YF:CA_SC_GEN-TESTER security role

Similar Messages

• Invalid Security role-name error in Web Project

  Hi All,
  I have imported a J2EE application project built in JBOSS into NWDS 7.1.
  While building the project i get the following error
  <b>CHKJ3020E:Invalid Security role-name error: PEHNTAHO_ADMIN</b>
  This error directs me to the following code in web.xml
  <security-constraint>
            <display-name>Default JSP Security Constraints</display-name>
            <web-resource-collection>
                 <web-resource-name>Portlet Directory</web-resource-name>
                 <url-pattern>/jsp/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                 <b><role-name>PEHNTAHO_ADMIN</role-name></b>
            </auth-constraint>
            <user-data-constraint>
                 <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
  <b>I have tried out the following things to resolve this issue :</b>
  <b>1) Remove the role manually</b>(as suggested by various people in other J2EE forums), but then some other error came in to picture
  <b>2)Then I added the following code in web.xml</b>
  <security-role>
            <role-name>PEHNTAHO_ADMIN</role-name>
       </security-role>
  Then the above mentioned build error gets resolved, but then I get the following error while deploying the application.
  Dec 3, 2007 12:59:21 AM /userOut/daView_category (eclipse.UserOutLocation) [Thread[Deploy Thread,5,main]] ERROR: Deploy Exception.An error occurred while deploying the deployment item 'sap.com_AnalyticsApp2EAR'.; nested exception is:
       java.rmi.RemoteException:  class com.sap.engine.services.dc.gd.DeliveryException: An error occurred during deployment of sdu id: sap.com_AnalyticsApp2EAR
  sdu file path: D:\usr\sap\CE1\J01\j2ee\cluster\server0\temp\tcbldeploy_controller\archives\191\AnalyticsApp2EAR.ear
  version status: HIGHER
  deployment status: Admitted
  description:
            1. Error:
  Cannot update application sap.com/AnalyticsApp2EAR. Reason: The application sap.com/AnalyticsApp2EAR will not be update, because its validation failed. Reason:
  ERRORS:
  Web Model Builder: com.sap.engine.frame.core.configuration.NameNotFoundException: The parameter/s in String "<?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
       <!-- whole web.xml-->
  </web-app>
  " is/are not defined and could not be substituted., file: AnalyticsApp2.war#WEB-INF/web.xml, column 0, line 0, severity: error
  WARNINGS:
  Web Model Builder: Following tests could not be executed because of failed precondition test "Web Model Builder" : Implicit Constraints Test, JSF Application Test, Mapping Test, Web File Existence Test, Web Class Existence Test, Security Role Test, file: AnalyticsApp2.war, column -1, line -1, severity: warning
  <b>3) I had also added the following code in web-j2ee-engine.xml</b>
  <security-role-map>
            <role-name>PEHNTAHO_ADMIN</role-name>
            <server-role-name>all</server-role-name>
       </security-role-map>
  but still i get the same deployment error.
  Please help me in resolving this problem.
  Can anybody tell me the use of role "PEHNTAHO_ADMIN"?
  Thanks and Regards,
  Sruti

  Hi Malathy,
  Once the users are created in Authentication Provider, and once the roles are created in Weblogic Server, You just have to map users to roles in Jazn-data.xml.
  Could you please let us know you created a roles named users in WLS ?
  Thanks & Regards,
  Murali.
  ============

• YF:CA_SC_GEN-TESTER ISA security role

  I have been using YF:CA_SC_GEN-TESTER in the dev environment successfully uptill now assigning this role to Internet users in Internet Sales scenario. In production we cannot use the same role. I need to create Business Partner, create catalogs, etc. Can someone help me in providing a role which gives this authorization while not using YF:CA_SC_GEN-TESTER. It is a composite role with around 40 single roles inside and argument from security team is it is too powerful and I need to tone it down. Any suggestions? Thanks in advance

  The reason is stated in the log:
  [System.err] java.net.UnknownHostException: APP265: APP265

• Issues with test-all role and browser security

  WLS 10.3.5
  I have a deployed application on Linux using a SQLAuthentication and Authorization - all is well here.
  I have setup all the security (without the test-all role) and I cannot access any of the system.
  If I put the test-all role in - I can access the system.
  I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
  I have the menu setup to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist).
  So the context is fine.
  I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set - I get authorization errors - not authorized).
  Have I missed something in this?
  I have also noticed that if I close the browser (X) without logging out and come back into the system the authentication is totally bypassed and I go back in as the same user as before.
  Is there some way to destroy the previous context every time the welcome screen is executed.

  Add the following parameters to the Run options for the ViewController project:
  -Djps.auth.debug=true -Djps.auth.debug.verbose=true
  Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem.

• How can I limit/control the addition of auth. objects to security roles?

  Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
  Edited by: Armando Salas on Nov 29, 2011 7:41 PM

  Hi Armando,
  Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
  I hope this helps you
  Regards
  Eduardo

• Problem mapping LoginModule roles to ejb security roles

  I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
  PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
  LoginContext lc = new LoginContext("current-workspace-app", cbh);
  lc.login();
  I then perform a lookup on a bean using the same user:
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
  env.put("java.naming.security.principal",username);
  env.put("java.naming.security.credentials",password);
  env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
  Context ic = new InitialContext(env);
  final SessionEJBHome sessionEJBHome =
  (SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
  Finally, I create an instance of the bean and call a method of this bean.
  SessionEJB sessionEJB;
  sessionEJB = sessionEJBHome.create( );
  sessionEJB.testMe( );
  I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
  "username is not allowed to call this EJB method"
  When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
  Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
  Thanks
  PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• How can I know the security role of the logged in user

  When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, an Account enterprise bean might be accessed by customers, bank tellers, and branch managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.
  But wondering when I log into my application with some user name and password (specified in my Oracle database),wondering how this works with the security role I created .How does J2EE know the security role of the logged in user.
  Thanks
  Manohar

  shet wrote:
  role at run time.
  When I login say as "manju" and password as "money" then how does it know that this user belongs to this security role.Is that the j2ee administrator has to say that user manju has this this security role.Programmitically how does it really work.I am confusedThe j2ee implementation assigns the roles using the JAAS module you have configured for your application on your application server. different JAAS modules get roles in different ways. many allow a single static role to be assigned using a config file. if using a database, often there will be configuration to specify additional database fields which specify the role for a given username.
  At runtime, a developer can test roles using methods like EJBContext.isCallerInRole().

• Advice needed: what does your company log for SAP security role changes?

  My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
  Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
  I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

  Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
  I have questions:
  a) Do you want to make things straight
  b) Do you want to implement a versioning mechanism
  c) You cannot implement anything technical, but you`re asking about best "paper" practise?
  The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
  Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
  PFCG transaction usage will be curtailed to minimum if implemented fully.
  Do we really want to do things "outside" PFCG?
  @all:
  a) do you guys use custom approval workflows for roles?
  b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
  c) who is a friend of GRC here, raise your hand
  Cheers Otto
  p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

• Using weblogic security roles in authentication: weblogic 9

  Hi All,
  I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
  weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
  But I have defined the role LTVORole in weblogic using the administrator console.
  below are the details of what I have done:
  Web.xml:
  ========
  <?xml version='1.0' encoding='UTF-8'?>
  <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
    <j2ee:welcome-file-list>
      <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
      <j2ee:welcome-file>index.html</j2ee:welcome-file>
      <j2ee:welcome-file>index.htm</j2ee:welcome-file>
    </j2ee:welcome-file-list>
    <j2ee:login-config>
      <j2ee:auth-method>FORM</j2ee:auth-method>
      <j2ee:form-login-config>
        <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
        <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
      </j2ee:form-login-config>
    </j2ee:login-config>
  <security-constraint>
    <display-name>checkAccountConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>checkAccountCollection</web-resource-name>
          <url-pattern>test.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
          <role-name>LTVORole</role-name>
    </auth-constraint>
    </security-constraint>
  </j2ee:web-app>Weblogic.xml
  ===========
  <?xml version="1.0" encoding="UTF-8"?>
  <ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
    <security-role-assignment>
      <role-name>LTVORole</role-name>
     <externally-defined/>
    </security-role-assignment>
  </ns:weblogic-web-app>I have created the role in weblogic in the menu
  security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
  Is it the right way to define a role?
  Please help me find where I am going wrong.
  Thanking you all in advance,
  Gireesh

  Hi All,
  I am trying to create a simple application which uses declarative authorization configured in web.xml. I use the simple form based authentication. While trying to deploy my application, I get the error:
  weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: LTVORole.
  But I have defined the role LTVORole in weblogic using the administrator console.
  below are the details of what I have done:
  Web.xml:
  ========
  <?xml version='1.0' encoding='UTF-8'?>
  <j2ee:web-app xmlns:j2ee="http://java.sun.com/xml/ns/j2ee">
    <j2ee:welcome-file-list>
      <j2ee:welcome-file>login.jsp</j2ee:welcome-file>
      <j2ee:welcome-file>index.html</j2ee:welcome-file>
      <j2ee:welcome-file>index.htm</j2ee:welcome-file>
    </j2ee:welcome-file-list>
    <j2ee:login-config>
      <j2ee:auth-method>FORM</j2ee:auth-method>
      <j2ee:form-login-config>
        <j2ee:form-login-page>/login.jsp</j2ee:form-login-page>
        <j2ee:form-error-page>/error.jsp</j2ee:form-error-page>
      </j2ee:form-login-config>
    </j2ee:login-config>
  <security-constraint>
    <display-name>checkAccountConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>checkAccountCollection</web-resource-name>
          <url-pattern>test.jsp</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
          <role-name>LTVORole</role-name>
    </auth-constraint>
    </security-constraint>
  </j2ee:web-app>Weblogic.xml
  ===========
  <?xml version="1.0" encoding="UTF-8"?>
  <ns:weblogic-web-app xmlns:ns="http://www.bea.com/ns/weblogic/90">
    <security-role-assignment>
      <role-name>LTVORole</role-name>
     <externally-defined/>
    </security-role-assignment>
  </ns:weblogic-web-app>I have created the role in weblogic in the menu
  security realms > myrealm > roles and policies > Global Roles > roles > LTVORole
  Is it the right way to define a role?
  Please help me find where I am going wrong.
  Thanking you all in advance,
  Gireesh

• Mapping UME Roles to J2EE Engine Security Roles

  Hi all,
  is there a way to map the roles defined in UME which are used in a Web Dynpro application to those declared as part of an EJB descriptor?
  Any help is highly appreciated.
  Regards,
  Sebastian

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• Issue with generating a security role in program CRMD_UI_ROLE_PREPARE

  Hello -
    We have recently upgrade from CRM 2007 from CRM 4.0. We are working with the Business Roles and generating the security role from the business role using CRMD_UI_ROLE_PREPARE. We first create a simple test Business Role, a Z* copying from TPM_ROLE. Then we generated the security using CRMD_UI_ROLE_PREPARE. This was fine. Now was have copied a Business Role from TPM_ROLE that is one we want to use. We have created our own Z* Nav Bar and Role Config Key. This is working fine, but now when we try to generate using CRMD_UI_ROLE_PREPARE, the txt file is not generated, though there are no errors in the log. We can still generate the security role from our simple test. We have looked on line, and read the article in CRM Expert in June on Business Roles, but have not found the solution yet. Has anyone run into this?
  thanks
     George

  This is how I used this program:
  A. Generate required authorization objects
  1.     T-Code: SA38
  2.     Enter report CRMD_UI_ROLE_PREPARE and choose Execute.
  3.     Select your Business Role.
  4.     Choose language EN.
  5.     Choose Execute.
  Result: A file is created for each Business Role and saved on your computer in the SAP working directory. If you are working with Microsoft Windows XP, this file is saved in C:\Documents and Settings\<User ID>\SapWorkDir\.
  B. Assign authorization objects
  1.     T-Code: PFCG
  2.     Enter your Role and choose Change.
  3.     On the Menu tab choose Import from file and upload the file previously created.
  4.     Choose Save.
  Then adapt the authorizations if needed and choose Generate.
  Stephanie.

• Mapping security roles to other roles

  I found the security newsgroup and posted the question there under the same topic. Kindly respond there.
  Message was edited by:
  jheinone

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• Warning: EJB  referenced an unknown security role?

  Hello,
  I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
  In the EJB I have the following check:
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  At run time, I get the following warning in the WL window:
  Fri Nov 10 12:56:58 EST 2000:<I>
  <EJB JAR deployment D:/weblogic/myserver/myBean.jar>
  Warning: EJB "unu" referenced an unknown security role
  However:
  - the role IS defined (see ejb-jar.xml)
  - has an associated principal (see weblogic-ejb-jar.xml)
  - there is a principal defined in weblogic.properties
  - this principal (and this role) is actually used in practice to access the
  bean. Which works.
  So why the warning?
  Any hint appreciated,
  Thanks.
  ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <description>description of the ConspiratorRole</description>
  <role-name>ConspiratorRole</role-name>
  </security-role>
  </assembly-descriptor>
  weblogic-ejb-jar.xml:
  <weblogic-ejb-jar>
  <security-role-assignment>
  <role-name>ConspiratorRole</role-name>
  <principal-name>Conspirator</principal-name>
  </security-role-assignment>
  </weblogic-ejb-jar>

  You should not reference the role link in you code.The role link is used to
  connect the role name in you code to the
  role name in your deployment descripment. Only if this link is set up as you
  have done below, will the isCallerInRole return true.
  - Sri
  Alf wrote:
  I reviewed older postings and found indications of what appears to be a bug
  in WL: that isCallerInRole always return false for role names but returns
  correct values if the role names are linked with a reference in
  <security-role-ref>. So, according to the DTD at
  http://edocs.bea.com/wle/dd/ddref.htm#1038338 I added the following in
  ejb-jar.xml:
  <ejb-jar>
  <enterprise-beans>
  <session>
  <security-role-ref>
  <role-name>ConspiratorRole</role-name>
  <role-link>ConspiratorRoleLink</role-link>
  </security-role-ref>
  and added 2 lines in the bean to test the both the role and the reference
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  if (ctx.isCallerInRole("ConspiratorRoleLink"))
  System.out.println ("the user is in the ConspiratorRoleLink
  role");
  The unexpected result was a NullPointerException at
  weblogic.ejb.internal.BaseEJBContext.isCallerInRole(BaseEJBContext.java:665)
  Can anyone shed some light? Thanks.
  "Alf" <alf> wrote in message news:[email protected]...
  Hello,
  I get a weird error from WL 5.1 (SP6), using the default WLPropertyRealm.
  In the EJB I have the following check:
  if (ctx.isCallerInRole("ConspiratorRole"))
  System.out.println ("the user is in the ConspiratorRole role");
  At run time, I get the following warning in the WL window:
  Fri Nov 10 12:56:58 EST 2000:<I>
  <EJB JAR deployment D:/weblogic/myserver/myBean.jar>
  Warning: EJB "unu" referenced an unknown security role
  However:
  - the role IS defined (see ejb-jar.xml)
  - has an associated principal (see weblogic-ejb-jar.xml)
  - there is a principal defined in weblogic.properties
  - this principal (and this role) is actually used in practice to accessthe
  bean. Which works.
  So why the warning?
  Any hint appreciated,
  Thanks.
  ejb-jar.xml:
  <assembly-descriptor>
  <security-role>
  <description>description of the ConspiratorRole</description>
  <role-name>ConspiratorRole</role-name>
  </security-role>
  </assembly-descriptor>
  weblogic-ejb-jar.xml:
  <weblogic-ejb-jar>
  <security-role-assignment>
  <role-name>ConspiratorRole</role-name>
  <principal-name>Conspirator</principal-name>
  </security-role-assignment>
  </weblogic-ejb-jar>

• How reusable is a security role

  Can I copy one from one org to another?  More specifically, since the set of custom entities don't match, am I creating a problem or opportunity for collision by copying a security role from one org to another?  Are custom entities managed by
  guid or entityTypeCode within the security role?

  I've just done a test and managed to import a role that was controlling access to an entity present on the origin CRM but not present on the destination CRM. the import went though without errors. the role was created on the destination, but the role's
  settings for the custom entity disappear. So, even if that may not break the system, it Can cause confusion. Specially if you are moving across DEV, TEAST and PROD systems. Not a good practice.
  I Hope I could help. If I have answered please mark as 'Answer'. If was just helpful, please vote. Thanks and happy coding! Bruno Lucas, http://dynamicday.wordpress.com/

• Using the deployment plan to extend the security roles

  Hi,
  We have an existing application that has a set of security roles defined. This app has been deployed to Weblogic.
  We would like provide additional security roles through this application. Currently, we have been doing this by manually editing the web.xml and the weblogic.xml files and redeploying the app. Is there any way to achieve this using the deployment plan feature ? If yes, how do we do it?
  Regds,
  Mridhula

  you can use the following deployment Plan xml file:
  <?xml version='1.0' encoding='UTF-8'?>
  <deployment-plan xmlns="http://www.bea.com/ns/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/deployment-plan http://www.bea.com/ns/weblogic/deployment-plan/1.0/deployment-plan.xsd">
  <application-name>deploy_plan</application-name>
  <variable-definition>
  <variable>
  *<name>RoleName</name>*
  *<value>plan</value>*
  </variable>
  <variable>
  *<name>PrincipalName</name>*
  *<value>test</value>*
  </variable>
  </variable-definition>
  <module-override>
  <module-name>appA.war</module-name>
  <module-type>war</module-type>
  <module-descriptor external="false">
  <root-element>weblogic-web-app</root-element>
  <uri>WEB-INF/weblogic.xml</uri>
       <variable-assignment>
  *<name>PrincipalName</name>*
  <xpath>/weblogic-web-app/security-role-assignment/[*role-name="plan"*]/principal-name</xpath>
  </variable-assignment>
  </module-descriptor>
  <module-descriptor external="false">
  <root-element>web-app</root-element>
  *<uri>WEB-INF/web.xml</uri>*
       <variable-assignment>
  *<name>RoleName</name>*
  *<xpath>/web-app/security-constraint/auth-constraint/role-name</xpath>*
  </variable-assignment>
       <variable-assignment>
  *<name>RoleName</name>*
  *<xpath>/web-app/security-role/role-name</xpath>*
  </variable-assignment>
  </module-descriptor>
  <module-descriptor external="true">
  <root-element>wldf-resource</root-element>
  <uri>META-INF/weblogic-diagnostics.xml</uri>
  </module-descriptor>
  </module-override>
  <config-root>E:\wls_docs\deploy_plan\plan</config-root>
  </deployment-plan>
  thanks,
  Sandeep