Using the deployment plan to extend the security roles

Similar Messages

• An impersonation error occurred using the security context of the current user. -- Report server is on remote server and file share folder is on local server

  I have deployed a report on the server (e.g. remoteserver\reports) from my local machine. I opened the report in browser in my local machine and created a new subscription with windows file share delivery option.
  But its giving an error "Failure writing file \\localserver\subscriptions\Report1.xls : An impersonation error occurred using the security context of the current user." Here "subscriptions"
  is the folder which I have created in my local machine.
  I followed the instructions found in the link "http://msdn.microsoft.com/en-us/library/ms157386.aspx"
  Please help to solve this issue.

  Hi,
  Thank you for your reply.
  I have followed the same process. The credentials which I have given are same as my PC. But I am getting the same error. Can you please clarify the statement "Service
  account that is using for file share subscription should have write access to shared folder."
  given in the above link?
  I am the one who created the folder and subscribing the report, so probably I have the full write permissions to the shared folder. What is the service account in this context?
  I think the problem is, I am deploying the report on the server and creating the shared folder in the local machine. I tried giving shared folder permissions to the user on the server. But my local machine is in local domain and I cant access the users on
  the remote server. Do I need to create a shared folder on the server? I am new to SSRS. Please help me.
  PS: I have assigned with all roles viz. Browser, Content Manager, Publisher, Report Builder etc. and My Role name (WEBSERVER\User)
  is different from my local user name (domain\username) in domain.

• ARM approval error after upgrading to SP14: Database error while using the secure store.

  Dear GRC experts,
  After upgrading GRC 10 to SP14, assigning manual passwords during the approval of a request, the approval process is failing.
  Here is the scenario; your advice will be appreciated.
  Task: Manually assign passwords to multiple systems contained in the request
  Where: On the access request, go to “User System Details” tab
  Issue: After approving/submitting the request, the error “Database error while using the secure store” is generated
  Logs: Nothing on transactions SLG1 or ST22; however ST11 shows the error attached below:
  This is the failed approval of the request:
  Other scenarios executed as a workaround, and passed the password assignment this time:
  The approval will work if only one password is assigned to any of the given systems. The rest of the systems get an auto-generated
  password.
  ARM also accepts multiple passwords when the requestor assigns passwords on the “User System Details” prior submitting a
  request. The GRC admin can approve once reached for system approval.
  AS FYI, “Confirm Password” is only required when creating the request but not on any other stage.
  System information:
    -Netweaver 7
    -GRCFND_A SP14
    -GRCPINW SP13
  Regards,
  Gustavo

  SAP just delivered a note to fix this issue. The number is 2022294.

• Using the Security Manager to restrict access to a single package

  After reading up on the Security Manager, the package.access property and the use of the [accessClassInPackage RuntimePermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] , it seemed to me that it would possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to be believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
  Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
  Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as [illustrated in the secure coding guidelines|http://java.sun.com/security/seccodeguide.html#1-1a] .
  But the problem lies in the idea of "use the package.access property to deny access to +any+ package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
  Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
  It seems to me that this a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
  The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client. and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

  You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for to application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

• How can I know the security role of the logged in user

  When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
  But wondering when I log into my application with some user name and password (specified in my Oracle database),wondering how this works with the security role I created .How does J2EE know the security role of the logged in user.
  Thanks
  Manohar

  shet wrote:
  role at run time.
  When I login say as "manju" and password as "money" then how does it know that this user belongs to this security role.Is that the j2ee administrator has to say that user manju has this this security role.Programmitically how does it really work.I am confusedThe j2ee implementation assigns the roles using the JAAS module you have configured for your application on your application server. different JAAS modules get roles in different ways. many allow a single static role to be assigned using a config file. if using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
  At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

• The security-role-assignment references an invalid security-role: Certifica

  In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
  weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
       at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
       at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
       at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
       at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
       at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
       at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
       at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
       at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
       at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
       at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
       at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
       at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
       at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
       at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
       at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
       at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
       at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
       at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
       at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
       at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
       at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
       at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
       at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
  <wls:security-role-assignment>
  <wls:role-name>Certificate</wls:role-name>
  <wls:externally-defined/>
  </wls:security-role-assignment>
  I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
  If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.

  Hi,
  I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
  DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
  Hope it helps,
  Luis

• How to get the security-roles ?

  Hi,
  How can I get the security-roles defined in my web.xml ?
  I have looked for a method in the request, and in the context, but I can't find something that would return a String[] with the roles available in the web-app.
  Any ideas ?
  H.

  Just a stab in the dark, but what about getInitParameterNames() ?
  It returns an Enumeration of String.
  Although, I did not check to see if it returns the <security-roles>
  Short of that, I would think you could use SAX, or something like it, to parse web.xml.
  Just a thought, feel free to correct me.
  S.

• How Does The security-role Mapping Work?

            I am studying the security part of the deployment descriptor. I am confused about
            how the mapping works.
            Suppose we have
            <security-role>
            <role-name>manager</role-name>
            </security-role>
            and
            <security-role-ref>
            <role-name>FOO</role-name>
            <role-link>manager</role-link>
            </security-role-ref>
            My first question is when a client of the servlet supplies a name for authentication,
            the name supplied should be FOO or can be, say, John Smith?
            Then, according to the Servlet Specification, a security role is a logical grouping
            of users defined by the Application Developer
            or Assembler. When the application is deployed, roles are mapped by a Deployer
            to principals or groups in the runtime environment.
            My second question is how deployer maps the role, say, manager, to principals
            or groups in the runtime environment?
            Thanks in advance.
            

            Thanks a lot, Udit.
            "Udit Singh" <[email protected]> wrote:
            >
            >Hello,
            >The role-name is mapped to principals or gruops based on the security-role-assignment
            >entrires in weblogic.xml. Let us say you have a role-name FOO and you
            >want to
            >assing this role to users John and Mark. You need to make this entry
            >in weblogic.xml-
            ><security_role_assignment>
            > <role-name>FOO</role-name>
            > <principal-name>John</principal-name>
            > <principal-name>Mark</principal-name>
            > </security_role_assignment>
            >
            >so now actually the user need to supply John or Mark as user name at
            >the time
            >of authentication . Hope it helps.
            >
            >Udit
            >
            >
            >"[email protected]" entrance wrote:
            >>
            >>I am studying the security part of the deployment descriptor. I am confused
            >>about
            >>how the mapping works.
            >>Suppose we have
            >><security-role>
            >><role-name>manager</role-name>
            >></security-role>
            >>
            >>and
            >>
            >><security-role-ref>
            >><role-name>FOO</role-name>
            >><role-link>manager</role-link>
            >></security-role-ref>
            >>
            >>My first question is when a client of the servlet supplies a name for
            >>authentication,
            >>the name supplied should be FOO or can be, say, John Smith?
            >>
            >>Then, according to the Servlet Specification, a security role is a logical
            >>grouping
            >>of users defined by the Application Developer
            >>or Assembler. When the application is deployed, roles are mapped by
            >a
            >>Deployer
            >>to principals or groups in the runtime environment.
            >>
            >>My second question is how deployer maps the role, say, manager, to principals
            >>or groups in the runtime environment?
            >>
            >>Thanks in advance.
            >>
            >>
            >>
            >
            

• Import roles to the ERM without using the "Mass Role Import

  Hello,
  I want to know if there is another way to import roles to the ERM without using the "Mass Role Import.
  Im'm using SAP GRC AC 5.3
  Best Regards.
  Pablo Mortera.

  Hi.
  There is NO other way to import roles..
  We need to use only ERM for "Mass Role Import.
  Regards
  Gangadhar

• Need to build the security roles (actual technical roles) with HRCON object

  I need to build the security roles (actual technical roles) with HRCON objectfor date driven security.
  Please help me that how could i learn and what should be the approach.
  i.e. What is the requirement for learing to build the security roles (actual technical roles) with HRCON object for date driven security.

  Hi marco,
  It is related to Context solution and I need to implement HR Security in terms of context solution.
  So Could you please describe Following points:
  1. What is context solution
  2. How can i implement this context solution and HR Basic security as well
  3 What is the prerequiest to learn about HR security
  4. I am new for HR Security, SO what would be the approach to implement HR Security.
  Thanks

• How can I use the security package in JCOP41V2.2?

  Hi all, I'm a newbie in javacard programming. I'm trying to develop a project with RSA_signature. But I found, the exception NO_SUCH_ALGORITHM will be thrown out when I new an instance of KeyPair.
  My java file Temp_1.java following:
  package temp;
  import javacard.framework.Applet;
  import javacard.framework.ISO7816;
  import javacard.framework.ISOException;
  import javacard.framework.APDU;
  import javacard.security.*;
  * @author lujj
  public class Temp_1 extends Applet {
  KeyPair myKeyPair = null;
       public static void install(byte[] bArray, short bOffset, byte bLength) {
            // GP-compliant JavaCard applet registration
            new Temp_1().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
       public void process(APDU apdu) throws ISOException{
            // Good practice: Return 9000 on SELECT
            if (selectingApplet()) {
                 return;
            byte[] buf = apdu.getBuffer();
            if(buf[ISO7816.OFFSET_CLA] == (byte)0xEE)
                 try
                      myKeyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
                 catch(CryptoException e)
                      ISOException.throwIt((short)(0x6F00+e.getReason()));                    
                 return;
            switch (buf[ISO7816.OFFSET_INS]) {
            case (byte) 0x00:
                 break;
            default:
                 // good practice: If you don't know the INStruction, say so:
                 ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
  This package can be upload and the applet can be installed successfully.
  But if I send the apdu "EE 00 00 00 00" after selected the applet, "6F 03" will be returned.
  Is there anyone can help me? Thanks a lot.

  Thank you so much~
  Actually, it's only an applet for test. I cannot get the error code if I new the KeyPair in install function or Applet construct function. It will return "6A 80" when install the applet.
  And, I found that it support few algorithm. For example, it does not support ALG_DES_MAC4_ISO9797_M2,etc. Is there anything I can do if I want to use the algorithm? Shall I rewrite security package by myself?
  5555, security package is the standard package in JAVACARD API 2.1.1.

• Creating an AQ using a deployment plan

  Hi,
  Does anyone have an example of a deployment plan to create an AQ and to run the sql to create the underlying tables ?
  I have created a SOA AIA-based process that uses AQ for it's JMS. I am currently attempting to deploy this process using the AIA best practice of annotate, harvest, extract Bill Of Materials, create Deployment Plan, deploy. I've been able to create a deployment plan that will deploy the composites and the MDS updates but I'm having trouble creating the correct deployment plan entries to create the AQ.
  I'm using 11.1.1.3g.
  Thanks in advance
  Gareth

  Queue creation example....
  create type EMP_QTYPE as object
  (EMPNO     varchar2(60),
  ADDRESS     varchar2(200),
  RESUME     clob);
  Begin
       dbms_aqadm.create_queue_table(QUEUE_PAYLOAD_TYPE=>'EMP_QTYPE', QUEUE_TABLE=>'EMP_QTBL');
  end;
  Begin
  dbms_aqadm.create_queue (
  Queue_name => 'EMP_Q',
  Queue_table => 'EMP_QTBL');
  end;
  Begin
       dbms_aqadm.start_queue(QUEUE_NAME => 'EMP_Q');
  end;
  Brgds,
  Sanjay

• How to list principals in the security role?

  Does anybody know how to list principals assigned to a security role programmatically?
  The role assigment is specified in weblogic.xml files for web applications and
  weblogic-ejb-jar.xml files for EJBs.
  Any help would be much appreciated,
  Margaret

  I think it's not possible. However, what you can do is to assign a role to a
  group (this relationship being statically defined in weblogic.xml) and then
  manipulate the group membership in order to assign users to the role on the
  fly.
  "Margaret Oberc" <[email protected]> wrote in message
  news:3b127763$[email protected]..
  >
  Does anybody know how to list principals assigned to a security roleprogrammatically?
  The role assigment is specified in weblogic.xml files for webapplications and
  weblogic-ejb-jar.xml files for EJBs.
  Any help would be much appreciated,
  Margaret

• How to get the list of all the security Roles defined ?

  I am trying to programatically get a list of all the roles defined
  in the weblogic. How can I access this information using the exiting
  MBean interfaces.
  thanks
  Prasad

  Wrong forum. Just a hint.

• Problem using the delivered roles in BI Publisher

  We are unable to 'see' the delivered roles in order to assign folder and data source permissions.
  We can add users to the delivered roles, but on the ‘Roles and Permissions’ tab, the delivered roles are not available ( the page is blank). Those roles don’t show up anywhere under ‘available roles’ except when assigning the a user.
  Any thoughts?

  How did you reslove the issue