Weblogic 10.3.2 - Visitor entitlements role issue

Similar Messages

• Weblogic 10.3.2 visitor entitlements roles issue

  1)I am upgrading my weblogic portal application from Weblogic 8.1SP4 to Weblogic 10.3.2 version. I found that roles that created under visitor entitlements thru weblogic portal administration portal are not visible to assigned user.For example I created testRole for my application and added user testuser to this user.When I login to my portal application this user should able to see the portal page that related to testRole.But currently this is not working.
  To fix the above issue I created one new group under User and groups management and added the above user to that group and added that group to testRole. Now the user is able to see the portal pages
  My question is why the user is not able to access the roles when he is not part of any group.Because My portal application have different business users with different entitlement setups for which I cannot categorize under groups.
  The above functionality is working fine in Weblogic8.1SP4 production environment.
  Regards,
  Satya

  Hi Satya
  Post on the WebLogic forum....
  WebLogic Server - General
  Cheers
  David

• Are Visitor Entitlement Roles == Scoped Roles

  I'm working on the security implementation for a WebLogic 8.1 Portal application.
  I've been doing some prototyping and am trying to determine where Visitor Entitlement
  roles are stored. Are these implemented as scoped roles from a WL platform viewpoint.
  I created two test roles for my portal and do not see any scoped roles under
  the application or the portal node in the WebLogic console.
  I'm trying to determine if these portal entitlement roles are/can be treated as
  weblogic platform roles and can be used in security annotations for an EJB or
  Java Control, and if they can be used for IsCallerInRole. I can create a security
  policy to protect the portal resource, but I'm looking for a way to apply the
  corresponding security in the business layer.
  Thanks in advance for any advice.
  Jim

  Jim,
  The WLP roles are stored in the default role mapper provider. They are
  scoped roles, but only attachable to WLP resources (pages, portlets, etc.)
  and cannot be used to protect J2EE resources. The basic reason for this
  is because WLP roles can include custom predicates (date/time/profile
  attributes) that rely on layered product classes that the base application
  server is unaware of and cannot edit using the WLS console.
  In Service Pack 3, the WLP admin tools will allow the converse - that is,
  you'll be able to reference/use WLS global roles in WLP policies.
  Service Pack2 adds a new tag to the auth taglib which allows you to
  do a isUserInRole check against the WLP (and WLS) roles.
  -Phil
  "Jim Maycott" <[email protected]> wrote in message
  news:[email protected]..
  >
  I'm working on the security implementation for a WebLogic 8.1 Portalapplication.
  I've been doing some prototyping and am trying to determine where VisitorEntitlement
  roles are stored. Are these implemented as scoped roles from a WLplatform viewpoint.
  I created two test roles for my portal and do not see any scoped rolesunder
  the application or the portal node in the WebLogic console.
  I'm trying to determine if these portal entitlement roles are/can betreated as
  weblogic platform roles and can be used in security annotations for an EJBor
  Java Control, and if they can be used for IsCallerInRole. I can create asecurity
  policy to protect the portal resource, but I'm looking for a way to applythe
  corresponding security in the business layer.
  Thanks in advance for any advice.
  Jim

• Visitor entitlements have disappeared in Web Logic Portal console

  Hi all,
  Please help! We have an issue whereby our users no longer have permission to access parts of our web application. Upon further investigation, when looking in the Portal console under visitor entitlements, we see the following message:
  There are no visitor entitlement roles to display.
  We have checked the portal database, and can see the roles are still in there, but aren't being retrieved by the application. We can also add new roles through the console, which are persisted in the database, but these too do not show in the console.
  This had previously been working, and we are not sure what has changed.
  Please advise what further information I can provide to help resolve this!
  Kind regards,
  Mike

  Hi,
  I was able to find a white paper which discusses this topic.
  http://edocs.bea.com/wlp/docs81/whitepapers/vcr/index.html
  If this isn't helpful, please post this question to the portal newsgroup at http://newsgroups.bea.com/bea/forum.jspa?forumID=2044
  cheers
  Raj

• Access Visitor entitlements programmatically

  Hi,
  I wonder if it is possible to access (create, manage, delete) Visitor Entitlements programmatically by a Beehive control/Helper ...
  It is possible to do this for Delegated Admin roles with the DelegationRoleManagerControl control provided by Oracle. But I didn't find an equivalent to manage the Visitor Entitlements roles.
  I'm using Weblogic Portal 10.2 (Weblogic Server 10) on a JRockit R27.6.0 1.5.0_15
  Best.
  Edited by: user11804594 on 19 août 2009 02:54

  Hi
  if you want to get the list of roles for the currently logged in user thats possible.
  If you want to get the roles for any logged in user, its possible if you know what the entitlement definition is before hand. if the entitlement is based on directly assigning users to the role or groups to the role, then its fine and can be done without needing the code to know which role is which group, it can be done programmatically.
  if you have a more complicated and or clauses in the role definitiob or do not know the entitlement definition before hand then I dont think it is.
  Which scenario applies to you?

• How to configure a form based login page with entitlement role

  We need to have login page to our portal app.
  When using "form based" authentication is it possible to map the security on a
  "entitlement role" ?
  Our need is to be abled to give direct url acces to some pages of the portal (for
  exemple by sending urls like "http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_pageLabel=mypage")"
  by email to portal users) and need a simple mecanism of authentication before
  redirecting to the portal page.
  Inste

  Olivier,
  You can't reference WLP visitor roles in weblogic.xml, but you can
  reference global roles (created using the WLS console):
  - <security-role-assignment>
  <role-name>PortalSystemAdministrator</role-name>
  <externally-defined />
  </security-role-assignment>
  -Phil
  "Olivier" <[email protected]> wrote in message
  news:[email protected]..
  >
  We need to have login page to our portal app.
  When using "form based" authentication is it possible to map the securityon a
  "entitlement role" ?
  Our need is to be abled to give direct url acces to some pages of theportal (for
  exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
  Label=mypage")"
  by email to portal users) and need a simple mecanism of authenticationbefore
  redirecting to the portal page.
  Inste

• How to get entitlement role list

  How can I get the portal entitlement role list by API?
  If I use
  RolePolicyManager.listRolesForResource(String anEntAppName,
  String aWebAppName,
  String aResourceId)
  How can I specified the aResourceId such that the roles of entire portal will
  be retreived?
  Or it is just a wrong approach? Thx a lot!!
  Ken

  I can get it by calling
  String str[] = RolePolicyManager.listRolesForResource(
  ApplicationHelper.getApplicationName(),
  ApplicationHelper.getWebAppName(getRequest()),
  EntitlementConstants.P13N_ROLE_POLICY_POOL
  "Ken" <[email protected]> wrote:
  >
  How can I get the portal entitlement role list by API?
  If I use
  RolePolicyManager.listRolesForResource(String anEntAppName,
  String aWebAppName,
  String aResourceId)
  How can I specified the aResourceId such that the roles of entire portal
  will
  be retreived?
  Or it is just a wrong approach? Thx a lot!!
  Ken

• Visitor entitlements in a admin extension

  Hi,
  i want to extend my portal administration console.
  Is there a way to get a list of all visitor entitlements?
  Thanks!
  Markus

  look at RolePolicyManager
  e.g.
  import com.bea.p13n.management.ApplicationHelper;
  import com.bea.p13n.entitlements.common.EntitlementConstants;
  import com.bea.p13n.entitlements.management.RolePolicyManager;
  String entAppName=ApplicationHelper.getApplicationName();
  String webAppName = ApplicationHelper.getWebAppName(request);
  String[] policies = RolePolicyManager.listRolesForResource(entAppName, webAppName, EntitlementConstants.P13N_ROLE_POLICY_POOL);

• Weblogic Portal Samples-Dynamic Visitor tools sample

  Hi,
  For configuring the DVT samples at weblogic portal it is mentioned that 'The DVT Sample is not supported for a production environment'. We are not clear with this point.
  Will it work only for testing environment?
  Is it require to take any licence for this at production environment?
  We have used the DVT for Streaming Desktop and it works only when we enable the Dynamic Visitor tools sample in bea workshop while Adding the DVT Facet.
  Please clarify the same.
  Regards
  Himanshu

  Hi Himanshu
  It should work for Production Env also and as far as I know you DO NOT need any extra or separate license just to support this DVT samples. As the word itself mentions "DVT Samples", since its a kind of sample utility, BEA/Oracle officially do not support it. It can be used freely either in Dev/Test or Prod Env. Just incase if you run into any major issues, which really breaks DVT and if it do not work, then Support may say it is not supported. But still I guess they will not leave it in the air. So best thing is, do full regression testing in Dev/Test Env and then move to the Production Env. It should work for any Env as far as you install the Samples while installing WLP 10.x and Enable this facet when you create the Portal Domain.
  Thanks
  Ravi Jegga

• Weblogic 12c JAX-WS usernametoken policy authentication issue

  I created a simple JAX-WS webservice on weblogic12c. I added a cutom policy -a simple usernametoken policy.
  I added the policy to the webservice via the admin console. (inbound only)
  Testing from soapui, I was able to get a good response with correct username/password.
  If I dont pass the username/password , I get an Invalid security message.
  The issue is when I send in an incorrect username/and or password, I get following error:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
  <env:Fault>
  <faultcode>env:Server</faultcode>
  <faultstring>Unknown exception, internal system processing error.</faultstring>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  Why is the correct reason not receved in teh soap message???
  On turning on debug log, I was able to see following message in the server log:
  ####<Mar 13, 2013 4:37:41 PM EDT> <Debug> <SecurityAtn> <NJCDTL02> <myServer1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1363207061361> <BEA-000000>
       at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:601)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
       at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:601)
       at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
       at $Proxy16.login(Unknown Source)
       at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
       at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:601)
       at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
       at $Proxy34.authenticate(Unknown Source)
       at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
       at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:338)
       at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:345)
       at weblogic.xml.crypto.wss.SecurityUtils.assertId(SecurityUtils.java:100)
       at weblogic.xml.crypto.wss.SecurityUtils.assertIdentity(SecurityUtils.java:72)
       at weblogic.xml.crypto.wss.UsernameTokenHandler.getSubject(UsernameTokenHandler.java:207)
       at weblogic.xml.crypto.wss.WSSecurityContext.getSubject(WSSecurityContext.java:656)
       at weblogic.xml.crypto.wss.WSSecurityContext.getSubject(WSSecurityContext.java:596)
       at weblogic.wsee.security.wssp.handlers.PostWssServerPolicyHandler.processRequest(PostWssServerPolicyHandler.java:56)
       at weblogic.wsee.security.wssp.handlers.WssHandler.handleRequest(WssHandler.java:112)
       at weblogic.wsee.jaxws.framework.jaxrpc.TubeFactory$JAXRPCTube.processRequest(TubeFactory.java:222)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:892)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:841)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:804)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:706)
       at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:430)
       at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:640)
       at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:265)
       at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:163)
       at weblogic.wsee.jaxws.WLSServletAdapter.handle(WLSServletAdapter.java:171)
       at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:708)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
       at weblogic.wsee.util.ServerSecurityHelper.authenticatedInvoke(ServerSecurityHelper.java:103)
       at weblogic.wsee.jaxws.HttpServletAdapter$3.run(HttpServletAdapter.java:311)
       at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:336)
       at weblogic.wsee.jaxws.JAXWSServlet.doRequest(JAXWSServlet.java:99)
       at weblogic.servlet.http.AbstractAsyncServlet.service(AbstractAsyncServlet.java:99)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:242)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:216)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:132)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:352)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:235)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3284)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
       at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
       at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1512)
       at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
  >
  ####<Mar 13, 2013 4:37:41 PM EDT> <Debug> <SecurityAtn> <NJCDTL02> <myServer1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1363207061361> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  ####<Mar 13, 2013 4:37:41 PM EDT> <Debug> <SecurityAtn> <NJCDTL02> <myServer1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1363207061361> <BEA-000000> <LDAP Atn Abort>
  ####<Mar 13, 2013 4:37:41 PM EDT> <Debug> <SecurityAtn> <NJCDTL02> <myServer1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1363207061361> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
  ####<Mar 13, 2013 4:37:41 PM EDT> <Debug> <SecurityAtn> <NJCDTL02> <myServer1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1363207061361> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate failed for user test1234>

  Hi René ,
  i just use plain HTTP, not HTTPS.
  seems don't involve any certificate, am i right?
  in J2SE environment, i can run the webservice client without problem.
  but once i run the client in weblogic, the problem mentioned occurred.
  if i manually delete the ws-policy related tag in the wsdl file (i download it to local filesystem for testing), the client can run in weblogic too.
  so, think there is some setting in weblogic that try to handle the ws-policy by its so-called 'credential provider'(e.g. ClientUNTCredentialProvider ?)
  thank you.

• Regarding Enterprise Portal Role issue

  Hi,
  The system administrator  has assgined a role called "k-role"  to a user. The K-role has some  3 pages inside it. When the user view the portal with his id, he can see the role called "K-role" and the pages. But when he clicks a page to access the documents with in it, it says "ACCESS DENIED". There is no restriction kept at the document level. Restriction is only at the role level.
  What could the error be? How can i resolve this issue? How can the user access the document?
  Regards,
  Divya

  Hi Divya,
  the portal users assigned to super admin role (usually via group Administrators) do have full permissions on every document. You HAVE to add read permissions for group Everyone in order to make the documents accessible by every portal user.
  1.      Open the Details dialog box for the item (for example, for the folder).
  2.      Choose Settings ® Permissions.
  3.      Enter one or more users, groups, or roles.
  4.      Choose Add.
  5.      Select one of the following permissions: Read, Write, Read/Write, Delete, Full Control
  Best regards,
  Martin

• WebLogic Portal 9.2 MP1 Autonomy BEACMRepoFetch issue

  Hi,
  I would like to ask you a favor to look into my issue and respond if you have found a way to fix it.
  BEACMRepoFetch was not indexing the BEA CM contents with the default portal domain. I went through the documentation and found out that the "Search Indexing Enabled" must be "true" in WebLogic Admin Console | Content Management | BEA Repository. I changed the property value to "true". Now I get the following error. The CM full serach is still not working.
  <Mar 14, 2007 9:34:28 PM PDT> <Error> <Search> <BEA-415611> <Unable to create th
  e Content FullTextSearch database associated with repository BEA Repository due
  FullTextSearch engine error.
  com.bea.content.repo.internal.server.logic.search.CommandFailedException: autono
  my command did not complete in 300,000 msec, waited 299,985 msec, status=0
  at com.bea.content.repo.internal.server.logic.search.AutonomyHelper46.wa
  itForServerCommand(AutonomyHelper46.java:179)
  at com.bea.content.repo.internal.server.logic.search.AutonomyClient46Man
  ager.createDatabase(AutonomyClient46Manager.java:164)
  at com.bea.content.repo.internal.server.logic.search.AutonomyClient46Man
  ager.connect(AutonomyClient46Manager.java:91)
  at com.bea.content.federated.internal.VirtualRepositoryManagerImpl.ensur
  eFullTextSearchDatabaseExists(VirtualRepositoryManagerImpl.java:223)
  at com.bea.content.manager.internal.ContentListener.postStart(ContentLis
  tener.java:59)
  Truncated. see log file for complete stacktrace
  >

  The following need to be configured for CM Full Text Search (and BEACMRepoFetch) to work properly: (note these instructions are for a development box, not a production system)
  - this Autonomy integration will work with a BEA Repository
  - verify WLP_SEARCH_OPTION is set in the shell/command window before the server is started. This can be set to 'full', 'minimal', or 'none'. Set to 'full' to start up all the Autonomy processes.
  - verify the autonomy processes start up and stay running. You should see 8 or so processes like AutonomyIDOLServer.exe, content.exe, AutonomyDiSH.exe, category.exe, community.exe, FileSystemFetch.exe, BEACMRepoFetch.exe, HTTPFetch.exe, etc. I like to use the Process Explorer tool on Windows because it shows the hierarchy of processes.
  - check the Autonomy logs in the tree at WL_HOME/portal/thirdparty/autonomy/<os> for any 'error', 'warning', 'fail', 'unable', 'cannot', 'can't' messages. On windows, I like to use a tool like Agent Ransack to scan all *.log files in the entire directory tree for these strings. One semi-common message is that Autonomy sometimes will not start up if there is less than 1 Gb of free disk space.
  - verify the following properties/settings are set on the repository config (note some of these default to true): search-enabled=TRUE, fulltext-search-is-enabled=TRUE, search-indexing-is-enabled=TRUE, cm_fireRepositoryEvents=TRUE
  - verify your type and any associated properties have indexing enabled.

• Portfolio menu role issue.

  Dear Gurus,
  I am new to this FPN area.
  We are working on a Federated Portal Network(FPN).  We are having an SAP Enterprise Portal(company wide) and SAP BI Portal(content). The issue is that when ever we are trying to run the report under the Portfolio Menu role in BI Portal it is running without any error.  When we are running the same report under the Portfolio Menu role under SAP EP we are getting the error saying the requested page not found.  Please suggest a solution to this.

  BI portal and SAP EP both are different is it?
  Have you published the report in SAP EP properly and added to the role which is present in the SAP EP.
  When publishing report, you have make as template=<report technical name> at last.
  if any mistakes in the steps when you publish the report. it would give the error when you try to execute the report.
  Please check with your EP administrator.
  Hope this would help you.

• SAP MII workbench - saving new transaction - role issue?

  We are using MII 12.1.4 (build 53) and have copied the SAP java roles to our own groups (ABAP Roles) in the UME, including the defined actions of the SAP roles.  We then assign the ABAP role in ABAP to the User, so that in the UME they now have the groups assigned. 
  We have run into an issue where when creating a new transaction in the MII workbench we are unable to save it.  If we add the standard SAP UME role SAP_XMII_DEVELOPER, we are now able to create and save the transaction (or whatever work).  The only difference we can see in the SAP_XMII_DEVELOPER role and our copied role is the name, all the actions in SAP_XMII_DEVELOPER are in our Group (ABAP role).
  our ABAP role (UME Group) example is:
  ZZZZ:Z_MII_DEVELOPER (has UME role AD_JU_MII_DEVELOPER assigned)
  UME Roles:
  Z_MII_DEVELOPER has the 3 actions below assigned:
       xappsxmiiumeactions     XMII_User
       xappsxmiiumeactions     XMII_Read_Only
       xappsxmiiumeactions     XMII_Developer
  SAP_XMII_DEVELOPER has the same 3 actions as above, and the onluy difference is the description, and that it doesn't have any assigned groups.
  Does the MII workbench use the hardcoded role names somewhere that would not allow us to use  our the ABAP roles (JAVA groups) or is there something else we are missing in the group?
  I have searched the best practices, forums, SAP help, OSS, etc. with no luck
  Thanks for any help,
  jake

  Hi Jake,
  I also faced the same problem recently.
  As Mike said, you need to add your role in " Transaction -> Security". Here, you will find all the available roles. Put the required role in Reader and Writer Roles windows.
  As far as your question is concerned, by default MII assigns XMII Administrators, XMII Developers and XMII Users roles (MII 12.0) as Reader to Transaction. Where as MII assigns XMII Administrators and XMII Developers roles as Writer to Transaction.
  Hope this helps!
  Best Regards,
  Kedar

• SSAS Cube Role Issue

  Hi,
  I want to grant access to a user to a SSAS database. I'm able to add him to two databases but when i try to add him to the third database, it seems to hang. I have tried both GUI and XMLA query for this.The ALTER ROLE XMLA query(after extracting the member
  tag from the role query of another database) gives the following error in a couple of seconds:
  "Transaction errors: Aborting transaction on session 115585.
  Transaction errors: Aborting transaction on session 115585. Transaction errors: Aborting transaction on session 115585.
  I had to kill the query eventually. It doesn't seem to be a user issue as a simple alter role of the existing role also gives this error.
  I'm using SSAS 2005. Its strange that it is showing this issue suddenly today. Can someone please help?
  Regards,
  Sumit

  A restart of the SSAS service worked in this case. Never thought it would be as simple as this.