Using Position Based Security with BI

Hi
Has anyone been involved in an implementation where you can assign BI roles to Positions (organisational structure maintained in R/3).  If so, what configuration is involved?

Hi,
After replying I realised that this may not be answering your question exactly, but it is the approach that I would adopt.
Not sure if it is feasible for your landscape, but I would use a CUA for this approach - in the long run I find it to be a good approach, especially if you are adding more SAP applications to your landscape.
Firstly, set-up ALE for the org structure from R/3 to your CUA client.
I would then create composite roles in the CUA client, which include roles for both R/3 and BI. These would then be assigned to the positions in the HR Org structure.
To create the composite roles, read roles into your CUA client via RFC - note that this is not the text comparison for CUA, but reading roles from other systems via RFC through PFCG. Once you read the roles in you will notice that the RFC destination is maintained in the menu tab of roles that have been imported. Then when you create the composite roles containing R/3 and BI roles you will see that the target system is maintained. If you use the variable mentioned below, it achieves the same thing but makes future maintenance easier.
Creating the composite roles does mean additional maintenance upfront, but before you begin I would make use of the table SSM_RFC. Through this you could assign a variable to a RFC destination, you can use the same variable name in DEV, QA & PRD but have different RFC destinations allocated. This means that you can transport roles from the DEV CUA to PRD CUA without having to maintain the roles.
In CUA you would need to set the role distribution properties to global in transaction SCUM.
When you assign a composite role to a user in CUA you will notice that it will complete all the system assignments as defined in your composite role. If you allocate to a position, then it would do the same thing provided the IT105 is maintained for the employee and the position assignment is valid - once you run the user compare it will update the user master and distribute.
I hope that provides you with some ideas.....
Regards
Edited by: S Morar on Apr 10, 2008 1:23 PM

Similar Messages

  • SAP IDM position based security with user in multiple positions

    Hi,
    In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
    The design is to have one business role assigned to one position so that the user can have all the access he requires.
    In case of higher duties, we see an exception.
    Has anyone implemented such a scenario?
    Inputs/advices are much valued.
    Thanks
    Chaitanya

    Hi Chaitanya,
    Is it possible to assign more than one position to an employee in HCM?
    If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest you:
    1. Translate every position you receive from HR to a Business role and assign as many Business roles you want to the same user.
    From HCM you will receive :
    Employee :
    - Z_POSITION_ID1 :1
    - Z_POSITION_ID2 : 2
    In IDM
    Employee
    - Member of BR1
    - Member of BR2
    2. If you have a lot of attributes related to the HR position on the user (link user-position) to maintain, then create a custom object in IDM (entrytype Z_POSITION).
    You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).
    Otherwise, it is worth looking over this blog for the general design of HCM integration:
    How to optimize identities’ lifecycle management in your information system using SAP HR events?
    Fadoua

  • Does auto provisioning work with position based security

    We are implementing GRC 5.3 and use position based security.  I am able to run risk analysis for position based security but now we want to use CUP and push our roles to the positions.  And finally we want to associate the user to the position.  We want to do all of this through GRC.  Is this possible?
    Thanks!

    Peggy,
       For this to work, click on the tab (on top) which says by system. Here you can set up autoprovisioning by system. If you have 5.2, I don't know if this is available or not but it is available in 5.3.
    Regards,
    Alpesh

  • IDM, GRC and position based security

    We use position based security in our ERP system and are implementing GRC.  In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs.  We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead.  There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?     
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin
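
The flow described in this reply (position change in HCM, IdM proposes roles, GRC checks SoD, then IdM provisions or a workflow takes over), combined with the one-business-role-per-position mapping from the SAP IDM thread above, sketched in Python as an added example that is not from any of the posts. It is a constructed model, not SAP IdM or GRC API code; every position ID, business role, technical role and SoD rule in it is hypothetical.

```python
"""Constructed model of the HCM -> IdM -> GRC flow; every identifier is hypothetical."""
from dataclasses import dataclass, field

# One business role per position, as in the design described in the threads.
POSITION_TO_BUSINESS_ROLE = {
    "50001234": "BR_AP_CLERK",
    "50005678": "BR_AP_SUPERVISOR",
}

# Business role -> technical roles, each a (target system, role name) pair.
BUSINESS_ROLE_TO_TECHNICAL = {
    "BR_AP_CLERK": {("ERP", "Z_AP_INVOICE_ENTRY"), ("BI", "Z_BI_AP_REPORTS")},
    "BR_AP_SUPERVISOR": {("ERP", "Z_AP_PAYMENT_RELEASE"), ("BI", "Z_BI_AP_REPORTS")},
}

# Stand-in for the GRC rule set: technical roles one user must not hold together.
SOD_RULES = {
    "SOD_AP_01": {("ERP", "Z_AP_INVOICE_ENTRY"), ("ERP", "Z_AP_PAYMENT_RELEASE")},
}


@dataclass
class Decision:
    status: str  # "PROVISION" or "WORKFLOW"
    to_add: set = field(default_factory=set)
    to_remove: set = field(default_factory=set)
    violations: list = field(default_factory=list)


def propose_roles(positions):
    """IdM step: union of the technical roles behind every position held."""
    roles = set()
    for position in positions:
        business_role = POSITION_TO_BUSINESS_ROLE.get(position)
        if business_role is None:
            # Fail closed: an unmapped position must not silently grant nothing or everything.
            raise KeyError(f"position {position} has no business role mapped")
        roles |= BUSINESS_ROLE_TO_TECHNICAL[business_role]
    return roles


def sod_violations(roles):
    """GRC step: ids of every rule whose conflicting roles are all present."""
    return sorted(rule for rule, conflict in SOD_RULES.items() if conflict <= roles)


def handle_position_change(current_roles, new_positions):
    """Check the proposed role set before anything is provisioned."""
    proposed = propose_roles(new_positions)
    violations = sod_violations(proposed)
    if violations:
        # Nothing is provisioned; the request goes to the exception workflow.
        return Decision("WORKFLOW", violations=violations)
    return Decision(
        "PROVISION",
        to_add=proposed - current_roles,
        to_remove=current_roles - proposed,
    )


if __name__ == "__main__":
    clerk_roles = propose_roles(["50001234"])
    # Promotion: the user moves from the clerk position to the supervisor position.
    print(handle_position_change(clerk_roles, ["50005678"]))
    # Higher duties: the user holds both positions at once.
    print(handle_position_change(clerk_roles, ["50001234", "50005678"]))
```

The second case is the higher-duties scenario: each position's roles pass the check on their own, and the conflict only appears when the check runs on the union across both positions.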

  • Is there any difference in upgrade for position based security model

    Hello Gurus,
    I am working on an upgrade project from 4.6C to ECC 6.0. In the 4.6C R/3 system the position based security concept is used.
    Are there any extra precautions that need to be taken while upgrading in a position based security model?
    Or
    Is it the same procedure whether it is a role based security model or a position based security model?
    I am new to this upgrade stuff, please kindly direct me in the right direction.
    Also please provide if any documents are available.
    Thanks,
    Sanketh.

    Hi,
    There are already many documents posted on SDN on the same topic. Security upgrade is standard and mostly deals with role modification; can you elaborate more on position based? Position related assignment is also taken care of with the respective functional team (for example HR) and the technical workflow team if there are any issues.
    Better that you go through the upgrade document. See the posts already available in the forum before starting with the upgrade.
    Experts correct me in case of correction.

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue.  I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0  I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great.  However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message “Authentication failed”.
    I base my setup on the technet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got in eventlog id 300
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly: you must add the CA and the ADFS as well, which is twice, as you can see in my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • Position Based Security

    Hi All,
    How to find out whether the security implemented is position based or role based? And in position based, is there any difference in dealing with authorisation changes compared to role based security?
    Can some one please let me know the information.
    Regards,
    Sandhya

    Hi,
    the difference is in how you assign the roles to users. Position based means that roles are assigned according to the position the user has in the org-structure.
    Roles are assigned to the position and each user who is assigned to the position gets those roles assigned.
    You can identify such roles as they are assigned indirectly (blue colour in SU01 and PFCG(tab users)) and if hr-org is activated and maintained in your system.
    Administrators should know of how they assign roles in your system. Just ask them.
    b.rgds,
    Bernhard

  • IP based security with JSP?

    Hi,
    How easy/hard would it be to implement IP based security in a JSP application? I.e. We want to restrict the IP addresses that can access our application.
    Is this something that can be done in the web.xml using the security constraints?
    Or is it much more complex than this?
    (We want to prevent our customer from sharing the application with third-parties, so we can not rely on a firewall based approach)
    Thanks

    Well, for Apache, it's easier. I think for Location to work, you need virtual directories set up. I could be wrong... Or try using Directory instead of Location. I recall Location was for something special... but I forget the details. For Apache/Tomcat, I've usually used aliases to handle directories...
    Alias /ITMS "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS"
    <Directory "ITMS_HOME/tools/tomcat/jakarta-tomcat-4.0.3/webapps/ITMS">
    AllowOverride None
    Options Indexes
    Order allow,deny
    Allow from all
    ExpiresActive On
    ExpiresByType application/octet-stream "access plus 7 days"
    ExpiresByType image/gif "access plus 7 days"
    ExpiresByType image/jpeg "access plus 7 days"
    ExpiresByType text/x-javascript "access plus 0 seconds"
    ExpiresByType text/css "modification plus 7 days"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType text/vnd.wap.wml "access plus 0 seconds"
    ExpiresDefault "now plus 1 month"
    </Directory>
    You can set up deny's from IP or IP range or domain.
    Deny from .domain.com
    Deny from 123.232.123.33
    Deny from 123.232.124.
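
How Apache 2.2-style `Order`, `Allow from` and `Deny from` resolve for a given client, modelled in Python as an added example that is not part of the original reply. It evaluates the reply's deny-list next to an allow-list of the kind the question asks for; the 203.0.113.0/24 customer range and the client addresses are constructed values, and the model covers IPv4 only.

```python
"""Model of Apache 2.2 Order/Allow/Deny host-based access control (added example)."""
import ipaddress


def _is_ip_spec(spec):
    """True for full, partial ('123.232.124.') or CIDR IPv4 specs."""
    parts = [p for p in spec.split("/")[0].split(".") if p]
    return bool(parts) and all(p.isdigit() for p in parts)


def matches(spec, client_ip, client_host=None):
    """Does one 'Allow from' / 'Deny from' argument match this client?"""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if not _is_ip_spec(spec):
        # Host name spec: needs a resolved client name; with none available
        # (failed reverse lookup) it matches nothing.
        if client_host is None:
            return False
        host, name = client_host.lower(), spec.lower()
        suffix = name if name.startswith(".") else "." + name
        return host == name or host.endswith(suffix)
    if "/" in spec:
        network = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in network
    # Full or partial address: compare the leading octets that were given.
    octets = [p for p in spec.split(".") if p]
    return client_ip.split(".")[:len(octets)] == octets


def is_allowed(order, allow, deny, client_ip, client_host=None):
    """Apply the 'Order' semantics to the Allow and Deny lists."""
    allowed = any(matches(s, client_ip, client_host) for s in allow)
    denied = any(matches(s, client_ip, client_host) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default deny: must match an Allow and must not match any Deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: a Deny match is overridden by an Allow match.
        return allowed or not denied
    raise ValueError(f"unknown Order value: {order!r}")


# The deny-list from the reply: everyone is allowed except the listed sources.
REPLY_DENY_LIST = {
    "order": "allow,deny",
    "allow": ["all"],
    "deny": [".domain.com", "123.232.123.33", "123.232.124."],
}

# Allow-list for the question's goal; the customer range is a constructed value.
CUSTOMER_ALLOW_LIST = {
    "order": "allow,deny",
    "allow": ["203.0.113.0/24"],
    "deny": [],
}


def check(policy, client_ip, client_host=None):
    return is_allowed(policy["order"], policy["allow"], policy["deny"],
                      client_ip, client_host)


if __name__ == "__main__":
    for ip in ("123.232.124.7", "198.51.100.20", "203.0.113.15"):
        print(ip, "deny-list:", check(REPLY_DENY_LIST, ip),
              "allow-list:", check(CUSTOMER_ALLOW_LIST, ip))
```

With the deny-list, an address that nobody thought to list (198.51.100.20 here) still gets in; with the allow-list it is refused by default.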

  • User Level Authorization in Position Based Security

    Hi Geeks,
    I'm facing a problem in restricting a user from accessing another user's data.
    Let me give you a picture of my issue.
    I have assigned a position based role to a Position XXXXX, while XXXX is accessing his data, he is also able to see the data of User YYYYY, but as per my client requirement, User XXXXX can only see the data of his own, not other users.
    Can you please let me know how to restrict this.
    <removed_by_moderator>
    Thanks
    Venkat
    Edited by: Julius Bussche on Jun 4, 2009 8:44 AM

    > p_pernr when this object is present, including infotypes in this object allows you to control access to own record only(I), or other employee records only(E) excluding own.
    Stated like that it could still be misleading.
    E does not grant access to other employees' records. It only means that if the user already has access to other employees' records (via P_ORGIN...), then this authorization will exclude their own personnel number from that authorization, even though they have the access.
    This can be useful, for example to prevent the HR department from changing their own basic pay without stopping them from giving you a raise or a bonus...
    Cheers,
    Julius

  • Trying to use Oracle Label Security with a XMLType

    Hi everybody.
    I'm trying to apply some of the Oracle Label Security functionalities to a table created from the annotations of an XML Schema.
    Below I show part of this XML Schema:
    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema xmlns:xdb="http://xmlns.oracle.com/xdb"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    elementFormDefault="qualified"
    attributeFormDefault="unqualified">
    <xs:element name="FILE_INFO" xdb:SQLType="FILE_INFO" xdb:defaultTable="TABLE_FILE_INFO">
    <xs:complexType>
    <xs:choice>
    <xs:element name="FILE_INFO_DICOM"
    type="FILE_INFO_DICOM_TYPE" />
    <xs:element name="FILE_INFO_ANALYZE"
    type="FILE_INFO_ANALYZE_TYPE" />
    </xs:choice>
    </xs:complexType>
    </xs:element>
    <xs:complexType name="FILE_INFO_DICOM_TYPE" xdb:SQLType="FILE_INFO_DICOM_TYPE">
    <xs:sequence>
    <xs:element name="ELEMENT_INFO_DICOM"
    type="ELEMENT_INFO_DICOM_TYPE"
    minOccurs="0"
    maxOccurs="unbounded"
    xdb:defaultTable="TABLE_ELEMENT_INFO_DICOM"
    xdb:SQLInline ="false"/>
    </xs:sequence>
    </xs:complexType>
    <xs:complexType name="ELEMENT_INFO_DICOM_TYPE" xdb:SQLType="ELEMENT_INFO_DICOM_TYPE">
    <xs:all>
    <xs:element name="Description" type="xs:string" minOccurs="0" maxOccurs="1" />
    <xs:element name="GroupTag" type="xs:string" minOccurs="0" maxOccurs="1" />
    <xs:element name="ElementTag" type="xs:string" minOccurs="0" maxOccurs="1" />
    <xs:element name="VR" type="xs:string" minOccurs="0" maxOccurs="1"/>
    <xs:element name="Value" type="xs:string" minOccurs="0" maxOccurs="1"/>
    </xs:all>
    </xs:complexType>
    ................etc
    I've created a security policy that I have tested on relational tables (not based on any object type) and works correctly.
    BEGIN
    SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'policy1',
    schema_name => 'oe',
    table_name => 'TABLE_FILE_INFO',
    table_options => 'LABEL_DEFAULT, READ_CONTROL, WRITE_CONTROL',
    label_function => NULL,
    predicate => NULL);
    END;
    When I try to apply this policy to the XMLSchema-created table (TABLE_FILE_INFO) I get the following error messages:
    ORA-22856: cannot add columns to object tables
    ORA-00604 error occurred at recursive SQL level 1
    ORA-12445: cannot change HIDDEN property of column.
    ORA-06512: in "LBACSYS.LBAC_POLICY_ADMIN", line 257
    ORA-06512: in line 2
    I suppose that the main problem is that the apply_policy procedure is trying to add an extra column to a table created from a defined type.
    So my questions are: Is that true? Is it possible to apply a policy to the content of XML documents? I mean, if I want to restrict some users to seeing some subset of an XML document based on a specific policy, is there anything similar to Oracle Label Security for XML? (As defined with the annotations in the XML Schema, some elements will be mapped to rows of an XMLType-based table when an XML document is inserted into the XMLDB repository, marked to follow the previous XML Schema of course.)
    Hope someone can help to solve my doubts...
    Thanks,
    Marcos.

    Have you ever answered this question? If not, have you tried to use the "HIDE" property on your table_options?

  • Problem using file based JNDI with JMS Bridge, WL 6.1sp3

              I am trying to connect an MQ queue to a Weblogic JMS queue using the JMS bridge,
              WLS6.1sp3. I have the CR081404_61sp3.jar and CR081511_61sp3.jar patches.
              I am having trouble getting the bridge to look up the MQ queue in the file based
              JNDI. According to the log it is trying to use a weblogic.jndi.WLInitialContextFactory
              instead of a com.sun.jndi.fscontext.RefFSContextFactory, which is what it is configured
              to use. I am getting the following error:
              <Sep 29, 2002 12:16:22 PM EDT> <Info> <MessagingBridge> <Bridge "Provd Messaging
              Bridge" is getting the connections to the two adapters.>
              <Sep 29, 2002 12:16:22 PM EDT> <Debug> <MessagingBridge> <Messaging Bridge Debugging
              RUNTIME! Bridge Provd Messaging Bridge In getConnections: isStopped = false>
              <Sep 29, 2002 12:16:22 PM EDT> <Debug> <MessagingBridge> <Messaging Bridge Debugging
              RUNTIME! Bridge Provd Messaging Bridge Getting source connection: sourceConnSpec
              = weblogic.jms.adapter.JMSConnectionSpec@27166f>
              <Sep 29, 2002 12:16:22 PM EDT> <Info> <Connector> <Unable to locate context: java:/comp/env/wls-connector-resref>
              <Sep 29, 2002 12:16:22 PM EDT> <Info> <Connector> <Unable to determine Resource
              Principal for Container Managed Security Context.>
              <Sep 29, 2002 12:16:22 PM EDT> <Info> <Connector> <Unable to locate context: java:/comp/env/wls-connector-resref>
              <Sep 29, 2002 12:16:22 PM EDT> <Info> <Connector> <Unable to determine Resource
              Principal for Container Managed Security Context.>
              <Sep 29, 2002 12:16:22 PM EDT> <Warning> <Connector> << Weblogic Messaging Bridge
              Adapter (XA) > ResourceAllocationException of javax.resource.ResourceException:
              ConnectionFactory: failed to get initial context (InitialContextFactory =weblogic.jndi.WLInitialContextFactory,
              url = file:/opt/mqm/java/mq-jndi, user name = guest, password = guest on createManagedConnection.>
              <Sep 29, 2002 12:16:22 PM EDT> <Error> <Connector> <Error granting connection
              request.>
              <Sep 29, 2002 12:16:22 PM EDT> <Info> <MessagingBridge> <Bridge "Provd Messaging
              Bridge" failed to connect to the source destination and will try again in 25 seconds.
              (javax.resource.spi.ResourceAllocationException: CreateManagedConnection Error:
              ConnectionFactory: failed to get initial context (InitialContextFactory =weblogic.jndi.WLInitialContextFactory,
              url = file:/opt/mqm/java/mq-jndi, user name = guest, password = guest)>
              <
              The configuration of the bridge, printed out in the log, is:
              <Sep 29, 2002 12:16:00 PM EDT> <Debug> <MessagingBridge> <Messaging Bridge Debugging
              STARTUP! Bridge Provd Messaging Bridge's source properties are:
              AdapterJNDIName=eis.jms.WLSConnectionFactoryJNDIXA
              Classpath=null
              ConnectionFactoryJNDIName = PMS.mqQcf
              ConnectionURL = file:/opt/mqm/java/mq-jndi
              InitialConnectionFactory = com.sun.jndi.fscontext.RefFSContextFactory
              DestinationType = Queue
              DestinationJNDIName = PMS.mqProvdRequest>
              <Sep 29, 2002 12:16:00 PM EDT> <Debug> <MessagingBridge> <Messaging Bridge Debugging
              STARTUP! Bridge Provd Messaging Bridge's target properties are:
              AdapterJNDIName=eis.jms.WLSConnectionFactoryJNDIXA
              Classpath=null
              DestinationType = Queue>
              Am I correct in assuming it should be using the fscontext connection factory?
              Why is it using the weblogic one?
              Jason
              

    CR081511_61sp3.jar patch should fix the problem. Make sure that the
              jar file is picked up. It should be put before other weblogic jar files.
              You should be able to tell if it is picked up by looking at the first
              couple of lines of your server log file.
              Dongbo
              

  • HCM Position based security: any transition period?

    Hello Gurus, If a person is transferred from one position to another, the next time the RHPROFL0 job runs, it will remove all the old position's roles and assign the new ones it finds from the new position; is it possible to have a transition period(e.g. 15 or 30 days) where the user can have both the old and new roles?
    The Structural PD profiles do have an option to support this but is there a way to do this for all normal ABAP roles assigned to the Positions using the relationship infotype?
    Thanks,
    Arya

    Hi Arya
    Yes..this is possible by using the structural switch - AUTSW ADAYS. This switch is used to specify the tolerance time for authorization check in the event of org or position change. I think by default the switch is off.(not sure). If you do not want user to lose old authorization during the transition period you can activate the switch (I think default is 15 calendar days).
    Hope this helps
    Regards
    Santosh kumar

  • Can I use Webroot Internet Security with the new version of Firefox?

    I am being advised to download the new version. However, I remember seeing something about it not being compatible with Webroot. Is that true?

    You can try this extension to override compatibility issues,
    * https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/
    Once it is installed, open Addons Manager and re-enable Webroot addon.
    Addons Manager URL: about:addons

  • Error in Role Based security using weblogic 9

    Hi All,
    Currently I am working with Weblogic Server 9. I am trying to use role based security. Below are the entries for web.xml.
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Success</web-resource-name>
              <url-pattern>/form.jsp</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>admin</role-name>
         </auth-constraint>
         <user-data-constraint>
              <transport-guarantee>INTEGRAL</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
         <role-name>admin</role-name>
    </security-role>
    When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the following error:
    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    So can anyone provide me the solution for the above problem?
    Thanks in advance.
    By,
    Sandip Pradhan

    Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.
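
A 403 after a successful BASIC login is what a servlet container returns when the authenticated user holds none of the roles named in the auth-constraint. As an added example (not from the thread or the linked blog posts), this Python check reads a web.xml and a weblogic.xml and reports roles that are required but not declared, or not mapped to a principal; the sample weblogic.xml and its principal name Administrators are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's web.xml constraint, abridged.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Success</web-resource-name>
      <url-pattern>/form.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed weblogic.xml; the principal "Administrators" is an assumption.
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def _find(root, name):
    # Compare local names so descriptors match with or without an xmlns.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _roles(parent):
    return {(e.text or "").strip() for e in _find(parent, "role-name")}

def check_role_mapping(web_xml, weblogic_xml=None):
    """Return sorted findings; an empty list means the roles line up."""
    web = ET.fromstring(web_xml)
    required, declared, mapped = set(), set(), set()
    for ac in _find(web, "auth-constraint"):
        required |= _roles(ac)
    required.discard("*")  # "*" means every declared role, not a role name
    for sr in _find(web, "security-role"):
        declared |= _roles(sr)
    if weblogic_xml:
        for sra in _find(ET.fromstring(weblogic_xml), "security-role-assignment"):
            has_principal = any((p.text or "").strip() for p in _find(sra, "principal-name"))
            # <externally-defined/> defers the mapping to the admin console.
            if has_principal or _find(sra, "externally-defined"):
                mapped |= _roles(sra)
    findings = [f"role '{r}' used in auth-constraint but not declared" for r in required - declared]
    findings += [f"role '{r}' has no principal mapped in weblogic.xml" for r in required - mapped]
    return sorted(findings)
```

A finding for a mapped role does not rule out a 403: the user who logs in must still belong to the mapped principal in the security realm.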

  • Problem with testing container-based security apps with JSC/AppServer 8...

    Not sure whether this is a JSC or an AppServer issue, correct me if necessary...
    I'm using container based security to dictate logic based upon user names & roles for my test JSC app. The problem is that when I run the app by autodeploying it to my Sun AppServer 8 instance (same machine, WinXP Pro) the security settings seem to be cached. That is, if I change the security roles or permissions in the container by editing the web.xml file the changes aren't reflected in the app upon redeployment. I have to copy it to a new directory and deploy as a new app to see any security change. It seems that the old usernames and roles are cached - even if I manually restart the app server. Is this a JSC or an AppServer issue? Am I missing something? Is there an easier way for me to reset security data when testing an application? Thanx in advance...
    -J

    While your solution may technically work, it is unusable to me because I can't successfully deploy a war file using JSC after I've manually added container-based descriptors to the web.xml file. In order for me even to be able to deploy the app I need to modify web.xml and sun-web.xml by hand in the build directory.
