
Oracle Forms Menu Roles


Erwin van Diermen

Sep 29, 1999, 3:00:00 AM
Please help me out with the following problem:
I know it is possible to assign roles to forms menu items, it is even
possible to generate this with Des. 2000, but it does not work properly.
I still receive the error message: "FRM-10256 User is not authorized to
run Forms Menu". The user is granted a specific role that is allowed
to access the Menu and specific items in the menu, so.... what am I
doing wrong?
Does it have something to do with the 'default' menu items as there are:
FILE, HELP etc?

Please help me out

Erwin


Maurício Bellissimo Falleiros

Sep 29, 1999, 3:00:00 AM
Hi Erwin,

One thing I can remember you should do is granting access on the
developer tables to the user.
Another is verifying the "max_enabled_roles" parameter in your
init<SID>.ora file.
And (sorry, this should be the first thing) you should certify you
assigned the roles to each menu item within the path from the root menu.
(All roles used in some path must be included in the module's "Module
roles" property.)

Hope this helps,

Maurício.
--
Maurício Bellissimo Falleiros <mailto:m...@uniconsult.com.br>

Uniconsult Sistemas e Serviços <mailto:u...@uniconsult.com.br>
R. Demóstenes, 627 cj.134/142 - Campo Belo - São Paulo/SP - 04614-013
Brasil
Fone/Fax: +55-11-5350885 +55-11-5333335

"In a minute there is time
For decisions and revisions which a minute will reverse."
T.S.Eliot


Peter Hewson

Sep 29, 1999, 3:00:00 AM
Hi Erwin,

Depending on which version of forms you are using, you need to create a
table called F45_enabled_roles or F50_enabled_roles, owned by SYS user.

When you installed Forms, one of the options is to create forms tables. Have
a look on the Developer CD for documentation.

Hope this helps, Peter


Frank van Bortel

Oct 1, 1999, 3:00:00 AM
Erwin van Diermen wrote:

Do you have users and groups defined in Designer? There should be at least
one, or Designer "intelligently" skips security, as there are no users
anyway...

Here's a note from Oracle on generating menu security (des2k 1.3.2):


Introduction
============

Menu Security Roles allow menus to be created which can restrict access
to specific menu items by certain users. This can be achieved by
grouping users into common roles and then using those roles to restrict
access to certain menu items. Once the users and roles have been set up
any developer with DBA privileges should be able to assign the roles to
a menu module, or menu item. After using the Designer/2000 toolset to
create your module network, including the menu modules, you can then set
about refining the menu security itself.

Note: This article assumes you already know how to generate a Form
with an associated Menu.

You should be familiar with:
* Designer/2000 Repository Object Navigator
* Designer/2000 Preferences Navigator
* Designer/2000 Forms Generator
* Designer/2000 Module Structure Diagrammer
* Developer/2000 Forms Designer

The Menu Security Roles are based on roles defined in the Oracle7 RDBMS.

Prerequisites
=============
To implement Menu security it is a prerequisite that the Forms45 tables
and views have been created. To create these tables and views you need
to run the frm45bld.sql script as the user SYSTEM. After the tables and
views have been created you will need to grant access to them for the
user(s) who will be running the application; this is achieved by running
the frm45grnt.sql script as the user SYSTEM. The script will prompt you
for the name of the user you wish to grant access to. It is worth noting
that Oracle Forms 4.5.6.3 introduces a new script called frm45sec.sql
which creates the view needed to enable Menu security, thus removing the
need to have created the Forms tables and views.

User Privileges
===============
You can still generate Menu modules with security even if you do not have
the required privileges. If the roles that will have access to a generated
Menu already exist you can run the Generator without updating the role
information. However, the Generator will terminate with an error message
if a role does not exist. The Generator will not remove users from the
Menu security tables; to do this you will need to use Forms Designer.

The Preferences Navigator
=========================
The Module Properties affect the way in which the generator will actually
generate your menu module. The first thing to do is open a new properties
window for the specific module you are interested in and then expand the
hierarchy tree and click on the 'Menu Roles' node. You should then see
the following preferences:

MNUADR - Grant all roles access to generated template items with
         no security.
         Default = Y

MNUBGM - Background menu accessible to all created or updated
         menu security roles when the menu is running.
         Default = Y

MNUCDR - Create/Use default role containing all of the users
         defined in the repository application.
         Default = Y

MNUDBG - Debug will be allowed to all created or updated menu
         security roles when the menu is running.
         Default = Y

MNUDRN - Name for the default role that the generator will create
         if the preference MNUCDR = Y
         Default = DEVELOPER

MNUOSC - O/S commands will be allowed to all created or updated
         menu security roles when the menu is running.
         Default = Y

MNUSAS - Specifies whether the generator will generate any new
         security information as part of the new generation.
         When set to Y the generator suppresses the generation of
         all security information including the creation, updating
         and assignment of roles to new menu items.
         Default = N

You should also consider what values you have for the preferences under the
'Form/Menu Attachment' node but in particular look at the following:

FMNDSR - Specifies the Menu role property in the Forms module.
         If set, the Form runs the Menu as if the current user
         were a member of the specified security role.

Generating Menu Security Roles
==============================
The Generator uses information held within the Designer/2000 Repository
relating to module access to create the Menu roles that will be able to
access the generated Menu items.

Updating Menu Roles
===================
You can update Menu roles in three ways:

* During Menu generation
* During Form generation
* Independently of both Menu and Form generation

The role update process operates on all of the roles based on the current
application system.

Updating Roles During Menu Generation
-------------------------------------
The Generator will update the Menu security tables before generating the
Menu module if the user has the required privilege, preference MNUSAS = N,
and the 'Update Roles' checkbox in the Forms Generator dialogue box is
checked.

Updating Roles During Form Generation
--------------------------------------
When generating a Form which calls a Menu module, the role information for
the Menu will be updated if the user has the required privilege, preference
MNUSAS = N, the 'Update Roles' checkbox in the Forms Generator dialogue box
is checked, and 'Form and Associated Menu' is selected from the Option list
in the Forms Generator dialogue box.

Updating Roles Independently of Menu & Form Generation
------------------------------------------------------
To update the Menu security tables with information from the Designer/2000
Repository without generating the actual Form or Menu module, select the
'Roles' from the Option list in the Forms Generator dialogue box. The user
must have the required privilege to update the Menu security tables.


Assigning Roles to Menu Items
=============================
The Menu item roles are determined by what groups and users have access to
the module in the Designer/2000 Repository. The Generator will assign all
roles, given to individual menu items, to the whole generated Menu module.
Where a module on which the Menu item is based is accessed by a Repository
user or group the Generator will attempt to assign a Menu role to the Menu
item. If the appropriate Menu role does not exist in the Menu security
table then the Generator will terminate with an error. Where a module is
accessed by groups defined within other groups, the Generator will assign
a Menu role to the generated Menu item for every group or subgroup that
accesses the module and contains at least one user.

Deriving Roles from Groups
==========================
As mentioned in the 'Assigning Roles...' section, wherever a module is
accessed by groups defined within other groups, the Generator will assign
a Menu role to the generated Menu item for every group or subgroup that
accesses the module and contains at least one user. In the situation where
a group contains subgroups but no users, the Generator will create a role
for each of the subgroups that do contain users but no role for the parent
group itself. The Menu role created will be given the name of the group
defined in the Designer/2000 Repository. In Designer/2000 it is
possible to have groups defined in other application systems with the same
name. In this situation, the Generator will not create a new role for each
group across the different application systems; instead it will add users to
the original role created during the first run.

Deriving Roles from Users
=========================
The Generator will create a role for each user who is not part of a group
but has direct access to modules in the current application system. When
a role is created for a user it is given the same name as the user defined
in the Designer/2000 Repository. A new role will not be created for each
module that the user can access, instead the one role will allow access to
all of the modules to which the user has access.

Modules with Public Access
==========================
Where a module has public access granted, the Generator will assign all the
assigned roles on the whole Menu module to the Menu item based on that
module, deriving default roles. The Generator can create a default role for
all the users in an application system in the Designer/2000 Repository.
If no users are defined then the default role is created for the current
user. To create a default role, set the preference MNUCDR = Y and the
preference MNUDRN to the name you want the default role to be known as.

Assigning Default Roles
=======================
A default role is always assigned to the generated Menu module as a whole.
The Generator will also assign the default role to generated Menu items
if no access to the module has been defined and the preference MNUCDR = Y.

Standard Menu Items
===================
When standard Menu items are included in a generated menu, the Generator
will assign all roles that the Menu module has to the standard Menu items.

Template Menu Items
===================
Menu roles assigned to Menu Items in a template Menu module are assigned to
those items in the generated Menu module. When items in the template Menu
module are not assigned Menu roles then use preference MNUADR to specify
whether to assign all the Menu roles from the generated Menu module to those
items.

Using Forms Designer
====================
If you go into Forms Designer and look at the property sheet for a Menu you
can see whether a role has been defined against a particular Menu item.
In the top-level Menu property sheet under 'Security' there are two fields:

* Menu Module Roles
  This is used to construct the entire list of roles that may
  have access to the Menu module.

* Use Security
  This specifies whether the Form should enforce the security
  scheme.

At the item level you can specify which roles have access to the particular
Menu item. If the 'Display Without Privilege' property is set to False then
the item will not be displayed to users who do not have access to it. If it
is set to True then the item will appear but will be disabled (greyed out)
to users who do not have access to it. Note, the 'Display Without Privilege'
property is only valid when at least one database role has been specified in
the roles list.


REFERENCES
+-------------------------------------------+
| Oracle Designer/2000 Online Documentation |
| Oracle Forms 4.5 Developers Guide |
| Armin Gebbert <Note:31143.1> |
| Darren Smith <Note:8763.1> |
+-------------------------------------------+

--
Met vriendelijke groet/kind regards,

Frank van Bortel
Technical consultant Oracle

Work: Home:
---------------------------------- ----------------------------
V&L Informatica BV Hunzestraat 4
Palatijn 3, 7521 PN Enschede 7555 WB Hengelo
PoBox 545, 7500 AM Enschede (31)074-2425046
053-4341500

Frank van Bortel

Oct 1, 1999, 3:00:00 AM
Peter Hewson wrote:

That's SYSTEM, not SYS!
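
The database-side checks suggested in this thread (the role grant, the max_enabled_roles limit, and access to the enabled-roles view), gathered as SQL*Plus queries. This is an added example, not part of any poster's message or of the Oracle note; APP_USER is a constructed placeholder for the account that gets FRM-10256, and the LIKE pattern for the view name is an assumption wide enough to match the names given above.

```sql
-- Added troubleshooting sketch for FRM-10256. APP_USER is a constructed
-- placeholder; substitute the account that cannot run the menu.

-- 1. As a DBA: which roles does the user hold, and are they default roles?
--    Compare the result with the roles listed in the menu's
--    "Menu Module Roles" property and on each item along the menu path.
SELECT grantee, granted_role, default_role
FROM   dba_role_privs
WHERE  grantee = 'APP_USER'
ORDER  BY granted_role;

-- 2. As a DBA: the init<SID>.ora limit mentioned in the thread.
SELECT name, value
FROM   v$parameter
WHERE  name = 'max_enabled_roles';

-- 3. As APP_USER: roles enabled in the current session, to compare
--    against the grants from step 1 and the limit from step 2.
SELECT role
FROM   session_roles
ORDER  BY role;

-- 4. As APP_USER: is the enabled-roles view visible to this account?
--    ALL_OBJECTS lists only objects the current user can access, so no
--    rows means the view was never created or access was never granted.
--    The pattern is an assumption, not a documented object name.
SELECT owner, object_name, object_type
FROM   all_objects
WHERE  object_name LIKE 'F%ENABLED_ROLES';

-- 5. As APP_USER: who granted access to that view, and with what privilege?
SELECT table_schema, table_name, grantee, privilege
FROM   all_tab_privs
WHERE  table_name LIKE 'F%ENABLED_ROLES';
```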
