SSO Privileges?

What privileges do I need to grant to a user so that they can view the reports queue when using SSO?
http://host:port/reports/rwservlet/showjobs

Assign the users to the RW_DEVELOPER or RW_ADMINISTRATOR group to enable them to get access to the showjobs privilege.
For information on groups, refer to Section 12.1.1 "Default Reports-Related Groups" in the Publishing Reports to the Web manual available on OTN: http://www.oracle.com/technology/documentation/dev10gR2.html

Similar Messages

  • SSO and how to Manage User Roles/Privileges with Forms using Oracle db

    We are in the process of implementing Oracle Application Server SSO with our custom Forms application using Oracle database -- all 10.2.0.1.0 version.
    In our Forms Applications, we have about a dozen roles we have assigned to various users. We need to identify each user using our Forms because we are using the GLOBAL USER throughout the application.
    Questions:
    -- Do we have to create users/passwords in both OID and application database?
    -- Is there a way to easily manage the user and passwords between SSO and Forms App/database in one place? For example, how does a user change their password once, but actually change it in both the database and SSO?
    Any advice and/or direction would be greatly appreciated.
    Thank you,
    Mika
    Edited by: user11846198 on Sep 1, 2009 1:41 PM
    Edited by: user11846198 on Sep 1, 2009 1:53 PM

    Yes, you can have global roles in the DB and assign these roles to specific OID users, and they will inherit the privileges. You can do this using the Oracle Identity Management Web Tool http://hostname:7777/oiddas; it is not complicated.
    Greetings.

  • Integrating Application Express with SSO

    Hi,
    What's the difference between integrating Apex with SSO as a partner application, and integrating it as an external application. Are there any benefits / drawbacks to either? and in what situation would you use one or the other?
    Thanks,
    Lee

    Hi, I have one more question related to this.
    We are currently considering implementing the following:
    We are designing a system where the majority of users will have read only access to data. The read only users will NOT have to sign into the system in order to use the system at this privilege level. Other users will have to sign in and once they have done so will then be able to edit and access other functions of the system that are not available to regular read only users. Login links will be available on a number of different screens and once logged in they will be returned to the screen from which they logged in.
    We understand that we can use SSO or even Apex's own authentication to achieve this.
    There is also another system built using portal, forms and SSO. Once a user signs into the portal there is a main menu where various links to different applications are available/hidden depending on the OID groups that the user is a part of.
    Ideally we want to be able to provide a link from the portal system to the apex system from the portal main menu. If a user is signed into the portal then they should be able to enter the apex system without the requirement to sign in again, assuming that they have edit privileges for the apex system. However if the user is signed into the portal but they do not have edit privileges we want to be able to display the apex system in read only mode as we would for anybody else who is not an edit user complete with login links.
    Would this be possible using SSO bearing in mind that we do not want to have to create users for the read only users?
    Any help would be greatly appreciated.
    Thanks,
    Lee

  • SSO with AD to DB

    Hi Tim,
    I have question regarding SSO to database (MSSQL).
    I read most of the posts here but found no solution. I configured SSO to infoview from your white paper and this works with no problem.
    To enable SSO to database:
    - in CMC  => "Cache security context (required for SSO to database)" is enabled
    - in krb5.ini  => "forwardable = true" is entered
    - we created SPN => MSSQLSvc/MSCompName.domain.com:1434 BOXISSO (boxisso is "kerberos user")
    - in designer => "use SSO when refreshing reports at view time"
    In infoview I get an error "Login failed to for user NT AUTHORITY/ANONYMOUS LOGON..."
    On the database, are users authenticated as user boxisso or with their AD names? (What privileges are needed on the MSSQL side?)
    Thank you for reply!
    Regards,
    Gregor

    Is the SIA running under a delegated service account (delegation to any service enabled)? Is the SQL DB integrated with AD? and enabled for kerberos? You should verify the latter with Microsoft.
    Also try enabling this on the servers (reporting and SQL) http://support.microsoft.com/kb/262177
    Regards,
    Tim

  • JSP and SSO

    Hi,
    In the oracle database I have my own schema (let's say it is called mySchema) where I have created a package PKG_MINE. The package contains, among others a function getItems which makes queries on portal30 tables. When I execute the code of this function as a procedure (after changing the function into procedure) from portal everything works fine. I wanted to make a call via JSP to that function. It goes without any problem until I make a query on a portal30 table. Then it returns a blank page. I execute the JSP page out of portal. It seems that there is a problem with SSO (the error I get while executing the query as mySchema in SQL*Plus is
    ORA-06510: PL/SQL: unhandled user-defined exception
    ORA-06512: at "PORTAL30.WWCTX_SSO", line 849
    ORA-06510: PL/SQL: unhandled user-defined exception
    ORA-06512: at "PORTAL30.WWCTX_SSO", line 669
    ORA-06502: PL/SQL: numeric or value error
    ORA-06512: at "PORTAL30.WWCTX_SSO", line 935
    ORA-06512: at "PORTAL30.WWCTX_API", line 170
    ORA-06512: at line 1)
    I've searched on the Internet but still found nothing. What am I missing? Does the user mySchema have to have read privileges to read the data from portal30 tables? (there are many of them I use). Do I have to be logged in? (I want to show the results to the public user, not an authorized one)
    I connected to the database both as mySchema and Portal30. With the same results - a blank page.
    I would appreciate any help
    thanks in advance
    Ewa Janiszewska

    Are you using JDBC to connect to the DB in your JSP page? If so, then what is happening is that the JSP-JDBC connection to the database is established independently from the connection through the PL/SQL gateway that Portal uses. It doesn't matter if you are building portlets or how you call the JSP; any time you connect with JDBC you are connecting to the database through a different connection than your Portal connection. And as such, the PL/SQL PDK API has no idea that a portal user is logged in, so the calls to those procedures fail. You will probably find the same exception occurring if you try to run that procedure in SQL Plus. There is no portal context set, so it fails.
    At this point you have 2 options, that I know of.
    1) call this procedure before you call the PLSQL PDK API procedure:
    wwctx_api_private.set_context('portal30','portal30');
    that will trick the API into thinking the portal30 user is logged in. Be careful with that, as it may be a security risk to allow everyone to run as the portal30 user.
    2) a second option is to place all your code in a stored procedure, then from your JSP use a link or a FORM submit to that stored procedure. Because web stored procedures are called through the PL/SQL gateway, they will have access to the Portal session information (that JDBC does not), and should execute those procedures with the proper privilege. One thing to make sure is that the schema that your portal user maps to has privilege to execute the stored procedure you write to access the PDK API.
    At the end of that stored procedure, you can include a call to owa_util.redirect_url to send the user back to the JSP page.
    So the process flow is:
    JSP page submits or links to a PL/SQL stored procedure
    PL/SQL stored procedure calls PDK API functions, then redirects the user to the JSP page (or wherever they need to go)
    I am doing this in an application now and it works pretty well. Let me know if you have any questions.

  • How to make use of SSO login credentials of oracle in Authentication schema using APEX

    Hi
    I am using SSO login for Authorizations. I would like to make use of SSO for creating an authentication schema. I would appreciate it if someone can help me on this. My main requirement is to assign privileges based on users using SSO login.

    Here's an example.
    I create a new application in APEX called Master with Application ID = 100. I modify some templates, create some LOV's in this master template.
    I create a 2nd application in APEX called Subscriber with Application ID = 101.
    In 101 I go to Shared Components => List of Values => Create. Choose to create as a copy of an existing list of values. In the dropdown, I choose Master (100) and click Next. You then are presented with all of the LOV's from your master application. First off you want to change the name from Copy of <LOV> to just <LOV>, more because it is kind of confusing if you don't. In the copy drop-down, this is where you choose Copy and Subscribe.
    The way it works is that once an object subscribes, you always make changes to that object in Master (100), and there is a button to push that change to all subscribing applications. So if you have 30 applications subscribing to that one LOV, you just make the change once, push it to the subscribers and they are now up to date.
    Keep in mind it doesn't work with all objects and only certain objects may be subscribed to. Objects like Application Processes for instance do not have a subscription feature, but you could use packages to keep common logic and just reference the same package anywhere you need it.
    What I ended up doing was to create a master and a subscription application. The subscription template has no actual pages, just subscriptions to templates and LOV's that I need. Whenever I need a new application, I just create a new application as a copy of that subscription application and my subscriptions are already setup for me.
    Check out the documentation and just search for Subscribe or Subscription and it should explain pretty much what I did above.

  • Oracle SSO Warning Helper!!!

    When I tried to configure and deploy the JAZN demo callerInfo of Oracle9iAS R2. I was able to get the SSO login page, but after I type my user info, i.e., "ray/welcome", I got the following message
    "Oracle SSO Warning - Unable to process request
    Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured.
    Please notify your administrator."
    The domain controller of the Windows NetWork is still under NT4, to use the SSO, is it required the domain controller to run Win2k? How can I work around the fully-qualified host name problem?
    Thanks a lot.

    Please use the workaround below.
    For Providergroup, webproviders:
    To create providers etc., you have to give privileges to users in the following XML file:
    <OH>/j2ee/OC4J_Portal/applications/portalTools/providerBuilder/WEB-INF/deployment_providerui/provideruiacls.xml
    To give privilege do the following:
    <providerui xmlns="http://www.oracle.com/portal/providerui/1.0">
      <objectType name="ALL_OBJECTS">
        <object name="ANY_PROVIDER" owner="providerui">
          <user name="orcladmin" privilege="500"/>
          <user name="portal" privilege="500"/>
          <user name="any_provider_manage_user" privilege="500"/>
          <user name="any_provider_edit_user" privilege="400"/>
          <user name="any_provider_execute_user" privilege="300"/>
          <user name="any_provider_create_user" privilege="100"/>
        </object>
        <object name="ANY_PORTLET" owner="providerui">
          <user name="orcladmin" privilege="500"/>
          <user name="portal" privilege="500"/>
          <user name="any_portlet_manage_user" privilege="500"/>
          <user name="any_portlet_edit_user" privilege="400"/>
          <user name="any_portlet_execute_user" privilege="300"/>
        </object>
      </objectType>
    </providerui>

  • Trying to implement fail log in page and SSO

    Hi everyone,
    Currently I'm using Apex 4.0. My app has SSO enabled and is working fine using the domain users to authenticate. When a user tries to log in to the app using his PC and he has the rights to access it, he can use the system without problems. However, there are some users who have their own domain user but share the same PC with other people. In this case, the PC is always on with a generic user for everyone. So if someone tries to access the app (which they have permission to use), the app says "Sorry you don't have enough privileges", because they are using the generic user for that PC and the app is validating that user.
    So here is the deal... I want the 101 Login page to show up in case an invalid user (generic domain usernames) tries to access the app, and give the user the chance to use his/her domain username and password there in order to be able to log in to the app.
    Is there a way I can accomplish this? My app already redirects the generic user to the 101 login page, but I can't make it validate the username and password like the automatic SSO process.
    Hope you can help me!
    Thanks in advance
    -Farid
    Edited by: FuryDev on Aug 29, 2012 9:05 AM

    Actually I'm trying to generate sub pages to Page with some local JSP-portlets.
    Basically I'm using PageBackingContext bean with overriding the constructor. In the constructor I'm trying to dynamically generate those sub pages.
    Can't be quite sure if Page can have direct sub pages, or should I first create sub Book with needed pages... but anyway. I think all those Book/PageControls need to be found somewhere... Although I'm currently trying your PageInstanceControlImpl() approach to see if it works :)
    - Tave -

  • Bi Publisher integration with SSO when users are in separate containers

    Hi,
    We have bi publisher 10.1.3.4 installed and setup to run with oas 10.1.3.3. Bi publisher as such works fine.
    We need to get it integrated with SSO, and for that we have followed the steps in the bipub admin & developer guide, security model section:
    http://download.oracle.com/docs/cd/E12844_01/doc/bip.1013/e12188/T421739T475591.htm#T434695
    In our OID, users are divided into 3 containers:
    l=emea,dc=oracle,dc=com
    l=amer,dc=oracle,dc=com
    l=apac,dc=oracle,dc=com
    If the "Distinguished Name for Users" in the BI security configuration is set to e.g.
    l=emea,dc=oracle,dc=com
    and the admin user is created in the same container l=emea then login works fine for all users in l=emea container. They can login fine and they have the privileges defined in XMLP groups.
    However this means any user in l=apac or l=amer container cannot login.
    I've therefore created a new admin user cn=bipadmin,dc=oracle,dc=com and changed the user search base to be dc=oracle,dc=com. Now as the admin bipadmin user I can login fine and have the privileges as defined in XMLP groups.
    Actual end users are in the l=emea, l=amer,l=apac containers and with the end users I can still login but the privileges are missing. So e.g. I can login as cn=xx.yy,l=emea,dc=oracle,dc=com or cn=aa.bb,l=amer,dc=oracle,dc=com but even though I've granted those users admin privileges the admin tab is not visible.
    Distinguished name for groups has not changed. It has been the same all the time and the XMLP groups exists there:
    cn=cappbb,cn=aitsys,cn=Groups,dc=oracle,dc=com.
    But it seems if User search base is changed to higher level than where the users actually are the privileges are no longer found.
    Is Bi Publisher supposed to search for users only from the container which is defined in the "Distinguished Name for Users" (in this case dc=oracle,dc=com) or is bi publisher supposed to search the users from all the subgroups also under the "Distinguished Name for Users" path?
    If anyone has hit the same issue and has found a resolution please let me know.
    Thanks!
    Nina

    Hi Nina,
    User privileges will work fine even though the user search base is pointing at the higher level...
    In my application I have defined the User search base as,
    Distinguished Name for Users : O=ABC
    And my users are under, 1. ABC---> Users ---> US ---> and 2. ABC ---> Vendors...
    All users are able to log in along with their privileges...
    But in your case, I would want you to recheck the users' group/role mapping...
    Also check whether, if not the admin role, you are at least able to import other groups/roles mapped to the user when you log in...
    I mean any functional roles (other than XMLP*) mapped to the users are imported...
    thanks..
    regards,
    dmaze

  • NAC Guest Server 2.02 SSO

    I have configured IE security, NTP and DNS settings. But SSO isn't working. Are there any gotchas for NAC Guest Server SSO?

    Thanks for this, I was hoping nested groups would be supported.  Because let's face it, that's a pragmatic way of allowing support teams to get elevated sponsor privileges....
    I did suspect that nested groups would be the issue yet there is ZERO documentation to confirm it.  Cheers Cisco!
    Thanks for saving me a TAC case!

  • Migrate Forms 10g stand alone to SSO usage

    Hello,
    Currently we have a Forms stand-alone 10g instance on linux. Due to new business needs we have to use SSO for all provided applications.
    What are the options in our situation.
    Best regards,
    Bert Dondertman
    Netherlands

    Bert,
    the option is to install Forms using the full Application Server and copy your application files - or configure if it is the same server. The reason why you can't enable Forms for SSO in a post-install operation is that the Forms Servlet must register with OID to use a privileged secure access.
    Frank

  • Oracle SSO Warning when creating a Web Provider

    Hi,
    I am getting the following error message when I try to create a new Web Provider in portal:
    Oracle SSO Warning - Unable to process request
    Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured. Please notify your administrator.
    I can only see this message in a Mozilla web browser, IE hangs. I have updated the provideruiacls.xml file to include an entry for my portal user with privilege="500".
    Can anyone help?
    Thanks in advance.

    Please use the workaround below.
    For Providergroup, webproviders:
    To create providers etc., you have to give privileges to users in the following XML file:
    <OH>/j2ee/OC4J_Portal/applications/portalTools/providerBuilder/WEB-INF/deployment_providerui/provideruiacls.xml
    To give privilege do the following:
    <providerui xmlns="http://www.oracle.com/portal/providerui/1.0">
      <objectType name="ALL_OBJECTS">
        <object name="ANY_PROVIDER" owner="providerui">
          <user name="orcladmin" privilege="500"/>
          <user name="portal" privilege="500"/>
          <user name="any_provider_manage_user" privilege="500"/>
          <user name="any_provider_edit_user" privilege="400"/>
          <user name="any_provider_execute_user" privilege="300"/>
          <user name="any_provider_create_user" privilege="100"/>
        </object>
        <object name="ANY_PORTLET" owner="providerui">
          <user name="orcladmin" privilege="500"/>
          <user name="portal" privilege="500"/>
          <user name="any_portlet_manage_user" privilege="500"/>
          <user name="any_portlet_edit_user" privilege="400"/>
          <user name="any_portlet_execute_user" privilege="300"/>
        </object>
      </objectType>
    </providerui>
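
An added example, not part of the original posts and not Oracle's code: a small audit of a provideruiacls.xml in the layout quoted in the reply above, listing accounts that hold privilege 500 without being on an approved list. The sample file contents, the account names jsmith, report_viewer and broken_entry, and the approved list are constructed; the meaning of the numeric levels is only inferred from the placeholder user names in the reply.

```python
import xml.etree.ElementTree as ET

# Namespace taken from the <providerui> element shown in the reply.
NS = {"p": "http://www.oracle.com/portal/providerui/1.0"}

# Levels as suggested by the placeholder names in the reply
# (any_provider_manage_user=500, ..._edit_user=400, ...); an inference, not documentation.
MANAGE = 500

# Constructed sample in the same layout, with extra made-up accounts.
SAMPLE_ACL = """<providerui xmlns="http://www.oracle.com/portal/providerui/1.0">
  <objectType name="ALL_OBJECTS">
    <object name="ANY_PROVIDER" owner="providerui">
      <user name="orcladmin" privilege="500"/>
      <user name="portal" privilege="500"/>
      <user name="jsmith" privilege="500"/>
      <user name="report_viewer" privilege="300"/>
    </object>
    <object name="ANY_PORTLET" owner="providerui">
      <user name="orcladmin" privilege="500"/>
      <user name="portal" privilege="500"/>
      <user name="jsmith" privilege="400"/>
      <user name="broken_entry" privilege="admin"/>
    </object>
  </objectType>
</providerui>
"""


def load_grants(xml_text):
    """Parse the ACL file into (grants, problems).

    grants   -> list of (object_name, user_name, level) with level as int
    problems -> entries with a missing name or a non-numeric privilege,
                reported instead of being silently skipped
    """
    root = ET.fromstring(xml_text)
    grants, problems = [], []
    for obj in root.iterfind("./p:objectType/p:object", NS):
        obj_name = obj.get("name", "?")
        for user in obj.iterfind("p:user", NS):
            name = user.get("name")
            raw = user.get("privilege")
            if not name or raw is None or not raw.strip().isdecimal():
                problems.append((obj_name, name, raw))
                continue
            grants.append((obj_name, name, int(raw)))
    return grants, problems


def unexpected_grants(grants, approved, threshold=MANAGE):
    """Grants at or above `threshold` held by accounts outside `approved`."""
    return sorted(
        (obj, user, level)
        for obj, user, level in grants
        if level >= threshold and user not in approved
    )


if __name__ == "__main__":
    grants, problems = load_grants(SAMPLE_ACL)
    # Assumed approved list: the two seeded accounts named in the reply.
    for obj, user, level in unexpected_grants(grants, {"orcladmin", "portal"}):
        print(f"review: {user} has privilege {level} on {obj}")
    for obj, user, raw in problems:
        print(f"malformed entry on {obj}: name={user!r} privilege={raw!r}")
```

Running it against the real file after each edit gives a quick record of who was granted the top level and catches entries the parser cannot interpret.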

  • NAC authentication SSO crashed after update fixes in Win Server2K3

    NAC 4.7(2) authentication SSO with Active Directory on WinServer2k3 crashed after installing the following fixes:
    KB2478971          KERBEROS WEAK HASHING ALGORITHMS
    This update addresses the vulnerabilities by preventing the use of weak hashing algorithms in both Windows Kerberos and Windows KDC and by preventing the client from downgrading the encryption standard to DES for Kerberos communication between client and server.
    http://www.microsoft.com/technet/security/bulletin/MS11-013.mspx
    KB2478953          ACTIVE DIRECTORY DoS
    The vulnerability could allow denial of service if an attacker sent a specially crafted packet to an affected Active Directory server. The attacker must have valid local administrator privileges on the domain-joined computer in order to exploit this vulnerability.
    http://www.microsoft.com/technet/security/bulletin/MS11-005.mspx
    The NAC solution was working fine for a year, but since my customer installed those fixes we have had trouble authenticating users in NAC; CAM can't read the LDAP tree and neither can CAS. I asked my customer to remove those fixes; they did, but they don't have a snapshot or checkpoint from before to restore the servers.
    We have followed Cisco's tshoot guides but the problem continues...
    Any suggestion?

    Could you please retype ktpass on the Win2003 server? You said CAM crashed; do you find any message in the support log?
    If you need quick support, please open a TAC support case for this issue.
    SongL

  • SSO into Self Care Portal

    Hey techies.
    I hope this is an easy one... I don't mind looking silly for asking...
    We've enabled SSO in our environment just yesterday... part of our Jabber roll-out.  As an unexpected surprise, logging into Call Manager is also now automated, which I like.
    However, the gotcha is logging into the Self Care Portal.  On top of my AD-integrated account, I admin several departmental ON-CALL numbers which are local accounts.
    When I select the portal, SSO takes me directly to my account.  I do not see an option to log in with a local account.
    How can I bypass ADFS in such a case and authenticate with a local account?
    Much obliged,
    Mike

    Hi Juan,
    You can refer to Table 1: Standard Roles and Privileges on Page 4, which says Grant an end user log-in rights to the Cisco Standard CCM End Users Unified Communications Self Care Portal with Standard Role as Standard CCM End Users
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/10_0_1/ccmsys/CUCM_BK_SE5FCFB6_00_cucm-system-guide-100/CUCM_BK_SE5FCFB6_00_cucm-system-guide-100_chapter_0100.pdf
    [+5] to Kevin.
    regds,
    aman

  • Integrating Oracle Applications with Siteminder for SSO.

    We currently have an Oracle Apps implementation with Oracle 9iAS as Application server. We are planning to integrate it in SSO using Netegrity Siteminder.
    Please let me know your thoughts on the following
    1) Additional software or patches that need to be applied at Oracle Application Server level before integrating with Siteminder. Do we need to install Oracle SSO separately or does it come as part of Oracle 9iAS?
    2) Also, how will we implement SSO using Siteminder without OID?
    Any documents on it will help.

    The Netegrity Siteminder Webagent will authenticate to some third party, probably the corporate LDAP. Using Oracle SSO (OSSO) is required and a java plugin needs to be customized. See:
    Oracle® Application Server Single Sign-On Administrator's Guide
    10g Release 2 (10.1.2) < I know different version but doesn't matter
    B14078-02
    Specifically Chapter - 13 Integrating with Third-Party Access Management Systems. That is a minor task.
    Loading OID is a prerequisite, and it needs to contain the users that will need access to the protected resources in the environment. If it's a small number of users, manually maintaining OID utilizing OIDDAS may not be a big deal, but if it is a large number, then this effort is a big deal. Big deal meaning a load utilizing the bulkload utility and a custom job that synchronizes the "Corporate LDAP" with OID. Mapping is important. There is an external dependency on the "Corporate LDAP" folks.
    Another couple of important things to consider:
    1. The seeded users in OID, such as orcladmin, will most likely not be in the "Corporate LDAP", so once Netegrity Simplified Sign On (SSO) comes into play, those users are locked out. Orcladmin is a superuser in OIDDAS. For that reason, server administrators or DBAs that are in OID need to be granted OIDDAS privileges prior to enabling the Netegrity agent to prevent being locked out of that important but sensitive tool. Disabling and re-enabling SSO is as simple as editing 2 config files and bouncing a few things though.
    2. The OIDDAS Password lockout policy will start locking users after 60 days with no warning unless changed. If oidadmin gets locked, the fix is Note:251354.1. Very important to change the policy since it will be handled by the "Corporate LDAP". Note:251354.1 covers this. Basically, using the oidadmin utility, change the "Password Expiry Time" from the default 5184000 to zero "0", which turns off the policy.
    The realms that should be protected on the Netegrity policy server are both infrastructure. 7777/oiddas and 7777/sso need to be protected realms on the policy server. If you have a protected application going to mid-tier applications like 7778/discoverer/viewer, they get redirected to the infrastructure 7777/sso because of the directive in mod_osso.conf. Forms will be protected by the 7777/sso realm as well. On the Netegrity Policy Server, unprotected sub-realms can be created under protected realms.
    The custom java plugin tells Oracle to trust the "Corporate LDAP" for authentication but authorization can still be performed within OID.
    This all sounds difficult but it is really simple. The only part that can get difficult and time consuming is the OID load. Hopefully you get Siteminder DAS access to administer your realms on the Policy server.
    Hope this helps! - Ron
