YF:CA_SC_GEN-TESTER ISA security role

I have been using YF:CA_SC_GEN-TESTER in the dev environment successfully uptill now assigning this role to Internet users in Internet Sales scenario. In production we cannot use the same role. I need to create Business Partner, create catalogs, etc. Can someone help me in providing a role which gives this authorization while not using YF:CA_SC_GEN-TESTER. It is a composite role with around 40 single roles inside and argument from security team is it is too powerful and I need to tone it down. Any suggestions? Thanks in advance

The reason is stated in the log:
[System.err] java.net.UnknownHostException: APP265: APP265

Similar Messages

YF:CA_SC_GEN-TESTER security role

I have been using YF:CA_SC_GEN-TESTER in the dev environment successfully uptill now. In production we cannot use the same role. I need to create Business Partner, create catalogs, etc. Can someone help me in providing a role which gives this authorization while not using YF:CA_SC_GEN-TESTER. It is a composite role with around 40 single roles inside and argument from security team is it is too powerful and I need to tone it down. Any suggestions? Thanks in advance

Hi
yes, I had the same issue and I found a solution.
You need to request a patch for BUG 9212862 (already corrected in WLS 10.3.3) and do the follwing:
javax.xml.ws.BindingProvider provider = (javax.xml.ws.BindingProvider)port;
java.util.Map context = provider.getRequestContext();
context.put(weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_PREFERENCE, weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_MSFT);
This will cause the SecurityMessageArchitect class of WLS to not send the SecurityTokenReference in the Soap security header.
Please note that is evidently a non-comformity to the specs of microsoft:
Please give a look at
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf (8.3 Signing Tokens)
and also at:
http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
(3.4 Identifying and Referencing Security Tokens)
A SAML key identifier reference MUST be used for all (local and remote) references to SAML 1.1
assertions. [...]
All conformant implementations MUST be able to process SAML assertion references occurring in a
<wsse:Security> header or in a header element other than a signature to acquire the corresponding
assertion. A conformant implementation MUST be able to process any such reference independent of the
confirmation method of the referenced assertion.
It follows that the .NET 3.5 is a non conformat implementation: I would gladly know which is the position of Microsoft on that.
ciao
carlo

Invalid Security role-name error in Web Project

Hi All,
I have imported a J2EE application project built in JBOSS into NWDS 7.1.
While building the project i get the following error
CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN
This error directs me to the following code in web.xml
<security-constraint>
 <display-name>Default JSP Security Constraints</display-name>
 <web-resource-collection>
 <web-resource-name>Portlet Directory</web-resource-name>
 <url-pattern>/jsp/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
 </security-constraint>
I have tried out the following things to resolve this issue :
1) Remove the role manually(as suggested by various people in other J2EE forums), but then some other error came in to picture
2)Then I added the following code in web.xml
<security-role>
 <role-name>PEHNTAHO_ADMIN</role-name>
 </security-role>
Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
 java.rmi.RemoteException: class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
version status: HIGHER
deployment status: Admitted
description:
 1. Error:
Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
ERRORS:
Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
 
</web-app>
" is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
WARNINGS:
Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
3) I had also added the following code in web-j2ee-engine.xml
<security-role-map>
 <role-name>PEHNTAHO_ADMIN</role-name>
 <server-role-name>all</server-role-name>
 </security-role-map>
but still i get the same deployment error.
Please help me in resolving this problem.
Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
Thanks and Regards,
Sruti

Hi Malathy,
Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
Could you please let us know you created a roles named users in WLS ?
Thanks & Regards,
Murali.
============

How can I limit/control the addition of auth. objects to security roles?

Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
Edited by: Armando Salas on Nov 29, 2011 7:41 PM

Hi Armando,
Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
I hope this helps you
Regards
Eduardo

Problem mapping LoginModule roles to ejb security roles

I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
LoginContext lc = new LoginContext("current-workspace-app", cbh);
lc.login();
I then perform a lookup on a bean using the same user:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
env.put("java.naming.security.principal",username);
env.put("java.naming.security.credentials",password);
env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
Context ic = new InitialContext(env);
final SessionEJBHome sessionEJBHome =
(SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
Finally, I create an instance of the bean and call a method of this bean.
SessionEJB sessionEJB;
sessionEJB = sessionEJBHome.create( );
sessionEJB.testMe( );
I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
"username is not allowed to call this EJB method"
When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
Thanks
PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

Hi Sebastian,
yes, it is possible to do such mapping. And here how it works:
1. define security roles in the ejb-jar.xml within the <security-role>. For example:
<security-role>
 <role-name>test</role-name>
</security-role>
2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
<security-permission>
 <security-role-map>
 <role-name>test</role-name>
 <server-role-name>myUMErole</server-role-name>
 </security-role-map>
</security-permission>
the myUMErole must be defined in the UME!
Does this answer your question?

How can I know the security role of the logged in user

When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
But wondering when I log into my application with some user name and password (specified in my Oracle database),wondering how this works with the security role I created .How does J2EE know the security role of the logged in user.
Thanks
Manohar

shet wrote:
role at run time.
When I login say as "manju" and password as "money" then how does it know that this user belongs to this security role.Is that the j2ee administrator has to say that user manju has this this security role.Programmitically how does it really work.I am confusedThe j2ee implementation assigns the roles using the JAAS module you have configured for your application on your application server. different JAAS modules get roles in different ways. many allow a single static role to be assigned using a config file. if using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

Advice needed: what does your company log for SAP security role changes?

My client has a situation where for many years, they never logged changes to SAP security roles. By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!! Sadly their ticketing system is terrible, completely free-form text and not even searchable.
Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system? I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations. It's really weird but they will get into big trouble eventually without any logs for security changes!

Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
I have questions:
a) Do you want to make things straight
b) Do you want to implement a versioning mechanism
c) You cannot implement anything technical, but you`re asking about best "paper" practise?
The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
PFCG transaction usage will be curtailed to minimum if implemented fully.
Do we really want to do things "outside" PFCG?
@all:
a) do you guys use custom approval workflows for roles?
b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
c) who is a friend of GRC here, raise your hand
Cheers Otto
p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

Using weblogic security roles in authentication: weblogic 9

Hi All,
I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
But I have defined the role LTVORole in weblogic using the administrator console.
below are the details of what I have done:
Web.xml:
========
<?xml version='1.0' encoding='UTF-8'?>
<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
<j2ee:welcome-file-list>
 <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
 <j2ee:welcome-file>index.html</j2ee:welcome-file>
 <j2ee:welcome-file>index.htm</j2ee:welcome-file>
</j2ee:welcome-file-list>
<j2ee:login-config>
 <j2ee:auth-method>FORM</j2ee:auth-method>
 <j2ee:form-login-config>
 <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
 <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
 </j2ee:form-login-config>
</j2ee:login-config>
<security-constraint>
<display-name>checkAccountConstraint</display-name>
<web-resource-collection>
<web-resource-name>checkAccountCollection</web-resource-name>
 <url-pattern>test.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
 <role-name>LTVORole</role-name>
</auth-constraint>
</security-constraint>
</j2ee:web-app>Weblogic.xml
===========
<?xml version="1.0" encoding="UTF-8"?>
<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
<security-role-assignment>
 <role-name>LTVORole</role-name>
 <externally-defined/>
</security-role-assignment>
</ns:weblogic-web-app>I have created the role in weblogic in the menu
security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
Is it the right way to define a role?
Please help me find where I am going wrong.
Thanking you all in advance,
Gireesh

Hi All,
I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
But I have defined the role LTVORole in weblogic using the administrator console.
below are the details of what I have done:
Web.xml:
========
<?xml version='1.0' encoding='UTF-8'?>
<j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
<j2ee:welcome-file-list>
 <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
 <j2ee:welcome-file>index.html</j2ee:welcome-file>
 <j2ee:welcome-file>index.htm</j2ee:welcome-file>
</j2ee:welcome-file-list>
<j2ee:login-config>
 <j2ee:auth-method>FORM</j2ee:auth-method>
 <j2ee:form-login-config>
 <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
 <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
 </j2ee:form-login-config>
</j2ee:login-config>
<security-constraint>
<display-name>checkAccountConstraint</display-name>
<web-resource-collection>
<web-resource-name>checkAccountCollection</web-resource-name>
 <url-pattern>test.jsp</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
 <role-name>LTVORole</role-name>
</auth-constraint>
</security-constraint>
</j2ee:web-app>Weblogic.xml
===========
<?xml version="1.0" encoding="UTF-8"?>
<ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
<security-role-assignment>
 <role-name>LTVORole</role-name>
 <externally-defined/>
</security-role-assignment>
</ns:weblogic-web-app>I have created the role in weblogic in the menu
security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
Is it the right way to define a role?
Please help me find where I am going wrong.
Thanking you all in advance,
Gireesh

Mapping UME Roles to J2EE Engine Security Roles

Hi all,
is there a way to map the roles defined in UME which are used in a Web Dynpro application to those declared as part of an EJB descriptor?
Any help is highly appreciated.
Regards,
Sebastian

Hi Sebastian,
yes, it is possible to do such mapping. And here how it works:
1. define security roles in the ejb-jar.xml within the <security-role>. For example:
<security-role>
 <role-name>test</role-name>
</security-role>
2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
<security-permission>
 <security-role-map>
 <role-name>test</role-name>
 <server-role-name>myUMErole</server-role-name>
 </security-role-map>
</security-permission>
the myUMErole must be defined in the UME!
Does this answer your question?

Issue with generating a security role in program CRMD_UI_ROLE_PREPARE

Hello -
We have recently upgrade from CRM 2007 from CRM 4.0. We are working with the Business Roles and generating the security role from the business role using CRMD_UI_ROLE_PREPARE. We first create a simple test Business Role, a Z* copying from TPM_ROLE. Then we generated the security using CRMD_UI_ROLE_PREPARE. This was fine. Now was have copied a Business Role from TPM_ROLE that is one we want to use. We have created our own Z* Nav Bar and Role Config Key. This is working fine, but now when we try to generate using CRMD_UI_ROLE_PREPARE, the txt file is not generated, though there are no errors in the log. We can still generate the security role from our simple test. We have looked on line, and read the article in CRM Expert in June on Business Roles, but have not found the solution yet. Has anyone run into this?
thanks
 George

This is how I used this program:
A. Generate required authorization objects
1. T-Code: SA38
2. Enter report CRMD_UI_ROLE_PREPARE and choose Execute.
3. Select your Business Role.
4. Choose language EN.
5. Choose Execute.
Result: A file is created for each Business Role and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\<User ID>\SapWorkDir\.
B. Assign authorization objects
1. T-Code: PFCG
2. Enter your Role and choose Change.
3. On the Menu tab choose Import from file and upload the file previously created.
4. Choose Save.
Then adapt the authorizations if needed and choose Generate.
Stephanie.

Mapping security roles to other roles

I found the security newsgroup and posted the question there under the same topic. Kindly respond there.
Message was edited by:
jheinone

Hi Sebastian,
yes, it is possible to do such mapping. And here how it works:
1. define security roles in the ejb-jar.xml within the <security-role>. For example:
<security-role>
 <role-name>test</role-name>
</security-role>
2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
<security-permission>
 <security-role-map>
 <role-name>test</role-name>
 <server-role-name>myUMErole</server-role-name>
 </security-role-map>
</security-permission>
the myUMErole must be defined in the UME!
Does this answer your question?

Warning: EJB referenced an unknown security role?

Hello,
I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
In the EJB I have the following check:
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
At run time, I get the following warning in the WL window:
Fri Nov 10 12:56:58 EST 2000:
<EJB JAR deployment D:/weblogic/myserver/myBean.jar>
Warning: EJB "unu" referenced an unknown security role
However:
- the role IS defined (see ejb-jar.xml)
- has an associated principal (see weblogic-ejb-jar.xml)
- there is a principal defined in weblogic.properties
- this principal (and this role) is actually used in practice to access the
bean. Which works.
So why the warning?
Any hint appreciated,
Thanks.
ejb-jar.xml:
<assembly-descriptor>
<security-role>
<description>description of the ConspiratorRole</description>
<role-name>ConspiratorRole</role-name>
</security-role>
</assembly-descriptor>
weblogic-ejb-jar.xml:
<weblogic-ejb-jar>
<security-role-assignment>
<role-name>ConspiratorRole</role-name>
<principal-name>Conspirator</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>

You should not reference the role link in you code.The role link is used to
connect the role name in you code to the
role name in your deployment descripment. Only if this link is set up as you
have done below, will the isCallerInRole return true.
- Sri
Alf wrote:
I reviewed older postings and found indications of what appears to be a bug
in WL: that isCallerInRole always return false for role names but returns
correct values if the role names are linked with a reference in
<security-role-ref>. So, according to the DTD at
http://edocs.bea.com/wle/dd/ddref.htm#1038338 I added the following in
ejb-jar.xml:
<ejb-jar>
<enterprise-beans>
<session>
<security-role-ref>
<role-name>ConspiratorRole</role-name>
<role-link>ConspiratorRoleLink</role-link>
</security-role-ref>
and added 2 lines in the bean to test the both the role and the reference
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
if (ctx.isCallerInRole("ConspiratorRoleLink"))
System.out.println ("the user is in the ConspiratorRoleLink
role");
The unexpected result was a NullPointerException at
weblogic.ejb.internal.BaseEJBContext.isCallerInRole(BaseEJBContext.java:665)
Can anyone shed some light? Thanks.
"Alf" <alf> wrote in message news:[email protected]...
Hello,
I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
In the EJB I have the following check:
if (ctx.isCallerInRole("ConspiratorRole"))
System.out.println ("the user is in the ConspiratorRole role");
At run time, I get the following warning in the WL window:
Fri Nov 10 12:56:58 EST 2000:
<EJB JAR deployment D:/weblogic/myserver/myBean.jar>
Warning: EJB "unu" referenced an unknown security role
However:
- the role IS defined (see ejb-jar.xml)
- has an associated principal (see weblogic-ejb-jar.xml)
- there is a principal defined in weblogic.properties
- this principal (and this role) is actually used in practice to accessthe
bean. Which works.
So why the warning?
Any hint appreciated,
Thanks.
ejb-jar.xml:
<assembly-descriptor>
<security-role>
<description>description of the ConspiratorRole</description>
<role-name>ConspiratorRole</role-name>
</security-role>
</assembly-descriptor>
weblogic-ejb-jar.xml:
<weblogic-ejb-jar>
<security-role-assignment>
<role-name>ConspiratorRole</role-name>
<principal-name>Conspirator</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>

How reusable is a security role

Can I copy one from one org to another? More specifically, since the set of custom entities don't match, am I creating a problem or opportunity for collision by copying a security role from one org to another? Are custom entities managed by
guid or entityTypeCode within the security role?

I've just done a test and managed to import a role that was controlling access to an entity present on the origin CRM but not present on the destination CRM. the import went though without errors. the role was created on the destination, but the role's
settings for the custom entity disappear. So, even if that may not break the system, it Can cause confusion. Specially if you are moving across DEV, TEAST and PROD systems. Not a good practice.
I Hope I could help. If I have answered please mark as 'Answer'. If was just helpful, please vote. Thanks and happy coding! Bruno Lucas, http://dynamicday.wordpress.com/

Using the deployment plan to extend the security roles

Hi,
We have an existing application that has a set of security roles defined. This app has been deployed to Weblogic.
We would like provide additional security roles through this application. Currently, we have been doing this by manually editing the web.xml and the weblogic.xml files and redeploying the app. Is there any way to achieve this using the deployment plan feature ? If yes, how do we do it?
Regds,
Mridhula

you can use the following deployment Plan xml file:
<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://www.bea.com/ns/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/deployment-plan http://www.bea.com/ns/weblogic/deployment-plan/1.0/deployment-plan.xsd">
<application-name>deploy_plan</application-name>
<variable-definition>
<variable>
*<name>RoleName</name>*
*<value>plan</value>*
</variable>
<variable>
*<name>PrincipalName</name>*
*<value>test</value>*
</variable>
</variable-definition>
<module-override>
<module-name>appA.war</module-name>
<module-type>war</module-type>
<module-descriptor external="false">
<root-element>weblogic-web-app</root-element>
<uri>WEB-INF/weblogic.xml</uri>
 <variable-assignment>
*<name>PrincipalName</name>*
<xpath>/weblogic-web-app/security-role-assignment/[*role-name="plan"*]/principal-name</xpath>
</variable-assignment>
</module-descriptor>
<module-descriptor external="false">
<root-element>web-app</root-element>
*<uri>WEB-INF/web.xml</uri>*
 <variable-assignment>
*<name>RoleName</name>*
*<xpath>/web-app/security-constraint/auth-constraint/role-name</xpath>*
</variable-assignment>
 <variable-assignment>
*<name>RoleName</name>*
*<xpath>/web-app/security-role/role-name</xpath>*
</variable-assignment>
</module-descriptor>
<module-descriptor external="true">
<root-element>wldf-resource</root-element>
<uri>META-INF/weblogic-diagnostics.xml</uri>
</module-descriptor>
</module-override>
<config-root>E:\wls_docs\deploy_plan\plan</config-root>
</deployment-plan>
thanks,
Sandeep

Error :Authorization check for caller assignment to J2EE security role whil

Hi Experts,
i m working as a portal resource .
after the deployment of standered Sap e-rec package .
i m getting some error. i have assigned the recruiter role to one test user.
Now i m getting two issue:
1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
2) I m able to see few iview for the test user but those are also in detailed navigation view.
And few ivews are giving following error :
i)Internal error
ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
/System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
Full Message Text
ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
please suggest what can be done or what is pending from my side.

Prajakta2602 wrote:
Hi Experts,
>
> the previous issue got solved..
> it was due to servies pack miss match and applying notes
> the Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
> notes 1445294 and 1175239 were applied.
> now the issue is:
>
>
> After implemetation and i assigning the standerd sap roles
> 1)Recruiter Administrator
> 2)Recruiter
> to the test user .
> but for few iview it is showing error as in
> 1) you are not a authorized user
> 2) internal error
>
> please help experts.
>
> i m working on portal side have i to assign any role to that test user..
>
>
> Thnaks & Regards,
> Prajakta
You can run a quick check using the below steps:
1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
Regards,
Mahesh

YF:CA_SC_GEN-TESTER ISA security role

Similar Messages

Maybe you are looking for