Shared Schemas Enterprise User Security.

Hello,
I currently have externally authenticated users set up, with each user having his own schema.
My environment does not need users to have separate schemas. There will be Prod, Train and Test environments. My question is what is the best way to implement database access. Should I stick with my current environment and grant privileges to allow users to access the same schema? Should I create a global schema and create Enterprise users and map those users to that schema? Should I create the different environments as global schemas in one database or create three separate databases? Any suggestions? The documentation does not give real world solutions.
Thanks in advance!!!

If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
regards,
--Olaf

Similar Messages

  • Get error while Integrating with Oracle's Enterprise User Security

    Hi,
    I am trying to create an Oracle Enterprise User integrating with OVD and MS Active Directory.
    I am following all the steps in Integrating with Oracle's Enterprise User Security.
    In the documentation section: "Configuring Oracle Virtual Directory for the Integration"
    I have applied the steps successfully until:
    Update and load the entries into the Local Store Adapters by performing the following steps:
    I have successfully extended the Oracle Virtual Directory schema with the loadOVD.ldif
    However I am getting errors in the next step: Update realmRoot.ldif to use your namespaces
    The next step states the following:
    Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname,
    and memberurl attributes in the file. If you have a DN mapping between Active Directory and
    Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.
    The realmRoot.ldif file is located in ORACLE_VIRTUAL_DIRECTORY_HOME/eus,
    where ORACLE_VIRTUAL_DIRECTORY_HOME represents the location where Oracle Virtual Directory is installed.
    The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.
    Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:
    ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port -D cn=admin -w Admin_Password -v -a -f realmRoot.ldif
    When I run the ldapmodify command I get the following error:
    add dc:
    testldap
    add objectclass:
    top
    domain
    domainDNS
    adding new entry DC=testldap,DC=local
    ldap_add: Operations error
    ldap_add: additional info: LDAP Error 1 : null
    The actual realmRoot.ldif looks like this:
    # Please uncomment the following one line if you are importing this
    # LDIF file via OVD Manager or OVD Server's ldapmodify tool.
    #version: 1
    #dn: dc=com
    #dc: com
    #objectclass: domain
    dn: DC=testldap,DC=local
    changetype: add
    dc: testldap
    #o: subarashii
    objectclass: top
    objectclass: domain
    objectclass: domainDNS
    #objectclass: orclSubscriber
    #orclsubscriberfullname: subarashii
    #orclVersion: 90400
    # If your domain structure has more layers than dc=subarashii,dc=com,
    # for example, it's dc=us,dc=subarashii,dc=com, you will need to load
    # the following ldif entry/entries too.
    # Uncomment out the following, if required.
    #dn: dc=us,dc=subarashii,dc=com
    #orclversion: 90400
    #orclsubscriberfullname: us
    #objectclass: domain
    #objectclass: top
    #objectclass: orclSubscriber
    #dc: us
    # Adding EUSDBGroup entry
    # Modify the memberurl attribute and replace it with your own domain name
    #dn: cn=EUSDBGROUP,dc=subarashii,dc=com
    #cn: EUSDBGROUP
    #memberurl:ldap:///dc=subarashii,dc=com??sub?(&(objectclass=orclService)(objectclass=orclDBServer))
    #objectclass:groupofuniquenames
    #objectclass:groupofurls
    #objectclass:top

    Did you ever get your questions answered about the realmRoot.ldif file? Did you manage to configure a successful integration of OVD with EUS? I am battling with trying to get Oracle Virtual Directory integrated with Enterprise User Security, but every step I take in Chapter 7 of the OVD manual fails in some way, and the instructions are often vague. I am not sure how to modify the realmRoot.ldif file. Is there any improved documentation on this? I have logged a Service Request, but not getting any help. Any resources or documentation you know of that provides better guidance would be much appreciated. I am way behind my schedule now and this is a very frustrating exercise.
    Thanks.
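
A pre-load check for the edited file, as an added example that is not part of the original posts or of Oracle's tooling: it parses realmRoot.ldif, ignores commented lines, and reports which of the attributes named in the quoted documentation step (dc, o, orclsubscriberfullname, memberurl) are not active or do not match the realm DN. The function names, finding codes and the realm DN argument are assumptions made for this example; the sample input is constructed from the file shown in the post.

```python
import re
from urllib.parse import unquote

# Attributes the quoted documentation step names for the realm root entry.
REALM_ATTRS = ("dc", "o", "orclsubscriberfullname")
SAMPLE_NAMESPACE = "subarashii"  # namespace used by the shipped template

# Constructed sample: abridged copy of the realmRoot.ldif shown in the post.
POSTED_LDIF = """\
#version: 1
dn: DC=testldap,DC=local
changetype: add
dc: testldap
#o: subarashii
objectclass: top
objectclass: domain
objectclass: domainDNS
#objectclass: orclSubscriber
#orclsubscriberfullname: subarashii
#dn: cn=EUSDBGROUP,dc=subarashii,dc=com
#cn: EUSDBGROUP
#memberurl:ldap:///dc=subarashii,dc=com??sub?(&(objectclass=orclService)(objectclass=orclDBServer))
"""


def parse_ldif(text):
    """Parse active LDIF lines into {attr: [values]} dicts (base64 '::' values are not decoded)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                          # commented-out lines are never loaded
        if raw[:1] == " " and raw.strip() and logical and logical[-1]:
            logical[-1] += raw[1:]            # RFC 2849 folded continuation line
        else:
            logical.append(raw.strip())
    entries, current = [], None
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            current = None                    # blank line ends the entry
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "version":
            continue
        if name == "dn" or current is None:   # the posted file has no blank separators
            current = {}
            entries.append(current)
        current.setdefault(name, []).append(value)
    return entries


def norm_dn(dn):
    """Comparison key: lower-case, no spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def memberurl_base(url):
    """Base DN of an ldap:///<base>?attrs?scope?filter URL, or None."""
    m = re.match(r"ldap://[^/]*/([^?]*)", url.strip(), re.I)
    return unquote(m.group(1)) if m else None


def check_realm_root(text, realm_dn):
    """Return a list of (code, detail) findings; an empty list means nothing to flag."""
    findings = []
    by_dn = {norm_dn(e["dn"][0]): e for e in parse_ldif(text) if "dn" in e}
    root = by_dn.get(norm_dn(realm_dn))
    if root is None:
        findings.append(("no-realm-entry", realm_dn))
    else:
        for attr in REALM_ATTRS:
            if attr not in root:
                findings.append(("attr-not-active", attr))
    group_dn = "cn=EUSDBGROUP," + realm_dn
    group = by_dn.get(norm_dn(group_dn))
    if group is None:
        findings.append(("no-eusdbgroup-entry", group_dn))
    else:
        bases = [memberurl_base(u) for u in group.get("memberurl", [])]
        if not bases:
            findings.append(("attr-not-active", "memberurl"))
        for base in bases:
            if base is None or norm_dn(base) != norm_dn(realm_dn):
                findings.append(("memberurl-base-mismatch", str(base)))
    for entry in by_dn.values():              # template namespace left in active lines
        for attr, values in entry.items():
            for value in values:
                if SAMPLE_NAMESPACE in value.lower():
                    findings.append(("sample-namespace", f"{attr}: {value}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_realm_root(POSTED_LDIF, "DC=testldap,DC=local"):
        print(f"{code:24} {detail}")
```

The check compares the file only against the wording of the documentation step; it does not explain the `LDAP Error 1` returned by the server.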

  • Completion Insight not working correctly when using Enterprise User Security (EUS) logon

    This is a pre-existing issue we've experienced with SQL Developer. Though I've only just worked out what is causing the issue, it is present in previous versions of the tool, up to the current 4.0.EA2.
    We experience issues with the Completion Insight functionality of SQL Developer.
    When we log into a database using Enterprise User Security, i.e. authenticating against OID, the schema of the database account is prefixed to any reference to public synonyms, i.e. all user_%, all_%, dba_% and v$% views.
    When I change the authentication of the database account back to normal database authentication the schema prefix correctly isn't shown. It simply suggests the synonym name of the views.
    An example of this is as follows when attempting to query the DBA_TABLES view:
    The database account is ORADBA and has DBA privs.
    The EUS user that is mapped to the ORADBA schema is dbutler.
    The ORADBA user is configured to authenticate externally (against OID).
    I login with my dbutler directory credentials:
    If I start typing:
    select * from dba_tabl
    The object name is suggested as ORADBA.dba_tables
    If I change the authentication of the ORADBA account back to database authentication, the prefix is no longer present.
    i.e. if I start typing:
    select * from dba_tabl
    The object name is suggested as dba_tables

    If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
    regards,
    --Olaf

  • Enterprise User Security and Password Policies

    Hi!
    I'm testing Enterprise User Security. Till now everything has gone ok, I can connect to my db using oid users.
    Now I'm configuring OID password policies for my realm but it seems that these are not applied when I connect through db. For example, I can try to logon with a wrong password as many times as I want, although in policies a limit of three is set.
    Is this correct?!

    If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
    regards,
    --Olaf

  • How to configure Enterprise User Security ?

    Hi All,
    I am following the Oracle document for setting up Enterprise User Security to set up Enterprise User Security between OID 11g and database 11g, but right now if I click on the "Enterprise User Security" link in the Security under the Server tab, I am getting an HTTP 500 internal error. Please kindly provide your inputs.
    Regards,
    Senthil.

    Hi,
    You don't so much configure enterprise voice for federation, you just configure enterprise voice. Then when you configure your environment for federation, the voice features will take care of themselves. The two are separate components / features.
    But you'll need to be a little more specific: are the two user forests using the same Lync environment through a forest trust(s) (resource or central forest topologies)? If they are, then you don't need to do anything with federation for these two forests to leverage enterprise voice between their users - it will just work. However if each user forest is using a separate Lync environment, then you will need to configure federation between the two and make use of Lync Edge servers.
    You can enable enterprise voice for users without an SBC or gateway; this component is used merely to connect your Lync platform to the PSTN. You may also use a direct SIP trunk to your mediation server as you have alluded to, although I never recommend this in production for security reasons (which I feel others will back me on), it is still a supported option.
    Let me know if I've interpreted this completely wrong.
    Kind regards
    Ben

  • Enterprise User Security, How do I store the DB password somewhere else?

    Hi Guys,
    I'm running Oracle 11gR2 and OID 11gR1.
    Right now I have enterprise user security working, however I would like to decouple Apps / Directory password from the DB password in OID.
    I understand that I can stick the password in orclpasswordverifier.
    I have tried to add a new Password Verifier in OID, set up the appropriate appID in the password verifier, added the orclpasswordverifier.<appid> = password into my user but the set up refuses to go to orclpasswordverifier.<appid> it still uses the value of userpassword and orclpassword. I have also read the manual like 5 times.
    I've even tried to move the Password Verifier around, to root DBSecurity context, to my domain's context, swapped around the appid value, but no matter what it doesn't seem to work.
    Any advice please?

    I was able to find the solution for the first item by looking at the forums and some documentation.
    We can specify some part of the URL in the cgicmd.dat file as key-value pairs, which is located in <Oracle-Home>/reports/conf
    testreports: userid=scott/tiger@ORCL destype=CACHE server=ust %*
    Here the key is -- testreports
    Now new URL to access the report like
    http://localhost:7778/reports/rwservlet?cmdkey=testreports&report=sample_report.rdf&desformat=pdf&p_from_date=02-MAY-2006&p_to_date=03-SEP-2006
    You can see that Key is passed as cmdkey=testreports
    Please do remember that you have to append %* at the end of the key, this will allow part of the Key specified in the config file and part will be supplied in the URL
    Madhu

  • Enterprise User Security

    Hi All,
    Can an Oracle 9i Database Release 2 (or above) authenticate users using LDAP against Novell E-Directory?
    Thanks,
    Matt

    Can you see it with
    select * from dba_roles;

  • Enterprise User Security (EUS) with Oracle RAC database

    Hi all,
    I'm experiencing a problem configuring centralized AAA on Oracle OID for Oracle RAC Database.
    My environment is:
    1) Oracle OID 10g (192.168.15.245 - rh4oidserver.klab.it)
    2) Oracle RAC database 11g
    I successfully configured a standalone Oracle Database to authenticate users in the OID centralized repository, but I'm experiencing different problems doing the same thing with RAC.
    In depth:
    1) Oracle RAC works correctly and internal users (SYS, Oracle, etc.) are correctly authenticated and authorized against the database
    2) Oracle RAC registers itself in OID (see attached snapshot)
    3) I run sqlplus to connect to Oracle RAC using OID users and I get the following error: ORA-28030 Server encountered problems accessing LDAP directory service
    Using a sniffer, I can see a reset message after the SSL handshake (SSL v3 encrypted alert), but I don't understand the root cause....
    Host file on RAC server is:
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1          localhost.localdomain localhost
    ::1          localhost6.localdomain6 localhost6
    # Public
    192.168.15.177          orclrac1.klab.it orclrac1
    192.168.15.178 orclrac2.klab.it orclrac2
    #Private
    192.168.1.100          orclrac1-priv.klab.it orclrac1-priv
    192.168.1.105 orclrac2-priv.klab.it orclrac2-priv
    #Virtual
    192.168.15.88 orclrac1-vip.klab.it orclrac1-vip
    192.168.15.96 orclrac2-vip.klab.it orclrac2-vip
    92.168.15.184 openfiler.klab.it openfiler
    192.168.1.90 openfiler-priv.klab.it openfiler-priv
    192.168.15.246     acti.klab.it acti
    #192.168.1.245 rh4oidserver.klab.it rh4oidserver
    192.168.15.245 rh4oidserver.klab.it rh4oidserver
    tnsname.ora is:
    # tnsnames.ora Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/tnsnames.ora
    # Generated by Oracle configuration tools.
    RACDB1 =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = racdb.klab.it)
          (INSTANCE_NAME = racdb1)
        )
      )
    RACDB =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac2-vip)(PORT = 1521))
        (LOAD_BALANCE = yes)
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = racdb.klab.it)
        )
      )
    LISTENERS_RACDB =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac2-vip)(PORT = 1521))
      )
    RACDB2 =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac2-vip)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = racdb.klab.it)
          (INSTANCE_NAME = racdb2)
        )
      )
    ldap.ora is:
    # ldap.ora Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/ldap.ora
    # Generated by Oracle configuration tools.
    DIRECTORY_SERVERS= (rh4oidserver.klab.it:389:636)
    DEFAULT_ADMIN_CONTEXT = "dc=dbtest101,dc=klab,dc=it"
    DIRECTORY_SERVER_TYPE = OID
    sqlnet.ora is:
    # sqlnet.ora.orclrac1 Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/sqlnet.ora.orclrac1
    # Generated by Oracle configuration tools.
    NAMES.DIRECTORY_PATH= (LDAP,TNSNAMES)
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /u01/app/oracle/admin/racdb)
        )
      )
    listener.ora is:
    # listener.ora.orclrac1 Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/listener.ora.orclrac1
    # Generated by Oracle configuration tools.
    LISTENER_ORCLRAC1 =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521)(IP = FIRST))
          (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.15.177)(PORT = 1521)(IP = FIRST))
        )
      )
    LISTENER_ORCLRAC2 =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521)(IP = FIRST))
          (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.15.178)(PORT = 1521)(IP = FIRST))
        )
      )
    Thanks in advance for any help or suggestion.
    Antonio

    Hello bipkary,
    what version are you using?
    the following link tells you everything about EUS in oracle10g R2:
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14269/toc.htm

  • Setting Up Enterprise User Security

    Hi All,
    Oracle Database Assistant always crashes when I try to modify or delete a database. It always crashes with java receiving a SIGSEGV (segmentation fault) in libjava.so. I'm using the jre shipped with the Oracle package. It does not crash when I try to create a new one, it's working fine then. What's wrong?

    I can't even seem to get the DBAssistant to run and continue past the JNLS error popup? It is supposed to be a bug - then it should continue ... any ideas?
    thanks
    adam
    quote: Originally posted by afreeman ():
    I got the same problem; I can create databases without any problem, but cannot delete or modify them - dbassist dies with a sigsegv in same java library that you mentioned.
    I've been looking around for a list of things to do to manually delete a database on linux; I'll post it, if I find something useful.
    -Aaron

  • Can Enterprise users have more than 1 Shared Schema ?

    Hi Everyone,
    I just want to know whether it is possible for Enterprise Users (Schema-Independent users) to access different shared schemas using the same user credentials.
    A typical example is:
    User1, User2 & User3 are Enterprise users who work for the same project and have been assigned to a shared schema (project1), which works fine with enterprise user security by assigning them the Project1 schema as default schema.
    But User2 also works for another project (Project2) and should be logged into schema project2 using his user credentials. Is this possible???
    Thanks
    Venu

    Oracle object privileges are generally best managed via the use of ROLES.
    One way to have multiple end users access one schema might be to use the PROXY connection feature.
    Both subjects are covered in the official documentation.
    HTH -- Mark D Powell --

  • Can Enterprise Users have more than One Shared Schemas ???

    Hi Everyone,
    I just want to know whether it is possible for Enterprise Users (Schema-Independent users) to access different shared schemas using the same user credentials.
    A typical example is:
    User1, User2 & User3 are Enterprise users who work for the same project and have been assigned to a shared schema (project1), which works fine with enterprise user security by assigning them the Project1 schema as default schema.
    But User2 also works for another project (Project2) and should be logged into schema project2 using his user credentials. Is this possible???
    Thanks
    Venu

    Oracle object privileges are generally best managed via the use of ROLES.
    One way to have multiple end users access one schema might be to use the PROXY connection feature.
    Both subjects are covered in the official documentation.
    HTH -- Mark D Powell --

  • Establishing Enterprise Users Under OracleAS 10gR3

    I'm interested in establishing 10gR2 database users as “Schema-Independent Global Users” as identified in the Database Administrators Guide. The reason for this is that our web-based application currently uses the “One Big Application User Approach” of logging into the database, which is inherently bad for database auditing (among other things). I’d like to switch to the “Proxy Authentication Integrated with Enterprise User Security” method as discussed in the Oracle Database Security Guide 10g Release 2 (10.2). It’s the “Enterprise User Security” aspect that I need some guidance on.
    The Database Enterprise User Administrator's Guide 10g Release 2 (10.2) (last released in June 2005) talks about how to establish “Enterprise Users” in an OID that includes an identity management realm. It also states that “OracleAS SSO must be installed and configured to authenticate enterprise user security administrators when they log in to the Enterprise Security Manager Console, an element of Enterprise Security Manager.” So, essentially this document covers how to establish and administer Enterprise Users under OracleAS10g (9.0.4).
    I'm interested in using OracleAS 10gR3 10.1.4.0.1 but it looks like Oracle has moved the Identity Management pieces (OID, SSO, Certificate Authority, etc.) around from R2 (OracleAS Infrastructure Installation) to R3 and introduced "Oracle Identity Management".
    What specifically do I download under OracleAS 10gR3 (OracleAS or Identity Management) and if it's OracleAS what type of install would be required to end up with the required OID and SSO components?
    Thank you.

    Thanks Martin. The repackaging of the identity management pieces (OID, SSO, DAS, etc.) under OracleAS 10gR3 (as compared to versions prior to 10gR3) threw me for a loop. I was looking for these pieces in the OracleAS 10gR3 download at:
    http://www.oracle.com/technology/software/products/ias/htdocs/1013.html
    and those pieces aren't in that distribution any longer.

  • Setting Application Context Attributes for Enterprise Users Based on Roles

    Hello,
    We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
    I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
    -- For each record in my RoleSitePrivileges table, set
    --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
    --   If the current user has been assigned a role matching
    --   the value in the 'RoleName' field, set the corresponding
    --   attribute to 'Y'... otherwise, set it to 'N'.
    FOR iPrivRec IN (SELECT RoleName, SiteID
                       FROM RoleSitePrivileges
                       ORDER BY SiteID)
       LOOP
          SELECT COUNT(*)
            INTO roleExists
            FROM dba_role_privs
            WHERE granted_role = UPPER(iPrivRec.RoleName)
              AND grantee = USER;
          IF roleExists > 0 THEN
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'Y');
          ELSE
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'N');
          END IF;
       END LOOP;
    To finish things off, I created a security policy function for the table which returns the following:
    RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                         FROM session_context
                         WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                            AND value = ''Y'')';
    This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
    I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the application context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
    I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
    So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user ? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
    Thank you!


  • Subject: RE :(forte-users) Web enterprise & user visibleservice Objects

    A few months ago we faced a similar problem while migrating from classic
    Forte to Web. We had to protect our investment in various frameworks that we
    wrote for the classic Forte apps, which made use of extensive
    user-level-caching among other things.
    We solved the problem using a custom routing mechanism. In brief, we created
    several( replicated) server partitions that contains all the user-level
    Service objects that existed in the class-Forte apps. Then we wrote a
    'custom-router' which mimics Forte load-balanced router( dialog duration =
    session ) to intelligently route incoming HTTPRequests to one of these
    replicated partitions. The router would look at some tag on the session
    and then route the request to one of these replicated "client clone" using
    the tag. Successive requests from the same client will go to the same
    replicated partition so that you can use the client-cache or any other
    per-user services.
    The advantages of this approach are
    1) You can continue to make use of caching and other user-level components
    that you may have.
    2) The web and classic Forte clients can work seamlessly if you write them
    to use reference partitions that hosts the other shared( Environment visible
    ) service objects.
    Of course you will have to write ( and maintain )the custom-routing code and
    also pay attention to house-keeping. For example, the burden of cleaning up
    the cache on logout or session expiration lies on you. If you don't do this,
    then your new user might be looking at an old cache of some other user.
    Hope this helps,
    Ajith
    Forte Systems Consultant.
    Subject: (forte-users) Web enterprise & user visible service objects
    Hi
    We have taken a forte application and converted it to run on the web using
    * forte web enterprise &
    * fortecgi.exe
    In the forte application we have a user visible Local Cache Manager
    Service Object (i.e. each user has their own copy) for storing things
    like
    * the details of the current user id
    * the details of the current client chosen
    * arrays that are needed by other windows
    With web enterprise this service object is no longer user visible, how can
    we make it user visible?
    Thanks in advance.
    Deborah Wallis
    dwallisnbs.co.za
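
The routing scheme described in the reply above, sketched in Python as an added example (not code from the original posts, and not Forte's API): requests carrying the same session tag always reach the same replicated partition, and the per-user cache is dropped on logout or idle expiry so a later user never sees an earlier user's cache. The names `StickyRouter`, `Partition`, the 900-second timeout and the session tag strings are all assumptions.

```python
import hashlib
import time


class Partition:
    """One replicated 'client clone' holding per-session caches (hypothetical)."""
    def __init__(self, name):
        self.name = name
        self.caches = {}  # session tag -> (last_seen, cache dict)


class StickyRouter:
    """Routes by session tag and owns the cache housekeeping (hypothetical)."""
    def __init__(self, partition_names, idle_timeout=900.0, clock=time.monotonic):
        self.partitions = [Partition(n) for n in partition_names]
        self.idle_timeout = idle_timeout
        self.clock = clock

    def _partition_for(self, tag):
        # Stable hash: successive requests with the same tag hit the same partition.
        digest = hashlib.sha256(tag.encode()).digest()
        return self.partitions[int.from_bytes(digest[:4], "big") % len(self.partitions)]

    def route(self, tag):
        """Return (partition name, cache) for a request carrying this session tag."""
        part = self._partition_for(tag)
        now = self.clock()
        entry = part.caches.get(tag)
        if entry is not None and now - entry[0] > self.idle_timeout:
            entry = None  # expired session: never hand out the old cache
        cache = entry[1] if entry else {}
        part.caches[tag] = (now, cache)
        return part.name, cache

    def logout(self, tag):
        """Housekeeping on logout: drop the per-user cache immediately."""
        self._partition_for(tag).caches.pop(tag, None)

    def sweep(self):
        """Purge caches of sessions idle past the timeout; return how many were removed."""
        now, removed = self.clock(), 0
        for part in self.partitions:
            stale = [t for t, (seen, _) in part.caches.items()
                     if now - seen > self.idle_timeout]
            for tag in stale:
                del part.caches[tag]
                removed += 1
        return removed
```

Calling `sweep()` periodically bounds memory; the expiry check inside `route()` is what prevents a stale cache from being served between sweeps.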

  • CMC tool raise http 404 error when viewing user security on server object.

    Description of Problem or Question:
    In investigating an issue promoting an LCM job, I attempted to use the CMC tool to look at the user security on a server object. When I executed the command the tool raised an error.
    HTTP Status 404 - /CmcAppActions/jsp/Shared_Rights/rights.face.
    type: Status Report
    message: /CmcAppActions/jsp/Shared_rights/rights.face
    description: The requested resource (/CmcAppActions/jsp/Shared_Rights/rights.face) is not available.
    Product\Version\Service Pack\Fixpack (if applicable):
    Business Objects XI 3.1 SP2
    Apache Tomcat 5.5.20
    Java 6.0.170
    Relevant Environment Information (OS & version, java or .net & version, DB & version):
    WIN Server 2003  Enterprise SP2
    Sporadic or Consistent (if applicable):
    Consistent error
    What has already been tried (where have you searched for a solution to your question/problem):
    I have done some research in service.sap.com and on the Web, but have found nothing concrete other than it appears to be an error in the install of the Tomcat server.
    Edited by: Jon Russell on Jul 9, 2010 12:20 AM

    Hi Alvaro,
    Forgot this thread was open as of yet. There was a solution but nothing concrete I can offer to the user community. The reason is that this devolved into a Note to SAP and, as I recall, the solution was for a BO consultant to remotely access our development server for BO and basically do "brain surgery" in the SQL Server db we had supporting BO. It was a difficult issue and eventually required direct intervention from SAP-BO.
