Tag Archives: 12c

How to implement permissions on your activities with Oracle Adaptive Case Management ?

When our Oracle Adaptive Case Management project started we initially used the default permissions on the case (Public, Restricted) to make sure our activities were available to the correct BPM application roles. Behind this sits a complex authorization model of roles, with LDAP groups, with users, which allows access to the activities but also to the custom UI and human tasks.


An important concept of knowledge worker automation (on which of course our whole case is based) is that the users should not be locked into rigid BPM processes (and access constraints, I would like to add) which the IT department came up with. So activities would, on the one hand, be accessible to all internal knowledge workers anyway, because: “hey .. they are knowledge workers and know best, right ?”

The first exception

However, for some exceptions we got the requirement to allow only a specific role access to a specific activity. So we added a new permission for that role and made sure that the activity was only available to that role.

[Screenshot: new permission for role Senior Employee]

[Screenshot: set the permission on the activity]

And all was good, for a while …

Challenge accepted

This went pretty well for some time, until we ran into a new requirement which made us rethink our design:

  • We had the requirement that a specific activity, to which currently only permRoleSeniorEmployee had access, also had to be available to the role Medior Employee. Therefore the original design assumption, that every activity is available either to all employees OR to just 1 specific role (senior) for quality assurance, was no longer valid.

So we looked at our options :

  1. We added the application role Medior to the permRoleSenior permission as a quick win for now, but given our naming convention this would be a bit confusing in the long run. All other options below required a code change, build and deploy, so we tried to be smart and prevent this from ever happening again.
  2. The activity sadly doesn’t have a multi-select (both 11g and 12.2.1), so it is not possible to select both permRoleSenior and permRoleMedior.
  3. We could add a new permission like permRoleMediorAndSenior, but that still ties us to the code base.
  4. For future identical requirements we do not want to change the codebase of our ACM project; permissions should be changeable at runtime. So options 2 and 3 are both not smart in the long run.

Our “Best Practice”

We have long-running cases (like, really long), and redeploying a new version will not apply new permission requirements to running instances. We also have 50+ activities in our case, most of which are (currently) accessible to all employee levels (the example here just uses 2, but in reality we have many more roles), so the idea of creating a separate permission for each activity was not appealing. Eventually we decided that we just had to: for each activity we created a unique permission and configured it on the activity.

[Screenshot: new unique permission for the activity]

[Screenshot: set the permission on the activity]


Scripted Configuration

Because we now have a LOT of permissions and roles, we are grateful to have a WLST script that configures them automatically across our environments. The scripts have some customization, but the main logic was found on the big WWW (sorry, not sure where and who to give credits).

So first we need a property file

# permActMyProcess2

And the WLST script

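from java.util import Properties
from java.io import FileInputStream
from java.io import File
from oracle.security.jps.mas.mgmt.jmx.policy import PortablePrincipal
from oracle.security.jps.mas.mgmt.jmx.policy import PortablePermission
from oracle.security.jps.mas.mgmt.jmx.policy.PortablePrincipal import PrincipalType
import os, sys

PROPERTIES = sys.argv[1]

# Load the property file given as the first script argument
propInputStream = FileInputStream(PROPERTIES)
configProps = Properties()
configProps.load(propInputStream)
propInputStream.close()

# The property key names used below (pm.total, pm.<index>.*) are assumed;
# align them with the keys in your own property file
pmTotal = configProps.get('pm.total')
print '... property',pmTotal

# Sample credentials; outside a sandbox use connect(userConfigFile=..., userKeyFile=...)
connect('weblogic', 'welcome1', 't3://myserver:7001')

print '============================='
print 'Granting permissions...'
print '============================='
print '... property',pmTotal
i = 1
while (i <= int(pmTotal)) :
  prefix = 'pm.' + str(i) + '.'
  pmAppStripe = configProps.get(prefix + 'appStripe')
  pmPrincipalClass = configProps.get(prefix + 'principalClass')
  pmPrincipalName = configProps.get(prefix + 'principalName')
  pmPermClass = configProps.get(prefix + 'permClass')
  pmPermTarget = configProps.get(prefix + 'permTarget')
  pmPermActions = configProps.get(prefix + 'permActions')

  # OPSS application policy store MBean
  jpsBean = ObjectName('com.oracle.jps:type=JpsApplicationPolicyStore')

  print 'INFO - Index:',str(i),'| Name:',pmPrincipalName,'| Target:',pmPermTarget,' |Action:',pmPermActions

  # Look up the permissions the principal already holds in this application stripe
  principal = PortablePrincipal(pmPrincipalClass, pmPrincipalName,PrincipalType.CUSTOM)
  params = [pmAppStripe, principal.toCompositeData(None)]
  sign = ["java.lang.String", "javax.management.openmbean.CompositeData"]
  perms = mbs.invoke(jpsBean, "getPermissions", params, sign)

  permExists = false
  for perm in perms:
    p = PortablePermission.from(perm)
    if (p.target==pmPermTarget and p.permissionClassName==pmPermClass and pmPermActions in p.actions):
      permExists = true
      print 'INFO - Permission',pmPermTarget,'(',pmPermActions,') already set for ',pmPrincipalName

  # Grant only when the permission is not there yet, so the script can be re-run safely
  if not permExists:
    try:
      grantPermission(appStripe=''+pmAppStripe,principalClass=''+pmPrincipalClass,principalName=''+pmPrincipalName, permClass=''+pmPermClass, permTarget=''+pmPermTarget,permActions=''+pmPermActions)
      print 'INFO - Permission',pmPermTarget,'(',pmPermActions,') set for ',pmPrincipalName
    except:
      print 'ERROR - Failed adding permission ',pmPermTarget,'(',pmPermActions,') to',pmPrincipalName
      print sys.exc_info()

  i = i + 1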


The longer we thought about this, the more we think the current permission solution lacks some maintainability. It would (for instance) be nice if the BPM WorkSpace offered a graphical interface where all activities could easily be connected to the (already existing) BPM Application Roles. So hopefully in the near future ?

Posted by on 29-07-2016 in BPM, Oracle

Using the Human Task identification key to set your own taskId with Oracle BPM (and BPEL)


Our Oracle ACM/BPM system will create tasks which will not only be handled by users in a front-end but also through a B2B connection with our external partners. So we need to publish a message to our B2B partners when a task is available. The challenge here is that the taskId is externally generated in the Human Task component and for the BPM (and BPEL) process the taskId is unknown until the task is closed. So we need to generate our own taskId or a trick to capture and retrieve the taskId outside the process and send it back to the process.


We first looked at the option to use the Human Task onAssigned event, which we could capture through EDN and handle accordingly. However, one of the requirements was that we would not communicate an internal (task) ID to our B2B partners, so we needed to generate our own ID instead. So we thought about generating our own guid() and placing it on one of the ProtectedTextAttributes so we could use this to query the correct task. But Laurens van der Starre pointed out to us that Oracle actually has a solution for this and that we could use the identification key on the Human Task.

So below is an example of a process where our own key (a guid) is generated in the script task and then placed on the human task.


Map the generated variable on the Identification Key



In EM I can see that the generated key is 35373030303632323333383139353637. So we would normally communicate this to our B2B partner. Then on request from our B2B partner to send the details of the task service we can query the correct task using the Oracle TaskQueryService:




<env:Envelope xmlns:env="">
 <taskListResponse xmlns="">
 <task xmlns="">
 <systemAttributes> ... </systemAttributes>

Example / Sources


Posted by on 29-04-2016 in BPM, Oracle

Limitation in Oracle Adaptive Case Management (ACM) revision ID length

All our Oracle BPM projects use a revision id during deployment of the SCA component which is something like [4 digits].[svn-revision] which might look like 1602.71234

The Oracle SCA version format convention

In the Oracle documentation it states that the Oracle SCA composite revision must apply this format:
n0[.n1[.n2[.n3[.n4]]]][-milestone-name[milestone-number] | _patch-number]
Where all but “milestone-name” and “comment” are numeric, composed of one or more digits (0-9) from 0 up to a maximum value of 99999999.

This is the same convention you see on the error when deploying a composite with an incorrect revision format.


So we are good, because our revision naming standard only uses n0.n1 and neither number will reach the max value of 99999999 anytime soon.

The problem

However, when testing we discovered that once our revision passed 99999 we had a problem. Not because of the normal SOA or BPM components, which can easily handle the longer n1 digits, but because our Oracle ACM projects throw the following error when deploying a composite with a total(!) revision length of 10+:


: Case metadata deployment failed. 
Case metadata deployment failed for MyCase. 
Contact system administrator for assistance. 
at oracle.bpm.casemgmt.fabric.CaseManagementServiceEngine.deploy( 
at oracle.bpm.casemgmt.fabric.CaseManagementServiceEngine.deploy( 
at oracle.bpm.casemgmt.fabric.CaseManagementServiceEngine.deploy( 
Caused By: BPM-72806 
Caused By: javax.persistence.PersistenceException: Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException 
Internal Exception: java.sql.SQLException: ORA-12899: value too large for column "SOA_SOAINFRA"."CM_CASE_DEFINITION"."COMPOSITE_VERSION" (actual: 12, maximum: 10)

So when checking the SOAINFRA database design we discovered that for ACM components the revision is also stored in a column with a definition of VARCHAR2(10)

Name Null Type
----------------- -------- --------------


The solution

So we logged a service request (SR 3-12014738981) and together with Oracle Support we concluded that this is actually a bug in both 11g and 12c.
Bug 22564283 – Limitation in ACM revision ID due to CM_CASE_DEFINITION.COMPOSITE_VERSION

Yesterday we received confirmation from Oracle Support that the bug is fixed and we will receive a patch.
Meanwhile we can already use the workaround to update COMPOSITE_VERSION column in CM_ACTIVITY_DEFINITION and CM_CASE_DEFINITION to VARCHAR2(200).
So it was actually an easy fix on the SOAINFRA schema, which we assumed would also work if we “hacked” it in ourselves, but we’re still very glad that it was quickly handled and solved through Oracle Support with an officially supported patch.

alter table CM_ACTIVITY_DEFINITION modify (COMPOSITE_VERSION varchar2(200));
alter table CM_CASE_DEFINITION modify (COMPOSITE_VERSION varchar2(200));

So, if you run into the same problem, you can refer Oracle Support to the SR and BUG numbers mentioned above.

Posted by on 17-02-2016 in Uncategorized

Error in getting XML input stream with Oracle Business Rules 12.2.1

When trying to compile an Oracle ACM/BPM 12.2.1 project (with Oracle Business Rules) the following message is thrown: “Error in getting XML input stream”


When Oracle Business Rules 12.2.1 generates its default XSD it uses the full system path instead of a relative path for its imports. So make sure to manually change the import configuration.



Posted by on 12-02-2016 in Oracle



Using the Weblogic External Listen Address to support Network Address Translation (NAT) firewalls

When trying to connect or deploy from JDeveloper 12.2.2 to our Oracle Fusion Middleware 12.2.1 domain in the Amazon EC2 cloud I kept having connection problems. Contacting the consoles is not a problem, however extending the IDE Connection results in this error:


t3:// [RJVM:000575]Destination, 7011 unreachable.; nested exception is: Connection refused: connect; [RJVM:000576]No available router to destination.; nested exception is: java.rmi.ConnectException: [RJVM:000576]No available router to destination.Dec 08, 2015 9:50:35 AM logStackTrace

And deploying an artifact to the server results in the same error.


Weblogic configuration

I couldn’t find anything regarding the error on Oracle Support, but luckily my colleague Daljit Singh had the answer. Since Amazon EC2 uses a public IP (which we use to connect to the admin server), the internal passthrough to the Managed Servers fails. To solve this we should use the Weblogic “external listen address” configuration. The external listen address and port are used to support Network Address Translation (NAT) firewalls. These should match the IP address or DNS name that clients use to access applications on the server.

Go to the Weblogic console -> Environment -> Servers -> Managed Server -> Configuration -> General -> Advanced

Make sure the public IP address is stored in the External Listen Address here


Your managed server requires a restart afterwards. But then the connection issue is solved.



Posted by on 08-12-2015 in Weblogic



JPS-01050: Opening of wallet based credential store failed

After installing a new Oracle Fusion Middleware 12.2.1 domain on an Ubuntu server (for development purposes) and starting the AdminServer I get the following error:

<Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: There are 1 nested errors: JPS-01050: Opening of wallet based credential store failed. Reason at
at at

However, when checking the cwallet file it is there with proper access rights

ubuntu@ip-10-0-1-170:/opt/oracle/config/domains/rbx_dev/config/fmwconfig$ ls -l cwallet.sso
-rw------- 1 ubuntu ubuntu 194 Dec 1 13:11 cwallet.sso

So when searching we found this Oracle Support Doc ID 1923395.1

Unable Start AdminServer: JPS-01050: Opening of wallet based credential store failed. The FMW WebLogic Server (WLS) installation has been configured to use a non-default Java temporary files directory, i.e. the following has been set in the WebLogic startup or script:


Reference: How to Change the WebLogic Server Location for Temporary Files (Doc ID 1336002.1)
When the Middleware home was restored the directory specified by parameter was missing,
Therefore an IOException occurred when opening the wallet and WLS was unable to initialize the OPSS successfully.

The description, however, is not completely accurate for our specific problem, but it pointed us in the right direction: in our case the default /tmp folder is owned by root on Ubuntu and the “normal” ubuntu:ubuntu user/group running the Weblogic scripts has no access.

So we could fix the issue in 2 ways:

    1. Using a custom tmp folder in our script to which the ubuntu user had access
      ## CUSTOM FOR RBX_DEV ##
      ## CUSTOM FOR RBX_DEV ##
    2. Giving access to the default /tmp folder for our ubuntu user
      sudo chmod o+rwx /tmp
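A check for both causes named above (temp directory missing, or not writable by the account that starts WebLogic), as an added example that is not part of the original post or the Oracle note. It assumes the temp directory is set through the standard JVM property java.io.tmpdir, and the function names are hypothetical. It also reports a world-writable directory without the sticky bit, since a shared /tmp is normally mode 1777.

```python
import os
import re
import stat
import tempfile

DEFAULT_TMPDIR = "/tmp"  # JVM default for java.io.tmpdir on Linux


def resolve_tmpdir(java_options):
    """Return the directory a JVM started with these options uses for temp files."""
    match = re.search(r"-Djava\.io\.tmpdir=(\S+)", java_options)
    return match.group(1) if match else DEFAULT_TMPDIR


def diagnose_tmpdir(path):
    """Return a list of findings for the temp directory; empty means healthy."""
    if not os.path.isdir(path):
        return ["missing"]
    findings = []
    try:
        # Create and remove a file, which is what a process needs from its temp dir.
        handle, probe = tempfile.mkstemp(prefix="probe-", dir=path)
        os.close(handle)
        os.remove(probe)
    except OSError:
        findings.append("not-writable")
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        # World-writable without the sticky bit: any local user may delete or
        # replace files that belong to the server's account.
        findings.append("world-writable-without-sticky-bit")
    return findings


if __name__ == "__main__":
    # Constructed sample: an options string as it might appear in a start script.
    options = "-Xms512m -Djava.io.tmpdir=/opt/oracle/tmp"
    target = resolve_tmpdir(options)
    print(target, diagnose_tmpdir(target) or "ok")
```

Run it as the same OS user that starts the AdminServer.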

Posted by on 08-12-2015 in Weblogic



How to use dynamic validate in Oracle Service Bus 12c

One of the new features introduced in Oracle Service Bus 12c is dynamic validation. This feature validates a message against a WSDL or XSD schema file; both cases are explained here by Oracle. The example on the Oracle website shows this XML code to validate against an XSD:

<validate xmlns="">

However I tried “playing” with the new feature but couldn’t get it to work. The error I got was:

<soap:Text xml:lang="nl">OSB-382524: Failed to perform validation</soap:Text>
<con:fault xmlns:con="">
<con:reason>Failed to perform validation</con:reason>

After contacting Oracle Support I received the following info:

  • BUG 20367846: Internal Documentation  – Validate action to dynamically select a schema – documentation is not clear
  • BUG 20380158: Validate action – Dynamic validation throws NPE

A patch for BUG 20380158 was then released for Oracle Service Bus 12.1.3, which then could be downloaded from Oracle Support:


I downloaded patch 20380158 and used opatch to install it on my DEV environment.

..\p20380158_121300_Generic\20380158>opatch apply
Oracle Interim Patch Installer version
Copyright (c) 2014, Oracle Corporation.  All rights reserved.

Oracle Home       : C:\ORACLE\middleware_12.1.3
Central Inventory : C:\Program Files\Oracle\Inventory
from           : n/a
OPatch version    :
OUI version       :

OPatch detects the Middleware Home as "C:\ORACLE\middleware_12.1.3"

jul 09, 2015 12:48:49 PM oracle.sysman.oii.oiii.OiiiInstallAreaControl initAreaControl
INFO: Install area Control created with access level  0
Applying interim patch '20380158' to OH 'C:\ORACLE\middleware_12.1.3'
Verifying environment and performing prerequisite checks...
All checks passed.

Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = 'C:\ORACLE\middleware_12.1.3')

Is the local system ready for patching? [y|n] y
User Responded with: Y
Backing up files...

Patching component oracle.osb.server,
Patching component oracle.osb.server,

Verifying the update...
Patch 20380158 successfully applied
OPatch succeeded.

After the patch the error was still there, but I received a more detailed error message in my logging:

<soap:Text xml:lang="en">OSB-382571: Schema element: GetCaseRequestMessage not found</soap:Text>
<con:fault xmlns:con="">
<con:reason>Schema element: GetCaseRequestMessage not found </con:reason>

After more contact with Oracle Support it indeed appeared that the Oracle documentation was not correct (as mentioned earlier with their reference to BUG 20367846). The XML structure example shown by Oracle also requires a nameSpaceURI element, which means the correct XML input for dynamic validation against an XSD is:

<validate xmlns="">

Example Oracle Service Bus Project with Dynamic Validation

Here is an example of my SB project:


I first use an Assign action in my pipeline to create the $dynValidate variable with XQuery, which holds the XML structure for the validation. (You could also use the XQuery directly on the Validate action.)


Here is an example XQuery to generate the required Dynamic Validate XML structure:

xquery version "1.0" encoding "utf-8";
(:: OracleAnnotationVersion "1.0" ::)
(:: pragma parameter="$i_operation" type="xs:string" ::)

(: Build the dynamic validate structure for the requested operation :)
declare function local:dynValidate($i_operation as xs:string) as element() {
<validate xmlns="">
{
if ($i_operation = "getCase")
then <localname>getCaseRequestMessage</localname>
else if ($i_operation = "insertCase")
then <localname>insertCaseRequestMessage</localname>
else ()
}
</validate>
};

declare variable $i_operation as xs:string external;

local:dynValidate($i_operation)

After we have the $dynValidate variable we can use it as input for the Validate action. (As mentioned, you can also use the XQuery here directly instead of an expression with the earlier generated variable.)


Hope it helps!


Posted by on 29-07-2015 in Oracle, OSB