Securty Role and auto permissions

Similar Messages

• Associate roles and permissions to users that existe on a database

  Hi,
  i want realise a secure authentification i used ADF Configuration but i found out that i cant bring my users from my database. i can just create new users with roles in Jdeveloper.
  do you how we can bring users to Jdeveloper and associate to them roles and permission ?

  i found this tutorial that is that what i did :
  1. Start up weblogic server (Run .. Start Server Instance)
  2. Log on to weblogic console ( http://localhost:7101/console/ )
  3. Use default username/password weblogic/weblogic1
  4. Create a datasource to connect to the schema where the authenticating database tables are (Services .. JDBC .. Data Sources)
  5. Use unique name for datasource. Use JINDI name of jdbc/
  6. Enter database name, schema name and password and test
  7. Add new Authentication provider (Security Realms .. myrealm .. Providers .. New)
  8. Enter datasource name, type SQLAuthenticator click Ok
  9. Going back into provider, change control flag to Sufficient
  10. Select Provider Specific tab and choose Plaintext passwords, password algorithm SHA-1
  11. Shut down weblogic
  12. Edit config.xml file in JDEV_DIR/system11.1.1.2.36.55.36/DefaultDomain/config and replace sql authenticator sql statements with those from web blog
  13. Restart weblogic.
  14. Go to users/groups tab in securty realm and view users and groups imported from database
  15. Set control flag for other providers to "Sufficient"
  source : http://brent.hmdclinical.com/2010/03/using-database-tables-as-weblogic.html
  but the step 12 i dont know what i need to change and with what ?

• Create Roles and Permissions using API

  Hello,
  I'm new to Java and I'm trying to create Roles and Permissions in LiveCycle using API's. Can someone please check and correct my code below?
              //Create a ServiceClientFactory object
              ServiceClientFactory myFactory = ServiceClientFactory.createInstance(connectionProps);
              // Create an AuthorizationManagerServiceClient object
              AuthorizationManagerServiceClient amClient = new AuthorizationManagerServiceClient(myFactory);
              RoleImpl ri = new RoleImpl();
              ri.setName("Test ES Role");
              ri.setDescription("Test Role via API");
              ri.setMutableStatus(true);
              amClient.createRole(ri);
  Executing the above code throws exception as below;
  com.adobe.idp.um.api.UMException| [com.adobe.livecycle.usermanager.client.AuthorizationManagerServiceClient] errorCode:16385 errorCodeHEX:0x4001 message:Exception thrown is NOT a DSCException : UnExpected From DSC chainedException:java.lang.IllegalStateExceptionchainedExceptionMessage:null chainedException trace:java.lang.IllegalStateException
            at com.adobe.idp.dsc.clientsdk.ServiceClientFactory$1.handleThrowable(ServiceClientFactory.j ava:72)
            at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:220)
            at com.adobe.livecycle.usermanager.client.AuthorizationManagerServiceClient.createRole(Autho rizationManagerServiceClient.java:159)
            at com.adobe.lc.ManageRolesAndPermissions.main(ManageRolesAndPermissions.java:70)
  Caused by: java.lang.NoClassDefFoundError: javax.ejb.EJBException
            at com.adobe.idp.dsc.clientsdk.ServiceClientFactory.evaluateMessageDispatcher(ServiceClientF actory.java:595)
            at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:215)
            ... 2 more
  Caused by: java.lang.ClassNotFoundException: javax.ejb.EJBException
  Thank you,
  Sandeep

  Mahesh,
  Refer to your other thread ..
  API to create new items in inventory
  API to create new items in  inventory
  Regards,
  Hussein

• OBIEE Roles and Permissions

  Hi,
  I am new to OBIEE. I have installed OBIEE 10.1.3.4.1 in Windows Machines.
  I want to create user in OBIEE and i need to give appropriate permissions those users.
  How to give roles and permissions in OBIEE .Please help me
  Thanks,
  Vijay.

  Hi Vijay,
  Please start here; http://gerardnico.com/wiki/dat/obiee/security_10g
  Good Luck,
  Daan Bakboord
  http://obibb.worpdress.com

• Trying to auto generate roles and privileges

  Greetings All,
  Oracle Enterprise 11g v11.2.0.1.0 on Windows Server 2008
  I have a database with many schemas. One of the schemas is referred to as the CM_MASTER schema in that it has been granted the following: dba, create user, drop user, alter user, create any table, select any table, and a few others, all with the “with admin option” clause.
  We have developers that need select only access to the tables and views of the non-master schemas. My plan was to create a unique ROLE for each schema, then grant select on each table and view in that schema to that unique role. Then grant the appropriate role(s) to each developer hence giving them read only access.
  I can accomplish the above manually while logged on as the CM_MASTER schema.
  I am trying to create a procedure owned and executed only by the CM_MASTER schema that creates a new role and then grants to that role. The procedure accepts a parameter containing the user name of the target schema. The procedure is able to create the role (create role scott_r) successfully.
  However, I am getting an insufficient privileges error (see below) after the role has been created, when trying to issue the “grant select on scott.some_table to scott_r” command via "execute immediate".
  Any ideas what privilege(s) the CM_MASTER user needs in order to be able to issue the grant(s) to the role?
  Error message below:
  exec gen_schema_role('scott');
  Error report:
  ORA-01031: insufficient privileges
  ORA-06512: at "CM_MASTER.GEN_SCHEMA_ROLE", line 30
  ORA-06512: at line 1
  01031. 00000 - "insufficient privileges"
  The procedure code is below:
  The utl_file.put_line commands were added for debugging but nothing gets output.
  When the "execute immediate" lines are commented out, the output from the utl_file.put_line commands displays the correct SQL create and grant statements.
  create or replace
  procedure gen_schema_role(p_db_user in varchar)
  as
  v_role_name varchar2(30);
  v_bat_out utl_file.file_type;
  cursor get_object_names is
  select object_name from dba_objects
  where owner = upper(p_db_user)
  and object_type in ('TABLE','VIEW')
  and status = 'VALID'
  and object_name not like 'DR$%'
  and object_name not like 'XT%';
  begin
  v_bat_out := utl_file.fopen('SR_BACKUP', 'Create_Roles.sql', 'W');
  v_role_name := substr(p_db_user,1,28) || '_r';
  utl_file.put_line(v_bat_out, ' ');
  utl_file.put_line(v_bat_out, 'create role '||v_role_name);
  execute immediate 'create role '||v_role_name; <<-- This seems to work, the role gets created
  for a in get_object_names
  loop
  utl_file.put_line(v_bat_out,' grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name);
  execute immediate 'grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name;
  end loop;
  utl_file.fclose(v_bat_out);
  end gen_schema_role;
  Thanks,
  Snyds

  sb92075,
  I just tried, and YES the SQL is able to apply the "grant select" statements to the newly created role.
  I wanted to call this new procedure from the procedure that creates a new user by scheduling a job to perform an IMPDP job to import a base schema (using the remap schema clause).
  Any suggestions how to automate generating this role?
  Thanks,
  Snyds

• How to create a report of users in ucm about their roles and permission

  Hi All ,
  I need to create a report and it should contain all the users in ucm as well as their roles and permissions. Basically the report would be for the admin who can see all the users in a single report and can know about the roles and access of each and every users.
  How to create such report ?? I have tried from web layuot editor but the default report template i.e stdUserReport in user datasource does not contain more than three fields..Is there any method to get such kind of report???
  Please suggest!!

  There was an example component to demonstrate this kind of function. Under Stellent in version 7.5
  I do not know if they hand it out anymore but it is not on the standard samples page for Oracle. You may want to open a Support SR to ask for it. It should still be around in their servers if they can get permission to hand it out as a sample again.
  Sample CustomReports component to demonstrate how to create customized reports
  CustomReportsBundle.zip
  Date:     October 30, 2006
  Sample Version:     version=2006_10_20 (build 1)
  Product and Version:     Content Server
  Sample Status:     This is a Stellent Sample. Stellent Samples are free and include non-supported add-ons, utilities, tutorials or programming examples. It may require additional configuration or security auditing for maximum effect. It is not supported by Stellent without a consulting engagement.

• Passwords and Auto Fill not working...

  All of a sudden, new passwords are not being retained and auto fill doesn't work at all. I've repaired permissions, checked every setting I can think of. What should I try next?
  Thanks,

  I had a similar problem with autofill. Repairing permissions with Onyx seemed to work. (But first, double-check that Autofill is enabled and your "me" Address Book card is correct.)

• Sql server agent roles and job's owner issue

  Hi,
  We have a tricky question about agent role and job owner. If I granted sqlagentoperatorrole to a windows account in a sql instance, the account will have permission to create a sql job, the job's owner is the account and he can edit the job. But we want
  to keep all agent jobs' owner as SA. But after I (have sysadmin role) changed the job's owner to SA, the windows account won't be able to edit the job any more. but I don't want to give sysadmin role to the account, Does anybody have solution for my issue?
  so recap my question,
  1. all jobs owners should be SA
  2. Allow some accounts without sysadmin permission can edit these jobs
  3. Which kid of permission shall I grant to these accounts?
  Thanks
  David

  Its not secessary to have SA for all the jobs, normally we avoid using SA...
  Depends if you want to have some sort of security measures in place. If not, doesn't matter much. As for the 'sa' topic, I change the name of that account or disable immediately after install. It practically eliminates that vector of attack.
  If you SQLAgentOperatorRole permissions then you can do the below... this is just a agent role so this comes under MSDB....
  http://msdn.microsoft.com/en-us/library/ms188283.aspx
  Also if you have sql SA access with doamin account or sql account then you can play with sql server completely without any issues, no harm in this...
  Agenet principals are scoped to msdb; make sure you are running the statement from msdb DB. For example:
  use [msdb]
  go
  -- The code where @userName is declared & set
  EXEC sp_addrolemember 'SQLAgentOperatorRole', @userName
  go
  If you still have problems let us know, and please include the error number and message in order to help us understand the nature of the fauilure.
  Best practice...
  http://technet.microsoft.com/en-us/library/cc966485.aspx
  Raju Rasagounder Sr MSSQL DBA

• UME Role and Action

  I am developing a recursive tree in a Web Dynpro App. My tree has some nodes and subnodes. Under the subnodes i have documents. Depending to the permission of the users should be decided what can the user do with the documents, for example, create, upate, delete and so on. I need to check the authorization of users. I want to follow the conzept like the Web Dynpro tutorial RentCar APP with Actions und Permissions. If a user logs on, i can get his UME role and group. My question is: if it is possible to list the permissions behind of one specific role, which is assigned to the user or a group.
  In short I want to list the permissions and not only check if the user has it or not.
  Please help me.
  Regards
  Hairong Zhao

  Hi Sudhir,
  thank you very much for your quick answer. But it can't resolve our problem really.If we only use hasPermission() method to check if the user has right, the efford to check user in our case is too great .
  I try to describe our problem exactly. In our case, thers is possible that tausend documents can be attached to a node. we can't create a permission for every document. We create for every node a role, but for document we haven't role.  If we don't use the conzept with Actions and Permissions, how can we check the permission of the users, have you another idea?
  Regards,
  Hairong Zhao

• What are Roles and Role entry points in the context of windows azure?

  I am just starting out with my journey towards understanding azure. I have a vague idea about the Web and Worker roles.
  So when I am publish-deploying a website on azure from visual studio, am I doing something with respect to roles? Am I starting up a Web role?!
  RoleEntryPoint: But this is actually related with the web/worker roles and services. My understanding is that the RoleEntryPoint is some code which is executed when you deploy "services" on the azure cloud. These services either have a web role or
  a worker role.
  What is "services" in this context? So what traditional (on-premise) app would be analogous to a service that has a web worker role? A WCF service or WebApi? Or can it be a website? So would a service having a worker role be something analogous to
  a "windows service"?
  And finally RoleEntryPoint. I don't get the use case. From what I've seen,
  say you want to initialize some related services that support your main service, for e.g. a cache server, or a sql database, you have have the initialization logic written in these classes and make the code perform them.
  There are definitely other ways to do this right? You don't need to necessarily tie the deployment of that main service with the initialization of the other services. They could be separate deployments, right?!
  I am a bundle of mistakes intertwined together with good intentions

  Hi deostroll,
  From you post I understand you've read quite a lot about Azure, but I'm affraid there's still some misunderstanding on what all these terms mean.
  Azure is a cloud computing suite of services tiered into three categories: IaaS, PaaS and SaaS. IaaS stands for Infrastructure-as-a-service and is an offering where Microsoft allows you to run your own virtual machines. You will handle everything from software
  patching, network connectivity (from the application level: virtual networks etc.), software installition and configuration etc. Basically everything you would do today on your own premise except for whatever concerns hardware (bare-metal). PaaS stands for
  Platform-as-a-service, and is a middle offerint, where Microsoft selects some VMs and is responsible for periodically patching this machines. You don't have to care about IIS or whatever existing applications there are on the VM either, because it's Microsoft's
  job to do this. Last but not least, SaaS stands for Software-as-a-service, and is the offering where you use a piece of software without even knowing what infrastructure exists behind it: I guess you've used some sort of webmail client before, right? That's
  a SaaS.
  When it comes to Windows Azure, IaaS is offered as Azure VM, PaaS is offered as Azure Cloud Services (formely known as Azure Hosted Services, should you get across documentation that uses that term instead) and SaaS is offered in the form of: Azure WebSites,
  Azure Mobile Services, Azure Media Services and many more.
  When you talk about either web roles or worker roles, you actually talk about two forms of roles that exist in the context of an Azure Cloud Service. Basically, when you create a cloud project from Visual Studio, you end up in adding either Web projects
  which might (but not necessarily) be linked as a Web Role to your Azure Cloud Service. You may also add, to the same solution, Worker Role projects. As you've probably already guessed, whenever you add a Web role, the web project it references is a web project
  in the literal term: ASP.NET Web Project, whether that is WebForms, MVC, MVC WebAPI that's all completely up to you. However, what is a worker role project, you might ask? A worker role project might be though of just as a console application. You basically
  get absolutely no UI, but your code runs as long as it runs inside an infinite loop at some point. If the loop stops, just like a console application, your worker role will stop which will force the Azure FabricController to refresh your role. Consider the
  FabricController has the guardian of all roles, which will auto-magically 'respawn' your roles whenever something goes wrong, whether that's a software issue in your app, in the OS or a hardware failure.
  Moreover, keep in mind that every role in your cloud service project ends up in being created as a separate VM. What this means is that you will have separate VMs for each roles in your cloud service, so even if you create several web projects, you still
  get one machine, with one IIS instances with a single web application (yours) for each of your cloud's roles. Same goes for worker roles.
  I hope this information clears up some of the questions you might have.
  Alex

• Implementing roles and rules based authorisation with Azure AD

  Hi all,
  I would greatly appreciate some input on feasibility and patterns I should look at for a complex technical requirement that I am currently tasked with designing.
  We have a system that comprises a web and mobile app. In the past we have implemented session based authentication through ADAM and authorisation through custom business rules contained within the applications. The authentication mechanism is in the process
  of being migrated to Azure AD and authorisation is planned to be moved to Azure AD for our next release.
  Existing authorisation within our web application is already complex. We have users that belong to different groups with a range of permissions such as read, write or admin. Additionally each user is granted access to N customers and also N locations within
  each customer. We have a requirement that any number of combinations of customers and locations be supported. Users also need to have different permissions for each entity, i.e. read access to customer 1 location 2, write access to customer 4 and administer
  customer 7. Currently these privileges are maintained within a relational database and enforced as part of each PageLoad(). Essentially this is a combination of roles and rules based authorisation.
  We are struggling to represent this complex matrix structure within Azure AD and efficiently implement the authorisation decision in Azure AD. The driver for this technical requirement is to provide re-usability of the authorisation component to other (as
  yet unidentified) applications.
  Currently the best option we have come up with is implementing custom attributes for each class of permissions and storing within this 2048 bit field a bitmask that represents whether this permission is granted for a given location (which has a many to one
  relationship with customer).
  Any help or comment would be gratefully received,
  Phil

  Hi
  When "Advance routing" is used for Task assignment; the task service asserts the folllowing fact types : Task, PreviousOutcome and TaskAction to the rules engine. These facts gives all the reqd info about the task (like outcome of the participant, task stage .. etc)
  Now in the defined ruleset; we can have rules as per our requirement that can extract info from the asserted fact types and assign task to the required/next participant.
  Also note that we write the advance rules for exception cases only.
  For example; let's say all participants have 2 possible Outcomes [COMPLETE, RECHECK]. We have defined the ideal task routing flow as :
  Participant A -> Participant B -> Participant C. This is the flow when all participant selects "COMPLETE"
  Now suppose B selects outcome as "RECHECK" then the task shld move back to A. So for this case only we need to write a advance rule.
  Pls refer to the code sample at : http://download.oracle.com/technology/sample_code/hwf/workflow-106-IterativeDesign.zip
  Also dev guide : refer to section 28.3.7.2 http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10224/bp_hwfmodel.htm#BABBFEJJ
  Thanks
  Edited by: Kania on May 19, 2010 2:41 AM

• Problems with roles and ldapgroups in IDM 8

  Hello Guys,
  I'm facing a problem. I have to put users in ldap groups and i using roles. I have create an IT role and a Business role.
  I use the IT Role to add users in ldap groups through a rule and the business role to assign groups to a user. The business contains the IT Role.
  Normally, when i put a list of two groups in the rule, i must have user put in the two groups and if i remove one of this group in the rule, user must be removed from the choosen group. Unfortunatly, the second scenario doesn't work. I always have the two. And i can't removed the users from all groups.
  Is there something that i'm missing?
  I'm using IDM 8.A patch 2 and Sun Directory Server 6.3.
  The definition of my IT Role is :
  <?xml version='1.0' encoding='UTF-8'?>
  <!DOCTYPE Role PUBLIC 'waveset.dtd' 'waveset.dtd'>
  <Role authType='ITRole' name='My Groups'>
    <ResetLimit count='0'>
        </ResetLimit>
    <Services>
      <ObjectRef type='Resource' name='RESSOURCE LDAP'/>
    </Services>
    <ContainedRoles>
    </ContainedRoles>
    <RoleAttributes>
      <RoleAttribute name='My Groups:#ID#RESSOURCE LDAP:groups'>
        <Comment>Auto generated by Role Mes Groupes</Comment>
        <AttributeName>groups</AttributeName>
        <AttributeValueRef>
          <ObjectRef type='Rule' id='#ID#RuleListeUserGroups' name='Rule Liste User Groups'/>
        </AttributeValueRef>
        <Requirement>Authoritative merge with value, clear existing</Requirement>
        <ResourceRef>
          <ObjectRef type='Resource' id='#ID#RESSOURCE LDAP' name='RESSOURCE LDAP'/>
        </ResourceRef>
      </RoleAttribute>
    </RoleAttributes>
    <MemberObjectGroups>
      <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
    </MemberObjectGroups>
  </Role>Thanks All!

  i have it role mapped to ldap groups implemented successfully with the following...
  1. Instead of a rule adding to groups, you should have a resource attribute mapping ... this is described in the ldap resource adapter references....
  <AccountAttributeType id='101' name='ldapGroups' syntax='string' mapName='ldapGroups' mapType='string' multi='true' />2. Now have your IT ROLE to have the group population like the following
  <RoleAttribute name='MYROLE:RESOURCE-NAME:ldapGroups'>
        <AttributeName>ldapGroups</AttributeName>
        <AttributeValueString>
          <List>
            <String>cn=Wirelessaccess,ou=Groups,dc=example,dc=com</String>
          </List>
        </AttributeValueString>
        <Requirement>Authoritative merge with value</Requirement>
        <ResourceRef>
          <ObjectRef type='Resource' name='RESOURCE-NAME'/>
        </ResourceRef>
      </RoleAttribute>

• Does db_owner need datawriter and datareader perms checked?

  A product requires datawriter and datareader permissions. In some cases it needs db_owner (for the service account).
  If db_owner is checked, do you also need to check datawriter and datareader, or are those considered inherited child roles and can be kept unchecked? Thanks!

  Hi,
  As already answered Db_owner would include datareader and writer role.
  BOL says
  Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database.
  Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
  My Technet Wiki Article
  MVP

• Roles included in Roles and how it effects User Content

  I want to have one role which generates a tab called "Budget Development" under this tab depending on the users other assigned roles I want from 1 to 3 addition tabs or selections to appear. Based opn user assigned Roles
  When I create 3 additional roles, and assign them to the Parent Role (Budget  Development) all 3 tabs appear evenif the addional roles are not assigned to the user.
  Role 1 "Budget Development"
              Role 1.1 "Budget Add"
              Role 1.2  "Budget Change"
              Role 1.3  " Budget Delete"
  I have access to all 3 tabs/selection and the functionality when I am assigned the 1 role of "Budget Development"
  How do I selectivly Display Sub-Roles based on Portal Roles and permissions etc.
  Thanks for any help.
  Sarah

  Hi Sarah,
               You can achieve this by the 'Merged Role Concept'.
  1)Create 3 roles with the same name say "Budget Development" which will have different ID's though.
  -Under the role properties set the "Merge ID" for each role. The mergeID has to be the same for all the 3 roles.
  2) Now create 3 worksets say "Budget Add", "Budget Change" and " Budget Delete".
  - and assign each of these worksets to 3 different roles that we have first defined.
  Now depending upon which user needs what access you can assign the roles. The user will see one role but different worksets underneath based upon what he has been assigned.
  -Let me know if you have any further issues with this.

• Doubt about Role and Policy

  Hi everyone,
  I have a doubt about role and policy,
  I'm using OBIEE11.1.1.5, I try to creating role R1 by creating like BIConsumer.
  then I go to policies interface,Edit 'BIConsumer' policy,
  I find only one role 'BIConsumer' under grantee.
  so I'd like to ask why 'R1' is not under policy 'BIConsumer' while R1 has permission like role BIConsumer ???
  thanks in advance!

  Application policies are sets of java permissions that are associated with a principal which is BIConsumer role in this case which grants permissions necessary to use, or to consume, content created by other users.
  So when you try to create like BIConsumer, you are not modifying the existing BIConsumer principal policy( which you should never do) but instead trying to create one similar grants like it.
  Usually as long as you are not dealing with BI Publisher, Financial Reporting and Real-Time Decisions application security permissions restriction, you would not have to modify any of these policies and use the default ones.
  Hope this helps. Pls mark if it does.
  Thanks,
  SVS