Why security-role-assignment is required ?

Similar Messages

• Security-role and security-role-assignment not working in WL7.0

  Hello all..
  Some EJB components that worked fine in WebLogic 6.1 no longer work in
  WL7.0. It has to do with the security-role and security-role-assignment
  descriptor elements no longer allowing anonymous users to be included in the
  authorization for a bean.
  For example, in WL6.1 placing these items in ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <role-name>Employees</role-name>
  </security-role>
  <method-permission>
  <role-name>Employees</role-name>
  <method>
  <ejb-name>CustomerEJB</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
  <security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
  </security-role-assignment>
  worked fine for clients creating their context using a simple
  InitialContext() constructor without specifying SECURITY_PRINCIPAL or
  SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
  the security-role-assignment element above told WebLogic that "guest" was in
  the Employees role for purposes of this EJB archive.
  Worked in WL6.1, no longer works in WL7.0. Client receives typical
  permission exception:
  java.rmi.AccessException: Security violation: insufficient permission to
  access method 'create'
  If I explicity connect as "system" things are fine, or I can create a new
  user in the default realm in WebLogic, put a matching <principal-name>
  element in the section above, and connect as that user. Note that if I leave
  off the <security-role> section completely, or set the required role name to
  "everyone", the anonymous access works fine. Apparently the anonymous user
  is a member of "everyone" behind the scenes even though "everyone" does not
  appear in the realm list of groups or roles.
  So, my question boils down to this: Is there a "magic" username in WL7 like
  "guest" was in WL6.1 that can be mapped to the required role name, or must
  every client connection use a true weblogic-created user with appropriate
  role assignments used to map it to the required role name.
  -Greg
  P.S. Note that none of the EJB examples provided with WL used
  <security-role>..
  Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
  www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

  Below are the screen shots for PFCG:

• Projects Contract (R 12.1.3) Security Role Assignment

  In Projects Contract (R 12.1.3), is there any way we can have contingent worker(s) in the List of Values for “Employee” in Security Role Assignment window?

  Please check the Profile Option - OKE: Allow Contingent Workers
  This profile option determines whether contingent workers can be granted access to contracts or not.

• The security-role-assignment references an invalid security-role: Certifica

  In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
  weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
       at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
       at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
       at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
       at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
       at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
       at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
       at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
       at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
       at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
       at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
       at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
       at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
       at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
       at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
       at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
       at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
       at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
       at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
       at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
       at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
       at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
       at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
       at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
       at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
       at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
       at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
       at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
  <wls:security-role-assignment>
  <wls:role-name>Certificate</wls:role-name>
  <wls:externally-defined/>
  </wls:security-role-assignment>
  I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
  If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.

  Hi,
  I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
  DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
  Hope it helps,
  Luis

• Modify security role assignment at runtime

  hello,
  assume following example:
  In order to use declarative security on a EJB called TestBean, I secured
  TestBean by using the <method-permission> tag in ejb-jar_TestBean.xml,
  and grant permission to a role called adminRole
  At deploy-time, a principal called adminGroup is assigned to adminRole,
  using the <security-role-assigment> tag in weblogic-ejb-jar_TestBean.xml.
  The methods of TestBean are invoked by a JSP (TestJSP).
  This works fine.
  Now I want to add a new principal to adminRole at runtime.
  Is this possible as a matter of principle?
  Can this be managed by TestJSP?
  thanx for your help,
  Michael

  Hello,
  could you provide addition information on the server version and the facets installed in the dynamic web and EAR project ?
  thanks
  Raj

• Unable to assign all security roles to a user with a new custom security role

  Dear All,
  Happy New Year.!
  I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
  any desired security role to the new user.
  However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
  'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
  For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
  to assign some other security roles, including 'Support User Role', to new user 'y'.
  I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
  'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
  Appreciate any help that you can provide on the above issue.
  Thanks in anticipation.

  Hi,
  Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
  Refer:-
  http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
  Hope this helps!!!
  Thanks,
  Prasad
  Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

• Warning: EJB  referenced an unknown security role?

  Hello,
  I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
  In the EJB I have the following check:
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  At run time, I get the following warning in the WL window:
  Fri Nov 10 12:56:58 EST 2000:<I>
  <EJB JAR deployment D:/weblogic/myserver/myBean.jar>
  Warning: EJB "unu" referenced an unknown security role
  However:
  - the role IS defined (see ejb-jar.xml)
  - has an associated principal (see weblogic-ejb-jar.xml)
  - there is a principal defined in weblogic.properties
  - this principal (and this role) is actually used in practice to access the
  bean. Which works.
  So why the warning?
  Any hint appreciated,
  Thanks.
  ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <description>description of the ConspiratorRole</description>
  <role-name>ConspiratorRole</role-name>
  </security-role>
  </assembly-descriptor>
  weblogic-ejb-jar.xml:
  <weblogic-ejb-jar>
  <security-role-assignment>
  <role-name>ConspiratorRole</role-name>
  <principal-name>Conspirator</principal-name>
  </security-role-assignment>
  </weblogic-ejb-jar>

  You should not reference the role link in you code.The role link is used to
  connect the role name in you code to the
  role name in your deployment descripment. Only if this link is set up as you
  have done below, will the isCallerInRole return true.
  - Sri
  Alf wrote:
  I reviewed older postings and found indications of what appears to be a bug
  in WL: that isCallerInRole always return false for role names but returns
  correct values if the role names are linked with a reference in
  <security-role-ref>. So, according to the DTD at
  http://edocs.bea.com/wle/dd/ddref.htm#1038338 I added the following in
  ejb-jar.xml:
  <ejb-jar>
  <enterprise-beans>
  <session>
  <security-role-ref>
  <role-name>ConspiratorRole</role-name>
  <role-link>ConspiratorRoleLink</role-link>
  </security-role-ref>
  and added 2 lines in the bean to test the both the role and the reference
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  if (ctx.isCallerInRole("ConspiratorRoleLink"))
  System.out.println ("the user is in the ConspiratorRoleLink
  role");
  The unexpected result was a NullPointerException at
  weblogic.ejb.internal.BaseEJBContext.isCallerInRole(BaseEJBContext.java:665)
  Can anyone shed some light? Thanks.
  "Alf" <alf> wrote in message news:[email protected]...
  Hello,
  I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
  In the EJB I have the following check:
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  At run time, I get the following warning in the WL window:
  Fri Nov 10 12:56:58 EST 2000:<I>
  <EJB JAR deployment D:/weblogic/myserver/myBean.jar>
  Warning: EJB "unu" referenced an unknown security role
  However:
  - the role IS defined (see ejb-jar.xml)
  - has an associated principal (see weblogic-ejb-jar.xml)
  - there is a principal defined in weblogic.properties
  - this principal (and this role) is actually used in practice to accessthe
  bean. Which works.
  So why the warning?
  Any hint appreciated,
  Thanks.
  ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <description>description of the ConspiratorRole</description>
  <role-name>ConspiratorRole</role-name>
  </security-role>
  </assembly-descriptor>
  weblogic-ejb-jar.xml:
  <weblogic-ejb-jar>
  <security-role-assignment>
  <role-name>ConspiratorRole</role-name>
  <principal-name>Conspirator</principal-name>
  </security-role-assignment>
  </weblogic-ejb-jar>

• Using weblogic security roles in authentication: weblogic 9

  Hi All,
  I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
  weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
  But I have defined the role LTVORole in weblogic using the administrator console.
  below are the details of what I have done:
  Web.xml:
  ========
  <?xml version='1.0' encoding='UTF-8'?>
  <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
    <j2ee:welcome-file-list>
      <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
      <j2ee:welcome-file>index.html</j2ee:welcome-file>
      <j2ee:welcome-file>index.htm</j2ee:welcome-file>
    </j2ee:welcome-file-list>
    <j2ee:login-config>
      <j2ee:auth-method>FORM</j2ee:auth-method>
      <j2ee:form-login-config>
        <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
        <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
      </j2ee:form-login-config>
    </j2ee:login-config>
  <security-constraint>
    <display-name>checkAccountConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>checkAccountCollection</web-resource-name>
          <url-pattern>test.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
          <role-name>LTVORole</role-name>
    </auth-constraint>
    </security-constraint>
  </j2ee:web-app>Weblogic.xml
  ===========
  <?xml version="1.0" encoding="UTF-8"?>
  <ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
    <security-role-assignment>
      <role-name>LTVORole</role-name>
     <externally-defined/>
    </security-role-assignment>
  </ns:weblogic-web-app>I have created the role in weblogic in the menu
  security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
  Is it the right way to define a role?
  Please help me find where I am going wrong.
  Thanking you all in advance,
  Gireesh

  Hi All,
  I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
  weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
  But I have defined the role LTVORole in weblogic using the administrator console.
  below are the details of what I have done:
  Web.xml:
  ========
  <?xml version='1.0' encoding='UTF-8'?>
  <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
    <j2ee:welcome-file-list>
      <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
      <j2ee:welcome-file>index.html</j2ee:welcome-file>
      <j2ee:welcome-file>index.htm</j2ee:welcome-file>
    </j2ee:welcome-file-list>
    <j2ee:login-config>
      <j2ee:auth-method>FORM</j2ee:auth-method>
      <j2ee:form-login-config>
        <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
        <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
      </j2ee:form-login-config>
    </j2ee:login-config>
  <security-constraint>
    <display-name>checkAccountConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>checkAccountCollection</web-resource-name>
          <url-pattern>test.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
          <role-name>LTVORole</role-name>
    </auth-constraint>
    </security-constraint>
  </j2ee:web-app>Weblogic.xml
  ===========
  <?xml version="1.0" encoding="UTF-8"?>
  <ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
    <security-role-assignment>
      <role-name>LTVORole</role-name>
     <externally-defined/>
    </security-role-assignment>
  </ns:weblogic-web-app>I have created the role in weblogic in the menu
  security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
  Is it the right way to define a role?
  Please help me find where I am going wrong.
  Thanking you all in advance,
  Gireesh

• How to specify the security policy "Allow access to everyone" for security role in Deployment descriptor

  Hi,
  I am migrating a web application from Websphere to Weblogic. The web application has a security role defined in web.xml (Use LDAP for authentication).
  security-role>
          <description>Authenticated</description>
          <role-name>Authenticated</role-name>
      </security-role>
  This role is mapped to a special subject "All authenticated user in appliation realm" in WAS.
  In weblogic, I have the following setting in weblogic.xml
  <wls:security-role-assignment>
          <wls:role-name>Authenticated</wls:role-name>
          <wls:externally-defined />
      </wls:security-role-assignment>
  And after deploy the application, have to manually add a security role and add the security policy "Allow access to everyone" to this role.
  I am wondering if this setting can be specified in  for example weblogic.xml so just deploy web applicaiton using deployment descriptor, and I don't need write script to do that .
  Thanks

  Hi,
  You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
  And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
  Hope this will solve your problem.
  Regards
  MuRam

• Using the deployment plan to extend the security roles

  Hi,
  We have an existing application that has a set of security roles defined. This app has been deployed to Weblogic.
  We would like provide additional security roles through this application. Currently, we have been doing this by manually editing the web.xml and the weblogic.xml files and redeploying the app. Is there any way to achieve this using the deployment plan feature ? If yes, how do we do it?
  Regds,
  Mridhula

  you can use the following deployment Plan xml file:
  <?xml version='1.0' encoding='UTF-8'?>
  <deployment-plan xmlns="http://www.bea.com/ns/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/deployment-plan http://www.bea.com/ns/weblogic/deployment-plan/1.0/deployment-plan.xsd">
  <application-name>deploy_plan</application-name>
  <variable-definition>
  <variable>
  *<name>RoleName</name>*
  *<value>plan</value>*
  </variable>
  <variable>
  *<name>PrincipalName</name>*
  *<value>test</value>*
  </variable>
  </variable-definition>
  <module-override>
  <module-name>appA.war</module-name>
  <module-type>war</module-type>
  <module-descriptor external="false">
  <root-element>weblogic-web-app</root-element>
  <uri>WEB-INF/weblogic.xml</uri>
       <variable-assignment>
  *<name>PrincipalName</name>*
  <xpath>/weblogic-web-app/security-role-assignment/[*role-name="plan"*]/principal-name</xpath>
  </variable-assignment>
  </module-descriptor>
  <module-descriptor external="false">
  <root-element>web-app</root-element>
  *<uri>WEB-INF/web.xml</uri>*
       <variable-assignment>
  *<name>RoleName</name>*
  *<xpath>/web-app/security-constraint/auth-constraint/role-name</xpath>*
  </variable-assignment>
       <variable-assignment>
  *<name>RoleName</name>*
  *<xpath>/web-app/security-role/role-name</xpath>*
  </variable-assignment>
  </module-descriptor>
  <module-descriptor external="true">
  <root-element>wldf-resource</root-element>
  <uri>META-INF/weblogic-diagnostics.xml</uri>
  </module-descriptor>
  </module-override>
  <config-root>E:\wls_docs\deploy_plan\plan</config-root>
  </deployment-plan>
  thanks,
  Sandeep

• Ejb security role & bea implementation

  A role has been defined in ejb-jar as following:
  <security-role>
  <description><![CDATA[Deployer User]]></description>
  <role-name>deployer</role-name>
  </security-role>
  <method-permission>
  <description><![CDATA[Deployer Method Permission]]></description>
  <role-name>deployer</role-name>
  <method>
  <description><![CDATA[All method for CCPStateBean]]></description>
  <ejb-name>CCPStateBean</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  If the principal is included in the weblogic-ejb-jar as below, and the jndi lookup
  includes the SECURITY_PRINCIPAL (e.g., jzhu), the code works fine.
  <security-role-assignment>
  <role-name>deployer</role-name>
  <principal-name>jzhu</principal-name>
  </security-role-assignment>
  The problem comes when the principal is not included as above weblogic-ejb-jar
  instead a role "deployer" is defined in WLS's, The user ("jzhu") is defined in
  the deployer group. And the deployer group belongs to deployer role. The defaultRoleMapper
  is enabled. In this scenario, the access failed due to insufficient permission.
  Can ejb-jar's role relates to WLS's role. Please advise. THX.
  -John

  Thanks for the information. It works. I wish bea monitor this newsgroup since this
  is not in their document. By the way, the following links clarifies the relationship
  between DD and admin console security configuration.
  http://edocs.bea.com/wls/docs70/security/cli_apps.html#1090734
  -John
  "Arjuna Chala" <[email protected]> wrote:
  I don't know about "defaultRoleMapper", but this works
  <security-role-assignment>
  <role-name>deployer</role-name>
  <principal-name>deployer</principal-name>
  </security-role-assignment>
  where <role-name> maps to a ejb-jar role and <principal-name> maps to
  a
  weblogic group (in this case).
  "john" <[email protected]> wrote in message
  news:[email protected]..
  A role has been defined in ejb-jar as following:
  <security-role>
  <description><![CDATA[Deployer User]]></description>
  <role-name>deployer</role-name>
  </security-role>
  <method-permission>
  <description><![CDATA[Deployer Method Permission]]></description>
  <role-name>deployer</role-name>
  <method>
  <description><![CDATA[All method for CCPStateBean]]></description>
  <ejb-name>CCPStateBean</ejb-name>
  <method-name>*</method-name>
  </method>
  </method-permission>
  If the principal is included in the weblogic-ejb-jar as below, andthe
  jndi lookup
  includes the SECURITY_PRINCIPAL (e.g., jzhu), the code works fine.
  <security-role-assignment>
  <role-name>deployer</role-name>
  <principal-name>jzhu</principal-name>
  </security-role-assignment>
  The problem comes when the principal is not included as aboveweblogic-ejb-jar
  instead a role "deployer" is defined in WLS's, The user ("jzhu") isdefined in
  the deployer group. And the deployer group belongs to deployer role.The
  defaultRoleMapper
  is enabled. In this scenario, the access failed due to insufficientpermission.
  Can ejb-jar's role relates to WLS's role. Please advise. THX.
  -John

• How Does The security-role Mapping Work?

            I am studying the security part of the deployment descriptor. I am confused about
            how the mapping works.
            Suppose we have
            <security-role>
            <role-name>manager</role-name>
            </security-role>
            and
            <security-role-ref>
            <role-name>FOO</role-name>
            <role-link>manager</role-link>
            </security-role-ref>
            My first question is when a client of the servlet supplies a name for authentication,
            the name supplied should be FOO or can be, say, John Smith?
            Then, according to the Servlet Specification, a security role is a logical grouping
            of users defined by the Application Developer
            or Assembler. When the application is deployed, roles are mapped by a Deployer
            to principals or groups in the runtime environment.
            My second question is how deployer maps the role, say, manager, to principals
            or groups in the runtime environment?
            Thanks in advance.
            

            Thanks a lot, Udit.
            "Udit Singh" <[email protected]> wrote:
            >
            >Hello,
            >The role-name is mapped to principals or gruops based on the security-role-assignment
            >entrires in weblogic.xml. Let us say you have a role-name FOO and you
            >want to
            >assing this role to users John and Mark. You need to make this entry
            >in weblogic.xml-
            ><security_role_assignment>
            > <role-name>FOO</role-name>
            > <principal-name>John</principal-name>
            > <principal-name>Mark</principal-name>
            > </security_role_assignment>
            >
            >so now actually the user need to supply John or Mark as user name at
            >the time
            >of authentication . Hope it helps.
            >
            >Udit
            >
            >
            >"[email protected]" entrance wrote:
            >>
            >>I am studying the security part of the deployment descriptor. I am confused
            >>about
            >>how the mapping works.
            >>Suppose we have
            >><security-role>
            >><role-name>manager</role-name>
            >></security-role>
            >>
            >>and
            >>
            >><security-role-ref>
            >><role-name>FOO</role-name>
            >><role-link>manager</role-link>
            >></security-role-ref>
            >>
            >>My first question is when a client of the servlet supplies a name for
            >>authentication,
            >>the name supplied should be FOO or can be, say, John Smith?
            >>
            >>Then, according to the Servlet Specification, a security role is a logical
            >>grouping
            >>of users defined by the Application Developer
            >>or Assembler. When the application is deployed, roles are mapped by
            >a
            >>Deployer
            >>to principals or groups in the runtime environment.
            >>
            >>My second question is how deployer maps the role, say, manager, to principals
            >>or groups in the runtime environment?
            >>
            >>Thanks in advance.
            >>
            >>
            >>
            >
            

• Error :Authorization check for caller assignment to J2EE security role whil

  Hi Experts,
               i m working as a portal resource .
  after the deployment of standered Sap e-rec package .
  i m getting some error. i have assigned the recruiter role to one test user.
  Now i m getting two issue:
  1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
  2) I m able to see few iview for the test user but those are also in detailed navigation view.
     And few ivews are giving following error :
    i)Internal error
  ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
  Full Message Text
  ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  please suggest what can be  done or what is pending from my side.

  Prajakta2602 wrote:
  Hi Experts,
  >
  > the previous issue got solved..
  > it was due to servies pack miss match and applying notes
  > the Basis guy  checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
  > notes 1445294 and 1175239 were applied.
  > now the issue is:
  >
  >
  >  After implemetation and  i assigning the standerd sap roles
  > 1)Recruiter Administrator
  > 2)Recruiter
  > to the test user .
  > but for few iview it is showing error as in
  > 1) you are not a authorized user
  > 2) internal error
  >
  > please help experts.
  >
  >  i m working on portal side have i to assign any role to that test user..
  >
  >
  > Thnaks & Regards,
  > Prajakta
  You can run a quick check using the below steps:
  1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
  2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
  Regards,
  Mahesh

• How to assign possible agents at security role / CAG level?

  Hi Experts, How to assign possible agents at security role / CAG level?

  Yes, that's exactly what I'm talking about. In your task maintenance, goto additional data -> agent assignment -> Maintain
  Click on th task, click on the assign button. Choose object type 'Role', enter role.
  Cheers,
  Mike

• Security Scopes: All instances of the objects that are related to the assigned security roles greyed out

  So the guy who built our SCCM server is no longer in the company and his AD account no longer exists.  I noticed in SCCM however his account as the "All instances of the objects that are related to the assigned security roles"
  is selected. however the option is greyed out for everyone else.
  This option is the one found under Administration/Security/Administrative Users select the user and open properties then select the Security Scopes tab.
  Is there a way we can provide another user this same level access when we can no longer access through the original build account?
  Already looked into tombstone resurrection of his account thats a no go.
  

  Hi,
  I recommend you rebuild SCCM or open a case with Microsoft.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.