Usage of Different Prompt based on Users Role in OBIEE

  Hi
  I have a requirement(OBIEE Reports) as below.
  The Dashboard page will have a Prompt(Drop Down) Say for Geography where it will list all the countries available.When a global user(Role) logs in to the application he should see all the list of available countries along with "All Choice" option in the prompt.But when a Country user(Role) logs in he should see only the country available for him in the prompt without "All Choice" Option.Also if the Country user(Role) belongs to more then one country he should see all countries he belongs to along with the "All Choice" option in the prompt.
  Any help on this is Appreciated.
  With Regards
  Subhadipta Samantray
  Edited by: user635206 on Jun 11, 2009 10:22 AM
  Edited by: user635206 on Jun 11, 2009 10:23 AM

  Hi
  Like David points, you may use Security Groups to display 1 or more Countries to the User depending upon 'Global' or 'Country'. You will have to use content filters to reflect the scope of the user in session.
  Then 'All Choices' is a prompt front-end feature. You cannot restrict to 'Country' but 'Country' anyway cant see more rows that he is eligible. So, you may consider 'All Choices' for all users.
  Try and tell us if this worked for you

• User Role problems in Sun Java Application Server Platform Edition 8

  I am having two problems setting up user roles in Sun Java Application Server Platform Edition 8. At first, I thought that it was a problem with the higher level features that I was using, so I created a very simple example using the simplest authentication I can use, but the problem still occurs. I am using the file realm and configuring the users in the App Server Admin Console. I create 2 users in different roles. One user should have access, the other should not.
  1) The first problem is that both users can access the page
  2) The second problem is that the isUserInRole() method returns false for both users with the role that it should be authenticating against.
  Here is a sample of my code:
  Users Configured in Console:
  username password roles
  user1 ********** admin
  user2 ********** noaccess
  web.xml
       <security-role>
            <role-name>admin</role-name>
       </security-role>
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>My Protected Area</web-resource-name>
                 <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                 <role-name>admin</role-name>
            </auth-constraint>
            <user-data-constraint>
                 <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
       <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>file</realm-name>
       </login-config>
       <servlet>
            <servlet-name>
                 TestServlet
            </servlet-name>
            <servlet-class>
                 mypackage.TestServlet
            </servlet-class>
            <security-role-ref>
                 <role-name>admin</role-name>
                 <role-link>admin</role-link>
            </security-role-ref>
       </servlet>
       <servlet-mapping>
            <servlet-name>
                 TestServlet
            </servlet-name>
            <url-pattern>
                 /TestServlet
            </url-pattern>
       </servlet-mapping>
  TestServlet.java:
            out.println("admin role: " + request.isUserInRole("admin") + "<BR/>");
  Thanks before hand for any responses.
  - Brian

  Hi Jeanfrancois,
  Your suggestion has lead me to find my problem. There were actually three problems.
  1) First, you suggestion to reorder my xml file did not cause any errors to occur. I got suspicious that my web.xml file was wrong. I looked at some sample web-xml files and found that I was missing the header as follows:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
  2) When I added this information, the deploy feature failed stating the my web.xml file was out of order. I fixed the ordering. It now deployed, but the security still wasn't working.
  3) I then added the sun-web.xml file. This file was missing before hand as I thought it was unnessary. However, this file added the essential mapping from a role to a group. After adding this, it now started to work.
  Thanks so much for you time and effort. You really did help me.
  - Brian Blank

• Checking user roles in FI Module

  Hi,
  Please let me know the points to be considered while checking the security and authorization in FI modules based on a user role.
  Thanks,
  Sridevi

  Hi,
  While defining the security roles, as a first step Composite roles, Single Roles are created. Transaction codes are attached to Single roles. A group of Single roles are attached to a Composite roles.
  Based of Business requirements / Orgnaization structure in the Company  in the sense VP. Finance / Controller / Sr.Manager / Manager etc., the composite roles and single roles are assigned to the positions. For example Vice President Finance will have full authorization to all composite roles.
  Some of the users require only display authorization, in which case a role is created only incorporating transaction codes which display documents.
  Thanks
  Murali.