Security roles in the OC4J

Similar Messages

• How can I know the security role of the logged in user

  When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
  But wondering when I log into my application with some user name and password (specified in my Oracle database),wondering how this works with the security role I created .How does J2EE know the security role of the logged in user.
  Thanks
  Manohar

  shet wrote:
  role at run time.
  When I login say as "manju" and password as "money" then how does it know that this user belongs to this security role.Is that the j2ee administrator has to say that user manju has this this security role.Programmitically how does it really work.I am confusedThe j2ee implementation assigns the roles using the JAAS module you have configured for your application on your application server. different JAAS modules get roles in different ways. many allow a single static role to be assigned using a config file. if using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
  At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

• Receiving an error when trying to remove P00 Security role from the user

  Hi All,
  I am receiving an error when trying to remove P00 Security role from the user.
  After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
  I click on Select Roles/Groups
  On the next screen,
  I click on Existing Roles/Groups
  ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
  Regards,
  Vineet

  Hi Vineet,
  My be your selection is incorrect
  Try this
  in Applicaiton Area -- Select ALL
  Functional Area  -
  Select ALL
  Company           -
  Select ALL
  Role/Profile/Group Names --- Give p00* and execute the report
  if you give only p00 it wont give any result
  Hope this helps
  Thank you,
  Kishore

• Using the SDK to check if user security role membership

  Is there any way to check if a user is in a particular security role using the SDK?
  I ask because I am considering adding a web based ticket search by ID/key word look-up web service since this function is not part of the Self-Service Portal.  I am looking into what it takes to maintain the system's security model or at least limit
  the information given to the users.  I am thinking that affected users might get some ability to modify their tickets.
  I've already built a web portal hosting complex forms for several of our teams where the Self-Service Portal was too limited to collect necessary information.  The forms portal already uses the SDK to submit work items directly into Service Manager.
  This would be a welcome extension of the web site's capabilities.

  Hi,
  You may try powershell, here are two PowerShell scripts that use
  SMLets to reveal interesting information about user roles in SCSM, please refer to it:
  https://gallery.technet.microsoft.com/Service-Manager-SCSM-User-ebcdfcd6
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Invalid Security role-name error in Web Project

  Hi All,
  I have imported a J2EE application project built in JBOSS into NWDS 7.1.
  While building the project i get the following error
  <b>CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN</b>
  This error directs me to the following code in web.xml
  <security-constraint>
            <display-name>Default JSP Security Constraints</display-name>
            <web-resource-collection>
                 <web-resource-name>Portlet Directory</web-resource-name>
                 <url-pattern>/jsp/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                 <b><role-name>PEHNTAHO_ADMIN</role-name></b>
            </auth-constraint>
            <user-data-constraint>
                 <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
  <b>I have tried out the following things to resolve this issue :</b>
  <b>1) Remove the role manually</b>(as suggested by various people in other J2EE forums), but then some other error came in to picture
  <b>2)Then I added the following code in web.xml</b>
  <security-role>
            <role-name>PEHNTAHO_ADMIN</role-name>
       </security-role>
  Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
  Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
       java.rmi.RemoteException:  class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
  sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
  version status: HIGHER
  deployment status: Admitted
  description:
            1. Error:
  Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
  ERRORS:
  Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
       <!-- whole web.xml-->
  </web-app>
  " is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
  WARNINGS:
  Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
  <b>3) I had also added the following code in web-j2ee-engine.xml</b>
  <security-role-map>
            <role-name>PEHNTAHO_ADMIN</role-name>
            <server-role-name>all</server-role-name>
       </security-role-map>
  but still i get the same deployment error.
  Please help me in resolving this problem.
  Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
  Thanks and Regards,
  Sruti

  Hi Malathy,
  Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
  Could you please let us know you created a roles named users in WLS ?
  Thanks & Regards,
  Murali.
  ============

• Unable to assign all security roles to a user with a new custom security role

  Dear All,
  Happy New Year.!
  I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
  any desired security role to the new user.
  However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
  'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
  For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
  to assign some other security roles, including 'Support User Role', to new user 'y'.
  I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
  'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
  Appreciate any help that you can provide on the above issue.
  Thanks in anticipation.

  Hi,
  Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
  Refer:-
  http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
  Hope this helps!!!
  Thanks,
  Prasad
  Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

• Problem mapping LoginModule roles to ejb security roles

  I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
  PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
  LoginContext lc = new LoginContext("current-workspace-app", cbh);
  lc.login();
  I then perform a lookup on a bean using the same user:
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
  env.put("java.naming.security.principal",username);
  env.put("java.naming.security.credentials",password);
  env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
  Context ic = new InitialContext(env);
  final SessionEJBHome sessionEJBHome =
  (SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
  Finally, I create an instance of the bean and call a method of this bean.
  SessionEJB sessionEJB;
  sessionEJB = sessionEJBHome.create( );
  sessionEJB.testMe( );
  I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
  "username is not allowed to call this EJB method"
  When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
  Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
  Thanks
  PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• Mapping UME Roles to J2EE Engine Security Roles

  Hi all,
  is there a way to map the roles defined in UME which are used in a Web Dynpro application to those declared as part of an EJB descriptor?
  Any help is highly appreciated.
  Regards,
  Sebastian

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• Issue with generating a security role in program CRMD_UI_ROLE_PREPARE

  Hello -
    We have recently upgrade from CRM 2007 from CRM 4.0. We are working with the Business Roles and generating the security role from the business role using CRMD_UI_ROLE_PREPARE. We first create a simple test Business Role, a Z* copying from TPM_ROLE. Then we generated the security using CRMD_UI_ROLE_PREPARE. This was fine. Now was have copied a Business Role from TPM_ROLE that is one we want to use. We have created our own Z* Nav Bar and Role Config Key. This is working fine, but now when we try to generate using CRMD_UI_ROLE_PREPARE, the txt file is not generated, though there are no errors in the log. We can still generate the security role from our simple test. We have looked on line, and read the article in CRM Expert in June on Business Roles, but have not found the solution yet. Has anyone run into this?
  thanks
     George

  This is how I used this program:
  A. Generate required authorization objects
  1.     T-Code: SA38
  2.     Enter report CRMD_UI_ROLE_PREPARE and choose Execute.
  3.     Select your Business Role.
  4.     Choose language EN.
  5.     Choose Execute.
  Result: A file is created for each Business Role and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\<User ID>\SapWorkDir\.
  B. Assign authorization objects
  1.     T-Code: PFCG
  2.     Enter your Role and choose Change.
  3.     On the Menu tab choose Import from file and upload the file previously created.
  4.     Choose Save.
  Then adapt the authorizations if needed and choose Generate.
  Stephanie.

• Mapping security roles to other roles

  I found the security newsgroup and posted the question there under the same topic. Kindly respond there.
  Message was edited by:
  jheinone

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• Warning: EJB  referenced an unknown security role?

  Hello,
  I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
  In the EJB I have the following check:
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  At run time, I get the following warning in the WL window:
  Fri Nov 10 12:56:58 EST 2000:<I>
  <EJB JAR deployment D:/weblogic/myserver/myBean.jar>
  Warning: EJB "unu" referenced an unknown security role
  However:
  - the role IS defined (see ejb-jar.xml)
  - has an associated principal (see weblogic-ejb-jar.xml)
  - there is a principal defined in weblogic.properties
  - this principal (and this role) is actually used in practice to access the
  bean. Which works.
  So why the warning?
  Any hint appreciated,
  Thanks.
  ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <description>description of the ConspiratorRole</description>
  <role-name>ConspiratorRole</role-name>
  </security-role>
  </assembly-descriptor>
  weblogic-ejb-jar.xml:
  <weblogic-ejb-jar>
  <security-role-assignment>
  <role-name>ConspiratorRole</role-name>
  <principal-name>Conspirator</principal-name>
  </security-role-assignment>
  </weblogic-ejb-jar>

  You should not reference the role link in you code.The role link is used to
  connect the role name in you code to the
  role name in your deployment descripment. Only if this link is set up as you
  have done below, will the isCallerInRole return true.
  - Sri
  Alf wrote:
  I reviewed older postings and found indications of what appears to be a bug
  in WL: that isCallerInRole always return false for role names but returns
  correct values if the role names are linked with a reference in
  <security-role-ref>. So, according to the DTD at
  http://edocs.bea.com/wle/dd/ddref.htm#1038338 I added the following in
  ejb-jar.xml:
  <ejb-jar>
  <enterprise-beans>
  <session>
  <security-role-ref>
  <role-name>ConspiratorRole</role-name>
  <role-link>ConspiratorRoleLink</role-link>
  </security-role-ref>
  and added 2 lines in the bean to test the both the role and the reference
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  if (ctx.isCallerInRole("ConspiratorRoleLink"))
  System.out.println ("the user is in the ConspiratorRoleLink
  role");
  The unexpected result was a NullPointerException at
  weblogic.ejb.internal.BaseEJBContext.isCallerInRole(BaseEJBContext.java:665)
  Can anyone shed some light? Thanks.
  "Alf" <alf> wrote in message news:[email protected]...
  Hello,
  I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
  In the EJB I have the following check:
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  At run time, I get the following warning in the WL window:
  Fri Nov 10 12:56:58 EST 2000:<I>
  <EJB JAR deployment D:/weblogic/myserver/myBean.jar>
  Warning: EJB "unu" referenced an unknown security role
  However:
  - the role IS defined (see ejb-jar.xml)
  - has an associated principal (see weblogic-ejb-jar.xml)
  - there is a principal defined in weblogic.properties
  - this principal (and this role) is actually used in practice to accessthe
  bean. Which works.
  So why the warning?
  Any hint appreciated,
  Thanks.
  ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <description>description of the ConspiratorRole</description>
  <role-name>ConspiratorRole</role-name>
  </security-role>
  </assembly-descriptor>
  weblogic-ejb-jar.xml:
  <weblogic-ejb-jar>
  <security-role-assignment>
  <role-name>ConspiratorRole</role-name>
  <principal-name>Conspirator</principal-name>
  </security-role-assignment>
  </weblogic-ejb-jar>

• How do I map declared security role to an actual operational one?

  Hello,
  Suppose I have created few security roles at the ejb-jar.xml file of my J2EE application using:
  <security-role>
  <role-name> managers <role-name>
  </security-role>
  Our portal is connected to our LDAP server so the WAS contains all the groups it has over there.
  My question is: How do I actualy map the security role I declared at the deployment descriptor (manager) to an actual group in our organization?

  Hi Roy,
  Are you familiar with thishttp://help.sap.com/saphelp_nw04/helpdata/en/1a/733e401b21e801e10000000a155106/frameset.htm ?
  Best regards, Maksim Rashchynski.

• Showing or hiding buttons/ enabling text boxes depending upon security role in Portal

  Hi All,
  Is it possible to show or hide ceratin text box or buttons depending on the security
  role of the user ? Let's suppose we have screen with buttons update, delete. Now
  we want that when a administrator logs in he will see a screen with data in editable
  text boxes and update and delete button. In case of normal user, only the phone
  no. will be editable and he can't see the delete button.
  Is it possible using portal feature ?
  Any suggestion is welcome.
  TIA,
  Sudarson

  Sudarson,
  Not that I know of. If you'd like to eloborate on the feature you're
  building I can log an enhancement request for you.
  Sincerely,
  Daniel Selman
  "sudarson" <[email protected]> wrote in message
  news:3c5f698e$[email protected]..
  >
  Hi Daniel,
  Thanks for the reply. I think, I should elaborate my query.
  Yeah, programattically we can do the stuff. But my question is that isthere any
  such feature in weblogic portal so that in stead of using is UserInRoleand doing
  it programatically, we can do it thru portal, thus having bettermaintainability.
  >
  Regards,
  Sudarson
  "Daniel Selman" <[email protected]> wrote:
  Sudarson,
  Yes this is possible. You can programmatically check the logged in user's
  role within your JSP and react accordingly (all standard J2EE). You
  should
  do this with caution however as you could quickly create a maintenance
  problem for yourself. Declarative security externalizes all security
  settings (groups. permissions etc.) away from application code and is
  usually to be preferred.
  Programmatic security through EJB mechanisms such as the SessionContext
  isCallerInRole and getCallerPrincipal methods and web-tier methods
  getRemoteUser, isUserInRole and getUserPrincipal.
  http://java.sun.com/j2ee/j2sdkee/techdocs/guides/ejb/html/Security5.html
  Sincerely,
  Daniel Selman
  "sudarson" <[email protected]> wrote in message
  news:3c5e81cf$[email protected]..
  Hi All,
  Is it possible to show or hide ceratin text box or buttons dependingon
  the security
  role of the user ? Let's suppose we have screen with buttons update,delete. Now
  we want that when a administrator logs in he will see a screen withdata
  in editable
  text boxes and update and delete button. In case of normal user, onlythe
  phone
  no. will be editable and he can't see the delete button.
  Is it possible using portal feature ?
  Any suggestion is welcome.
  TIA,
  Sudarson

• NWA 7.3 : Looking for "security roles" (Policy Configuration) ...

  Hi guys,
  We deployed a simple application in our new SAP NW 7.3 JAVA instance; by calling the application, we receive "error 403 : Error: You are not authorized to view the requested resource."; this was fixed wihtin NW 7.x by adding a user/group within security roles of the selected component ( Visual Admin => Security Provider => Policy Configurations => select component and than security roles );
  where to do this within NWA 7.3 ?
  any ideas;
  Thanks
  Oliver

  Hi Oliver,
  Procedure
    Start SAP NetWeaver Administrator with the quick link /nwa/auth.
    Choose Components.
    Select a policy configuration.
    On the Authentication Stack tab, choose the Edit pushbutton.
    Determine if you want to use an existing template or if you want to change the policy configuration of the current component. 
  To use an existing template, select a template from the Used Template field.
  For authscheme references, select a template from Used Authscheme.
  The component uses the settings and authentication stack from the template. To edit these settings, edit the settings of the policy configuration template. To create a new template, see Creating Authentication Stack Templates for Policy Configurations.
    To change the policy configuration of the current component, do the following: 
  Add and remove login modules as required.
  The system applies the login modules in the order they appear in the list.
    Set a processing flag for each login module. 
  For more information about login module flags, see Policy Configurations and Authentication Stacks.
    Add and remove any options to the login modules.
    Set the authentication stack parameters according to the type of policy configuration. 
  Please,go through below help file
  http://help.sap.com/saphelp_nw73/helpdata/en/4a/734e26fa92731fe10000000a42189c/frameset.htm
  Cheers
  Revanth Pasupuleti

• Run a workflow with a low security role profile

  Hello,
  I created a workflow that is sending an email to the administrator when a certain action has to be done. To make sure this workflow has actually been running, I ended it with a step that update a two option field as 'Email sent'. 
  I would like to lock this field for users because I only want them to read it but not change its data. So I enabled security role. 
  The problem is that since I made that, the workflow cannot be run because users don't have the security role to change this field. 
  I found out while browsing thrgough the internet that I had to check 'Execute as the owner of the workflow', but this didn't help. 
  So does anyone has a response to my problem or another way to manage it? A solution that does not involve any code because I'm not working in IT at all, we're a small company and so I'm a salesman. 
  Thanks for your help.
  Sylvain

  Hi,
       Create these 2 fields as non-searchable fields so users cannot search them.  If the user does not need to change these fields, make the fields read-only on the form. There is no need to use security role profile and play with
  security roles for this.
  Hope this helps.
  Minal Dahiya
  blog : http://minaldahiya.blogspot.com.au/
  If this post answers your question, please click "Mark As Answer" on the post and "Vote as Helpful"