SRM 7 role mapping and authorization queries

Similar Messages

• Use of default XACML with custom role mapper and authorization provider

  Hi,
  Is it possible to use the default XACML provider for custom role mappers and authorization providers when role information will be provided via an external application ( not an LDAP or RDBMS server )?
  My custom providers will be communicating with the external application via an API that accepts user credentials and will return decisions whether the credentials were successfully authenticated as well as returning a list of roles for the authenticated user.
  Once the roles and the subject are cached, will the default XACML provider be able to use them to make role mapping and authorization decisions?

  I see 2 approaches. First, write a custom authenticator that stores the role information in the subject either by creating a custom java.security.Principal that is stored in the Subject or by saving it in PrivateCredentials of the Subject. Then right a custom role mapper that knows how to get the role information from the Subject and return a role Map. The default XACML Authorizer will then work with the role information in the role map.
  Second approach is to write a custom role mapper that looks up the role information based on the Subject and returns a role map.
  The chosen approach depends on where you're getting the role information from.

• Role Mapper and Authorizer

  At one point I posted a forum entry and posted a solution for my entry regarding keeping the app deployments around while recreating/overwriting the domain using WLST offline. Keep App Deployments while recreating the domain in WLST offline
  Things seems to work, except that I noticed that the XACML Role Mapper and Authorizer that were created the first time around (when there is no domain folder) are getting replaced by default Role Mapper and Authorizer (on subsequent runs when the domain folder already exists and we overwrite the domain)
  Basically the first readDomain is causing this. without reading the domain, I cannot get the app list.
  System.setProperty("com.bea.cie.script.throwException","true")
  appdeps={}
  try:
    readDomain('c:/temp/basicWLSDomain')
    cd('/AppDeployments')
    apps=ls(returnMap='true')
    for app in apps:
    appdeps[app]=ls(app,returnMap='true', returnType='a')
  except:
    pass
  try:
    closeDomain()
  except:
    pass
  #=======================================================================================
  # Open a domain template.
  #=======================================================================================
  readTemplate("c:/wls11/wlserver_10.3/common/templates/domains/wls.jar")
  #=======================================================================================
  # Configure the Administration Server and SSL port.
  # To enable access by both local and remote processes, you should not set the
  # listen address for the server instance (that is, it should be left blank or not set).
  # In this case, the server instance will determine the address of the machine and
  # listen on it.
  #=======================================================================================
  cd('Servers/AdminServer')
  set('ListenAddress','')
  set('ListenPort', 7001)
  create('AdminServer','SSL')
  cd('SSL/AdminServer')
  set('Enabled', 'True')
  set('ListenPort', 7002)
  #=======================================================================================
  # Define the user password for weblogic.
  #=======================================================================================
  cd('/')
  cd('Security/base_domain/User/weblogic')
  cmo.setPassword('weblogic11g')
  #=======================================================================================
  # Create a JMS Server.
  #=======================================================================================
  cd('/')
  create('myJMSServer', 'JMSServer')
  #=======================================================================================
  # Create a JMS System resource.
  #=======================================================================================
  cd('/')
  create('myJmsSystemResource', 'JMSSystemResource')
  cd('JMSSystemResource/myJmsSystemResource/JmsResource/NO_NAME_0')
  #=======================================================================================
  # Create a JMS Queue and its subdeployment.
  #=======================================================================================
  myq=create('myQueue','Queue')
  myq.setJNDIName('jms/myqueue')
  myq.setSubDeploymentName('myQueueSubDeployment')
  cd('/')
  cd('JMSSystemResource/myJmsSystemResource')
  create('myQueueSubDeployment', 'SubDeployment')
  #=======================================================================================
  # Create and configure a JDBC Data Source, and sets the JDBC user.
  #=======================================================================================
  cd('/')
  create('myDataSource', 'JDBCSystemResource')
  cd('JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcDriverParams','JDBCDriverParams')
  cd('JDBCDriverParams/NO_NAME_0')
  set('DriverName','com.pointbase.jdbc.jdbcUniversalDriver')
  set('URL','jdbc:pointbase:server://localhost/demo')
  set('PasswordEncrypted', 'PBPUBLIC')
  set('UseXADataSourceInterface', 'false')
  create('myProps','Properties')
  cd('Properties/NO_NAME_0')
  create('user', 'Property')
  cd('Property/user')
  cmo.setValue('PBPUBLIC')
  cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcDataSourceParams','JDBCDataSourceParams')
  cd('JDBCDataSourceParams/NO_NAME_0')
  set('JNDIName', java.lang.String("myDataSource_jndi"))
  cd('/JDBCSystemResource/myDataSource/JdbcResource/myDataSource')
  create('myJdbcConnectionPoolParams','JDBCConnectionPoolParams')
  cd('JDBCConnectionPoolParams/NO_NAME_0')
  set('TestTableName','SYSTABLES')
  #=======================================================================================
  # Target resources to the servers.
  #=======================================================================================
  cd('/')
  assign('JMSServer', 'myJMSServer', 'Target', 'AdminServer')
  assign('JMSSystemResource.SubDeployment', 'myJmsSystemResource.myQueueSubDeployment', 'Target', 'myJMSServer')
  assign('JDBCSystemResource', 'myDataSource', 'Target', 'AdminServer')
  #=======================================================================================
  # Write the domain and close the domain template.
  #=======================================================================================
  setOption('OverwriteDomain', 'true')
  setOption('CreateStartMenu', 'false')
  writeDomain('c:/temp/basicWLSDomain')
  closeTemplate()
  #=======================================================================================
  # Exit WLST.
  #=======================================================================================
  exit()
  So I thought I will create the XACML Authorizer and Role Mapper myself instead of letting the default domain creation process do it. but that is resulting in duplicates on the first run (when the domain folder does not exist) and in the subsequent runs (when the domain folder already exists), I see one XACML and one default.
  cd('/')
  create('base_domain', 'SecurityConfiguration')
  cd('SecurityConfiguration/base_domain/Realm/myrealm')
  ls('a')
  create('XACMLAuthorizer', 'weblogic.security.providers.xacml.authorization.XACMLAuthorizer','Authorizer')
  create('XACMLRoleMapper', 'weblogic.security.providers.xacml.authorization.XACMLRoleMapper','RoleMapper')
  I am going no where with Oracle Support. I am wondering if anyone ran into this before.

  com.oracle.cie.config-wls-schema_10.3.6.0.jar has various SecurityConfiguration XML fragments and the wrong fragment is being used when the domain is recreated.
  I am thinking it is a logic issue in domain creation.

• Problem with Security Role mapping and LDAP

  Hi,
  In Oracle Internet Directory I've created a group called OIDGroup1.OIdGroup1 has 2 users : OIDuser1 and OIDuser2.
  OIDGroup1 is mapped to EjbRole1 (is a security role defined in ejb-jar.xml, EjbRole1 can do everything in the application).Now if I login as OIDuser1 or OIDuser2, application said that the user does not
  have authorization to execute some method. The mapping in my orion-application.xml is :
  <security-role-mapping name="EjbRole1">
  <group name="admin/OIDGroup1"/>
  </security-role-mapping>
  <jazn provider="LDAP" location="ldap://myhost:4032"><jazn-web-app auth-method="SSO"/></jazn>
  if I modified orion-application.xml like this :
  <security-role-mapping name="EjbRole1">
  <group name="admin/OIDGroup1"/>
  <user name="admin/OIDuser1"/>
  </security-role-mapping>
  then login as OIDuser1, it works. But it does not work with OIDuser2.
  That's is a problem for me because our customer can not manage the user/group
  easily : each time they have a a new user, instead of simply adding this user
  in the OIDGroup1 (with graphic interface of OIDAS), they have to modify
  orion-application.xml.
  Do you have any idea ?
  Thanks in advance
  regards

  I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• OAM manage roles and Authorization in WebLogic integration

  Hi
  Had anyone done weblogic integration where OAM manages roles and Authorization?
  I could read in Oracle WebLogic integration document that,
  "The Security Provider only supports authentication for portals."
  I wanted to figure out if anyone has done this before or Is it possible to delegate role management and Authorization responsibility to OAM?
  Thanks
  Kiran Thakkar

  Thanks for the quick response.
  Thanks
  Kiran Thakkar

• Authentication and authorization for AD users in UCM11g

  Hi all
  we are using webcenter content server 11g. I read some where that for 11g users authentication is done in weblogic server environment, mean content server for 11g in now managed by weblogic server only, am i right?. we have successfully integrated Active Directory with weblogic sever and user of AD are able to log-in UCM but they don't have any role like contributor or Admin. How to do this role mapping for AD user in UCM i.e. authorization for these users. Please provide any guidence on this issue any doc or blog, we are new to webcenter suite.
  Thanks
  Somesh

  As you already have weblogic integrated with AD, remains only role mapping and Single Sign-On integration. For authorization, AD must contain groups with exact names as roles in the Content Server. Those groups should be where Group Base parameter in the weblogic ActiveDirectoryAuthenticator point (like OU=Roles,OU=Oracle,DC=example,DC=com). Assigning AD user to the AD group named contributor, will add contributor role to logged Content Server user.
  As for SSO, refer to the:
  http://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm
  and
  http://docs.oracle.com/cd/E23943_01/doc.1111/e10792/c05_security.htm#autoId21
  Procedure steps are:
  Create a user account for the hostname of the web server machine in Active Directory
  Create krb5.ini file, and locate it in the C:\Windows directory at both machines (Domain Controller and WLS host)
  Generate the keytab file
  Create a JAAS Login File named krb5Login.conf
  Put both keytab and krb5Login.conf files to …/user_domains/domains/my_domain/
  Configure the Identity Assertion Provider
  Adjust Weblogic Server startup arguments for Kerberos authentication
  Redeploy CS (and optionally other servers) server with the documentation given deployment plan
  Check web browser configuration (IE and Firefox only)
  Take a deep breath and test
  If successful have a cake and cup of coffee else goto step one
  Regards,
  Boris

• Business Explorer Roles and Authorizations

  Hi,
  I am using Business Explorer Query Designer and Analyzer ( Excel Work book add on) with BI 7.0.
  I need to create roles and authorizations for the end users to create queries and view queries in excel by using Business Explorer Query Analyzer.
  Kindly suggest me what are the standard transactions, roles and authorizations to be given to the end users.
  Thanks and regards
  Murugesan

  I dont have idea about Bi 7.0 ..
  If its bw 3.X i jusz used rrmx --->>excel ->addins-->>queries --->pop up window --->here we need rfs object S_RFC
  Finally rrmx tcode and general roles which has S_RFC  autorisation object and the query .
  Regards,
  Naveen

• User roles and role mapping

  I've just start as an intern in Change Management team that is helping to implement SD. My two tasks are to "develop SAP user roles specific to the new business processes" and "manage the role to position mapping for provision of security roles." None of the real employees in my team has ever done this, and my manager is now on three weeks leave. I'm new to SAP and I don't really know where to start. Can anyone offer any advice, or point me to some references? Thanks.

  Intern,
  Its a pretty cold manager who will dump a task on a inexperienced subordinate without any guidance or mentoring,  and then take three weeks off.
  Anyhow, you first need to get some insights as to what the expectations of the client are:  What type of users will there be?  What tasks will each user be responsible for carrying out?
  You also will want to collect a list of names of the actual users. Your Basis people will tell you which bits of data will have to be collected in order to create users on the system
  Next, you need to talk to the SD expert on your team about the solutions that will be implemented.  Quotes? Consignment? Scheduling agreements? Pricing? Customer Service? Marketing?  Customer Master? Material Master? The SD expert should be able to tell you at a very minimum which transactions should be made available.
  There are standard roles available delivered in the system.  These are pretty much un-usable as delivered, but they make a good starting point.  Review http://help.sap.com/erp2005_ehp_04/helpdata/EN/b4/3f9c41919eae5fe10000000a1550b0/frameset.htm
  and
  http://help.sap.com/erp2005_ehp_04/helpdata/EN/06/57683801b5c412e10000009b38f842/frameset.htm
  Once you have all the info needed from the client and your SD experts, you then design the supporting roles at a high level. I usually use an Excel Spreadsheet with two tabs:  One tab listing roles to be developed, with all the transactions and authorization object limitations for each one;  and another tab listing Users and the supporting data needed to create a user.  If you are a Basis expert, you already know the next steps.  If not, then you typically hand your designs to the Basis team for creation of the actual Roles.
  Good luck.  Remember not to treat your interns the same way you have been treated.
  DB49

• Roles and authorizations in BI content

  Hi experts,
  I'm trying to define a very simple scheme of roles and authorizations for my queries.
  So, i'm trying to limit the acess by infocube and DSO, but I'm missing the authorizations objects for Cube and DSO.
  I know that authorization object for queries it's S_RS_COMP.
  So my roles would be something like
  BI_ROLE_FI
  Authorization Object                                  Autorization Object Value
  Acess query (S_RS_COMP)                         NA                              
  Infoobject (whats the object???)                   0FIGL_C01
  DSO (whats the object???)                            0FIGL_O14
  BI_ROLE_PUR
  Authorization Object                                  Autorization Object Value
  Acess query (S_RS_COMP)                         NA                              
  Infoobject (whats the object???)                   0PUR_C01
  Can you help me find out whats the missing information
  Thanks and regards
  Joana

  Hi,
  Iu2019ve gave authorization to the object youu2019ve mentioned, but itu2019s still not working.
  Basically what I have is the following:
  One role that allows me to execute queries, workbooks, etc.
  A second role, dependent on the area of work, that should allow me only to have access to queries  from cubes/MP/DSO that are specific to users area.
  I will then give each user role 1 + the adequate role 2, depending on their work area.
  For role 1 I have got:
  S_RFC     
  Activity: 16
  Name of RFC to be protected: *
  Name of RFC object to be protected: *
  S_TCODE     
  Transaction code: RRMX
  S_GUI     
  Activity: 16
  S_USER_AGR     
  Activity: 01, 02, 03
  Role Name: ANLG_BI_01
  S_USER_TCD     
  Transaction code: RRMX
  S_RS_AUTH     
  BI Analysis Authorization: BI_ALL
  S_RS_COMP     
  Activity: 03, 16
  InfoArea:*
  InfoCube: *
  Name (ID) of a reporting component: *
  Type of a reporting component: *
  S_RS_COMP1
  Activity: 03, 16, 22
  Name (ID) of a reporting component: *
  Type of a reporting component: *
  Owner (Person Responsible) for a reporting Component: *
  S_RS_TOOLS
  Logical Command Name: THEMES
  Iu2019ve tested this role, and it works u2013 they can access queries, create workbooks, create permanent model workbooks
  For role 2 u2013 Finance I have     
  S_USER_AGR     
  Activity: 01, 02, 03
  Role Name: ROLE2
  S_RS_ADMWB
  Activity: 03,66
  Data warehousing workbench Object: INFOAREA
  S_RS_ODSO
  Activity: 03
  Infoarea: 0FIGL_ERP
  DataStore Object: 0FIGL_014
  SubObject for ODS Object: *
  S_RS_ICUBE
  Activity: 03, 66
  Infocube SubObject: *
  Infoarea: 0FIAP
  InfoCube: 0FIAP_C02
  S_RS_MPRO     
  Activity: 03
  Infoarea: 0FIN_REP_SIMPL_1_ERP
  MultiProvider: 0FIAP_M20, 0FIAP_M30
  MultiProvider SubObject: *
  I then gave to my test user this 2 roles, and with that user I can still see every infoarea, and access all reports.
  I will have more specific roles u2013 to other areas (SCM, TV, etc), but I chose this one has an example.
  First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
  What objects/restrictions am I missing in role 2?
  Many thanks
  Joana

• Defining BI Power User Role and Authorizations

  We are looking for information/best practices/guidelines pertaining to defining BI Power Users and the appropriate authorizations to attach to this role.  Our Power Users are asking for approval to access several transactions within BI, specifically within RSA1. I am curious to know how you define your power user role(s) and to what extent they have access to BW itself (i.e. BEx, Web Designer, direct access to BW transactions such as listcube, RSA1, RRI, ability to update custom tables, ability to access the data model structure, etc )? Do your power users have access to develop production queries in DEV and test in your QA environment or are they restricted to ad hoc queries in Production? Have you seen any best practices or guidelines from SAP surrounding appropriate authorizations for Power Users? Any information you would be willing to share with us would be most appreciated.

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Is it possible to modify the tag structure tree and the role map via scripting?

  We use unstructured FrameMaker to produce training materials which we distribute as tagged PDF to meet accessibility requirements.
  When FrameMaker creates a tagged PDF, it does a fairly good job of populating the structure based on the PDF setup information for the paragraph formats in the FrameMaker documents. However, there are some limitations in the support that FrameMaker provides. For example, almost all paragraphs are assigned to the P role even if they are headings and should be mapped to H1-H6.
  We want to be able to easily post-process a PDF that has been generated from FrameMaker to fix some of the tag structure issues (including tag names and the role map) so that the PDF will provide the optimum experience for a user of the JAWS screen reader.
  I spent some time reading the SDK documentation but didn't find much information about manipulating a tagged PDF via the API, especially via scripting.
  Does anyone have any examples or references which explain how to do it?

  AFAIK, it's not possible with a script. You might want to ask in the SDK forum, as it could be possible with a plugin.

• Roles and Object queries tab not visible in MBO attribute properties

  Hi,
  We have installed the SUP Personal developer edition 2.0 on a windows 2008 server. I am trying to create a sample application for getting the list of sales orders by using the SAP BAPI. Once I have the MBO in place, I see that I cannot view the 'Roles' and 'Object Queries' tabs in the 'Attributes' section of the MBO properties.
  Does anyone know why this happens? Is it due to configuration issues? Do help me out as we're trying to get a demo working.
  Thanks & Regards,
  Vaishnavi

  Hi Vaishnavi,
  Check whether you have selected "Advanced" mode . You should be able to see it.
  Regards,
  Viju

• RFC Sender - Logon User - What Roles and Authorizations?

  Hi,
  Scenario: RFC Sender --> XI --> JDBC
  What necessary Roles and Authorizations has to be given for Logon User (in Sender RFC Communication Channel).
  It has to be moved to production soon. My Client wants to give only Roles and Authorization that are necessary for the Logon User.
  With Regards,
  Manikandan R

  Hi ,
  U need to give ECC Authorisation
  Application server : ECC Server
  Sytsem no : ECC system number
  Logoon User : ECC any username
  password : password for above user
  clientr : ECC client ( From which client u are sending to RFC adapter)
  Regards,
  Jayasimha jangam