SLD security roles

Hi all -
Could someone shed a light on the SLD security roles for me ?
SLD is running fine (on a EP JAVA WAS) but I seem to miss the roles that come with it (LcrUser, LcrAdministrator, etc...)
Can I import/deploy/create them ? When do I use the 'Assign User Groups to Roles' from the VA - SLD Data Supplier ?
thx guys,
Paul

Hi everyone,
the assignment of SLD roles can be done from the Policy Configurations in the Security Provider Service in the Visual Administrator. Once you are there you'll have to choose the sap.com/com.sap.lcr*sld component and then click the Security Roles tab. From there you should have access to the SLD roles. Since the SLD roles are J2EE roles (they won't show up in the User Management console) and you can assign them to users/user groups from VA.
You can use the "Assign roles to groups" button in the SDL Data Supplier service in case the UME is used with an ABAP backend user sotre. In this case the ABAP user roles will appear as user groups in the J2EE Engine. If the J2EE user groups are created after the SLD server has been deployed, you can perform the mappings by using the SLD configuration service in the Visual Administrator.
For documentation of the above, take a look at the Post Installation guide from service.sap.com/sld -> Media Library.
Hope this helps.
Regards,
Yonko

Similar Messages

SLD security - Lcr* Roles

I can't find the UME actions to assign to J2EE Security roles as part of SLD config.
i.e: com.sap.lcr.LcrUser,
     com.sap.lcr.LcrSupport,... etc
Also the Lcr* roles
i.e: LcrUser,
     LcrSupport,
     LcrClassWriter,... etc
are visible in Visual Administrator i.e: Services -> Security Provider -> sap.com/sap.com.lcr*sld, but not in URL ../sld/useradmin portal. No actions are assigned in VA.
How do I make actions visible to assign them? I am following the SLD post-installation procedures for NW04s.

Hey Raynald,
I had created these roles myself from the corresponding actions.
Once you create the roles you also have to do the below group assignments.
SAP_SLD_GUEST LcrUser
SAP_SLD_DEVELOPER LcrInstanceWriterNR
SAP_SLD_CONFIGURATOR LcrInstanceWriterLD and
LcrInstanceWriterNR
SAP_SLD_ORGANIZER LcrInstanceWriterAll
SAP_SLD_ADMINISTRATOR LcrAdministrator
SAP_SLD_DATA_SUPPLIER DataSupplierLD
SAP_SLD_SUPPORT LcrSupport
Sumit.

Security role with alias KeystoreAdministrator does not exist.

i have a error trying to start the java engine of a Solution Manager 4.0 SR2 on AIX with ibm jdk SR9
the next log is about the std_server0.out
i do not how to create the alias because i can not connect using Visual Administrator because the server not start
stdout/stderr redirect
node name : server0
pid : 995354
system name : SMS
system nr. : 00
started at : Wed Aug 13 18:26:36 2008
[Thr 1] Wed Aug 13 18:26:37 2008
[Thr 1] MtxInit: -2 0 0
<?xml version="1.0" ?>
<verbosegc version="200708_30">
SAP J2EE Engine Version 7.00 PatchLevel 108458.44 is starting...
Loading: LogManager ... 2643 ms.
Loading: PoolManager ... 2 ms.
Loading: ApplicationThreadManager ... 837 ms.
Loading: ThreadManager ... 54 ms.
Loading: IpVerificationManager ... 12 ms.
Loading: ClassLoaderManager ... 14 ms.
Loading: ClusterManager ... 226 ms.
Loading: LockingManager ... 68 ms.
Loading: ConfigurationManager ... 86617 ms.
Loading: LicensingManager ... 28 ms.
Loading: CacheManager ... 159 ms.
Loading: ServiceManager ...
Loading services.:
Service cross started. (75 ms).
Service memory started. (98 ms).
Service runtimeinfo started. (115 ms).
Service trex.service started. (87 ms).
Service file started. (156 ms).
Service timeout started. (159 ms).
Service userstore started. (19 ms).
Service jmx_notification started. (78431 ms).
Service p4 started. (188119 ms).
Service classpath_resolver started. (63 ms).
<af type="nursery" id="1" timestamp="Wed Aug 13 18:32:05 2008" intervalms="0.000">
<minimum requested_bytes="48" />
<time exclusiveaccessms="1.635" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="1" totalid="1" intervalms="0.000">
 <flipped objectcount="253990" bytes="19242624" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="644" weak="1" phantom="0" />
 <finalization objectsqueued="1363" />
 <scavenger tiltratio="50" />
 <nursery freebytes="190330424" totalbytes="209715200" percent="90" tenureage="10" />
 <tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="107.395" />
</gc>
<nursery freebytes="190328376" totalbytes="209715200" percent="90" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="110.754" />
</af>
Service deploy started. (4055 ms).
Service bimmrdeployer started. (7 ms).
Service MigrationService started. (70 ms).
Service log_configurator started. (194277 ms).
Service locking started. (8 ms).
Service http started. (295 ms).
Service naming started. (626 ms).
Service failover started. (112 ms).
Service appclient started. (140 ms).
Service javamail started. (218 ms).
Service ts started. (220 ms).
Service jmsconnector started. (207 ms).
Service licensing started. (22 ms).
Service connector started. (212 ms).
Service configuration started. (32 ms).
Service iiop started. (316 ms).
Service webservices started. (706 ms).
Service dbpool started. (25283 ms).
<af type="nursery" id="2" timestamp="Wed Aug 13 18:33:36 2008" intervalms="91291.585">
<minimum requested_bytes="768" />
<time exclusiveaccessms="0.302" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="2" totalid="2" intervalms="91293.279">
 <flipped objectcount="353647" bytes="28752016" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="1056" weak="0" phantom="0" />
 <finalization objectsqueued="2858" />
 <scavenger tiltratio="50" />
 <nursery freebytes="180516672" totalbytes="209715200" percent="86" tenureage="11" />
 <tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="90.892" />
</gc>
<nursery freebytes="180514624" totalbytes="209715200" percent="86" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="92.831" />
</af>
Service com.sap.security.core.ume.service started. (64165 ms).
Service tcdisdic~srv started. (815 ms).
Service security started. (911 ms).
Service classload started. (43 ms).
Service applocking started. (132 ms).
Service shell started. (216 ms).
Service tceCATTPingservice started. (21 ms).
Service telnet started. (60 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [service_ssl] and user [null] not generated; Consequences: keystore view [service_ssl] is not created for user [null]; Countermeasures:see log for details
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TrustedCAs] and user [null] not generated; Consequences: keystore view [TrustedCAs] is not created for user [null]; Countermeasures:see log for details
Service webdynpro started. (699 ms).
Service keystore started. (952 ms).
Service ssl started. (56 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TicketKeystore] and user [null] not generated; Consequences: keystore view [TicketKeystore] is not created for user [null]; Countermeasures:see log for details
Service ejb started. (1367 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service tcseccertrevoc~service started. (286 ms).
Service tcsecsecurestorage~service started. (379 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service servlet_jsp started. (1783 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Timed out services:
Service com.adobe~DataManagerService > hard reference to service jmx.
Service com.adobe~TrustManagerService > hard reference to service jmx.
Service cafumrelgroupsimp > hard reference to service cafummetadataimp.
Service com.adobe~PDFManipulation > hard reference to service jmx.
Service adminadapter > hard reference to service jmx.
Service pmi > hard reference to service tcsecdestinations~service.
Service jms_provider > hard reference to service jmx.
Service sld > service sld start method invoked.
Service jmx > service jmx start method invoked.
Service rfcengine > hard reference to service jmx.
Service tcsecsaml~service > hard reference to service adminadapter.
Service com.adobe~LicenseService > hard reference to service basicadmin.
Service com.adobe~DocumentServicesConfiguration > hard reference to service basicadmin.
Service tcsmdserver~service > hard reference to service jmx.
Service com.adobe~DocumentServicesDestProtoService > hard reference to service jmx.
Service cafummetadataimp > service cafummetadataimp start method invoked.
Service tcsecvsiservice > hard reference to service tcsecdestinationsservice.
Service tcsecdestinationsservice > service tcsecdestinationsservice start method invoked.
Service dsr > hard reference to service security.
Service monitor > hard reference to service jmx.
Service cafruntimeconnectivityimpl > service cafruntimeconnectivityimpl start method invoked.
Service tclmctcconfsservice_sda > hard reference to service jmx.
Service CUL > hard reference to service jmx.
Service tc.monitoring.logviewer > hard reference to service jmx.
Service apptracing > hard reference to service jmx.
Service com.adobe~XMLFormService > hard reference to service jmx.
Service tcsecwssecservice > service tcsecwssecservice start method invoked.
Service com.adobe~FontManagerService > hard reference to service jmx.
Service com.adobe~DocumentServicesLicenseSupportService > hard reference to service jmx.
Service com.adobe~DocumentServicesBinaries2 > hard reference to service jmx.
Service basicadmin > hard reference to service jmx.
[Framework -> criticalShutdown] 3 core services have timed out [adminadapter; jmx; basicadmin].
Aug 13, 2008 6:33:53 PM com.sap.engine.core.Framework [Thread[Thread-1,5,main]] Fatal: Critical shutdown was invoked. Reason is: 3 core services have timed out [adminadapter; jmx; basicadmin].
</verbosegc>

i have a error trying to start the java engine of a Solution Manager 4.0 SR2 on AIX with ibm jdk SR9
the next log is about the std_server0.out
i do not how to create the alias because i can not connect using Visual Administrator because the server not start
stdout/stderr redirect
node name : server0
pid : 995354
system name : SMS
system nr. : 00
started at : Wed Aug 13 18:26:36 2008
[Thr 1] Wed Aug 13 18:26:37 2008
[Thr 1] MtxInit: -2 0 0
<?xml version="1.0" ?>
<verbosegc version="200708_30">
SAP J2EE Engine Version 7.00 PatchLevel 108458.44 is starting...
Loading: LogManager ... 2643 ms.
Loading: PoolManager ... 2 ms.
Loading: ApplicationThreadManager ... 837 ms.
Loading: ThreadManager ... 54 ms.
Loading: IpVerificationManager ... 12 ms.
Loading: ClassLoaderManager ... 14 ms.
Loading: ClusterManager ... 226 ms.
Loading: LockingManager ... 68 ms.
Loading: ConfigurationManager ... 86617 ms.
Loading: LicensingManager ... 28 ms.
Loading: CacheManager ... 159 ms.
Loading: ServiceManager ...
Loading services.:
Service cross started. (75 ms).
Service memory started. (98 ms).
Service runtimeinfo started. (115 ms).
Service trex.service started. (87 ms).
Service file started. (156 ms).
Service timeout started. (159 ms).
Service userstore started. (19 ms).
Service jmx_notification started. (78431 ms).
Service p4 started. (188119 ms).
Service classpath_resolver started. (63 ms).
<af type="nursery" id="1" timestamp="Wed Aug 13 18:32:05 2008" intervalms="0.000">
<minimum requested_bytes="48" />
<time exclusiveaccessms="1.635" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="1" totalid="1" intervalms="0.000">
 <flipped objectcount="253990" bytes="19242624" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="644" weak="1" phantom="0" />
 <finalization objectsqueued="1363" />
 <scavenger tiltratio="50" />
 <nursery freebytes="190330424" totalbytes="209715200" percent="90" tenureage="10" />
 <tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="107.395" />
</gc>
<nursery freebytes="190328376" totalbytes="209715200" percent="90" />
<tenured freebytes="1724342296" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637940248" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="110.754" />
</af>
Service deploy started. (4055 ms).
Service bimmrdeployer started. (7 ms).
Service MigrationService started. (70 ms).
Service log_configurator started. (194277 ms).
Service locking started. (8 ms).
Service http started. (295 ms).
Service naming started. (626 ms).
Service failover started. (112 ms).
Service appclient started. (140 ms).
Service javamail started. (218 ms).
Service ts started. (220 ms).
Service jmsconnector started. (207 ms).
Service licensing started. (22 ms).
Service connector started. (212 ms).
Service configuration started. (32 ms).
Service iiop started. (316 ms).
Service webservices started. (706 ms).
Service dbpool started. (25283 ms).
<af type="nursery" id="2" timestamp="Wed Aug 13 18:33:36 2008" intervalms="91291.585">
<minimum requested_bytes="768" />
<time exclusiveaccessms="0.302" />
<nursery freebytes="0" totalbytes="209715200" percent="0" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<gc type="scavenger" id="2" totalid="2" intervalms="91293.279">
 <flipped objectcount="353647" bytes="28752016" />
 <tenured objectcount="0" bytes="0" />
 <refs_cleared soft="1056" weak="0" phantom="0" />
 <finalization objectsqueued="2858" />
 <scavenger tiltratio="50" />
 <nursery freebytes="180516672" totalbytes="209715200" percent="86" tenureage="11" />
 <tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
 </tenured>
 <time totalms="90.892" />
</gc>
<nursery freebytes="180514624" totalbytes="209715200" percent="86" />
<tenured freebytes="1723791376" totalbytes="1728053248" percent="99" >
 <soa freebytes="1637389328" totalbytes="1641651200" percent="99" />
 <loa freebytes="86402048" totalbytes="86402048" percent="100" />
</tenured>
<time totalms="92.831" />
</af>
Service com.sap.security.core.ume.service started. (64165 ms).
Service tcdisdic~srv started. (815 ms).
Service security started. (911 ms).
Service classload started. (43 ms).
Service applocking started. (132 ms).
Service shell started. (216 ms).
Service tceCATTPingservice started. (21 ms).
Service telnet started. (60 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [service_ssl] and user [null] not generated; Consequences: keystore view [service_ssl] is not created for user [null]; Countermeasures:see log for details
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TrustedCAs] and user [null] not generated; Consequences: keystore view [TrustedCAs] is not created for user [null]; Countermeasures:see log for details
Service webdynpro started. (699 ms).
Service keystore started. (952 ms).
Service ssl started. (56 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [TicketKeystore] and user [null] not generated; Consequences: keystore view [TicketKeystore] is not created for user [null]; Countermeasures:see log for details
Service ejb started. (1367 ms).
Aug 13, 2008 6:33:40 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service tcseccertrevoc~service started. (286 ms).
Service tcsecsecurestorage~service started. (379 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Service servlet_jsp started. (1783 ms).
Aug 13, 2008 6:33:41 PM com.sap.engine.services.keystore [Thread[_keystore_managed_system_thread_,10,SAPEngine_System_Thread[impl:5]_Group]] Fatal: Source: com.sap.engine.services.security.exceptions.BaseSecurityException: Security role with alias KeystoreAdministrator does not exist.; Description: system user based security support for view [securestorage] and user [null] not generated; Consequences: keystore view [securestorage] is not created for user [null]; Countermeasures:see log for details
Timed out services:
Service com.adobe~DataManagerService > hard reference to service jmx.
Service com.adobe~TrustManagerService > hard reference to service jmx.
Service cafumrelgroupsimp > hard reference to service cafummetadataimp.
Service com.adobe~PDFManipulation > hard reference to service jmx.
Service adminadapter > hard reference to service jmx.
Service pmi > hard reference to service tcsecdestinations~service.
Service jms_provider > hard reference to service jmx.
Service sld > service sld start method invoked.
Service jmx > service jmx start method invoked.
Service rfcengine > hard reference to service jmx.
Service tcsecsaml~service > hard reference to service adminadapter.
Service com.adobe~LicenseService > hard reference to service basicadmin.
Service com.adobe~DocumentServicesConfiguration > hard reference to service basicadmin.
Service tcsmdserver~service > hard reference to service jmx.
Service com.adobe~DocumentServicesDestProtoService > hard reference to service jmx.
Service cafummetadataimp > service cafummetadataimp start method invoked.
Service tcsecvsiservice > hard reference to service tcsecdestinationsservice.
Service tcsecdestinationsservice > service tcsecdestinationsservice start method invoked.
Service dsr > hard reference to service security.
Service monitor > hard reference to service jmx.
Service cafruntimeconnectivityimpl > service cafruntimeconnectivityimpl start method invoked.
Service tclmctcconfsservice_sda > hard reference to service jmx.
Service CUL > hard reference to service jmx.
Service tc.monitoring.logviewer > hard reference to service jmx.
Service apptracing > hard reference to service jmx.
Service com.adobe~XMLFormService > hard reference to service jmx.
Service tcsecwssecservice > service tcsecwssecservice start method invoked.
Service com.adobe~FontManagerService > hard reference to service jmx.
Service com.adobe~DocumentServicesLicenseSupportService > hard reference to service jmx.
Service com.adobe~DocumentServicesBinaries2 > hard reference to service jmx.
Service basicadmin > hard reference to service jmx.
[Framework -> criticalShutdown] 3 core services have timed out [adminadapter; jmx; basicadmin].
Aug 13, 2008 6:33:53 PM com.sap.engine.core.Framework [Thread[Thread-1,5,main]] Fatal: Critical shutdown was invoked. Reason is: 3 core services have timed out [adminadapter; jmx; basicadmin].
</verbosegc>

Security Role for RZ70

Hi Guys,
Which security role provides access to RZ70. Also when I added all the SLD roles I am told I do not have authority to change SLD administration, instead of not being authorized for the transaction.
Regards,
Chris

Hi,
It seems your SLD hasnt been registered onto the SAP gateway.
Have you setup your Data Supplier Bridge properly Access information in T-code SLDAPICUST
check this post
Re: No Message Server defined
tcode rz70 ( program RSLDADM ) is part of SAPKB62019. In this report you could check if any special Security roles have added
Refer,
Re: RZ70
Re: Accesing multiple R/3 systems from WD application
Thanks
swarup
Edited by: Swarup Sawant on Feb 23, 2008 4:43 AM

Error :Authorization check for caller assignment to J2EE security role whil

Hi Experts,
i m working as a portal resource .
after the deployment of standered Sap e-rec package .
i m getting some error. i have assigned the recruiter role to one test user.
Now i m getting two issue:
1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
2) I m able to see few iview for the test user but those are also in detailed navigation view.
And few ivews are giving following error :
i)Internal error
ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
/System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
Full Message Text
ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
please suggest what can be done or what is pending from my side.

Prajakta2602 wrote:
Hi Experts,
>
> the previous issue got solved..
> it was due to servies pack miss match and applying notes
> the Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
> notes 1445294 and 1175239 were applied.
> now the issue is:
>
>
> After implemetation and i assigning the standerd sap roles
> 1)Recruiter Administrator
> 2)Recruiter
> to the test user .
> but for few iview it is showing error as in
> 1) you are not a authorized user
> 2) internal error
>
> please help experts.
>
> i m working on portal side have i to assign any role to that test user..
>
>
> Thnaks & Regards,
> Prajakta
You can run a quick check using the below steps:
1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
Regards,
Mahesh

How to get security roles in a JSF portlet

I need to get the LDAP user-roles available in the Sun Portal Server 7 in my JSF-168 portlet.
I've added the mapping file, updated the portlet.xml and web.xml, deployed the portlet (psconsole). But the portlet shows the "content not available" error with javax....title title.
I've probably messed up the descriptors, but I don't see what is wrong. Here they are:
roleMaps.properties
cn\=VSM.Administrator,dc\=neco,dc\=cz=Administrator
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4">
<context-param>
 <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
 <param-value>server</param-value>
</context-param>
<context-param>
 <param-name>javax.faces.CONFIG_FILES</param-name>
 <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
</context-param>
<context-param>
 <param-name>com.sun.faces.validateXml</param-name>
 <param-value>true</param-value>
</context-param>
<context-param>
 <param-name>com.sun.faces.verifyObjects</param-name>
 <param-value>false</param-value>
</context-param>
<filter>
 <filter-name>UploadFilter</filter-name>
 <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
 <init-param>
 <description>
 The maximum allowed upload size in bytes. If this is set
 to a negative value, there is no maximum. The default
 value is 1000000.
 </description>
 <param-name>maxSize</param-name>
 <param-value>1000000</param-value>
 </init-param>
 <init-param>
 <description>
 The size (in bytes) of an uploaded file which, if it is
 exceeded, will cause the file to be written directly to
 disk instead of stored in memory. Files smaller than or
 equal to this size will be stored in memory. The default
 value is 4096.
 </description>
 <param-name>sizeThreshold</param-name>
 <param-value>4096</param-value>
 </init-param>
</filter>
<filter-mapping>
 <filter-name>UploadFilter</filter-name>
 <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<servlet>
 <servlet-name>Faces Servlet</servlet-name>
 <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
 <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
 <servlet-name>ExceptionHandlerServlet</servlet-name>
 <servlet-class>com.sun.errorhandler.ExceptionHandler</servlet-class>
 <init-param>
 <param-name>errorHost</param-name>
 <param-value>localhost</param-value>
 </init-param>
 <init-param>
 <param-name>errorPort</param-name>
 <param-value>25444</param-value>
 </init-param>
</servlet>
<servlet>
 <servlet-name>ThemeServlet</servlet-name>
 <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
</servlet>
<servlet>
 <description>Generated By Sun Java Studio Creator</description>
 <display-name>CreatorPortlet Wrapper</display-name>
 <servlet-name>VSMPortal</servlet-name>
 <servlet-class>org.apache.pluto.core.PortletServlet</servlet-class>
 <init-param>
 <param-name>portlet-class</param-name>
 <param-value>com.sun.faces.portlet.FacesPortlet</param-value>
 </init-param>
 <init-param>
 <param-name>portlet-guid</param-name>
 <param-value>VSMPortal.VSMPortal</param-value>
 </init-param>
</servlet>
<servlet-mapping>
 <servlet-name>ExceptionHandlerServlet</servlet-name>
 <url-pattern>/error/ExceptionHandler</url-pattern>
</servlet-mapping>
<servlet-mapping>
 <servlet-name>ThemeServlet</servlet-name>
 <url-pattern>/theme/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
 <servlet-name>VSMPortal</servlet-name>
 <url-pattern>/VSMPortal/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
 <welcome-file>faces/null</welcome-file>
</welcome-file-list>
<error-page>
 <exception-type>javax.servlet.ServletException</exception-type>
 <location>/error/ExceptionHandler</location>
</error-page>
<error-page>
 <exception-type>java.io.IOException</exception-type>
 <location>/error/ExceptionHandler</location>
</error-page>
<error-page>
 <exception-type>javax.faces.FacesException</exception-type>
 <location>/error/ExceptionHandler</location>
</error-page>
<error-page>
 <exception-type>com.sun.rave.web.ui.appbase.ApplicationException</exception-type>
 <location>/error/ExceptionHandler</location>
</error-page>
<jsp-config>
 <jsp-property-group>
 <url-pattern>*.jspf</url-pattern>
 <is-xml>true</is-xml>
 </jsp-property-group>
</jsp-config>
 <security-role>
 <role-name>Administrator</role-name>
 </security-role>
</web-app>
portlet.xml
<?xml version='1.0' encoding='UTF-8' ?>
<portlet-app xmlns='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' version='1.0'>
 <portlet>
 <description>Created By Java Studio Creator</description>
 <portlet-name>VSMPortal</portlet-name>
 <display-name>VSMPortal Portlet</display-name>
 <portlet-class>com.sun.faces.portlet.FacesPortlet</portlet-class>
 <init-param>
 <name>com.sun.faces.portlet.INIT_VIEW</name>
 <value>/Uctarna.jsp</value>
 </init-param>
 <expiration-cache>0</expiration-cache>
 <supports>
 <mime-type>text/html</mime-type>
 <portlet-mode>VIEW</portlet-mode>
 </supports>
 <supported-locale>en</supported-locale>
 <portlet-info>
 <title>VSMPortal</title>
 <short-title>VSMPortal</short-title>
 <keywords>Creator</keywords>
 </portlet-info>
 <security-role-ref>
 <role-name>Administrator</role-name>
 <role-link>Administrator</role-link>
 </security-role-ref>
 </portlet>
</portlet-app>If I don't use the security-role and security-role-ref tags, the portlet works, and the isUserInRole method obviously doesn't.

Nobody uses the LDAP roles in a portlet? Anybody knows other thread discussing similar issue (I can't find anything)?

CRM 2011: Can you control which form is used based not security roles, but on a field value?

I see that you can control which form is used based on security roles, but can you control it based on other field values? I'd like a new record to use a different form until a given status is updated. I have a status of draft and active. So
it would be nice if I could use form1 for those in draft, form2 for those that are active. But I only see where you can control that via the security roles.
I can code all of this via JavaScript, but having the ability to use two separate forms would be nice. Is that even possible.
Best regards,
Jon Gregory Rothlander

Hello,
Recheck following article - http://gonzaloruizcrm.blogspot.com/2014/11/avoiding-form-reload-when-switching-crm.html
Dynamics CRM MVP/ Technical Evangelist at SlickData LLC
My blog

How to use security roles in Weblogic server?

Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.

You should read the security information in the Servlet 2.2 specification
that WL 5.1 implements:
http://java.sun.com/products/servlet/download.html
Chapter 11 deals with declarative and programmatic security, and includes a
section on roles:
11.4 Roles
A role is an abstract logical grouping of users that is defined by the
Application Developer or
Assembler. When the application is deployed, these roles are mapped by a
Deployer to security
identities, such as principals or groups, in the runtime environment.
A servlet container enforces declarative or programmatic security for the
principal associated with
an incoming request based on the security attributes of that calling
principal. For example,
1. When a deployer has mapped a security role to a user group in the
operational environment. The
user group to which the calling principal belongs is retrieved from its
security attributes. If the
principal's user group matches the user group in the operational environment
that the security
role has been mapped to, the principal is in the security role.
2. When a deployer has mapped a security role to a principal name in a
security policy domain, the
principal name of the calling principal is retrieved from its security
attributes. If the principal is
the same as the principal to which the security role was mapped, the calling
principal is in the
security role.
Cameron Purdy
http://www.tangosol.com
"Hari" <[email protected]> wrote in message
news:[email protected]..
Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.

How to get security roles

Hi All,
I want to know how to get the security roles which we configured in adfsecurity.
Regards,
Smaran

Hi,
to get all roles associated with the current user, try
SecurityContext secCtx = ADFContext.getCurrent().getSecurityContext();
String[] roles = secCtx.getUserRoles();
To get access to the roles defined on the system (not user specific) then this requires OPSS access. The JavaDocs are here:
http://download.oracle.com/docs/cd/E17904_01/apirefs.1111/e10686/toc.htm
From the top of my head. this is how get access to the JPS context to query system resources.
JpsContextFactory jpsfact = JpsContextFactory.getContextFactory();
JpsContext jpxCtx = jpdfact.getContext();
IdentityStoreService store = jpxCtx.getServiceInstance(IdentityStoreService.class);
... from here on I have no further hint without trying it myself. However, I hope I go you started
Frank

Map security roles to group within LDAP using external 3rd Party LDAP

I'm haveing a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory succsfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to group within Active Directory? Below are details about my configuration.
Any help would be greatly appreciated.
Log.xml log entry that confirms webtA is communicating successfully with AD.
SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
Error reported in the log
<MESSAGE>
<HEADER>
<TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
<COMPONENT_ID>j2ee</COMPONENT_ID>
<MSG_TYPE TYPE="TRACE"></MSG_TYPE>
<MSG_LEVEL>16</MSG_LEVEL>
<HOST_ID>F2287032-W</HOST_ID>
<HOST_NWADDR>30.30.16.14</HOST_NWADDR>
<MODULE_ID>security</MODULE_ID>
<THREAD_ID>14</THREAD_ID>
<USER_ID>wmgraham</USER_ID>
</HEADER>
<CORRELATION_DATA>
<EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
Web.xml Logical Role definition
<security-constraint>
<web-resource-collection>
<web-resource-name>allpages</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>WEBTA_J2EE_USER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>WEBTA_J2EE_USER</role-name>
</security-role>
Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
<security-role-mapping name="WEBTA_J2EE_USER">
<group name="webta"/> <-- Group defined in AD -->
</security-role-mapping>

What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

Invalid Security role-name error in Web Project

Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project i get the following error
CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
This error directs me to the following code in web.xml
<security-constraint>
 <display-name>Default JSP Security Constraints</display-name>
 <web-resource-collection>
 <web-resource-name>Portlet Directory</web-resource-name>
 <url-pattern>/jsp/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>
I have tried out the following things to resolve this issue :
1) Remove the role manually(as suggested by various people in other J2EE forums), but then some other error came in to picture
2)Then I added the following code in web.xml
<security-role>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
 java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
 1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
3) I had also added the following code in web-j2ee-engine.xml
<security-role-map>
 <role-name>PEHNTAHO_ADMIN</role-name>
 <server-role-name>all</server-role-name>
 </security-role-map>
but still i get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti

Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
Could you please let us know you created a roles named users in WLS ?
Thanks & Regards,
Murali.
============

Unable to assign all security roles to a user with a new custom security role

Dear All,
Happy New Year.!
I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
any desired security role to the new user.
However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
to assign some other security roles, including 'Support User Role', to new user 'y'.
I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
Appreciate any help that you can provide on the above issue.
Thanks in anticipation.

Hi,
Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
Refer:-
http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
Hope this helps!!!
Thanks,
Prasad
Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

Need api for changing security role in web.xml !!

My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an api and inturn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed ? In that case how do I redeploy using an api call ?
I found a lot of apis related to roles like createRole, removeRole etc.. But there are no apis to change the name of the role and inturn persist in web.xml.
Do I need to provide any more information ? Let me know
Thanks,
Karthick

why and when do you change security-role? try to use ant task (perhaph you need xpath also). itÂ´s the better when you perform task about lifeÂ´s cycle of application.
please, describe your problem.
of course in you change web.xml you must restart the application.

Security-role and security-role-assignment not working in WL7.0

Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

Below are the screen shots for PFCG:

How can I limit/control the addition of auth. objects to security roles?

Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
Edited by: Armando Salas on Nov 29, 2011 7:41 PM

Hi Armando,
Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
I hope this helps you
Regards
Eduardo

SLD security roles

Similar Messages

Maybe you are looking for