User Attributes & Security role

Hi,
I need to develop HR role for 34 different regions for which I need to develop 34 different roles.
Is there any option like we create a single HR role with * at personal area and can able to control the access through User attributes somewhere outside PFCG?
Please guide.
Thanks,
SAP Consultant

You will have to read the documentation on personalization and which APIs it provides.
This means that your application must support it.
So... you need to tell us more about the application and less about roles, as you do not want to use them for control (you can however also assign personalization keys to roles, however user personalizations take preference.
Note that in contrast to parameter IDs )in case someone mentions them...) the personalizations can only be changed by an admin of the user or the role (S_USER* objects).
PIDs are a preference... only.
Cheers,
Julius

Similar Messages

JDev EA1 Error with JAZN/Security Roles/Authentication

I have a current JSF application created under JDev 10.1.3 Preview which runs fine, but under JDev EA1 it crashes.
The application has a JAZN definition with a realm and user defined. The user is also tied to a security role.
In the web.xml I have a security role defined and security constraints. I also have the security-role-mappings in the orion-application.xml for deployment which uses OID to authenticate.
This all works fine in JDev 10.1.3 preview.
When I run the application in JDev EA1, the login dialog does not appear and the application crashes because it can't authenticate who is using the application. I have deleted and recreated the Jazn user and security roles under EA1.
I have noticed that JDev is now reporting the "<security-constraint>" tag in web.xml is an error now.
Any ideas on what's wrong?
Thanks

We're using SSO, so we haven't written our own login handler. The orion-application.xml has the "<jazn-web-app auth-method="SSO"/>" tag in it. We let SSO handle the login. You can write your own login handler if you wanted to. I think there's several threads about doing it. We wanted to try and use SSO and not have to write the piece to do the login.
orion-application.xml:
<jazn provider="LDAP"
location="ldap://my.company.com:<port number>"
default-realm="my_realm_here">
<jazn-web-app auth-method="SSO"/>
</jazn>
The way we approached it, we have a User and Visit object. The User object just holds some data:
public class User implements Serializable
private String userid;
private String name;
private String email;
private Date loginTime;
The faces-config.xml is like this:

<managed-bean>
<managed-bean-name>user</managed-bean-name>
<managed-bean-class>com.mycompany.User</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
<managed-property>
<property-name>queryService</property-name>
<value>#{queryservicebean}</value>
</managed-property>
</managed-bean>
We're using Spring to inject the "queryservicebean". You may not need this section. We're having to grab data from a database table. So you can probably skip that "<managed-property>" section.
The section I think you are really asking about is the ViewHandler. You probably need to look at extending the ViewHandler to populate your user object.
public class AuthenticatingViewHandler extends ViewHandler{...}
You will probably need to look at adding code in the createView and restoreView methods.
Something like:
public class AuthenticatingViewHandler extends ViewHandler
private final ViewHandler _base;
public AuthenticatingAurepViewHandler(ViewHandler base)
_base = base;
public UIViewRoot createView(FacesContext facesContext, String viewId)
viewId = loadUser(facesContext,viewId);
return _base.createView(facesContext, viewId);
} //END createView(FacesContext facesContext, String viewId)
public UIViewRoot restoreView(FacesContext facesContext, String viewId)
viewId = loadUser(facesContext,viewId);
return _base.restoreView(facesContext,viewId);
} //END restoreView(FacesContext facesContext, String viewId)
--Then "loadUser" would populate your User object:
public String loadUser(FacesContext facesContext, String viewId)
String userId = facesContext.getExternalContext().getRemoteUser();
User user = (User) JSFUtils.getManagedBean(ViewConstants.USER);
-- Set the userid from OID in your User object
user.setUserid(userId);
-- Note: You may need to do some parsing on your user id string from OID.
-- Do more stuff here, may switch to a differnt viewId if needed, like an error page.
return viewId;
} // END loadUser(FacesContext facesContext, String viewId)
} //END AuthenticatingViewHandler
The "JSFUtils.getManagedBean" uses the valuebinding to get the User bean from the FacesContext. We also carry a boolean isUserLoaded in the User object so we're not executing the loadUser code each time a view is rendered. The Visit object just has a navigation trace and other things of interest to us, so you may not care about it.
A lot of this is from Adam Wiener's post on Sun's JSF forum. I think there's a couple of ways to approach this, with our requirements this works out better. If anybody else has any suggestions, it would be great to hear about them.
As always, hope it helps out with what you are doing and thanks for the chocolate.

Dimension security is not working if user have two roles in SSAS while connecting from Excel

Hello Genius,
I am facing the issue when user trying to connect the cube from excel if user have more than one role in ssas db.
Role 1: Countryuser, I have implemented the dimension security with country
dimension and countrycode attribute.
Role 2: CityUser, I have implemented the dimension security with
city dimension and citycode attribute.
If user is mapped to any one of above role dimension security is working perfectly according to the logic but mapped to both role, cube is exposing all the data in this case dimension security is not working.
Please give me the solution to fix this issue or incase I am wrong kindly advice.
Thanks
Ganesh

This is the expected behaviour as allowed sets in roles are unioned together.
This is not a problem when your roles are restricting across a single attribute.
eg.
US_role = {[Geography].[Country].[USA]
France_role = {[Geography].[Country].[France] }
as someone in both roles ends up seeing {[Geography].[Country].[USA], [Geography].[Country].[France] }
But when you have different attributes:
NY_role = {[Geography].[City].[New York] }
France_role = {[Geography].[Country].[France] }
The first role is unrestricted on countries and the second is unrestriced on cities which is effectively:
NY_role = {[Geography].[Country].AllMembers , [Geography].[City].[New York] }
France_role = {[Geography].[Country].[France], [Geography].[City].AllMembers }
And when you union those two sets together you end up with:
{[Geography].[Country].AllMembers , [Geography].[City].AllMembers }
Which means that someone in both roles can see everything.
So if you want to restrict someone to City = New York and Country = France you have to create a
single role where both attributes are restricted. So if you have a lot of these combinations you will either have to create a lot of "combination" roles or look at dynamic security.
The other thing that might work is make sure that you only give some users access to certain cities and others access to certain countries. It's the mixing of the two for a single person that causes the issues.
http://darren.gosbell.com - please mark correct answers

Unable to assign all security roles to a user with a new custom security role

Dear All,
Happy New Year.!
I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
any desired security role to the new user.
However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
to assign some other security roles, including 'Support User Role', to new user 'y'.
I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
Appreciate any help that you can provide on the above issue.
Thanks in anticipation.

Hi,
Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
Refer:-
http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
Hope this helps!!!
Thanks,
Prasad
Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

How can I know the security role of the logged in user

When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
But wondering when I log into my application with some user name and password (specified in my Oracle database),wondering how this works with the security role I created .How does J2EE know the security role of the logged in user.
Thanks
Manohar

shet wrote:
role at run time.
When I login say as "manju" and password as "money" then how does it know that this user belongs to this security role.Is that the j2ee administrator has to say that user manju has this this security role.Programmitically how does it really work.I am confusedThe j2ee implementation assigns the roles using the JAAS module you have configured for your application on your application server. different JAAS modules get roles in different ways. many allow a single static role to be assigned using a config file. if using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

Redirecting user to acustom page depending on security role after glassfish

Hi,
I have a JSF application using glassfish authentication mechanism. I'm planning to use a jdbc realm and form based authentication (I'm using a jsp page to get username and password) . I have 3 different user roles (student, admin and staff)
However I cannot find how to redirect a user to a different page (Ex: staff report page if the logged in user is in the security role staff). I have configured sun-web.xml and web.xml to map the roles and groups. The problem is after authentication the user is always redirected back to the home page, which is the login page. I understand this is how the glassfish authentication works by default. But is there a way to navigate the user to a different page depending on his role.
I'm new to EJB security. Please help me on this subject. Thanks a lot in advance.

Check this blog post, which provides an alternate solution (You can choose the best possible solution based on your use-case).
http://andrejusb.blogspot.com/2007/10/security-in-oracle-adf-and-automatic.html
Thanks,
Navaneeth

User security roles

Hi,
I'm kind of new to setting up security the "right" way in J2EE applications. I was wondering if anyone could offer some help or point me towards some good resources.
I am building a Struts J2EE application on my company's intranet.. I'm using Weblogic 7, on a Windows 2000 box. This application needs to enforce restrictions based on who is accessing the it and their role. I already know the users's NT username by using a JCIFS filter. I use this information to look them up in a database that has their application security access defined (no LDAP yet... still waiting for them to get that going). I know that you can define certain roles in the web.xml and restrict access to resources based on those roles. My question is: In my application, how do I associate a user with a role defined in my web.xml? Also, how (if at all) can I use Weblogic to make things easier? I've found tons of documentation, but nothing with any real life examples, and nothing relating to exactly what I am trying to do. Also, am I going about this the right way? Perhaps there is a simpler solution.
I would appreciate any help.
Thanks,
Ed

for info
java.sun.com/products/jaas/index.jsp
FOr api's it has been integrated with jdk1.4.2
for simple example
http://java.sun.com/security/jaas/doc/module.html

Receiving an error when trying to remove P00 Security role from the user

Hi All,
I am receiving an error when trying to remove P00 Security role from the user.
After logging on to GRC CUP, clicking on u201CCreate requestu201D, and filling out required information,
I click on Select Roles/Groups
On the next screen,
I click on Existing Roles/Groups
ERROR MESSAGE appears X Action failed and no roles appear in the box to select for removal.
Regards,
Vineet

Hi Vineet,
My be your selection is incorrect
Try this
in Applicaiton Area -- Select ALL
Functional Area -
Select ALL
Company -
Select ALL
Role/Profile/Group Names --- Give p00* and execute the report
if you give only p00 it wont give any result
Hope this helps
Thank you,
Kishore

Drilldown depending on the oracle application user's securing attributes

Hi all,
I created a html table and I have a specific column that is allowed to drilldown to details but I would like also make this drilldown be depended on the user's securing attributes. If the person has permission the he will see the value and can enter in details, but if he doesnt have the permission he just see the value.
Any ideas?!?!
Thanks in advanced,
Adolfho

Hi Adolfho,
you could try binding the Read Only attribute of this item/region through SPEL. For example, if you have a profile and need to give permission only to users that have the "Y" value on this profile, you can add this to the select clause of your VO:
SELECT fnd_profile.value("profile_name") = 'Y' AS PROF_VALUE
and then you can put the following expression on the Read only attribute of the region:
${!ProfValue}
You can also do this on the controller by getting a reference to the respective OA Bean and calling setReadOnly(boolean) or setAttribute(READ_ONLY_ATTR, Object)...
Hope it helps
Thiago

Using the SDK to check if user security role membership

Is there any way to check if a user is in a particular security role using the SDK?
I ask because I am considering adding a web based ticket search by ID/key word look-up web service since this function is not part of the Self-Service Portal. I am looking into what it takes to maintain the system's security model or at least limit
the information given to the users. I am thinking that affected users might get some ability to modify their tickets.
I've already built a web portal hosting complex forms for several of our teams where the Self-Service Portal was too limited to collect necessary information. The forms portal already uses the SDK to submit work items directly into Service Manager.
This would be a welcome extension of the web site's capabilities.

Hi,
You may try powershell, here are two PowerShell scripts that use
SMLets to reveal interesting information about user roles in SCSM, please refer to it:
https://gallery.technet.microsoft.com/Service-Manager-SCSM-User-ebcdfcd6
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

How to use security roles in Weblogic server?

Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.

You should read the security information in the Servlet 2.2 specification
that WL 5.1 implements:
http://java.sun.com/products/servlet/download.html
Chapter 11 deals with declarative and programmatic security, and includes a
section on roles:
11.4 Roles
A role is an abstract logical grouping of users that is defined by the
Application Developer or
Assembler. When the application is deployed, these roles are mapped by a
Deployer to security
identities, such as principals or groups, in the runtime environment.
A servlet container enforces declarative or programmatic security for the
principal associated with
an incoming request based on the security attributes of that calling
principal. For example,
1. When a deployer has mapped a security role to a user group in the
operational environment. The
user group to which the calling principal belongs is retrieved from its
security attributes. If the
principal's user group matches the user group in the operational environment
that the security
role has been mapped to, the principal is in the security role.
2. When a deployer has mapped a security role to a principal name in a
security policy domain, the
principal name of the calling principal is retrieved from its security
attributes. If the principal is
the same as the principal to which the security role was mapped, the calling
principal is in the
security role.
Cameron Purdy
http://www.tangosol.com
"Hari" <[email protected]> wrote in message
news:[email protected]..
Hello Gurus,
I am new to Weblogic server and I am trying to investigate how to make
use of security roles in weblogic server (5.1.0). Can anyone point me
to some documentation. Specifically, I am looking for instance level,
and method level security and how to use it.
Thanks for taking your time to read this e-mail.
Thank You all in advance,
Hari.

Map security roles to group within LDAP using external 3rd Party LDAP

I'm haveing a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory succsfully, however after the user is authenticated I get a message from the OC4J container that my role can not be found. Can you map a logical role to group within Active Directory? Below are details about my configuration.
Any help would be greatly appreciated.
Log.xml log entry that confirms webtA is communicating successfully with AD.
SG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
<MESSAGE>
<HEADER>
Error reported in the log
<MESSAGE>
<HEADER>
<TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
<COMPONENT_ID>j2ee</COMPONENT_ID>
<MSG_TYPE TYPE="TRACE"></MSG_TYPE>
<MSG_LEVEL>16</MSG_LEVEL>
<HOST_ID>F2287032-W</HOST_ID>
<HOST_NWADDR>30.30.16.14</HOST_NWADDR>
<MODULE_ID>security</MODULE_ID>
<THREAD_ID>14</THREAD_ID>
<USER_ID>wmgraham</USER_ID>
</HEADER>
<CORRELATION_DATA>
<EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
</CORRELATION_DATA>
<PAYLOAD>
<MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
</PAYLOAD>
</MESSAGE>
Web.xml Logical Role definition
<security-constraint>
<web-resource-collection>
<web-resource-name>allpages</web-resource-name>
<url-pattern>/servlet/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>WEBTA_J2EE_USER</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>WEBTA_J2EE_USER</role-name>
</security-role>
Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
<security-role-mapping name="WEBTA_J2EE_USER">
<group name="webta"/> <-- Group defined in AD -->
</security-role-mapping>

What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

User= Group= SubGroup= Role: Now working when this link is used

Hai,
We are using EP 5.0 with LDAP 7.6 When a user id created it is attached to a group and the group is attached to a role. I introduced a nested group in this link as userid is attached to group, group is attached to sub group and subgroup is attached to role. When i did like this and login to the portal system the roles are not seen in the portal.
Below are the things which i did,
When a user id(Ex : MYTEST1) is created it is attached to a group(Ex : ESS_GE) by the below code.
       String group = "ESS_GE";
       String groupdn = "cn=" + group.toUpperCase() + "," + groupsRoot;
       String userdn = "cn=" + userid.toUpperCase() + "," + peopleRoot;
      // modifications for group and user
      LDAPModification[] modGroup = new LDAPModification[2];
      LDAPModification[] modUser = new LDAPModification[2];
   // Add modifications to modUser
   LDAPAttribute membership = new LDAPAttribute("groupMembership", groupdn);
   modUser[0] = new LDAPModification( LDAPModification.ADD, membership);
   LDAPAttribute security = new LDAPAttribute("securityEquals", groupdn);
   modUser[1] = new LDAPModification( LDAPModification.ADD, security);
    // Add modifications to modGroup
    LDAPAttribute member = new LDAPAttribute("uniqueMember", userdn);
    modGroup[0] = new LDAPModification( LDAPModification.ADD, member);
    LDAPAttribute equivalent = new LDAPAttribute("equivalentToMe", userdn);
    modGroup[1] = new LDAPModification( LDAPModification.ADD, equivalent);
   // Modify the user's attributes
   lc.modify( userdn, modUser);
   // Modify the user's group attributes
    lc.modify( groupdn, modGroup);
Group is attached to a role(EP_GE_USER_ROLE). So the link is User =>Group=>Role which is MYTEST1=>ESS_GE=>EP_GE_USER_ROLE. This linke is working perfectly
I introduced a nested group and changed the link as User=>Group=>Sub_Group=>Role which is MYTEST1=>ESS_GE=>ESS_GE_ONLINE=>EP_GE_USER_ROLE.
After this when I login with the user id MYTEST1 the Roles which are attached to ESS_GE_ONLINE is not shown. Any idea why the roles which are attached to group ESS_GE_ONLINE is not transferred to ESS_GE group. Should I have to add any other LDAP attributes apart from the one which are coded below.
String group1 = "ESS_GE";
String group2 = "ESS_GE_ONLINE";
String groupdn1 = "cn=" + group1.toUpperCase() + "," + groupsRoot;
String groupdn2 = "cn=" + group2.toUpperCase() + "," + groupsRoot;
//Add ESS_GE_ONLINE group to ESS_GE group
LDAPAttribute membership1 = new LDAPAttribute("uniqueMember", groupdn2);
modGroup1[0] = new LDAPModification( LDAPModification.ADD, membership1);
LDAPAttribute security1 = new LDAPAttribute("equivalentToMe", groupdn2);
modGroup1[1] = new LDAPModification( LDAPModification.ADD, security1);
//Add ESS_GE group to ESS_GE_ONLINE group
LDAPAttribute membership2 = new LDAPAttribute("uniqueMember", groupdn1);
modGroup2[0] = new LDAPModification( LDAPModification.ADD, membership2);
LDAPAttribute security2 = new LDAPAttribute("equivalentToMe", groupdn1);
modGroup2[1] = new LDAPModification( LDAPModification.ADD, security2);
lc.modify( groupdn1, modGroup1);
lc.modify( groupdn2, modGroup2);
Thanks & Regards,
H.K.Hayath Basha.

change that to the following and retest:
Joshua Fowler wrote:
I think you're correct. Under the Publish settings of the document, that's what "Class" points to.
Here's the first main section of the code:
package com.anselmbradford
import flash.display.MovieClip;
import flash.events.TimerEvent;
import flash.utils.Timer;
public class Main extends MovieClip
* Create a new CountDown object, listen for updates and pass it the date to countdown to.
public function Main()
var cd:CountDown = new CountDown();
cd.addEventListener( CountDownEvent.UPDATE , _updateDisplay );
cd.init( new Date(2015,3,9,20,00) );
* Update the display.
private function _updateDisplay( evt:CountDownEvent ) : void
Does this look correct?
Thanks again!

How to modify user attributes in Microsoft IAS or Active Directory??

Anyone have an idea?? What I'm trying to do is to authenticate management access to an ACE 4710 against a Microsoft IAS server.
According to the document below:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/aaa.html#wp1519045
it sounds like I need to be able to modify user attributes similar to what I know is doable in ACS. I base my assumption on this because of the following statement in the link above:
"Step 3 Go to the User Setup section of the Cisco Secure ACS HTML interface and double-click the name of an existing user that you want to define a user profile attribute for virtualization. The User Setup page appears.
Step 4 Under the TACACS+ Settings section of the page, configure the following settings:
â¢Click the Shell (exec) check box.
â¢Click the Custom attributes check box.
â¢In the text box under the Custom attributes, enter the user role and associated domain for a specific context in the following format:
shell:<contextname>=<role> <domain1> <domain2>...<domainN>"
Is something like this possible in IAS??
I have the authentication piece working for the ACE however when I login, I'm assigned an ACE defined default role of 'network-monitor' which gives me only read-only access. The way I'm interpreting what needs to be done to resolve this is to have the authentication server send an attribute value that states that the user is in the role 'Admin' in which case I'll have unlimited access to my ACE.
Make sense?? Any thoughts??
Thanks in advance.
-Lloyd

Lloyd,
It is possible via Radius and not TACACS. On the same link if you scroll down, you will see option of doing it via Radius.
"Defining Private Attributes for Virtualization Support in a RADIUS Serve"
Find attached the doc that explains about setting up user attributes on IAS.
Regards,
~JG
Do rate helpful posts

How validate user.attributes in SAML assertation?

Hello!
I'm using WebLogic Server 10.3.6.0 + Oracle Service Bus 11.1.1.6 + Oracle Enterprise Manager 11g.
I deploy my Web Service on Weblogic Server and protect this by OWSM SAML-based policy (now it is oracle/wss_saml_token_bearer_over_ssl_service_policy).
It is working, but some things I don't understand.
My main question: how can I configure to validation of user.attributes in the saml assertation?
For example, inbound requests has 3 attributes in saml assertation tag: role, email and dept.
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance">
<soap:Header>
<wsse:Security>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="Id-0000010a3c4ff12c-0000000000000002"
IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
<saml:Issuer Format="urn:oasis ... WindowsDomainQualifiedName">
TestCA
</saml:Issuer>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis ... WindowsDomainQualifiedName">
TestUser
</saml:NameIdentifier>
</saml:Subject>
<saml:Conditions NotBefore="2005-03-27T15:20:40Z"
NotOnOrAfter="2028-03-27T17:20:40Z"/>
*<saml:AttributeStatement>*
*<saml:Attribute Name="role" NameFormat="http://www.oracle.com">*
*<saml:AttributeValue>admin</saml:AttributeValue>*
*</saml:Attribute>*
*<saml:Attribute Name="email" NameFormat="http://www.oracle.com">*
*<saml:AttributeValue>[email protected]</saml:AttributeValue>*
*</saml:Attribute>*
*<saml:Attribute Name="dept" NameFormat="">*
*<saml:AttributeValue>engineering</saml:AttributeValue>*
*</saml:Attribute>*
*</saml:AttributeStatement>*
</saml:Assertion>
</wsse:Security>
</soap:Header>
<soap:Body>
<product>
<name>Enterprise Gateway</name>
<company>Oracle</company>
<description>Web Services Security</description>
</product>
</soap:Body>
</soap:Envelope>
But I want permit only request's with 4 attibutes (for example, role + email + dept + city) or something like? How I can configure this in OWSM-policy settings or WebLogic settings?
Thanks for any help.

That would be the easiest route but isn't it against the standards to use triggers on tables. I was thinking of doing the validation before the item is created on the page, by customizing the create item and update item pages.
Did anyone work on PIM to do this sort of customization, the pages are all dynamic and are pretty complex, I am not able to figure out where to fit in my validation.

User Attributes & Security role

Similar Messages

Maybe you are looking for