True Role-Based Administration?

I'm sure this has been asked and answered many times, but are there any plans to make the ZCC more iManager-y in terms of Role-Based Administration? I'm trying to create a Report Viewer Role for the Help Desk, and I simply don't want them to be able to click through the rest of the Admin interface. Easy in iManager, why not in ZCC?
Thanks,
Holly

Hnewman,
we've had quite a few enhancement requests for this -
http://support.novell.com/enhancement you might want to add your
"voice"...
Shaun Pond

Similar Messages

  • Difference between ID and Role based Administration - Firefighter 5.3

    In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
    1. Firefighter Role based Administration
    2. Firefighter ID based Administration
    Can someone explain what is the difference between the two?
    I have read the documentation, but it does not have a clear description of the
    differences between the two.
    Please help.
    Thanks

    HI Prakash,
    Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitoring, these differ based on the following:
    1. Firefighter Role based Administration
    You identify a particular role as a firefighter role and give it to the user.
    2. Firefighter ID based Administration
    You create a separate user altogether and give the normal dialog user, the access to this user's authorization.
    For the implication that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of Mock testing for both of these. Also, there are a lot of posts related to this on the forum already, which you can refer to, for getting a more detailed idea on this topic. Ultimately, it depends on organization to organization which methodology they follow as per what suits them, according to features which both have. But generally what is preferred is Number 2.
    Regards,
    Hersh.

  • CSM Role Based Administration

    Does Cisco Security Manager 4.x and Cisco Secure Access Control Server 5.x integrated role based administration has fine-grained control for devices? E.g.,
    * User-a can only manage policy-a for device-a
    * User-b can only manage policy-b for device-b

    ACS 4.2 should allow role-based access, but until the final build of CSM 4.0 is released this cannot be confirmed.
    I am not aware of plans to add the support within ACS 5.x, but you can always engage your Cisco account team to submit a product enhancement request on your behalf.
    Scott

  • Weblogic security & EJB role based access

    How does (or not) weblogic security tie into the EJB notion of role based
    control ? Can we create a 'custom' security mechanism for EJB (which
    basically uses the EJB facilities but extends it within the application) by
    using custom weblogic realms ?
    Thanks
    Raju

    Thanks !
    "Terry" <[email protected]> wrote in message
    news:[email protected]...
    > comments inline
    > r <[email protected]> wrote in message
    > news:[email protected]...
    >> Here are some more specific questions around an 'example' scenario:
    >> The application has an entity bean 'Account' that can be accessed by the
    >> roles 'Bank Employee' and 'Customer'
    >> 'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()'
    >> methods on the 'Account' bean
    >> 'Customer' can execute the 'withdraw()', 'deposit()', and 'getBalance()'
    >> methods on the 'Account' bean
    >> These permissions are set up through the deployment descriptor by mapping
    >> the 'Bank Employee' and 'Customer' roles
    >> to the particular bean methods that the role should be given access to.
    >> 1. How does weblogic provide the facility to map the EJB deployment descriptor
    >> <security-role> to a particular weblogic principal (user or group)
    >> Or, should I say, how do I map the user or group to a
    >> deployment-descriptor defined role?
    > In the deployment tool, once in the jar select the 'Security' item, create
    > an application role (in your case it is probably best to create 2 security
    > roles - the bank employee role referring to the bank employee group (use the
    > 'in role' checkboxes, and the customer role referring to the customer group -
    > there may at some point be use for an allUsers role, which includes both
    > groups, maybe not. What I am saying is that a role is made of a one or more
    > of Principals - in our case groups)
    > In the Account Bean select the method permissions item, and create a method
    > permission perm-0, select the perm-0 item that has just popped up in the
    > left hand window, tick the box for placeOnHold(), and the boxes for <remote>
    > and <home> one level deeper than this in the tree (as an aside, I have
    > absolutely no idea why there would be a 'home' box here, ho hum). Select the
    > 'bank employee' 'can invoke' tickbox
    > Create perm-1, and do what you did above for 'withdraw()' and 'deposit()'
    > methods, and the 'customer' tickbox
    > I believe the documents say you would have to set up another permission to
    > allow both groups access to the getBalance method, but in practice I haven't
    > found this the case.
    > The documentation for this is at
    > http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211
    > (or search for 'Deploying EJBs with DeployerTool'
    >> 2. Are there any administrative tools provided by weblogic to do this
    >> mapping ?
    > The deployer tool. Otherwise I think it's the case of writing your own xml
    > files
    >> 3. How much effort & complexity is involved in creating a custom realm
    > Hmmm, depends - you could have the RDBMSRealm that is provided in 'examples'
    > in half an hour or so (there is a problem with one of the RDBMSUser's
    > methods - getUserType or something like that - the solution can be found in
    > the newsgroups if you search), the same is probably true of the LDAPRealm,
    > NTRealm etc (although I have never used these).
    > Which one you choose depends on what equipment you have available, although
    > I would say that the RDBMSRealm can use a lot of optimisation
    >> Thanks,
    > Welcome
    >> Raju
    >> "Terry" <[email protected]> wrote in message
    >> news:[email protected]...
    >>> The Principals (i.e. groups and users) from your custom realm are used to
    >>> define application roles for the EJBs, but, as far as I am aware you cannot
    >>> use a custom implementation for the ACLs for EJBs
    >>> terry
    >>> r <[email protected]> wrote in message
    >>> news:[email protected]...
    >>>> How does (or not) weblogic security tie into the EJB notion of role based
    >>>> control ? Can we create a 'custom' security mechanism for EJB (which
    >>>> basically uses the EJB facilities but extends it within the application) by
    >>>> using custom weblogic realms ?
    >>>> Thanks
    >>>> Raju
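
    The role-to-method and role-to-principal mappings discussed in this thread, written out as descriptor fragments. This is an added example, not a file posted by either participant; the role names without spaces and the group names `bankEmployees` and `customers` are assumptions made for illustration.

```xml
<!-- ejb-jar.xml, inside <ejb-jar>: roles and method permissions for the
     'Account' bean. Role names are spelled without spaces here
     (assumption of this example). -->
<assembly-descriptor>
  <security-role>
    <description>Staff who may read balances and place holds</description>
    <role-name>BankEmployee</role-name>
  </security-role>
  <security-role>
    <description>Account holders</description>
    <role-name>Customer</role-name>
  </security-role>

  <!-- BankEmployee only: placeOnHold() -->
  <method-permission>
    <role-name>BankEmployee</role-name>
    <method>
      <ejb-name>Account</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>placeOnHold</method-name>
    </method>
  </method-permission>

  <!-- Customer only: withdraw() and deposit() -->
  <method-permission>
    <role-name>Customer</role-name>
    <method>
      <ejb-name>Account</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>withdraw</method-name>
    </method>
    <method>
      <ejb-name>Account</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>deposit</method-name>
    </method>
  </method-permission>

  <!-- Both roles: getBalance(), declared explicitly so the grant is
       visible in the descriptor rather than implied -->
  <method-permission>
    <role-name>BankEmployee</role-name>
    <role-name>Customer</role-name>
    <method>
      <ejb-name>Account</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>getBalance</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- weblogic-ejb-jar.xml, inside <weblogic-ejb-jar>: bind each descriptor
     role to a principal from the realm. Group names are hypothetical. -->
<security-role-assignment>
  <role-name>BankEmployee</role-name>
  <principal-name>bankEmployees</principal-name>
</security-role-assignment>
<security-role-assignment>
  <role-name>Customer</role-name>
  <principal-name>customers</principal-name>
</security-role-assignment>
```

    Binding roles to groups instead of individual users keeps the descriptor stable when staff change; membership is then managed in the realm.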

  • JHeadStart Security problem-error page cannot be found- role based security

    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1, password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator. On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']}. Then I generate the pages (run the jag). The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)” is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

    Thank you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and not by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
    To remind you my steps I paste the following again:
    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1, password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator. On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']}. Then I generate the pages (run the jag). The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)” is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.
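
    The web.xml settings listed in the post above, written out as a descriptor fragment for comparison with the generated file. This is an added example, not the poster's web.xml; the `<auth-constraint>` block and the leading slash on the URL pattern are assumptions, since the post lists neither.

```xml
<!-- web.xml fragment, inside <web-app>. Names come from the post
     (All_pages, jazn.com, customer, administrator). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All_pages</web-resource-name>
    <!-- The post writes the pattern as faces/*; a path-mapping
         url-pattern in the servlet spec starts with '/' and ends
         with '/*' (assumed form used here). -->
    <url-pattern>/faces/*</url-pattern>
  </web-resource-collection>
  <!-- Assumption: both roles may reach the pages; finer checks are
       left to the JHeadstart group and item settings. A constraint
       that has no auth-constraint element does not require the
       caller to authenticate for these URLs. -->
  <auth-constraint>
    <role-name>customer</role-name>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jazn.com</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here; the
     container maps these names to the JAZN roles given to c1 and a1. -->
<security-role>
  <role-name>customer</role-name>
</security-role>
<security-role>
  <role-name>administrator</role-name>
</security-role>
```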

  • OBIEE SSO enabling and role based reporting

    Hi,
    I had installed SOA10.1.3.1.0 and OBIEE10.1.3.4.0 already on my WINDOWS. I understand that I need to install 10.1.4 infrastructure to enable SSO in OBIEE, can you please tell me what is 10.1.4 infrastructure? is it equivalent to Oracle Identity Management Infrastructure and Oracle Identity Federation 10.1.4? I tried to download this from OTN since last night, but the page is always inaccessible. Where can I download 10.1.4 infrastructure except otn?
    I have another question regarding to the role based reporting with SSO. We want users to see different reports based on their roles once they login. What options do we have to implement this? From my understanding, we need to maintain a user role mapping table in our database, create groups in OBIEE and map the user role with the group in OBIEE? Is it true? Are there other options? Is there an existing product we can use to implement this?
    Thanks,
    Meng

    have a look on page 137 and further http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf

  • ADF UIX Role Based Access Control Implementation

    Hi,
    Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
    The application users can be dynamically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
    Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
    Thanks a lot.
    Sathya

    Brenden,
    I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
    If you modelled your security infrastructure in OID rather than the database, an administrator would be able to use the Delegated Administration Service (DAS), a web based console in Oracle Application Server. To configure security this way, you would have two options:
    1. Use J2EE declarative security and configure all your .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working directly with it because Struts actions have a roles attribute.
    The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
    2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
    The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
    1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
    Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
    Two links that you might be interested in to read are:
    http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
    http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but it's a good source of information.
    Frank

  • Role based oracle adf security and filtering data

    while oracle adf security looks great its only role based... does anyone know of any resources describing an architecture where this is used in addition to filtering of data based on say, organization?
    it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...

    Hi,
    it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...
    ADF Security is a JAAS based security implementation to protect resources (like entities). It is not a security provider like OPSS or OID which you can use for user provisioning and self service (if you code against the IDM APIs). ADF Security only checks for whether a user is authenticated and if the user has the permission to perform a task.
    However, you can use groovy to access the security context from Groovy, which allows you to add the authenticated username to a query - for example to filter records out that match the username in one of its attributes.
    For example, you could create a ViewCriteria that for example filters the query by a specific attribute. Say that managers can see data starting from department 10 whereas employees can see data starting from department 100. The ViewCriteria would reference a bind variable with the following default setting
    adf.context.securityContext.isUserInRole('manager')? 10 : 100
    Frank

  • Role based authorisations in the Integration Directory

    We have built a new PI landscape (Pi 7.11) and worked with our security teams to perfect the various roles. I am now attempting to implement role based authorisations in the ESR & ID so that objects in our QAS and PRD environments can be configured but not deleted or created. I have implemented role based authorisations as per the SAP standard process performing the following actions
    Exchange profile com.sap.aii.ib.util.server.auth.activation was set to true and the Java Stack Restarted.
    I created a role in the ID that allowed editing of any object.
    I assigned the role to my userid in NWA useradmin
    I am unable to edit ANY object in the ID
    When I set the Exchange profile parameter to false I found I was able to edit any object in the ID.
    So it's obvious that the Exchange Profile Parameter does make a difference. However, it doesn't appear as if the role I created is being referenced, even though I assigned it to my account in NWA user admin. It looks like I may be missing some exchange profile parameters. I have the following exchange profiles set:
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.ib.server.acl.enable (boolean) true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.ib.server.acl.enable (boolean) true
    Any advice you can offer would be appreciated

    Resolved this issue.
    The documentation is confusing but finally found the answer by referring to the SAP XI 3.0 documentation.

  • Reseeding cache for users with role based security

    I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

    I have created an ibot with the following:
    General - Normal Priority, Personalized (recipient's data visibility)
    Conditional Request - example_report
    Schedule - some schedule
    Recipients - Me(administrator) and User1
    Destinations - Oracle BI Server cache
    when the ibot runs 2 cache entries are created (for the 2 recipients).
    I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
    After the ibot runs:
    When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
    On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
    The User1 has a data level security.
    Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
    Thanks for your inputs.

  • Role based personalization

    Hello,
    I am using Portal 8.1 and want to hide button based on roles defined through Portal
    Administrator. Using Interaction Management feature how could i achieve this.
    Content selectors, user segments and other features uses user properties as a
    search criteria.
    I would like to know is there any built-in portal feature that i can use to achieve
    role based personalization.
    Thanks for ur reply.
    Ajit

    Hi Ajit,
    When you mention 'roles', I'm not sure if you're referring to
    a) User Segments (dynamic classifications of users based on properties and
    other factors)
    or
    b) Entitlement Roles, as defined in the Entitlements section of the WLP
    Admin tools.
    if (a), then you can use the pz:div tag to dynamically show/hide sections of
    a JSP based on whether a user is in the selected user segment. So you could
    show/hide your buttons via this tag.
    if (b), then you can base Entitlement roles on expressions, which can
    include user properties among several other options. Then you could use the
    Entitlement API/taglibs such as auth:isUserInRole to show/hide the buttons
    based on whether the user is in the entitlement role.
    -Steve
    "Ajit" <[email protected]> wrote in message news:40d81d7e$1@mktnews1...
    > Hello,
    > I am using Portal 8.1 and want to hide button based on roles defined through Portal
    > Administrator. Using Interaction Management feature how could i achieve this.
    > Content selectors, user segments and other features uses user properties as a
    > search criteria.
    > I would like to know is there any built-in portal feature that i can use to achieve
    > role based personalization.
    > Thanks for ur reply.
    > Ajit

  • Re: Role based on request.remoteUser being null ?

    Claus,
    You can't test for a null. SP2 (a couple months) includes out-of-the-box
    visitor roles which do exactly what you want. They are based on the magic
    "users" group and can't be directly created via the admin tools.
    -Phil
    "Claus Ljunggren" <[email protected]> wrote in message
    news:3f6880ad$[email protected]..
    > Group,
    > How do I specify null in the role definitions for entitlements?
    > I want to create two roles : loggedIn and notLoggedIn based on the request's
    > remote user property. Looking at the portlet examples the code looks if the
    > remote user is null, but how can I specify this in the role editor in the
    > PortalAppAdmin tool ?
    > /Claus Ljunggren

    That would be reasonable. Add a property and set it true for
    each user. Anonymous profile/non-authenticated (default value) would be
    false.
    Create a visitor role based on the
    property value. The SP2 roles will be much more efficient.
    -Phil
    "Claus Ljunggren" <[email protected]> wrote in message
    news:[email protected]..
    > Phil,
    > Thanks for your answer - so I guess that - in the meantime - we would just
    > use a property on the users property set?
    > /Claus
    > "Phil" <BEA> wrote in message news:[email protected]..
    >> Claus,
    >> You can't test for a null. SP2 (a couple months) includes out-of-the-box
    >> visitor roles which do exactly what you want. They are based on the magic
    >> "users" group and can't be directly created via the admin tools.
    >> -Phil
    >> "Claus Ljunggren" <[email protected]> wrote in message
    >> news:3f6880ad$[email protected]..
    >>> Group,
    >>> How do I specify null in the role definitions for entitlements?
    >>> I want to create two roles : loggedIn and notLoggedIn based on the request's
    >>> remote user property. Looking at the portlet examples the code looks if the
    >>> remote user is null, but how can I specify this in the role editor in the
    >>> PortalAppAdmin tool ?
    >>> /Claus Ljunggren

  • Role based design

    Sorry for posting again but I think this would be a better place to get answers for this kind of a question.
    I am designing a role based community for a small organization. For all these members, the application is going to behave differently based on their roles. e.g a person with an administrative right would get a different lets say operations screen/jsp as compared to somebody with a role of marketing. What I am planning to do is to use the factory pattern for the purpose as follows
                    <<Role>>
            getOperationScreen:String  |<>------------- RoleFactory
            setOperationScreen:void                     $getRole:Role
                       ^
                       |
              +--------+--------+
              |                 |
          AdminRole       MarketingRole
    So what I am planning to do is to get the Role object from the factory based on the profile and define the jsp for the operation screens based on this decision. Most probably in a config file where these configurations can be changed later on if required.
    Could you guys give me some expert opinion on how do you ppl think about it and what improvements or mods would you suggest.

    If you're interested in roles see reply 7 onwards here
    http://forum.java.sun.com/thread.jsp?forum=425&thread=41667&message=2012642#2012783

    Thanx for the reply. I was looking at the role object pattern and that seems to be a good choice in my case. However I do have certain question regarding the implementation. Now as per the role object pattern lets say the Person class is the interface which is to be realized later on. It is implemented by PersonRole and PersonCore. My question is whether these two classes fulfill the is-a relationship between parent and child. Secondly what is that the PersonCore class is supposed to do? and the relationship between PersonRole and PersonCore class is going to be aggregation? Why is it when they are both implementing the same interface.

  • Public/Role Based Lists

    Do you know if/how it is possible to create a new role based list and assign that list to multiple roles (keeping the same/identical name)?
    For example I want to create a list named Open Opportunities. I want to use slightly different criteria and create the same named list for just roles 2 and 3 ... and assign the original one to role 1 only. Can this be done? Seems that the list name must be unique. Is that true?

    Hi,
    Yes the list name has to be unique. You'll need to create different list names here
    Thanks
    Oli @ Innoveer

  • To run OHS at port 80 using solaris role based access control

    Hi.
    I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
    On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
    /etc/user_attr:
    oracle::::type=normal;defaultpriv=basic,net_privaddr
    Change OHS httpd.conf Listen from port 8888 to port 80.
    However, opmnctl startproc process-type=OHS
    failed as below with nothing showing in the diag logs:
    opmnctl startproc: starting opmn managed processes...
    ================================================================================
    opmn id=truffle:6701
    0 of 1 processes started.
    ias-instance id=asinst_1
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ias-component/process-type/process-set:
    ohs1/OHS/OHS/
    Error
    --> Process (index=1,uid=187636255,pid=25563)
    failed to start a managed process after the maximum retry limit
    Thx,
    Ken

    Just to add my two cents here.
    The command used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
    # usermod -K defaultpriv=basic,net_privaddr <your_user_name>
    Restart the opmnctl daemon.
    After that OHS/Apache user can bind to lower TCP ports.
    Regards.
    Edited by: Tuelho on Oct 9, 2012 6:05 AM
