Dec 12, 2007 at 06:07 PM

Remove R/3 group permissions from Portal UME

Hi experts,

We have a problem removing certain permission attributes from a Portal user. This should be done by a Java Portal app using removeUserFromGroup (IGroupFactory).

The Portal user management is connected to a second ABAP instance, where all permissions are usually handled. Our process specifies that certain permissions need to be removed from a user after login and should be given back after an approval.

We had this working using Portal roles but now they want to use R/3 groups and I get the following error when trying to remove a group:

Attribute "PRINCIPAL_RELATION_MEMBER_ATTRIBUTE" on namespace "com.sap.security.core.usermanagement.relation" of principal "GRUP.R3_ROLE_DS.ZP43_XXX" is not modifiable.

Here is the basic method to handle the permission removal:

    public void deactivatePermissions() throws UMException {
        String dummy = appConfig.getValue(AppConfig.GROUP_PATTERN_DUMMY);
        String negativ = appConfig.getValue(AppConfig.GROUP_PATTERN_NEGATIV);
        String[] apps = getAuthorizableGroups();
        
        for (int i = 0; i < apps.length; i++) {
            // Previous role-based removal (still works for Portal roles):
//            String roleId = UMFactory.getRoleFactory().getRoleByUniqueName(apps[i]).getUniqueID();
//            String roleNegativId = UMFactory.getRoleFactory().getRoleByUniqueName(apps[i] + negativ).getUniqueID();
//            if (iUser.isMemberOfRole(roleNegativId, true))
//                UMFactory.getRoleFactory().removeUserFromRole(iUser.getUniqueID(), roleNegativId);
//            else
//                UMFactory.getRoleFactory().removeUserFromRole(iUser.getUniqueID(), roleId);

            // Group-based removal (fails with the "is not modifiable" error for R/3 groups):
            String groupId = UMFactory.getGroupFactory().getGroupByUniqueName(apps[i]).getUniqueID();
            String groupNegativId = UMFactory.getGroupFactory().getGroupByUniqueName(apps[i] + "_NEGATIV").getUniqueID();
            if (iUser.isMemberOfGroup(groupNegativId, true))
                UMFactory.getGroupFactory().removeUserFromGroup(iUser.getUniqueID(), groupNegativId);
            else
                UMFactory.getGroupFactory().removeUserFromGroup(iUser.getUniqueID(), groupId);
        }
    }

The comments show the code for the role removal which still works fine for Portal roles.

Question is: is this possible with groups also, maybe configurable, or do we have to deal here with limitations in connecting Java UME to ABAP?

Thanks a lot,

ok