Hi experts,
We have a problem removing certain permission attributes from a Portal user. This should be done by a Java Portal app using removeUserFromGroup (IGroupFactory).
The Portal user management is connected to a second ABAP instance, where all permissions are usually handled. Our process specifies that certain permissions need to be removed from a user after login and should be given back after an approval.
We had this working using Portal roles but now they want to use R/3 groups and I get the following error when trying to remove a group:
Attribute "PRINCIPAL_RELATION_MEMBER_ATTRIBUTE" on namespace "com.sap.security.core.usermanagement.relation" of principal "GRUP.R3_ROLE_DS.ZP43_XXX" is not modifiable.
Here is the basic method to handle the permission removal:
    public void deactivatePermissions() throws UMException {
        String dummy = appConfig.getValue(AppConfig.GROUP_PATTERN_DUMMY);
        String negativ = appConfig.getValue(AppConfig.GROUP_PATTERN_NEGATIV);
        String[] apps = getAuthorizableGroups();
        for (int i = 0; i < apps.length; i++) {
            // Previous role-based removal:
            // String roleId = UMFactory.getRoleFactory().getRoleByUniqueName(apps[i]).getUniqueID();
            // String roleNegativId = UMFactory.getRoleFactory().getRoleByUniqueName(apps[i] + negativ).getUniqueID();
            // if (iUser.isMemberOfRole(roleNegativId, true))
            //     UMFactory.getRoleFactory().removeUserFromRole(iUser.getUniqueID(), roleNegativId);
            // else
            //     UMFactory.getRoleFactory().removeUserFromRole(iUser.getUniqueID(), roleId);

            // Group-based removal:
            String groupId = UMFactory.getGroupFactory().getGroupByUniqueName(apps[i]).getUniqueID();
            String groupNegativId = UMFactory.getGroupFactory().getGroupByUniqueName(apps[i] + "_NEGATIV").getUniqueID();
            if (iUser.isMemberOfGroup(groupNegativId, true))
                UMFactory.getGroupFactory().removeUserFromGroup(iUser.getUniqueID(), groupNegativId);
            else
                UMFactory.getGroupFactory().removeUserFromGroup(iUser.getUniqueID(), groupId);
        }
    }
The comments show the code for the role removal which still works fine for Portal roles.
Question is: is this possible with groups also, maybe configurable, or do we have to deal here with limitations in connecting Java UME to ABAP?
Thanks a lot,
ok