User Roles Problem

Hello VMM Geeks,
I am using SCVMM 2012 R2 with Update Rollup 4. I have configured User Roles for each service group (like Exchange-Admins, SCCM-Admins, SCOM-Admins, etc.), assigned the Self-Service user rights for each User Role, and added the respective service accounts for each User Role in the Members tab.
I have not added the User IDs, but the service accounts for each user role.
I installed the VMM Console on the desktops of users. Now, when the users log in to the console through ‘Use current Microsoft Windows session identity’, it opens a small Select User Role window (Select the user role you would like to use for this session), which shows the drop-down options for all the configured user roles. When any user chooses the Administrator (VMM default) user role, the user gets connected to VMM with all administrative privileges.
This is a crucial security threat as any user is able to easily login to VMM with all administrative privileges.
Following are the members of Administrator user role:
NT AUTHORITY\SYSTEM
CONTOSO\DomainAdmins
CONTOSO\SCVMM_Admin
CONTOSO\VMM_Node1$
CONTOSO\VMM_Node2$
CONTOSO\VMM_ServiceCluster$
CONTOSO\VMM_CNO$
When the users login using their designated service accounts, it works fine and VMM shows only their assigned VMs. But the thing is that I cannot restrict the users from logging on the VMM console with Administrator user role.
Please help and advise me ASAP.
Regards,
Hasan Bin Hasib

Thanks Madam. I will install the UR 5 today.
I have a confusion and would be thankful if you please help me.
After completing the installation of VMM 2012 R2, I directly installed UR 4 (skipping UR 1, UR 2, and UR 3). I thought that all the features/fixes of UR1, UR2 and UR3 would also be incorporated in UR4. So I want to ask: do I need to install all the previous Update Rollups (UR1, UR2, and UR3)?
Please advise.
Thank you.
Regards,
Hasan Bin Hasib

Similar Messages

  • User Role problems in Sun Java Application Server Platform Edition 8

    I am having two problems setting up user roles in Sun Java Application Server Platform Edition 8. At first, I thought that it was a problem with the higher level features that I was using, so I created a very simple example using the simplest authentication I can use, but the problem still occurs. I am using the file realm and configuring the users in the App Server Admin Console. I create 2 users in different roles. One user should have access, the other should not.
    1) The first problem is that both users can access the page
    2) The second problem is that the isUserInRole() method returns false for both users with the role that it should be authenticating against.
    Here is a sample of my code:
    Users Configured in Console:
    username password roles
    user1 ********** admin
    user2 ********** noaccess
    web.xml
         <security-role>
              <role-name>admin</role-name>
         </security-role>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>My Protected Area</web-resource-name>
                   <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>admin</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>file</realm-name>
         </login-config>
         <servlet>
              <servlet-name>
                   TestServlet
              </servlet-name>
              <servlet-class>
                   mypackage.TestServlet
              </servlet-class>
              <security-role-ref>
                   <role-name>admin</role-name>
                   <role-link>admin</role-link>
              </security-role-ref>
         </servlet>
         <servlet-mapping>
              <servlet-name>
                   TestServlet
              </servlet-name>
              <url-pattern>
                   /TestServlet
              </url-pattern>
         </servlet-mapping>
    TestServlet.java:
              out.println("admin role: " + request.isUserInRole("admin") + "<BR/>");
    Thanks beforehand for any responses.
    - Brian

    Hi Jeanfrancois,
    Your suggestion has led me to find my problem. There were actually three problems.
    1) First, your suggestion to reorder my xml file did not cause any errors to occur. I got suspicious that my web.xml file was wrong. I looked at some sample web.xml files and found that I was missing the header as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
    2) When I added this information, the deploy feature failed, stating that my web.xml file was out of order. I fixed the ordering. It now deployed, but the security still wasn't working.
    3) I then added the sun-web.xml file. This file was missing beforehand as I thought it was unnecessary. However, this file added the essential mapping from a role to a group. After adding this, it now started to work.
    Thanks so much for your time and effort. You really did help me.
    - Brian Blank
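
The three fixes described in this thread (DOCTYPE header, DTD element order, role-to-group mapping in sun-web.xml) can be checked before deployment. The Python check below is an added example, not code from the thread; the descriptors embedded in it are constructed from the posted fragments, and the `<web-app>` wrapper and the group name `admin` in sun-web.xml are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Top-level child order required by web-app_2_3.dtd, the DTD named in the thread.
DTD_23_ORDER = [
    "icon", "display-name", "description", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "taglib", "resource-env-ref", "resource-ref", "security-constraint",
    "login-config", "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]


def _roles(root, path):
    """Collect the stripped text of every element matched by an ElementPath."""
    return {e.text.strip() for e in root.findall(path) if e.text and e.text.strip()}


def check_descriptors(web_xml, sun_web_xml=None):
    """Return findings for the three problems described in the thread."""
    findings = []
    # Problem 1: without the DOCTYPE header the descriptor is not validated.
    if not re.search(r"<!DOCTYPE\s+web-app\b", web_xml):
        findings.append("web.xml: missing web-app DOCTYPE header")
    # These are your own build artifacts; use a hardened parser for untrusted XML.
    root = ET.fromstring(web_xml.encode("utf-8"))
    # Problem 2: the 2.3 DTD fixes the order of top-level elements.
    tags = [child.tag for child in root]
    for tag in sorted(set(tags) - set(DTD_23_ORDER)):
        findings.append(f"web.xml: <{tag}> is not a web-app 2.3 element")
    known = [t for t in tags if t in DTD_23_ORDER]
    if known != sorted(known, key=DTD_23_ORDER.index):
        findings.append("web.xml: top-level elements are not in DTD order: "
                        + ", ".join(known))
    # Problem 3: every constrained role must be declared and mapped.
    constrained = _roles(root, "./security-constraint/auth-constraint/role-name") - {"*"}
    declared = _roles(root, "./security-role/role-name")
    for role in sorted(constrained - declared):
        findings.append(f"web.xml: role '{role}' is not declared in <security-role>")
    mapped = set()
    if sun_web_xml is not None:
        sun_root = ET.fromstring(sun_web_xml.encode("utf-8"))
        for mapping in sun_root.findall("./security-role-mapping"):
            targets = _roles(mapping, "./group-name") | _roles(mapping, "./principal-name")
            if targets:  # a mapping with no group or principal grants nothing
                mapped |= _roles(mapping, "./role-name")
    for role in sorted(constrained - mapped):
        findings.append(f"sun-web.xml: role '{role}' is not mapped to a group or principal")
    return findings


# Constructed sample input, assembled from the fragments posted in the thread.
HEADER = ('<?xml version="1.0" encoding="UTF-8"?>\n'
          "<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' "
          "'http://java.sun.com/dtd/web-app_2_3.dtd'>\n")
SECURITY_ROLE = "<security-role><role-name>admin</role-name></security-role>\n"
CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>file</realm-name></login-config>
"""
SERVLET = """<servlet>
  <servlet-name>TestServlet</servlet-name>
  <servlet-class>mypackage.TestServlet</servlet-class>
  <security-role-ref><role-name>admin</role-name><role-link>admin</role-link></security-role-ref>
</servlet>
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name><url-pattern>/TestServlet</url-pattern>
</servlet-mapping>
"""
# As posted: no header, security elements ahead of the servlet elements.
AS_POSTED = "<web-app>\n" + SECURITY_ROLE + CONSTRAINT + SERVLET + "</web-app>"
# After fixes 1 and 2: header added, elements in DTD order.
FIXED = HEADER + "<web-app>\n" + SERVLET + CONSTRAINT + SECURITY_ROLE + "</web-app>"
# Fix 3: sun-web.xml maps the role to a file-realm group (group name assumed).
SUN_WEB = """<sun-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>
</sun-web-app>"""

if __name__ == "__main__":
    for label, args in [("as posted", (AS_POSTED,)),
                        ("header and order fixed", (FIXED,)),
                        ("with sun-web.xml", (FIXED, SUN_WEB))]:
        print(label, "->", check_descriptors(*args) or "no findings")
```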

  • Admin + User Roles Setup Problems

    Further to my addition to Monique's post below (mepriestly) ,
    I have now managed to get as far as setting up the Admin and
    Publisher roles and sending a connection key to my client but
    Contribute cannot seem to complete the final step of saving these
    shared settings to my server.
    The result is now an error message saying the Admin settings
    are invalid and it wants to remove all user roles and preferences
    from the system...problem being it's already taken me a week to get
    this far!
    Any help/advice would be hugely appreciated.
    Thank you,
    KaTy

    FraggleFeatures wrote:
    > Further to my addition to Monique's post below (mepriestly), I have now
    > managed to get as far as setting up the Admin and Publisher roles and sending a
    > connection key to my client but Contribute cannot seem to complete the final
    > step of saving these shared settings to my server.
    >
    > The result is now an error message saying the Admin settings are invalid and
    > it wants to remove all user roles and preferences from the system...problem
    > being it's already taken me a week to get this far!
    >
    > Any help/advice would be hugely appreciated.
    >
    > Thank you,
    >
    > KaTy
    >
    Have you moved your website from one computer (webroot location) to another computer? Was there a difference in the IP configuration of the machine when it got rebooted where Contribute is hosted? If so, then you need to go to websiteroot\_mm\*.csi, open this file and ensure that any http://<servername>/location/ has the proper IP address in the <servername> in the URL, wherever it appears in the entire file.
    Hope this helps.

  • Problem while loading security information (users/roles) from repository

    IViews have stopped connecting to our MDM. All repositories, all IViews. Very strange.
    Here is what I see in the logs... Any ideas? Please, only if you have seen this before.
    Marty
    com.sap.mdm.extension.MetadataException: Problem while loading security information (users/roles) from repository 'PORTAL_CUSTOMERS'
    at com.sap.mdm.extension.MetadataManager.loadRoleCache(MetadataManager.java:559)
    at com.sap.mdm.extension.MetadataManager.internalGetRoleSet(MetadataManager.java:502)
    at com.sap.mdm.extension.MetadataManager.getRoleSet(MetadataManager.java:471)
    at com.sap.mdm.extension.MetadataManager.createMetadataKey(MetadataManager.java:464)
    at com.sap.mdm.extension.MetadataManager.getRepositorySchema(MetadataManager.java:197)
    at com.sap.mdm.uwl.MdmUwlConnector.createUserSessionContext(MdmUwlConnector.java:1463)
    at com.sap.mdm.uwl.MdmUwlConnector.new_retrieveItems(MdmUwlConnector.java:546)
    at com.sap.mdm.uwl.MdmUwlConnector.getItems(MdmUwlConnector.java:129)
    Caused by: com.sap.mdm.commands.CommandException: com.sap.mdm.net.ConnectionException: java.io.IOException: Unexpected socket read.  Result is -1.
    at com.sap.mdm.security.commands.GetUserListCommand.execute(GetUserListCommand.java:72)
    at com.sap.mdm.extension.MetadataManager.loadRoleCache(MetadataManager.java:526)
    Caused by: com.sap.mdm.net.ConnectionException: java.io.IOException: Unexpected socket read.  Result is -1.
    at com.sap.mdm.internal.protocol.manual.AbstractProtocolCommand.execute(AbstractProtocolCommand.java:102)
    at com.sap.mdm.security.commands.GetUserListCommand.execute(GetUserListCommand.java:69)
    at com.sap.mdm.internal.net.DataSocket.receiveData(DataSocket.java:62)
    at com.sap.mdm.internal.net.ConnectionImpl.readInt(ConnectionImpl.java:497)
    at com.sap.mdm.internal.net.ConnectionImpl.readInt(ConnectionImpl.java:490)
    at com.sap.mdm.internal.net.ConnectionImpl.nextMessage(ConnectionImpl.java:629)
    at com.sap.mdm.internal.net.ConnectionImpl.receiveMessage(ConnectionImpl.java:572)
    at com.sap.mdm.internal.net.ConnectionImpl.send(ConnectionImpl.java:233)
    at com.sap.mdm.internal.protocol.manual.AbstractProtocolCommand.execute(AbstractProtocolCommand.java:99)
    com.sap.mdm.commands.CommandException: com.sap.mdm.net.ConnectionException: java.net.SocketException: There is no process to read data written to a pipe.

    Early this month we upgraded the MDM server to:
    MDM Server version: 5.5.63.57
    And the portal components:
    MDM 5.5 SP06 Technology Patch 3 (Build 5.5.63.57)
    MDM 5.5 SP06 Application Patch 3 (Build 5.5.63.57)
    MDM 5.5 SP06 Java API Patch 3 (Build 5.5.63.57)
    However, the issue just began 2 days ago?
    We started integrating MDM Workflow with UWL and assigned Roles and IViews to the Universal Worklist Configuration.
    It seems the IViews work for a while and then after some time everything gives up? Very confounding.
    And yes, we are using standard IViews (Search, Result and Detail).
    Thanks
    Edited by: Marty Monroe on Oct 31, 2008 3:07 PM

  • Problem with a calculated member browsing cube with a specific user role

    Good evening to all of you .
    I am not a newbie about SSAS nor an expert developer.
    I use SSAS 2008 R2 Standard Edition.
    I try to simplify my problem with a calculated measure.
    I have a CUBE with :
    [Measures].[Sales Amount]
    Dimension STORES - Dimension CUSTOMERS - Dimension DATE
    I have also 2 user roles :
    Direction Role can see all members of all dimensions.
    Customize Role has a restriction on Dimension STORES: it can see only one STORE of all (suppose there are 100 stores).
    A user that has the Customize Role, when browsing the cube in Excel, wants to see, for a specific CUSTOMER, the Sales Amount of his own STORE but also the total Sales Amount of ALL STORES for that customer...
    Is it possible to do that?
    Can you give any suggestion, also using the Adventure Works cube?
    I was able to create a calculated measure like the one below.
    It does not work... It gives the same result as Sales Amount.
    It seems that the Customize Role always wins over every kind of calculated measure I need to create.
    i.e  SUM([STORES].[STORES].[ALL STORES],[Measures].[Sales Amount])
    Thanks in advance.

    Hi maretix,
    According to your description, you have a customize role which limits the user so that he can only see data about his own STORE. Now this user wants to see the total Sales Amount for his own STORES only. Right?
    In Analysis Services, when granting custom access to dimension data, there is an option "Enable Visual Totals" in Advanced dimension security. By default, the VisualTotals property is disabled (set to False). This default setting maximizes performance because Analysis Services can quickly calculate the total of all cell values, instead of having to spend time selecting which cell values to calculate. So you always get the same result, which is the total for all STORES.
    In this scenario, please select this option. When you enable the VisualTotals property, your custom role can only view aggregated totals for dimension members to which the role has permission.
    Reference:
    Grant custom access to dimension data (Analysis Services)
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou
    TechNet Community Support

  • Problem assigning internet user Role through portal

    Hi All,
    Please could someone help me with the following:
    I am creating a registration process that creates a new CRM Business partner with contact person and internet user roles. When I run the BAPI from within CRM everything works fine; however, when I run my JSP dynpage application and call the same BAPI, the internet user that I create does not have any of the logon details or roles. Does anyone know why this is? I am using the same user when running in CRM and the portal.
    Many thanks in advance
    Calvin

    Hi Sunil,
    Thanks for your reply. Answers to your questions:
    1. Yes, all portal users are maintained and have the same roles as CUA users. Portal authenticates against CUA.
    2. Yes, the user is created correctly on the backend. I have created a BAPI that creates users and BPs and assigns roles. This BAPI works perfectly when run in CRM, but as soon as it is accessed via the portal the internet user role does not have all the required information.
    Many thanks
    Calvin

  • How to hide custom fields in Shopping cart depening on user role

    Hi,
    We have some custom fields in the shopping cart for the basic view. Everything works fine. Now the client is asking to hide all the custom fields based on user role.
    I found some function modules to find roles. Now my main problem is that I am unable to find the custom field's screen field name.
    When I tried to find the screen field name using BBPSC02/03, it gives 'GT_DISPLAY_100-FIELD'. If I try to use this field, it is not working.
    Could you please tell me how to find the custom screen field name to hide in the shopping cart?
    Thanks,
    Ram

    Hi Ram,
    As Laurent suggested, to hide the custom fields based on the user role, you need to implement the logic in BADI "BBP_CUF_BADI_2".
    You have the importing parameter IV_USER in this BADI.
    Pass this parameter to tables AGR_USERS and AGR_USERT to get the user role
    OR
    use FM: BAPI_USER_GET_DETAIL
    with USERNAME = user ID, and you can retrieve Table: ACTIVITYGROUPS, Field: AGR_NAME.
    If you want it the other way around,
    you can also use FM: RSRA_USERS_OF_AGR_GET
    with I_AGR_NAME = role, and you can retrieve Table: ACTIVITY_GROUPS_USERS, Field: UNAME (user ID).
    Then check the value for the user role as obtained using the above steps and accordingly set the property for the custom fields to hide them.
    BR,
    Deepti.

  • Pull User Role from identity manager in BPM process

    Hi,
    How can I pull the user name and user role from a different identity manager in order to configure a hierarchy workflow in a BPM process? Can anyone guide me on that?
    Regards,
    Amik

    I'm having the same problem on WebLogic 10.3

  • OIA : Import Users, Accounts, User Role Memberships and Entitlements

    Hi,
    I have integrated OIM 11.1.1.5 with OIA 11.1.1.5. I am trying to execute the scheduled job in OIA "Import Users, Accounts, User Role Memberships and Entitlements",
    which in turn invokes other scheduled jobs. Some of them are:
    OIM Staging Tables Collection: status Failed with the following exception
    Accounts imported from OIM staging table: status In progress for more than 2 hours
    Please provide pointers to resolve this:
    11:06:15,915 DEBUG [RbacxDataImporterImpl] --> imported 28 metadata items StopWatch 'import Attribute Value Metadata': running time (millis) = 0
    11:06:15,917 INFO [IamDbEntitlementImportHelperImpl] Imported 28 entitlements
    11:06:15,917 DEBUG [DBIAMSolution] publishing import completed event...
    11:06:15,917 DEBUG [AuthenticationEventsListener] Listening application event
    11:06:15,917 DEBUG [DefaultIAMListener] Queuing IAM Event.com.vaau.rbacx.iam.IAMEvent[source=com.vaau.rbacx.iam.db.DBIAMSolution@133e9a5e]
    11:06:15,917 DEBUG [IamDbEntitlementImportHelperImpl] Completing import run id ---> 31
    11:06:15,917 DEBUG [DefaultJobMonitor] MonitorMap{status=3, totalCount=28, currentCount=28, iamType=ENTITLEMENTS IMPORT}
    11:06:15,917 DEBUG [DefaultJobMonitor] MergedMap{status=3, totalCount=28, currentCount=28, iamType=ENTITLEMENTS IMPORT}
    11:06:15,917 DEBUG [DBIAMSolution] Importing Users
    11:06:15,918 DEBUG [DefaultJobMonitor] MonitorMap{status=6, totalCount=0, currentCount=0, iamType=DATA IMPORT}
    11:06:15,918 DEBUG [DefaultJobMonitor] MergedMap{status=6, totalCount=0, currentCount=0, iamType=DATA IMPORT}
    11:06:15,918 DEBUG [IamDbUserImporterImpl] DBUsers Import Start ...
    11:06:15,918 DEBUG [DBIAMSolution] publishing import starting event...
    11:06:15,918 DEBUG [AuthenticationEventsListener] Listening application event
    11:06:15,918 DEBUG [DefaultIAMListener] storing new ImportRun
    11:06:15,918 DEBUG [SequenceGeneratorServiceImpl] Getting MemorySequence for sequence name com.vaau.rbacx.iam.domain.ImportRun
    11:06:15,918 DEBUG [SequenceGeneratorServiceImpl] Returning count for sequence name com.vaau.rbacx.iam.domain.ImportRun, count = 32
    11:06:15,920 DEBUG [SequenceGeneratorServiceImpl] Getting MemorySequence for sequence name ImportRunStepId
    11:06:15,920 DEBUG [SequenceGeneratorServiceImpl] Returning count for sequence name ImportRunStepId, count = 32
    11:06:15,924 DEBUG [IamDbUserImporterImpl] Starting import run id ---> 32
    11:06:15,987 ERROR [IamDbUserManagerImpl] Problem retrieving IAM userIds from db
    *org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [null]; error code [0];*
    --- The error occurred in com/vaau/rbacx/iam/db/dao/ibatis/maps/IamDbUser.xml.
    --- The error occurred while executing query.
    --- Check the select id from oia_staging_users .
    --- Check the SQL Statement (preparation failed).
    --- Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException:
    --- The error occurred in com/vaau/rbacx/iam/db/dao/ibatis/maps/IamDbUser.xml.
    --- The error occurred while executing query.
    --- Check the select id from oia_staging_users .
    --- Check the SQL Statement (preparation failed).
    --- Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:83)
         at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
         at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:212)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.executeWithListResult(SqlMapClientTemplate.java:249)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:296)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:290)
         at com.vaau.rbacx.iam.db.dao.ibatis.SqlMapIamDbUserDao.findAllUserIds(SqlMapIamDbUserDao.java:48)
         at com.vaau.rbacx.iam.db.manager.IamDbUserManagerImpl.getUserIds(IamDbUserManagerImpl.java:48)
         at com.vaau.rbacx.iam.db.helpers.IamDbUserImporterImpl.readUsers(IamDbUserImporterImpl.java:78)
         at com.vaau.rbacx.iam.db.DBIAMSolution.doDataLoad(DBIAMSolution.java:547)
         at com.vaau.rbacx.iam.db.DBIAMSolution.loadData(DBIAMSolution.java:284)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.dataLoad(RbacxIAMServiceImpl.java:510)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy132.dataLoad(Unknown Source)
         at com.vaau.rbacx.scheduling.executor.iam.DbIamJobExecutor.execute(DbIamJobExecutor.java:83)
         at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:534)
    Caused by: com.ibatis.common.jdbc.exception.NestedSQLException:
    --- The error occurred in com/vaau/rbacx/iam/db/dao/ibatis/maps/IamDbUser.xml.
    --- The error occurred while executing query.
    --- Check the select id from oia_staging_users .
    --- Check the SQL Statement (preparation failed).
    --- Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryWithCallback(MappedStatement.java:201)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryForList(MappedStatement.java:139)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:578)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:552)
         at com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl.queryForList(SqlMapSessionImpl.java:118)
         at org.springframework.orm.ibatis.SqlMapClientTemplate$3.doInSqlMapClient(SqlMapClientTemplate.java:298)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:209)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.executeWithListResult(SqlMapClientTemplate.java:249)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:296)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:290)
         at com.vaau.rbacx.iam.db.dao.ibatis.SqlMapIamDbUserDao.findAllUserIds(SqlMapIamDbUserDao.java:48)
         at com.vaau.rbacx.iam.db.manager.IamDbUserManagerImpl.getUserIds(IamDbUserManagerImpl.java:48)
         at com.vaau.rbacx.iam.db.helpers.IamDbUserImporterImpl.readUsers(IamDbUserImporterImpl.java:78)
         at com.vaau.rbacx.iam.db.DBIAMSolution.doDataLoad(DBIAMSolution.java:547)
         at com.vaau.rbacx.iam.db.DBIAMSolution.loadData(DBIAMSolution.java:284)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.dataLoad(RbacxIAMServiceImpl.java:510)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy132.dataLoad(Unknown Source)
         at com.vaau.rbacx.scheduling.executor.iam.DbIamJobExecutor.execute(DbIamJobExecutor.java:83)
         at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
         ... 1 more
    Caused by: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at oracle.ucp.util.UCPErrorHandler.newSQLException(UCPErrorHandler.java:541)
         at oracle.ucp.jdbc.PoolDataSourceImpl.throwSQLException(PoolDataSourceImpl.java:588)
         at oracle.ucp.jdbc.PoolDataSourceImpl.startPool(PoolDataSourceImpl.java:277)
         at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:647)
         at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:614)
         at oracle.ucp.jdbc.PoolDataSourceImpl.getConnection(PoolDataSourceImpl.java:608)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.vaau.commons.springframework.aop.interceptor.DataSourceInterceptor.invoke(DataSourceInterceptor.java:65)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy131.getConnection(Unknown Source)
         at org.springframework.jdbc.datasource.DataSourceUtils.doGetConnection(DataSourceUtils.java:113)
         at org.springframework.jdbc.datasource.TransactionAwareDataSourceProxy$TransactionAwareInvocationHandler.invoke(TransactionAwareDataSourceProxy.java:210)
         at $Proxy118.prepareStatement(Unknown Source)
         at com.ibatis.sqlmap.engine.execution.DefaultSqlExecutor.prepareStatement(DefaultSqlExecutor.java:519)
         at com.ibatis.sqlmap.engine.execution.DefaultSqlExecutor.executeQuery(DefaultSqlExecutor.java:173)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.sqlExecuteQuery(MappedStatement.java:221)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryWithCallback(MappedStatement.java:189)
         at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryForList(MappedStatement.java:139)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:578)
         at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(SqlMapExecutorDelegate.java:552)
         at com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl.queryForList(SqlMapSessionImpl.java:118)
         at org.springframework.orm.ibatis.SqlMapClientTemplate$3.doInSqlMapClient(SqlMapClientTemplate.java:298)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:209)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.executeWithListResult(SqlMapClientTemplate.java:249)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:296)
         at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForList(SqlMapClientTemplate.java:290)
         at com.vaau.rbacx.iam.db.dao.ibatis.SqlMapIamDbUserDao.findAllUserIds(SqlMapIamDbUserDao.java:48)
         at com.vaau.rbacx.iam.db.manager.IamDbUserManagerImpl.getUserIds(IamDbUserManagerImpl.java:48)
         at com.vaau.rbacx.iam.db.helpers.IamDbUserImporterImpl.readUsers(IamDbUserImporterImpl.java:78)
         at com.vaau.rbacx.iam.db.DBIAMSolution.doDataLoad(DBIAMSolution.java:547)
         at com.vaau.rbacx.iam.db.DBIAMSolution.loadData(DBIAMSolution.java:284)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.dataLoad(RbacxIAMServiceImpl.java:510)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy132.dataLoad(Unknown Source)
         at com.vaau.rbacx.scheduling.executor.iam.DbIamJobExecutor.execute(DbIamJobExecutor.java:83)
         at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractJob.execute(AbstractJob.java:72)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
         ... 1 more
    Caused by: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource
         at oracle.ucp.util.UCPErrorHandler.newUniversalConnectionPoolException(UCPErrorHandler.java:421)
         at oracle.ucp.util.UCPErrorHandler.newUniversalConnectionPoolException(UCPErrorHandler.java:389)
         at oracle.ucp.jdbc.DriverConnectionFactoryAdapter.createConnection(DriverConnectionFactoryAdapter.java:134)
         at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.createOnePooledConnectionInternal(UniversalConnectionPoolImpl.java:1613)
         at oracle.ucp.common.UniversalConnectionPoolImpl$UniversalConnectionPoolInternal.access$600(UniversalConnectionPoolImpl.java:1421)
         at oracle.ucp.common.UniversalConnectionPoolImpl.createOnePooledConnection(UniversalConnectionPoolImpl.java:488)
         at oracle.ucp.common.UniversalConnectionPoolImpl.addNewConnections(UniversalConnectionPoolImpl.java:988)
         at oracle.ucp.common.UniversalConnectionPoolBase.getInitialConnections(UniversalConnectionPoolBase.java:541)
         at oracle.ucp.common.UniversalConnectionPoolBase.start(UniversalConnectionPoolBase.java:655)
         at oracle.ucp.jdbc.PoolDataSourceImpl.startPool(PoolDataSourceImpl.java:271)
         ... 51 more
    Caused by: java.sql.SQLRecoverableException: IO Error: Invalid number format for port number
         at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:419)
         at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:538)
         at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:228)
         at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
         at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
         at oracle.ucp.jdbc.DriverConnectionFactoryAdapter.createConnection(DriverConnectionFactoryAdapter.java:130)
         ... 58 more

    Hi Pallavi,
    I have the same problem; can you provide me with more specific details?
    - The exact oimjdbc.properties location, please?
    - What exactly do I have to modify?
    Thanks in advance!

  • Export / import tablespace with all objects (datas, users, roles)

    Hi, I have a problem or question on the topic of export / import of a tablespace.
    On the one hand, I have a database 10g (A) and on the other hand, a database 11g (B).
    On A there is a tablespace called PRO.
    Furthermore 3 Users:
    PRO_Main - contains the data - Tablespace PRO
    PRO_Users1 with a role PRO_UROLE - Tablespace PRO
    PRO_Users2 with a role PRO_UROLE - Tablespace PRO
    Now, I want to transfer the whole tablespace PRO (including users PRO_MAIN, PRO_USER1, PRO_User2 and the role PRO_UROLE) from A to B.
    On B, I've created the user PRO_Main and the tablespace PRO.
    On A, I execute the following statement:
    expdp PRO_Main/XXX TABLESPACES=PRO DIRECTORY=backup_datapump DUMPFILE=TSpro.dmp LOGFILE=TSpro.log
    On B:
    impdp PRO_Main/XXX TABLESPACES=PRO DIRECTORY=backup_datapump DUMPFILE=TSpro.dmp LOGFILE=TSpro.log
    Result:
    The User PRO_Main was imported with all the data.
    But I'm missing PRO_USER1, PRO_User2 and the role PRO_UROLE...
    I assume I've used the wrong parameters in my expdp and/or impdp.
    It would be nice if anybody could give me a hint.
    Thanks in advance.
    Best Regards,
    Frank

    When you do a TABLESPACE mode export by specifying just the tablespaces, then all that gets exported are the tables and their dependent objects. The users, roles, and the tablespace definitions themselves don't get exported.
    When you do a SCHEMA mode export by specifying the schemas, you will get the schema definitions (if the schema running the export is privileged) and all of the objects that the schema owns. The schema does not own roles or tablespace definitions.
    In your case, you want to move
    1. schemas - which you already created 1 on your target database
    2. roles
    3. everything in the tablespaces owned by multiple schemas.
    There is no single export/import command that will do this. This is how I would do this:
    1 - move the schema definitions
    a. you can either create these manually or
    b1. expdp schemas=<your list of schemas> include=user
    b2. impdp the results from b1.
    2. move the roles
    expdp full=y include=role ...
    remember, this will include all roles. If you want to limit what gets exported, then use:
    include=role:"in ('ROLE1', 'ROLE2', ETC.)"
    impdp the roles just exported
    3. move the user information
    a. If you want to move all of the schema's objects like functions, packages, etc, then you need to use a schema mode export
    expdp user/password schemas=a,b,c ...
    b. If you want to move only the objects in those tablespaces, then use the tablespace export
    expdp user/password tablespaces=tbs1, tbs2, ...
    c. import the dumpfile generated in step 3
    impdp user/password ...
    Hope this helps.
    Dean

  • Modify Script to Create User Role on Single Database.

    Hi All,
    Below is the script to create a user role on a database. The problem is that when I execute this script, it creates the user role on all databases within the instance, and I want it to create the user role on only 2 databases, say TEST1 and TEST2.
    Can anyone help me to modify the script?
    --===================================================================================
    -- Description
    -- Database Type: MSSQL
    -- This script creates a role called 'gdmmonitor' for ALL databases.
    -- It grants some system catalogs to this role to allow Classification and Assessment on the database.
    -- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
    -- before running this script
    --  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
    --  This sqlguard login doesn't need to be added to any database or given
    --  any privilege.  The script will take care of that.
    --  Note:
    --   If you wish to use a different login name (instead of 'sqlguard') you need to change
    --   the value of the variable '@Guardium_user' in the script below; 
    --   (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
    -- after running this script
    -- Nothing to do, the script already creates the db user
    -- User/Password to use
    -- User: sqlguard (or any other name, if changed)
    -- Pass: user defined
    -- Role: gdmmonitor
    --===================================================================================
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Creating role: "gdmmonitor" at the server level.'
    PRINT '>>>==================================================================>>>'
    -- Change to the master database
    USE master
    -- *** If a different login name is desired, define it here. ***
    DECLARE @Guardium_user AS varchar(50)
    set @Guardium_user = 'sqlguard'
    DECLARE @dbName AS varchar(256)
    DECLARE @memberName AS varchar(256)
    DECLARE @dbVer AS nvarchar(128)
    SET     @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
    SET     @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
    IF (@dbVer = '8') SET @dbVer = '2000'
    ELSE IF (@dbVer = '9')  SET @dbVer = '2005'
    ELSE IF (@dbVer = '10')  SET @dbVer = '2008'
    ELSE IF (@dbVer = '11')  SET @dbVer = '2012'
    ELSE SET @dbVer = '''Unsupported Version'''
    IF (@dbVer != '2000')
    BEGIN
      -- This privilege is required to perform a specific MSSQL test.
      -- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key) 
      -- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop 
      -- Purpose: To display provider property, not changing anything.
      PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
      EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
    END
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if they exist
    CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT count(*) FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the role gdmmonitor on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.spt_values     TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysconfigures  TO gdmmonitor
    GRANT SELECT ON dbo.sysdatabases   TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syslogins      TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    -- Grant execute privileges to the role for MSSql Common
    PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
    GRANT EXECUTE ON sp_helpdbfixedrole    TO gdmmonitor
    GRANT EXECUTE ON sp_helprotect         TO gdmmonitor
    GRANT EXECUTE ON sp_helprolemember     TO gdmmonitor
    GRANT EXECUTE ON sp_helpsrvrolemember  TO gdmmonitor
    GRANT EXECUTE ON sp_tables             TO gdmmonitor
    GRANT EXECUTE ON sp_validatelogins     TO gdmmonitor
    GRANT EXECUTE ON sp_server_info       TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects           TO gdmmonitor
      GRANT SELECT ON sys.database_permissions  TO gdmmonitor
      GRANT SELECT ON sys.database_principals   TO gdmmonitor
      GRANT SELECT ON sys.sql_logins            TO gdmmonitor
      GRANT SELECT ON sys.sysfiles              TO gdmmonitor
      GRANT SELECT ON sys.database_role_members TO gdmmonitor 
      GRANT SELECT ON sys.server_role_members   TO gdmmonitor 
      GRANT SELECT ON sys.configurations        TO gdmmonitor
      GRANT SELECT ON sys.master_key_passwords  TO gdmmonitor
      GRANT SELECT ON sys.server_principals     TO gdmmonitor
      GRANT SELECT ON sys.server_permissions    TO gdmmonitor
      GRANT SELECT ON sys.credentials           TO gdmmonitor
      --This is called by master.dbo.sp_MSset_oledb_prop.
      --By default it should have already been granted to public.
      GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
      GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR 
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- END of role creation on database
    PRINT '==> END of role creation on: ' + @dbName
    PRINT ''
    -- Change to the msdb database
    USE msdb
    set @memberName = ''
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if it exists
    TRUNCATE TABLE #rolemember
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT count(*) FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the gdmmonitor role on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    GRANT SELECT ON dbo.backupset   TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects TO gdmmonitor
      GRANT SELECT ON sys.database_permissions TO gdmmonitor
      GRANT SELECT ON sys.database_principals TO gdmmonitor
      GRANT SELECT ON sys.sysfiles TO gdmmonitor
      -- Grant execute privileges to the role for MSSql 2005 or above
      PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
      GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
      GRANT SELECT ON sys.database_role_members  TO gdmmonitor
    END
    IF (@dbVer > '2000' and @dbVer < '2012') 
    --This sp is not available in SQL 2012
    BEGIN
      GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT count(*) FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the temporary table
    DROP TABLE #rolemember
    -- END of role creation on database
    PRINT '==> END of gdmmonitor role creation on: ' + @dbName
    -- Role creation complete
    PRINT '<<<==================================================================<<<'
    PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
    PRINT '<<<==================================================================<<<'
    PRINT ''
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Starting application database role creation'
    PRINT '>>>==================================================================>>>'
    use master
    DECLARE @databaseName AS varchar(80)
    DECLARE @executeString AS varchar(7950)
    DECLARE @dbcounter as int   
    set @dbcounter = 0
    DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
    and not (status & 1024 > 1)
    --read only
    and not (status & 4096 > 1)
    --single user
    and not (status & 512 > 1)
    --offline
    and not (status & 32 > 1)
    --loading
    and not (status & 64 > 1)
    --pre recovery
    and not (status & 128 > 1)
    --recovering
    and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode
    OPEN DatabaseCursor
    FETCH DatabaseCursor INTO @databaseName
    WHILE @@Fetch_Status = 0
    BEGIN
    set @dbcounter = @dbcounter + 1     
    set @databaseName = '"' + @databaseName + '"'  
    set @executeString = ''
    set @executeString = 'use ' + @databaseName + ' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
             'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
           '/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
           'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
           '/*find any members of the role if it exists*/ ' +
             'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
             'INSERT INTO #rolemember ' +
             'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
             'WHERE usr.uid = mbr.memberuid ' +
             'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             '/*Drop the Role Members If they exist*/ ' +
             'IF EXISTS (SELECT * FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                 'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                 'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/*drop the role if it exists*/ ' +
             'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
               'exec sp_droprole ''gdmmonitor'' ' +
             'END ' +
             '/* Create the role */ ' +
             'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
             'exec sp_addrole ''gdmmonitor'' ' +
             '/* Grant select privileges to the role for MSSql Common */ ' +
             'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
             'GRANT SELECT ON dbo.sysmembers     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysobjects     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysprotects    TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysusers       TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysfiles       TO gdmmonitor ' +
                   'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
             '/* Check if the version is 2005 or greater */ ' +
             'IF (' + @dbVer + ' != ''2000'') ' +
             'BEGIN ' +
               '/* Grant select privileges to the role for MSSql 2005 and above */ ' +
               'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
               'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
               'GRANT SELECT ON sys.all_objects          TO gdmmonitor ' +
               'GRANT SELECT ON sys.database_principals  TO gdmmonitor ' +
               'GRANT SELECT ON sys.sysfiles      TO gdmmonitor ' +          
               'GRANT SELECT ON sys.database_role_members  TO gdmmonitor ' +           
             'END ' +
             '/* Re-add the dropped members */ ' +
             'IF EXISTS (SELECT 1 FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                   'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                   'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                   'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/* drop the temporary table */ ' +
             'DROP TABLE #rolemember ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT '' ''' +
             'PRINT '' '''
    execute (@executeString)
    FETCH DatabaseCursor INTO @databaseName
    END
    CLOSE DatabaseCursor
    DEALLOCATE DatabaseCursor
    --  Adding user to all the databases
    --  and grant gdmmonitor role, only if login exists.
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
    PRINT '>>> on all databases.'
    PRINT '>>>==================================================================>>>'
    USE master
    /* Check if @Guardium_user is a login exist, if not do nothing.*/
    IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
    BEGIN
      PRINT ''
      PRINT '************************************************************************'
      PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
      PRINT '***        Please add the login and re-run this script.'
      PRINT '************************************************************************'
      PRINT ''
    END
    ELSE
    BEGIN
      DECLARE @counter AS smallint
      set @counter = 0
      --  This loop runs 4 times just to make sure that the @Guardium_user gets added to all db.
      --  99% of the time, this is totally unnecessary.  But in some rare case on SQL 2005
      --  the loop skips some databases when it tried to add the @Guardium_user.
      --  After two to three executions, the user is added in all the dbs.
      --  Might be a SQL Server bug.
      WHILE @counter <= 3
      BEGIN
      set @counter = @counter + 1
        set @databaseName = ''
        set @executeString = ''
        DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
        where not (status & 1024 > 1)
    --read only
        and not (status & 4096 > 1)
    --single user
        and not (status & 512 > 1)
    --offline
        and not (status & 32 > 1)
    --loading
        and not (status & 64 > 1)
    --pre recovery
        and not (status & 128 > 1)
    --recovering
        and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode    
        OPEN DatabaseCursor
        FETCH DatabaseCursor INTO @databaseName
        WHILE @@Fetch_Status = 0
        BEGIN
        set @databaseName = '"' + @databaseName + '"' 
        set @executeString = ''
        set @executeString = 'use ' + @databaseName + ' ' +
                 '/*Check if the login already has access to this database */ ' +
                 'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                  '/*Check if login already have gdmmonitor role*/ ' +
                  'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
                'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
                'AND usr.name = ''' + @Guardium_user + ''') ' +
                  'BEGIN ' +
                  'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
                  'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                  'PRINT '' ''' +
                  'END ' +
                 'END ' +
                 'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                 'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
                 'execute sp_adduser [' + @Guardium_user + '] ' +
                 'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database '  + @databaseName + ''' ' +
                 'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                 'PRINT '' ''' +
                 'END '
        execute (@executeString)
        FETCH DatabaseCursor INTO @databaseName
        END
        CLOSE DatabaseCursor
        DEALLOCATE DatabaseCursor
      END   -- end while
      -- Required for Version 2005 or greater.
      IF (@dbVer != '2000')
      BEGIN
        -- Grant system privileges to the @guardium_user.  This is a requirement for >= SQL 2005
        -- or else some system catalogs will filter our result from assessment test.
        -- This will show up in sys.server_permissions view.
        PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
        execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
        execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
      END
      PRINT '<<<==================================================================<<<'
      PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
      PRINT '<<< on all databases.'
      PRINT '<<<==================================================================<<<'
      PRINT ''
    END
    GO

    Thanks a lot Sir... it worked.
    Can you also help me in troubleshooting the issue below?
    This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
    The SA account with highest privileges has been used for script execution. The errors received are as follows:
    >>>==================================================================>>>
    >>> Creating role: "gdmmonitor" at the server level.
    >>>==================================================================>>>
    ==> Granting MSSSQL 2005 and above setupadmin server role
    ==> Starting MSSql 2005 role creation on database: master
    (0 row(s) affected)
    ==> Dropping the gdmmonitor role members on: master
    ==> Creating the role gdmmonitor on: master
    Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
    The procedure 'sys.sp_addrole' cannot be executed within a transaction.
    ==> Granting common SELECT privileges on: master
    Msg 15151, Level 16, State 1, Line 117
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 118
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 119
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 120
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 121
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 122
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 123
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 124
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 125
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 126
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    ==> Granting common EXECUTE privileges on: master
    Msg 15151, Level 16, State 1, Line 130
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 131
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 132
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 133
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 134
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 135
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 136
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
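
An added example, not part of the thread or of the posted script: one way to limit the per-database portion of that script to TEST1 and TEST2, with database names spliced in through QUOTENAME rather than hand-built quotes. It assumes SQL Server 2005 or later, uses CREATE ROLE in place of sp_addrole, creates the role only if it is missing instead of dropping and recreating it, and leaves out the server-level and master/msdb steps; the `@targets` table and cursor name are illustrative.

```sql
-- Added example: per-database gdmmonitor setup restricted to an allow-list.
SET NOCOUNT ON;

-- Legacy security procedures such as sp_addrole raise Msg 15002 when the session
-- has an open transaction (for example with SET IMPLICIT_TRANSACTIONS ON), so stop early.
DECLARE @tc int;
SET @tc = @@TRANCOUNT;
IF @tc > 0
BEGIN
    RAISERROR('Open transaction (@@TRANCOUNT = %d): commit or roll back first.', 16, 1, @tc);
    RETURN;
END

DECLARE @Guardium_user sysname;
SET @Guardium_user = N'sqlguard';       -- same login name the posted script uses

IF SUSER_ID(@Guardium_user) IS NULL
BEGIN
    RAISERROR('Login %s does not exist; create it and re-run.', 16, 1, @Guardium_user);
    RETURN;
END

-- Allow-list of databases that should receive the role (names from the question).
DECLARE @targets TABLE (name sysname NOT NULL PRIMARY KEY);
INSERT INTO @targets (name) VALUES (N'TEST1');
INSERT INTO @targets (name) VALUES (N'TEST2');

DECLARE @db sysname, @sql nvarchar(max), @usr nvarchar(258);
SET @usr = QUOTENAME(@Guardium_user);   -- bracket-quoted, safe to splice into DDL

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM sys.databases AS d
    JOIN @targets AS t ON t.name = d.name COLLATE DATABASE_DEFAULT
    WHERE d.state_desc = N'ONLINE'
      AND d.is_read_only = 0
      AND d.user_access_desc = N'MULTI_USER';

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Only identifiers that went through QUOTENAME are concatenated;
    -- the login name used in lookups is passed as a parameter.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF DATABASE_PRINCIPAL_ID(N''gdmmonitor'') IS NULL
    CREATE ROLE gdmmonitor;
GRANT SELECT ON dbo.sysmembers            TO gdmmonitor;
GRANT SELECT ON dbo.sysobjects            TO gdmmonitor;
GRANT SELECT ON dbo.sysprotects           TO gdmmonitor;
GRANT SELECT ON dbo.sysusers              TO gdmmonitor;
GRANT SELECT ON dbo.sysfiles              TO gdmmonitor;
GRANT SELECT ON dbo.syspermissions        TO gdmmonitor;
GRANT SELECT ON sys.database_permissions  TO gdmmonitor;
GRANT SELECT ON sys.all_objects           TO gdmmonitor;
GRANT SELECT ON sys.database_principals   TO gdmmonitor;
GRANT SELECT ON sys.sysfiles              TO gdmmonitor;
GRANT SELECT ON sys.database_role_members TO gdmmonitor;
IF DATABASE_PRINCIPAL_ID(@login) IS NULL
    CREATE USER ' + @usr + N' FOR LOGIN ' + @usr + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_role_members
               WHERE role_principal_id   = DATABASE_PRINCIPAL_ID(N''gdmmonitor'')
                 AND member_principal_id = DATABASE_PRINCIPAL_ID(@login))
    EXEC sp_addrolemember N''gdmmonitor'', @login;';

    PRINT '==> gdmmonitor role setup on: ' + @db;
    EXEC sp_executesql @sql, N'@login sysname', @login = @Guardium_user;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

-- Report allow-listed names that were skipped (missing, offline, read-only or single-user).
SELECT t.name AS skipped_database
FROM @targets AS t
WHERE NOT EXISTS (SELECT 1
                  FROM sys.databases AS d
                  WHERE d.name = t.name COLLATE DATABASE_DEFAULT
                    AND d.state_desc = N'ONLINE'
                    AND d.is_read_only = 0
                    AND d.user_access_desc = N'MULTI_USER');
```

The example assumes the database user carries the same name as the login, as the posted script does with sp_adduser; a login already mapped under a different user name would need that mapping handled separately.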

  • ABAP User Roles and Query for accessing particular T- codes and Reports

    Dear Gurus,
    I have one problem: I want to know about ABAP User Query. I have one requirement: my user wants to lock all the HR Std versus Customized reports in T-code SQ01. People from other departments also see the payslips and HR personal reports, which is harmful to the dept, so I want to lock all the reports in the Std T-code SQ01, and I have created one Customized User Role or Query in which the T-codes and reports are assigned; only those particular users can access the T-codes and Std reports. How can this be done? I don't have any idea about user roles and queries.
    Kindly help me out or send me some documents related to user roles and queries.
    regards ritesh sharma

    Hi Ritesh,
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
    Regards,
    Flavya

  • Inconsistent behavior of user-role assignment

    Hi, all.
      I'm using EP 6.0 SP9 patch1.
      I logged on as an Administrator user.
      In the menu User Administration --> Roles --> Roles, I got inconsistent behavior of user-role assignment.
      1. Normal behavior (from user --> edit)
       I searched for and selected one user and clicked the "Edit" link
       --> I can assign all the roles that I want.
      2. Abnormal behavior (from role --> edit)
       I searched for and selected one role first and clicked the "Edit" link
       --> some roles CANNOT be edited (even though I clicked the "Edit" link, it doesn't go to the edit screen). The roles that I couldn't edit are the SAP original roles like Administrator, content_admin_role, user_admin_role...
      Could someone please give me any advice on this problem?
      Thanks.

    Hi Sejoon,
    please open an OSS message.
    Best regards
    Detlev

  • Role problems using RIMLoginModule

    Hi all,
    we are currently trying to execute a web application using the RIMLoginModule with a BlackBerry.
    For this reason, we have to configure the module on: http://servername:port/webdynpro/dispatcher/sap.com/mba~com.sap.mbs.mso.main/MSOMain
    Unfortunately, after calling this URL, I logged on to the server, but it complains that it does not find a user role in the configuration database!
    What is the problem?
    We are having NW2004s SP15 Web AS.
    Is it possible that the RIMLoginModule runs only on a 6.40? If yes, what kind of solution exists for systems >6.40 ?
    Thank you for your help in advance.
    Kind regards, Patrick.

    You could try this: Tools -> Privileges -> (Show Privilege for the ROLE not the USER), then see if "Desktop & Plus Privilege" is checked.
    I was just creating/removing EULs in my test instance and the same thing happened to me.

  • Customize portal "Help" link based on user roles

    Is there a chance to customize the Help link URL in Masthead iView based on user roles? The use case we have is that the "Help" should be different for users of the purchasing company from those of the supplying company.
    Thanks.

    Hello Jay.
    This is a multi-step process.
    Step 1: Create 2 desktops with everything the same but different mastheads.
    - Copy your existing desktop and paste it in your working folder in PCD (do not select Delta link).
    - Now download the masthead par file.
    - Modify your masthead par file where you will disable the help link. Rename your masthead file (newMasthead.par) and export it from NWDS. Now import it in the portal.
    - Open your framework page in desktop2. Just add your new masthead in it. Enable the new one and disable the existing one.
    Step 2: Create 2 groups of users. (The first one is for users who wish to see the help link, i.e. the existing desktop.) (The second is for those users who do not have to see the help link, i.e. newDesktop.)
    - Assign users to appropriate groups.
    - Assign the same roles to both groups.
    Step 3: Modify the main rule section in PCD.
    - If group = HelpLinkUsers Then Desktop1
    - If group = NoHelpLinkUsers Then Desktop2.
    You may find the above process a bit tedious and lengthy.
    But if you wish to further customize your portal then this will be needed one day.
    If you find problems in implementing any step then please search in Google or SDN.
    Please revert back on any specific question on the above approach you may face while implementing.
    Thanks
