User Access Security

Similar Messages

• User access security related

  once you define the nodes and then the Task flow how do you link the Task flow to Security Profile created???
  pls help!

  Pl post details of OS, database and EBS versions.
  Have you reviewed the documentation ? http://docs.oracle.com/cd/E18727_01/doc.121/e13477/T7957T7960.htm#43744
  Pl post specifically what step you do not understand - security profiles are linked to responsibilities, not task flows.
  HTH
  Srini

• How to implement Oracle user/role security with Access front end?

  Hi,
  We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
  In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
  We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By during so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, ect. rights to the database.
  I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
  I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
  Can someone give me some assistance or point me in the right direction?
  Thanks in advance,
  Larry

  We had one of our programmers here come up with a VB code solution for re-linking table within Access. However the relinking takes 3-4 minutes for 100+ tables.
  In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
  We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
  We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. Its easy to understand, we have a significant investment in the front end(Obviously, the plan is to migrate the front end also at some future date).
  In order to utilized the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
  The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to object(tables, queries, ect) by their userid and or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once, logged into Access, users have rights to Access objects based on their rights granted to their userid and groups they belong. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
  The dilema is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles(which are similar to Access groups), and again this is independent of Access security.
  Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
  For example, a user BOB logs into Access via the workgroup file, using VB code, Access then establishes a Oracle connection logining into Oracle using the same unique userid BOB into Oracle.
  After connecting and validating user BOB into Oracle, then the Access tables are relinked to Oracle using the user BOB userid and table rights.
  This Oracle userid has been granted table rights specific for this userid.This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
  The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
  Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
  I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
  Larry

• Best Practice - Securing Schema from User Access

  Scenario:
  User A requires access to schema called BLAH.
  User A is a developer that built an application using this schema in a separate development environment, although has the same privileges mirrored to production (same roles etc - required for operation of the application built).
  This means that the User has roles that grant Select, Update etc rights for the schema / table in order to use (and maintain) the applications.
  How can we restrict access to the BLAH schema in PRODUCTION, enforcing it to only be accessible via middle tier / application (proxy authentication?)?
  We've looked at using proxy authentication, however, it's not possible to grant roles and rights to the proxy account and NOT have them granted to the user (so they can dive straight in using development tooling and hit prod etc)>
  We've tried granting it on a session basis using proxy authentication (i.e. user a connects via proxy, an we ENABLE a disabled role on the user based on this connection), however, it causes performance issues.
  Are we tackling this the wrong way? What's the best practice for securing oracle schemas (and objects in general) for user access where the users actually get oracle user account (or even use SSO) for day to day business as usual.
  To me this feels like a common scenario, especially where SSO comes into play ...

  What about situations where we have Legacy Oracle Forms stuff? In these cases the user must be granted select etc rights to particular objects, as this can't connect via a middle tier.
  The problem we have is that our existing middle tier implementation is built expecting the user credentials to be passed to it during initial authentication and does not use a proxy, or super user style account.  We have, historically, been 100% reliant on Oracle rights and controls to validate and restrict access to our underlying data.  From what you are saying, we should start to look at using proxy or super user access and move this control process further up - i.e. into Code or Packages ?  If so, does this mean that there is no specific way to restrict schema access to given proxy accounts and then grant normal user accounts to connect through these to get access (kind of a delegated access scenario), without using disabled roles?

• Converting a pre-Access 2000 database w/ user-level security to Access 2010

  Hi -
  An old database was passed down to me and I'm tasked with converting it so that we can use it with Access 2010. Sounds simple. However, I'm blocked in every attempt that I make to convert, export, and, in some cases, modify the database, due to not
  having the "appropriate permissions". We (my manager and I) do not know the original owner, and we do not have the original workgroup file. I've had our IT guy check to make sure I am the system admin on my machine in hopes of that making a
  difference - I was even able to create new workgroups and add and remove users to and from those groups but when I tried to convert (or save) the database, write some vba code behind the database, create and save new forms, or even update certain tables,
  I'm told to contact my system administrator or original owner of the object about giving me the "appropriate permissions" to do either of those things. I'm out of ideas here. I've even had a team of people contribute ideas as to how I can get around
  this. I cannot even convert this old database (which is in .mdb format, fyi) to an MDE. Is there any way that the user-level protection can be removed from this database? I'm hoping for an alternative other than to start over from scratch.

  Hi,
  As you said that the .accdb format does not support replication or user-level security, we need to use the MDB format in Access 2010. Please try to follow the steps to remove the user-level protection:
  1.Start Microsoft Access, and log on as a member of the Admins group.
  This can be the administrator account that you created when you secured the database, or it can be any member of the Admins group. Be sure that you’re using your own security-enhanced workgroup information file when starting Access.
  2.Open the database.
  3.On the Tools menu, point to Security, and then click User And Group Permissions.
  4.In the User And Group Permissions dialog box, assign full permissions to the Users group for the database and all the objects in the database.
  Because all users are automatically part of the Users group, this step has the effect of concealing security again.
  5.Click the Users tab, click Admin in the Name box, and then click Clear Password.
  Clearing the password for the Admin user disables the Logon dialog box that is displayed when you start Access. All users are automatically logged on as the Admin user the next time they start Access. This step disables the Logon dialog box for all databases
  that are using the same workgroup information file.
  6.Restart Access.
  7.Create a new database, and then import all objects from the security-enhanced database.
  You can accomplish this easily by using the Import command (File menu, Get External Data submenu).
  Quote From:
  http://office.microsoft.com/en-ca/office-2000-resource-kit/removing-user-level-security-HA001138118.aspx
  Regards,
  George Zhao
  TechNet Community Support

• APO Security to control the users access

  Hi,
  Is there any possibility to control the users access by controlling through selection ID's or does it possible through any of the product lines (Characteristics)?
  My requirement is I have to control all the APO DP users in various levels of Product lines and the access has to be granted at specific product level. Right now I am trying do through selection ids, but I am looking for more effective way.
  Please help me with your views.
  Thank you in advance!
  Jegan

  Hi Jegan,
                There are so many security objects in DP that you can try out and see if they meet your requirement.
  The way I understand your issue is to restrict user by certain products or BW characteristics.
  To control by Products, try the object  C_APO_PROD with activity APO_PROD (Product Identifier). You can select specific products here for each role and restrict by either display, change, execute, delete etc.
  If you want to restrict by BI characteristics, try  object S_RS_AUTH.
  Be careful with this as you are selecting BI objects, the system restricts them even if they are remote part of your work.
  If you have to restrict by specific product levels like all product lines, I am not sure how to do it but you can certainly try searching based on keyword "PROD".
  Please let us know if you discover something useful.

• Access security denied user.dir and jaxp.debug

  Hi all,
  I have a big problem. I must provide an applet at lots of clients but I can't set their java.policy file.
  The process must be transparency of them.
  Then I can't use signed applet.
  When I launch my applet, I have a exception :
  access security denied user.dir and jaxp.debug
  My exception came when I use the class XPathAPI from jakarta.
  Thanks.

  Did you ever find a solution? I am having the same problem and would really appreciate any help that you can give.
  Thanks in advance.

• Way to allow the user access to the saved lists of this Z report

  We have a Z report that we want to run at midnight each Sunday and then view the output/layout first thing Monday morning. We can schedule the report to run but it appears that the only way we can save the output as a 'file' for later viewing is by using the "Save with ID" option, which puts the output into a SAP 'saved list'.
  The problem with this is that it doesn't appear to be possible to access that list from the Z-report - it would appear that you have to go into SQ01 and use the 'saved list' button. This means giving the Z- report user access to SQ01 as well as Z-report, which, for security (SOD) reasons we don't want to do.
  We can run the report in foreground with the output option "File store" and save the output as a file to a specified location,. But this option doesn't appear to be available when the report is scheduled as a background job. If this is done, the background job runs but there's no output anywhere, as far as we can tell.
  So what want is to run the report in background but with the output option 'File store' or equivalent (i.e. an output stored somewhere that the report user can view). Is this not possible, or have we missed something in setting up the report run?
  Or is there a way to allow the user access to the saved lists of this Z report without giving them T-code SQ01?
  Thanks

  Hi !
  I just wonder if the answer from Varishtb below did solve your propblem.
  I have exactly the same problem as you. I also want to be able to look at the saved list without using the sq01.
  If you solved it I will be grateful to get the solution.
  regards Lars
  answer:
  You can call the infoset query directly from a transaction code. There's
  no need to copy it as a 'Z-report' (or as a custom report). In fact,
  everytime you're copying an infoset query to a report, you're calling
  for problems the next time you face an upgrade. (That is because SAP
  changes the internal logic used to handle the infosets queries from
  version to version)
  We're using some infoset queries and they work fine this way.

• Can't Access Secure (HTTPS) Sites On One Account, FF or Safari???

  Hello Mac Fans
  First let me say I'm new to Mac. On one account I can't access secures sites like I can in the admin account. This may be a function of rights but am not sure? All updates have been done.
  I can't login to this forum, my MobileMe account or my bank for example. I had to change to my other account or gasp, use a PC to post this message.
  I installed FireFox trying to isolate the problem to Safari but that didn't pan out, I can't get to HTTPS pages in FF either.
  I turned off Little Snitch thinking I might have denied something by mistake but that didn't help. I checked the rules and found nothing that wasn't allowed.
  Nothing was changed in the router. I just turned on Mac and it worked. The iMac is connected to the router via ethernet cable.
  I've used the search function and tried a few things that have been recommended for others but they didn't help me. I went to the keychain and did a repair, although it didn't find any problem. I over rode a couple keys to always allow them (Apple site stuff) and I ran the disk utility to no avail.
  For reference I will post the information for both Safari and FF.
  Safari:
  Safari can’t open the page “https://support.apple.com/cgi-bin/WebObjects/ACAuthWeb.woa/wa/login?
  appIdKey=2ddbca23a85d20e5bf7478812379ae23&path=/login.jspa%3FsuccessURL%3D/index .jspa” because Safari can’t
  establish a secure connection to the server “support.apple.com”.
  Safari can’t open the page “https://www.mln'sbank.com/” because Safari can’t establish a secure connection to the server
  “www.mln'sbank.com”.
  Safari can’t open the page “https://auth.apple.com/authenticate?service=DockStatus&realm=primary-
  me&returnURL=aHR0cDovL3d3dy5tZS5jb20vd28vV2ViT2JqZWN0cy9Eb2NrU3RhdHVzLndvYS93YS9 0cmFtcG9saW5l&destinationU
  rl=” because Safari can’t establish a secure connection to the server “auth.apple.com”.
  FireFox:
  The connection was interrupted
  The connection to support.apple.com was interrupted while the page was loading.
  * The site could be temporarily unavailable or too busy. Try again in a few
  moments.
  * If you are unable to load any pages, check your computer's network
  connection.
  * If your computer or network is protected by a firewall or proxy, make sure
  that Firefox is permitted to access the Web.
  I've done a lot of snooping around on this forum and have ran out of ideas so now I must ask for help.
  Thanks
  Message was edited by: MLN1963

  I think I may have found the problem. It's embarrassing to find it minutes after posting the message yet I tried to solve it off and on for three days! My brother who is a 20 year Mac user has been trying to help me too. I guess it's true what they say... sometimes it's better to be lucky than good. LOL
  I turned off the parental controls. What I don't understand is that the no website restrictions box was checked. To me this means I should be able to go to any site I wanted. Can anyone explain why I couldn't got to a HTTPS page on a parental controlled account even though there were no restrictions placed on it?
  It's late and I need sleep. I'll leave this open for now until I have more time to test it.

• User access at IO level

  I have 2 OUs-- OU1 and OU2.
  OU1 has 1 inv org-- IO11
  OU2 has 2 inv orgs-- IO21 and IO22.
  I will define responsibilities at IO level, i.e., 3 responsibilities for an application --R11(for IO11), R21 (for IO21) and R22 (for IO22).
  I want to restrict user access at the IO level.So, R21 should access only IO21 and not IO22. Same for R22.
  What will be the value of the following profile options in order to achieve this? My BG name is Set up business Group.
  MO:Operating unit
  MO:security profile
  HR:security profile
  HR:business group

  Hi,
  Try with organization access.
  Guess the above 4 profiles wil help you to restrict at OU level only.
  Hope this helps.
  tks
  M J

• WebLogic 10.3.0 WLI Domain - Microsoft AD administrator user access issue.

  Hi SOA Experts,
  We are facing issue of getting noaccess exception on console (below) when doing datasource testing using Microsoft AD administrator user. The same works fine when testing using WLS embedded LDAP administrator user in WLI domain. In plain WLS 10.3.0 domain (without WLI) with same Microsoft AD configuration they do not see this issue, they are able to successfully test data source using both embedded WLS administrator and Microsoft AD administrator user.
  I enabled security ATN and ATZ debug flags and below is my observation.
  In plain WLS 10.3.0 domain I see that default weblogic administrator user in embedded LDAP is part of administrators group. Microsoft AD administrator user is part of Administrators group from MS AD.
  Whereas in WLI domain I see that default weblogic administrator user is part of Administrators & IntegrationAdministrators groups. In WLI domain Administrators group is again part of IntegrationAdministrators group (below is debug logs).
  Below is Plain WLS Domain Debug log
  ####<Dec 6, 2010 5:20:14 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)
  '> <<WLS Kernel>> <> <> <1291674014123> <BEA-000000> < Subject: 2
  Principal = weblogic.security.principal.WLSUserImpl("weblogic")
  Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
  Below is WLI Domain Debug Log
  <> <1291669863989> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  ####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
  <> <1291669863989> <BEA-000000> < Subject: 3
  Principal = weblogic.security.principal.WLSUserImpl("weblogic")
  Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
  Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
  The issue of Microsoft AD administrator user not able to test datasource in WLI domain seems to be happening because of IntegrationAdministrators group which comes by default with WLI domain (in plain WLS domain we do not have this group). Looks like the datasource which is being created in WLI domain seems to be being treated as WLI resource and user accessing it is being checked if it part of IntegrationAdministrators group. In this case weblogic default administrator user is part of IntegrationAdministrators, for which we do not see issue where as Microsoft AD administrator user which is not part of IntegrationAdministrators seems to be having problem.
  Below is snipper of Microsoft AD administrator user in Debug logs
  ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
  <> <1291670011687> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
  <> <1291670011687> <BEA-000000> < Subject: 2
  Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
  Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
  Also one more observation about datasource which is created is in plain WLS & WLI domain created datasource resource type is shown as “jdbc” which is expected, but in addition in WLI domain I observe that created datasource resource type is marked as JMX and DS is being considered as application (below), not sure if this has something to do with the issue.
  Below is WLS domain debug log, below you can see that datasource is being treated as JDBC resource which is expected.
  ####<Dec 6, 2010 5:21:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291674063776> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<jdbc>, application=, module=, resourceType=ConnectionPool, resource=testDS, action=reserve>
  Below is WLI domain debug log, below you can see that datasource is being treated as application and it says resource type as JMX
  ####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
  I created user in embedded LDAP in WLI domain with same name as MS AD administrator user and assigned it to Administrators group, that obviously works but is not acceptable solution.
  Below is exception thrown on console when testing datasource using Microsoft AD administrator user.
  weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[MSADAdminUser, Administrators], on Resource weblogic.management.runtime.JDBCDataSourceRuntimeMBean Operation: invoke , Target: testPool at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy92.testPool(Unknown Source) at com.bea.console.actions.jdbc.datasources.testjdbcdatasource.TestJDBCDataSource.begin(TestJDBCDataSource.java:114) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:870) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306) at
  - BoyelT

  This issue has been resolved.
  The problem of Microsoft active directory administrator user not able to test the datasource in WLI domain is caused because of IntegrationAdministrators group & IntegrationAdmin role which comes in WLI domain. Assigning the Microsoft Administrator group to IntegrationAdmin role from WebLogic console has resolved the issue.
  Below are steps for assigning the MS AD administrator group to IntegrationAdmin role from console in WLI domain.
  ======================================================
  - Login to console and click on "Security Realms" and "myrealm"
  - Go to "Roles and Policies" tab and expand "Global Roles" tree and "Roles" tree view under it.
  - Click on "View Role Conditions" link for "IntegrationAdmin" role.
  - Click on "Add Conditions" button select Group (default) for "Predicate List" drop down box and click Next button.
  - Specify MS AD admin group name for "Group Argument Name" text box and hit on Add button.
  ======================================================
  - BoyelT
  Edited by: BoyelT on Dec 20, 2010 1:36 PM

• Allowing unauthenticated users access to gatewayed pages - problem

  Hi,
  I was trying to allow the Guest user access to a specific gatewayed page. For this, I followed the instructions posted here: [ALUI 6.1 Anonymously Access Gatewayed Page|http://forums.oracle.com/forums/thread.jspa?threadID=902777&tstart=0].
  But when I try to access that gatewayed page as guest, the portal throws a permissions exception several times in the process, followed by a redirect to the SSO.
  The curious thing about this is that the exception says that "Current User does not have sufficient permission to object with id = 2". That object is exactly the Guest user object!
  There must be something wrong in my setup, but I can't figure out what it is.
  Below is the exception. Any idea?
  6-25-2009 9:42:45.207 Warning Core ********OEL4.5.1.root [ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)' com.plumtree.server.impl.core.PTBase *** PTBase.ThrowException *** (-2147024891) Current User does not have sufficient permission to object with id = 2
  com.plumtree.server.marshalers.PTException: -2147024891 - Current User does not have sufficient permission to object with id = 2
  at com.plumtree.server.impl.core.PTBase.ThrowException(PTBase.java:86)
  at com.plumtree.server.impl.core.PTBaseObjectManager.VerifyObjectAccess(PTBaseObjectManager.java:1638)
  at com.plumtree.server.impl.core.PTBaseObjectManager.Open(PTBaseObjectManager.java:769)
  at com.plumtree.server.impl.community.CommunityInfoCacheEntry.Initialize(CommunityInfoCacheEntry.java:90)
  at com.plumtree.server.impl.community.CommunityInfoCache.InternalCreateObject(CommunityInfoCache.java:75)
  at com.plumtree.server.impl.core.PlumtreeObjectCache.FindOrCreateObjectInsecure(PlumtreeObjectCache.java:181)
  at com.plumtree.server.impl.core.PlumtreeObjectCache.FindOrCreateObjectCheckSecurity(PlumtreeObjectCache.java:223)
  at com.plumtree.server.impl.community.CommunityInfoCache.FindCommunitySecured(CommunityInfoCache.java:135)
  at com.plumtree.server.impl.community.PTCommunityInfo.GetSecuredCommunityInfoCacheObj(PTCommunityInfo.java:712)
  at com.plumtree.server.impl.community.PTCommunityInfo.<init>(PTCommunityInfo.java:61)
  at com.plumtree.server.impl.community.PTCommunityManager.CachedOpenCommunityInfo(PTCommunityManager.java:584)
  at com.plumtree.server.impl.portlet.providers.CSPPortletProvider.GetCanSetCommunity(CSPPortletProvider.java:1289)
  at com.plumtree.server.impl.portlet.providers.CSPPortletProvider.GetContentInternal(CSPPortletProvider.java:1114)
  at com.plumtree.server.impl.portlet.providers.CSPPortletProvider.GetContent(CSPPortletProvider.java:926)
  at com.plumtree.server.impl.webservice.PTGadgetGateway.GetContentInternal(PTGadgetGateway.java:318)
  at com.plumtree.server.impl.webservice.PTGadgetGateway.GetContent(PTGadgetGateway.java:352)
  at com.plumtree.portalpages.browsing.gateway.GatewayControl.CheckActionSecurityAndExecute(GatewayControl.java:264)
  at com.plumtree.uiinfrastructure.interpreter.filter.utils.GatewayHandlers.HandleGatewayRequest(GatewayHandlers.java:232)
  at com.plumtree.uiinfrastructure.interpreter.filter.GatewayFilter.PreFilter(GatewayFilter.java:54)
  at com.plumtree.uiinfrastructure.interpreter.Interpreter.DoPreFilter(Interpreter.java:1786)
  at com.plumtree.uiinfrastructure.interpreter.Interpreter.HandleRequest(Interpreter.java:234)
  at com.plumtree.uiinfrastructure.interpreter.Interpreter.DoService(Interpreter.java:155)
  at com.plumtree.uiinfrastructure.web.XPPage.service(XPPage.java:306)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
  at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
  at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
  at com.plumtree.binarygateway.BinaryGatewayFilter.doFilter(BinaryGatewayFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(Unknown Source)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:172 <ptLogMsgEnd>
  Thank you

  i'm not saying this is what it is...(hopefully its not), but there are certain folders that you absolutely can't remove the everyone user from... i think Plumtree is an expert on this.
  have you been 'locking down' your portal recently?

• UNABLE TO ACCESS SECURED EJB USING IIOP FROM JSP

  Following codes does not work with IIOP when called from jsp returns an
  com.sap.engine.services.iiop.CORBA.CORBAObject:com.sap.engine.services.iiop.server.portable.Delegate_1_1@8312b1 step2 RemoteException occurred in server thread; nested exception is: java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create(). at
  Following codes does not work with IIOP when called from a fat client returns an
  org.omg.CORBA.UNKNOWN:   vmcid: 0x0  minor code: 0 completed: Maybe
          at com.sun.corba.se.internal.core.UEInfoServiceContext.<init>(UEInfoServ
  iceContext.java:33)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstruct
  orAccessorImpl.java:39)
          at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingC
  onstructorAccessorImpl.java:27)
          at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
          at com.sun.corba.se.internal.core.ServiceContextData.makeServiceContext(
  Properties p = new Properties();
  p.put(Context.INITIAL_CONTEXT_FACTORY,
  "com.sun.jndi.cosnaming.CNCtxFactory");
  p.put(Context.PROVIDER_URL, "iiop://hostname:50007");
  p.put(Context.SECURITY_PRINCIPAL, "User");
  p.put(Context.SECURITY_CREDENTIALS, "pass");
  I have add java option to add IIOP filer
  -Dorg.omg.PortableInterceptor.ORBInitializerClass.com.sap.engine.services.iiop.csiv2.interceptors.SecurityInitializer
  Solution Required: Could you please detail me what steps in need to perform in order for me to access secure ejb using iiop protocol.
  FYI -- How ever ejb security works with P4 protocol, If required i can send you the test case ear.
  Thanks
  Vijay
  Following are the server side logs
  java.rmi.RemoteException: com.sap.engine.services.ejb.exceptions.BaseRemoteException: User Guest does not have access to method create().
       at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:91)
       at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
       at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
       at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
       at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
       at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
  Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
       at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
       at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
       ... 20 more
  ; nested exception is:
       java.lang.SecurityException: com.sap.engine.services.security.exceptions.BaseSecurityException: Caller not authorized.
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:608)
       at com.sap.engine.services.security.resource.ResourceHandleImpl.checkPermission(ResourceHandleImpl.java:505)
       at com.sap.engine.services.security.resource.ResourceContextImpl.checkPermission(ResourceContextImpl.java:45)
       at test.TestEJBHomeImpl0.create(TestEJBHomeImpl0.java:89)
       at test._TestEJBHome_Stub.create(_TestEJBHome_Stub.java:214)
       at jsp_testIIOP1199698887113._jspService(jsp_testIIOP1199698887113.java:33)
       at com.sap.engine.services.servlets_jsp.server.jsp.JspBase.service(JspBase.java:112)
       at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:544)
       at com.sap.engine.services.servlets_jsp.server.servlet.JSPServlet.service(JSPServlet.java:186)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
       at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
       at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
       at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
       at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
       at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
       at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
       at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
       at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

  That's the code that you need to execute but you should
  probably encapsulate that code in Custom Action.
  Orion has a EJB Tag Library that is free to distribute that
  does all that stuff you just set some attributes.
  Go to their site and look at their Tag Libraries.
  Also look for other Tag Libraries Freely Available for EJB Access.

• User access

  How to give the new user access  for Hyperion Planning application.Please provide any document  for application access.

  Here is the EPM security admin guide: Overview of Shared Services Console
  In particular you may want to look at http://docs.oracle.com/cd/E57185_01/epm.1112/hss_security_user_role/ch09.html

• User Based Security in Power BI (Power Pivot / Power View)

  I am looking for a way to implement User based security (based on user access needs to restrict data) for my Power BI reports. Is there any way implement this kind of security. We have this support in traditional OLAP cube by creating roles and manage them
  at different dimensional data.
  Any help would be highly appreciated.

  Hello,
  You want to implement this functionality using the Power BI Preview or using the Power BI reports integrated in an application?
  Hugs!
  Bruno Destro
  Dicas de programação em .net, C# e SQL - http://smcode.com.br/blog.aspx