Set global roles

Similar Messages

• Setting global roles via command line

  I have lots of global roles defined. today I use the admin console to create them
  leaving room for typo errors, missing one or more roles. Is there a way to use
  a command line tool to accomplish this just like I can set the autheticator provider
  parameters ?
  please help
  premS

  "Satya Ghattu" <[email protected]> wrote in message
  news:[email protected]..
  Cross posting to security newsgroup.
  premS wrote:
  I have lots of global roles defined. today I use the admin console to
  create them
  leaving room for typo errors, missing one or more roles. Is there a wayto use
  a command line tool to accomplish this just like I can set theautheticator provider
  parameters ?
  Unfortunately, the expression language is not public so that makes it
  difficult. There have
  been a fair amount of requests for this functionality. We will probably look
  to do something
  with XACML in the long term.

• Granting Global Roles

  I'm trying to assign global roles to enterprise users via the ESM but it doesn't seem to work. I'm able to connect to the database and I can see that I'm correctly authenticated using sys_context('userenv','external_name'),sys_context('userenv','session_user'), but I don't get any global roles associated with the enterprise role I'm assigned to.
  Ideas? Anyone has an idea how can I debug this or set a trace to see if I'm even really associated with the Enterprise Role?
  Edited by: [email protected] on Dec 9, 2008 10:53 PM

  You can't unless you use a DDL event trigger
  http://www.psoug.org/reference/ddl_trigger.html
  or write a stored procedure that allows the user to grant privileges presented as input parameters and contains a hard coded list of those privs that can be granted.
  Personally I find the idea of giving anyone, other than a DBA or trusted security officer, the ability to grant privs a violation of governance and security practices and would discourage you from doing so except within the context of a procedure as described above.

• How to retrieve Global Roles in a the current security realm?

  Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
  I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
  Thanks all...
  Message was edited by:
  raymondng

  You can refer to the api
  http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
  -Ramkumar

• Set default role for Account in SAP CRM 7.0

  We are using SAP CRM 7.0
  When an end user creates a new account there is a section called
  "Role" sub assignment block with entries like "Competitor", "Account", Contact Person, etc.
  I want by default when you create an account that the role Account is specified in there.
  I want it done automatically and do not want to rely on the end user to seelct this.
  I was able to do this with contacts by using an SAP note to set this for cotnact person.
  But does anyone know how to do it for an Account ?
  All I want to do is that when an account is created the system automatically sets the role as "Account".
  Thanks,
  Jon

  Hi Jon,
  For any code changes in bsp components we need it's z-instance and that we get after enhancing the respective entity for eg views, context nodes etc..
  In case you are not familiar with the enhancement, please refer to some thread which explain about the component enhancement concept.
  Coming to this requirement..
  You need to enhance bp_roles component, then enhance rolelist view and roles context node.. redefine the GET_V_PARTNERROLE method.. copy the parent class code and do the necessary changes to manipulate the entries in gt_ddlb_add
  Check the statement at line no 107..
  gr_ddlb_roles->set_selection_table( it_selection_table = gt_ddlb_add ).
  Just before above statment call, manipulate gt_ddlb_add to keep the required role value at index 1..
  Another thing in my test system i can't see any role as "Account" under SPRO customizing "Business Partner Roles" instead "Business Partner (Gen.)" is available, don't know if you are able to see Account Role in the Roles DDLB..
  i would suggest debug the get_v_partnerrole method once at line no 107 see the entries in gt table you will get an idea what you need to change.
  Hope this helps..
  Cheers,
  Sumit Mittal

• Configure global roles in weblogic express

  Weblogic Express 8.1 sp2 does not allow you to configure global roles using the
  Admin console.
  I know this is the expected functionality. How do you configure these global
  roles without the use of the Admin Console.

  As far as i know you could never create roles via WLST offline, only via WLST online.
  Thanks,
  -satya
  BEA Blog: http://dev2dev.bea.com/blog/sghattu/

• Setting the Roles in SAP

  Hi,
  I am integrating SAP with IDM. I have developed a code to create the user in SAP and at the same time trying to set the roles and timezone to the user. There is no problem in creating the user object. But, Roles and timezones are not set in the user object.
  I need your help in setting up the values in SAP...
  Thanks
  Ilayarajan

  Nikhil,
  As you suggested, I have created an object to set the roles in SAP.
  <Object name='SAP'>
  <Attribute name='activityGroups' value='ROLE1'/>
  <Attribute name='fromDate' value='07/15/2007'/>
  <Attribute name='toDate' value='12/31/9999'/>
  </Object>
  * 'activityGroups' is the resource mapping variable. I am using this code snippet in my provisioning WF. But, the vaue is not setting in the SAP.
  Could you Pls, tell me what changes I have to make to set the Roles in SAP.
  Thanks
  Ilayarajan P

• How to set global transactions for XA.

  Hello,
  I have configured 9i RAC active/active database into a active/passive.
  The users were not able to connect using XA drivers.
  I have run the xaview.sql script as sys in @O_H/rdbms/admin and granted select privs as below.
  grant select on v$xatrans$ to public;
  grant select on pending_trans$ to public;
  grant select on dba_2pc_pending to public;
  grant select on dba_pending_transactions to public;
  Still users are not able to connect to the databases using XA drivers.
  What is needed more to be set up on the database side?
  Can any one let me know the detailed method to set global transactions(that is what I was told needs to be set up) on the oracle database.
  Thanks
  SKH

  Further to give more info the error users are facing is
  Could not connect to 'oracle.jdbc.xa.client.OracleXADataSource'.

• SQ01 (How to set Global Area as default)

  Hi All
  In SQ01, i find 2 environments in Query Areas - Global Area & Standard Area. Everytime i execute SQ01 transaction, it takes me to Standard Area, then i have to change it to Global Area & then select the user group. I would like to know how i can set Global Area as default & also a particular user group, so that everytime i run SQ01, it directly takes me to Global Area & the particular user group, so i can execute my query directly instead of having to change it each time.
  Hope my problem is clear, await inputs.
  Vivek

  Hello Vivek,
  You need to maintian some default parameters in your User master record.
  Parameter ID :
  AQB for User Group
  AQW for Query Area.
  Select the AQB from the drop-down and give your default user group in the parameter value.
  Regards,
  Naimesh Patel

• Set up Roles in ebs for Users?

  Hi
  I am creating a conversion for employee security. I was wondering if anyone has set up roles in ebs. I am attempting to get minimal employee data...just names and emp numbers. With that I will set up users. Now that's fine, but what I want is to set up roles for those users. Say a Buyer or Vendor. I want to classify them as such. And then have different responsibilities show up in the app.
  Can this be accomplished? Any insight would help.

  If I have understood this correctly, you could use RBAC (Role Based Access). This is more commonly known as User Management (product code UMX).
  The ony user with this role is initially SYSADMIN. However, you can use SYSADMIN to grant this role to other users.
  Once you have access to User Management, you can define a ROLE. ROLES can be hierarchical, so one ROLE can incorporate other roles.
  To achieve what I think you're trying to do, create a ROLE called ABC. Then make RESPONSIBILITIES X, Y and Z subordinate to that role. Respopnsibilities are specific type of roles anyway.
  Then ROLE ABC will contain responsibilities X, Y and Z.
  Still using the User Management responsibility, ASSIGN ROLE ABC to a user. Then go into 'standard' System Administrator. Navigate to SECURITY > USER >DEFINE and query this user. You will NOT see the responsibilites X, Y, Z because the form defaults to the DIRECT RESPONSIBILITIES tab. These are the responsibilities assigned via System Administrator. BUT - use the tab called INDIRECT RESPONSIBILITIES and you will see X, Y and Z.
  Apply this process to multiple users and you have a solution!
  Regards
  Tim

• How can i set a role that can't see the infoarea?

  HI:
  i want creat a role ,when use the role open the query , he can only see the report under the favorite and role,can't see the infoarea , how can setting the role's right?

  Hi!
  Perhaps you should try creating a user that carries exactly the same authorizations for your intended user/s.  Once created, you can then see if the infoarea can then be visible still.
  Regards,
  P.

• Best way to set global environment variables?

  What is the best way to set global (i.e. for all users of the computer, ideally all shells as well) environment variables under Leopard?
  I know that they can be set via ~/.bashrc, ~/.profile or in my case ~/.zshrc files in the terminal on a per user basis.
  Also, they can be set for GUI apps as well via ~/.MacOSX/environment.plist on a per user basis.
  http://developer.apple.com/documentation/MacOSX/Conceptual/BPRuntimeConfig/Artic les/EnvironmentVars.html
  The path can apparently be set globally by adding files to /etc/paths.d/*
  http://blog.plotdevice.org/2008/04/global-path-in-mac-os-x-leopard/
  Is there a way to set environment variables globally so that they are accessible to all users and all programs including nonstandard shells like zsh?
  My inclination is to set them in /etc/rc.common but that seems like it might be a bad idea. I'd prefer something more like the /etc/paths.d/* solution that only involves adding files, not modifying existing ones. They should be less likely to be overwritten in a system update later.

  They may be less likely to be overwritten than you fear. A lot of things depend on modifications to the system scripts like /etc/profile. Although I'd expect these to be broken by an upgrade to Leopard, for example, they have survived all Tiger upgrades on my machine. You could always have them source scripts in /usr/local, say, so that the work involved in reconfiguring them if they are overwritten is minimal. (Or you could just install your versions in /usr/local and make the system scripts symlinks to those versions - if anything is overwritten, it would be the symlink rather than the file itself. An automated start up script could even check and recreate the symlink if necessary.)
  - cfr

• Creating a Global Role using weblogic.Admin command

  Hi,
  Does anyone have an example of creating a global role using the weblogic.Admin commands? I think I have to use the INVOKE command with the DefaultRoleMapper and createRole method, but I'm not quite sure what the rest of the syntax is.
  Thanks,
  Gabriel

  Gabriel,
  The following works for me:
  weblogic.Admin -url t3://localhost:80 -username weblogic -password weblogic INVOKE -mbean "Security:Name=myrealmDefaultRoleMapper" -method createRole "" "MyGlobalRole" "Grp(Administrators)" ""
  The null first parameter identifies this role as a global role.
  The second param is the name of the role.
  The third parameter is the policy expression. Here, I've mapped the role to the Administrators group. You can also map it to users or a combo of the two. For example, to map it to the "weblogic" user, use "Usr(weblogic)" as the policy expression. If you leave this parameter empty, the role will be created but will not be mapped to anything.
  I'm not sure what the fourth parameter is for. It's not defined in the RoleEditorMBean docs but not including it causes an error. I suspect it's a description field because WLS does not seem to care what you put there.
  HTH,
  Mike

• Extract the userID that set a role for a specific user

  Hi all @SAP Forums,
  I'm going to write a simple report to extract some information about users and role assignments in the system I'm working on.
  The requirements is quite simple; for every user in the USR02 table, I have to extract some info about the roles the user has.
  In order to do so, it's quite straightforward to find roles for a particular user looking into the AGR_USERS table, but ... I'd like to know if there's a way to find the user who set the role assignment for that specific user; the problem is that I cannot find that information in any AGR* tables, so I start to think it's not a stored information I can retrieve in any way.
  Any hints/suggests you can give me? Thanks in advance.

  Hello muthu,
  useful link to refer to when I'll need to extract a full username (first and surname) for a userId. But the question, forgive me if I've been not-so clear, was different.
  A (key) user, say A123456, sets a role for another user (A00000) in SRM... let's suppose now A00000 becomes a buyer. I'd like to know if there's a way, starting from the user A00000, to understand WHO had given him his role (in this case, A123456) and WHEN... I can see the CHANGE_DAT field in AGR_USERS about the "when"... where can I (if I can, obviously) find WHO set the role for A00000 ?
  Thanks again, sorry if I've been not that clear in explaining

• Setting client role in non-production systems

  In our QA test systems of R/3 and BW, the client role  in SCC4 was set to 'Production'. The reason I was given is that  by setting the client role to 'Production', will enable some settings in FI such as period closing,and customizing settings remain open  without transportable requests. I totally disagree with this. I worked on numerous projects, but this is first time I am hearing this. I always set client role to Test in non-production systems, without any problems. Do any one have  any idea about this?
  Thanks
  Santosh

  SAP have a concept of "current settings".  These include things like exchange rates and other items which really appear to be configuration settings.  In a non-modifiable system these cannot be changed because the transport management system tries to get involved.  If the client is set to productive, this restriction is overridden.
  I would always suggest that the QA system should be set to productive and non-modifiable to ensure that the behaviour of the transactions affecting such objects can be tested in a production-like environment.  If you need to have your QA system open for any sort of changes you are exposed to having changes introduced in QA to leading to the impression that new/modified functionality or config works but when the transport takes the unmodified version to production you'll be in trouble.