Access by User ID only

Similar Messages

• How do I restrict access so users can only visit certain sites?

  At work we are setting up a laptop in order to do only one thing - use one particular website. I'd like to make sure nobody can visit any other sites.

  Your secure computer has a piece of unpleasant software - My Web Search. Remove any signs of it in Add-ons>Extensions and Plug-ins. Also check in Add/Remove Programs(Programs and Features in Win7). Also make sure you don't have any entries for Fun Web Products.
  You are showing Fx3.5.8. If that is so, it is high time you updated. Chances are, though, that My Web Search has frozen your User Agent String.
  Google for further information but don't accept advice from people behind these products. You can also look in the Search Firefox Help box above.

• The kerberos PAC verification failure when all users of only one RODC Site, trying to get access iis webpage of different site using Integrated Windows Authentication

  The kerberos PAC verification failure when all users of only one Site which having only one RODC server(A), trying to get access iis webpage of different site which having WDC server(B) using Integrated Windows Authentication. But when they accessing the
  website using IP address, it is not asking for credentials as I think it is using NTLM Authentication at that time which is less secure than Kerberos.
  Note that:- All user accounts and Computers of the RODC has been allowed cache password on the RODC. Nearest WDC for the RODC (A) is the WDC (B).
  The website is hosted on a windows server 2003 R2 and generating below system event log for those users of the RODC site :-
  Event Type: Error
  Event Source: Kerberos
  Event Category: None
  Event ID: 7
  Date:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">date</var>
  Time:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">time</var>
  User: N/A
  Computer:
  <var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">computer_name (the 2003 server)</var>
  Description: The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client<var style="color:#333333;font-family:'Segoe
  UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">computer_name</var> in realm <var
  style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;line-height:normal;">realm_name</var> had
  a PAC which failed to verify or was modified. Contact your system administrator.
  This issue has been raised for last one week. Before that everything was fine. No Group Policy changed, Time also same.
  In this situation do I need to do Demotion of the RODC and re-promote it as RODC again  or is there any other troubleshooting to resolve it.
  Thanks in Advanced
  Souvik

   Hi Amy,
  Thanks for your response
  I noticed that Logon server could become incorrect again after user re-login or restart of a workstation.
  It seems root cause is different.  Need a permanent solution.
  The Workstations of the RODC site are getting IP from a DHCP server by automatic distribution of IP from a specific subnet for the site only.  The RODC is
  the Primary DNS server for the site.
  I have checked the subnet and it is properly bound with only with that AD site. The group of users and workstations are in the same site AD organisational Unit.
  Sometime I restarted the NET LOGON service and DNS server service on ther RODC server and sometime rebooted the server. But the Logon server issue has not fixed permanently.
  The internal network bandwidth of the site is better than the bandwidth to communicate with other site.  
  The server is Windows server 2008 R2 standard and hosting the below roles
  RODC
  DNS
  File server
  The server performance is Healthy in core times when maximum users usually logins. 
  Any further support would be much appreciated Amy
  Thanks
  Souvik

• HT4798 How do I gain access to Users & Groups preferences when I cannot even log in.

  I only have one apple ID linked and I cannot reset my password via the pop up box and cannot access the user groups as I cannot even log in.
  Can anyone help.
  Thanks
  Matt

  Reset Password
  OS X 10.6 Snow Leopard
  Follow the instructions in  second and third boxes.
  Reset Password using Recovery HD
  OS X 10.7 Lion /10.8 Mountain Lion
  Follow the instructions in the first and third boxes.
  http://pondini.org/OSX/Password.html
  Note
  Keychain
  I don't remember my original (former) account password
  https://support.apple.com/kb/HT1631

• Windows 7 Desktop synchronisation - Windows cannot access \\server\users\name\desktop

  Hi there
  My client has a laptop which won’t load the desktop when disconnected from the network. When you log on (while disconnected) you get the error
  “Windows cannot access \\server\users\name\desktop”
  Works as expected while connected to the network.
  The server is a Windows Small Business Server 2003 with active directory etc. and roaming profiles turned on. This issue does not occur on other workstations/laptops.
  When I check the Users folder on the local system drive there is not a desktop folder. I assume this is the issue although I’m not sure how you would force windows to create one or why one hasn’t been created?
  This is a brand new laptop so my initial reaction was to reset the laptop to factory state and then add the laptop back in to the domain. After this process the issue was still present!
  I guess the only thing I should mention is that this was shipped as a Home Premium laptop and was then upgraded to Professional using an upgrade key.
  I have checked Control Panel, System & Security, System, Advanced, User Profiles and the account shows as Local with Roaming Profiles greyed out.
  Any ideas?
  Martyn Fewtrell
  [email protected]
  Martyn Fewtrell TNC (IT Solutions) Ltd Email: [email protected] Web: http://www.tncit.co.uk

  Hi,
  I am just writing to check the status of this thread. Was the information provided in previous
  reply helpful to you? Do you have any further questions or concerns? Please feel free to let us know.
  Regards,
  Alex Zhao
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Alex Zhao
  TechNet Community Support

• How to restrict AS02 access to certain fields only

  How to restrict AS02 (Asset Master Record) access to certain fields only. Currently when you assigned AS02 to a certain user, this will enable the user to change all the fields in the asset master record. Suppose i want only the user to restrict the access to certain field eg.NDJAR (Life in Yrs).
  Thanks for your inputs.
  Regards,
  Robert

  hello,
  basis has to assign the proper activity with object A_S_ANLKL. in this case they have to allow activity 03 only with combination of Cocode,asset class. see some more details below.
  This authorization object is the first part of the object "asset master record."
  The definition at this level determines whether the user is authorized to process data in a given company code. The activity type for the transaction is also defined here. This authorization object is used for master data transactions, for the display of value fields, and for reporting.
  Defined Fields
  The following fields are assigned to the authorization object
  Asset class (specified by entering a value in the pop-up window)
  Company code (specified by entering a value in the pop-up window)
  Activity type - there are three different activity types:
  01 = Create
  02 = Change (including blocking and deleting)
  03 = Display

• Best practice for select access to users

  Not sure if this is the correct forum to post, if not then let me know where should I post.
  From my understanding this is the best forum to ask this questions.
  Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
  From time to time user want more and more access to different tables so that they can do investigation properly.
  Let me know if there exists a best practice document around this space.
  Asked in this forum as this is related to PL/SQL access.

  Welcome to the forum!
  Whenever you post provide your 4 digit Oracle version.
  >
  Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
  From time to time user want more and more access to different tables so that they can do investigation properly.
  Let me know if there exists a best practice document around this space.
  >
  There are many best practices documents about various aspects of security for Oracle DBs but none are specific to developers doing invenstigation.
  Here is the main page for Oracles' OPAC white papers about security.
  http://www.oracletechnetwork-ap.com/topics/201207-Security/resources_whitepaper.cfm
  Take a look at the ones on 'Oracle Identity Management' and on 'Developers and Identity Services'.
  http://www.dbspecialists.com/files/presentations/implementing_oracle_11g_enterprise_user_security.pdf
  This paper by Database Specialists shows how to use Oracle Identity Management to limit access to users such as developers through the use of roles. It shows some examples of users using their own account but having limited privileges based on the role they are given.
  http://www.dbspecialists.com/files/presentations/implementing_oracle_11g_enterprise_user_security.pdf
  And this Oracle White Paper, 'Oracle Database Security Checklist', is a more basic security doc that discusses the entire range of security issues that should be considered for an Oracle Database.
  http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
  You don't mention what environment (PROD/QA/TEST/DEV) you are even talking about or whether the access is to deal with emergency issues or general reproduction and fixing of bugs.
  Many sites create special READONLY roles, eg. READ_ONLY_APP1, and then grant privileges to those roles for tables/objects that application uses. Then that role can be granted to users that need privileges for that application and can be revoked when they no longer need it.
  Some sites prefer creating special READONLY users that have those read only roles. If a user needs access the DBA changes the password and provides the account info to the user. When the user has completed their duties the DBA resets the password to something no one else knows.
  Those special users have auditing on them and the user using them is responsible for all activity recorded in the logs during the time the user has access to that account.
  In general you grant the minimum privileges needed and revoke them when they are no longer needed; generally through the use of roles.
  >
  Asked in this forum as this is related to PL/SQL access.
  >
  Please explain that. Your question was about 'access to different tables'. How does PL/SQL access fit into that?
  The important reason for the difference is that access is easily controlled thru the use of roles but in named PL/SQL blocks roles are disabled. So those special roles and accounts mentioned above are well-suited to allowing developers to query data but are not well-suited if the user needs to execute PL/SQL code belonging to another schema (the app schema).

• Unable to provision Business Rules access for users

  Hi all,
  Our analytic server is properly configured in Shared Services : we can correctly create users, provision Essbase access for those users, change password, etc...
  An application business rules is visible in the left pane of shared services, but we are not able to provision Business rules access for users.
  When we try to provision access for a user, we have only access to the Analytic properties.
  What's going wrong ?

  It sounds like the user you login to HSS with hasn't been assigned with "Provisioning Mgr" rights to business rules.
  Get the HSS admin user to grant you these rights and you should then be able to provision users to use Business RUles.
  Gee

• RAR: Risk resolution options , Remove access from user is disabled

  Hi All,
  In RAR , After risk analysis, if we click on risk description 3 Risk resolution options are there.
  Mitigate Risk
  Remove access from user
  Delimit access for user
  In these options mitigate risk only working.I am using GRC SP 5.
  How about other two options , save button is disabled.How to enable this?
  can we remove/delimit access to  user using these options? any body  tested these options?
  Thanks n Regards,
  Joseph

  Joseph,
     These functionalities do not exist in the tool and these buttons have been in the RAR for past 2 years. SAP wants clients to use CUP for removing or delemiting access so I highly doubt this will ever work.
  Alpesh

• How to check if the user has only the display authority of a message

  hi,
  How to check if the user has only the display authority of a message but does not have the change authority for a certain message?
  Best regards,

  hi blake
  though i am an application consultant and for authorisation u need to have help of BASIS person if u r not the one but still i can guide u regarding the same,
  Basically Authorization Management 
  Use
  You can use the following authorization objects to control the authorizations for maintaining business partner data:
  •        Authorization objects for the Business Partner:
  •     &#61601;        B_BUPA_GRP
  •     &#61601;        B_BUPA_ATT
  •     &#61601;        B_BUPA_FDG
  •     &#61601;        B_BUPA_RLT•       
  Authorization objects for relationships:
  •     &#61601;        B_BUPR_BZT
  •     &#61601;        B_BUPR_FDG
  In addition, you can assign an authorization group to a business partner in the dialog. The authorization group controls which users may maintain data for this business partner.
  You can also define authorizations for fields and field groups using the Business Data Toolset (BDT). Depending on the settings you have made, the system carries out the relevant authorization checks.
  In the dialog in the SAP GUI, you can display an overview of the authorizations assigned to you by pressing the button Settings.
  For more information on authorization management, see the Implementation Guide (IMG) of the Business Partner, as well as in the Developer’s Handbook for the BDT under  Authorizations.
  IntegrationAuthorization management for the Business Partner forms part of the  SAP authorization concept.
  Prerequisites
  You have made the necessary settings in Customizing of the Business Partner under Basic Settings--> -Address Management.
  Moving over
  AS ABAP Authorization Concept 
  The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.
  To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
  Authorization Checks 
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
  •        Starting SAP transactions (authorization object S_TCODE)
  •        Starting reports (authorization object S_PROGRAM)
  •        Calling RFC function modules (authorization object S_RFC)
  •        Table maintenance with generic tools (S_TABU_DIS)
  Checking at Program Level with AUTHORITY-CHECK
  Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
  AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
  Starting SAP Transactions
  When a user starts a transaction, the system performs the following checks:
  •        The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
  •        The system then checks whether the user has authorization to start the transaction.
  The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
  •     &#61601;        The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
  •     &#61601;        If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, table TSTCA).
  If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
  •        The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.
  The check is not performed in the following cases:
  You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
  This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
  •     &#61601;        You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
  •     &#61601;        So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).
  All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
  Starting Report Classes
  You can perform additional authorization checks by assigning reports to authorization classes (using report RSCSAUTH). You can, for example, assign all PA* reports to an authorization class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the appropriate authorization to execute reports in this class.
  We do not deliver any predefined report classes. You must decide yourself which reports you want to protect in this way. You can also enter the authorization classes for reports with the maintenance functions for report trees. This method provides a hierarchical approach for assigning authorizations for reports. You can, for example, assign an authorization class to a report node, meaning that all reports at this node automatically belong to this class. This means that you have a more transparent overview of the authorization classes to which the various reports are transported.
  You must consider the following:
  •     •         After you have assigned reports to authorization classes or have changed assignments, you may have to adjust objects in your authorization concept (such as roles (activity groups), profiles, or user master records).
  •     •         There are certain system reports that you cannot assign to any authorization class. These include:
  •     •         RSRZLLG0
  •     •         STARTMEN (as of SAP R/3 4.0)
  •     •         Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001, ZXUSRU01).
  •     •         Authorization assignments for reports are overwritten during an upgrade. After an upgrade, you must therefore restore your customer-specific report authorizations.
  Calling RFC Function Modules
  When RFC function modules are called by an RFC client program or another system, an authorization check is performed for the authorization object S_RFC in the called system. This check uses the name of the function group to which the function module belongs. You can deactivate this check with parameter auth/rfc_authority_check.
  Checking Assignment of Authorization Groups to Tables
  You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
  You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
  please See also:
  •        SAP Notes 7642, 20534, 23342, 33154, and 67766
  guess this info will help you,there is one graphic which actually explain the hierarchy of authorisation,i will find some time out to let u know more info about the authorisation
  but if u sit with ur BASIS guy then u can learn lot of things in PFCG
  i guess u r a basis guy,then its not a problem
  best regards
  ashish

• SharePoint 2013 On-Prem- Can I limit users of only 1 group should be only able to create OneDrive?

  I have a requirements of limiting users to use onedrive for business site. What I want to do is below
  1) I want to configure in such a way that not all users should be able to create their personal site
  2) only members of a particular AD group should be able to create oneDrive?
  Is this possible? and how?

  You can do this by editing the permissions in the User Profile service application.  Access the User Profile service in Central Admin.  Click on the Manage User Permissions link in the first set of links on the manage user profile page.  By
  default the groups listed have all three permissions.  Remove the Create Personal Site permission from all the existing groups.  Now add the AD group that you want to be able to create personal MySites (OneDrive) and give them all three permissions.
   Click OK.
  This won't affect any existing users that already created mySites (OneDerive).  But only members of the AD group you gave permission to will be able to create OneDrive for business sites from then on.
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• How to restrict user to only see Performance Monitoring in RWB?

  Hi
  I have an issue, where I would like to let a business person see how many requests, there have been the last 24 hours for a given interface in PI 7.11. This can be done, in the RWB -> Performance monitoring, but how do I restrict the user, to only have access to the Performance Monitoring link in RWB?
  Shold I just give him the UME role "NWA_READONLY" even though, this probably will also give him access to the other links in RWB? Or is there a smarter way?
  BR
  MIkael

  Hi,
  There is no way to provide access to only Performance monitoring in RWB.

• How to deliver MM02 to user with only Bin Location editable.

  My user wishes to have access to change only the Bin Location field in MM02. How can we achieve this? or in other words how can we deliver MM02 to user with only the Bin Location field editable.
  My basis guy sees a possibility if we can some how provide the authorization objects of all the fields of MM02.Shall that be a practical approach. if yes, what is the way of finding the authorization objects?
  Regards,
  Alok.

  Hi,
  You can create a transaction variant in SHD0 for MM02.
  [Transaction variants|http://help.sap.com/saphelp_nw70/helpdata/en/7d/f639f8015111d396480000e82de14a/content.htm] simplify transaction flow by:
  -Inserting default values in fields
  -Hiding and changing the ready for input status of fields
  -Hiding and changing the attributes of table control columns
  -Hiding individual menu functions
  -Hiding entire screens
  Transaction variants are actually made up of a series of screen variants. The field values and field attributes for each screen in a transaction variant are stored in screen variants. Each variant is assigned to a transaction. Variants may, however, contain values for screens in multiple transactions, if transaction flow makes this necessary. The transaction the variant is assigned to serves as its initial transaction, whenever you start the variant.
  Both client-specific and cross-client transaction variants exist. Screen variants are always cross-client; they may, however, be assigned to a client-specific transaction.
  A specific namespace has been designated for cross-client transaction variants and screen variants and they are both automatically attached to the Change and Transport System. Client-specific transaction variants can be transported manually.
  Transaction and screen variants may be created for all dialog and reporting transactions. However, there are certain restrictions that apply to their use, depending on how their corresponding transactions have been realized internally.
  Transaction variants may not be created for transactions already containing pre-defined parameters (parameter transactions and variant transactions).
  The following sections contain additional information on how to create and maintain transaction variants:
  Maintenance
  Additional Functions
  Transport
  Regards,
  Srilatha.

• User Access when User belongs to multiple teams

  I have a user that belongs to two teams:  one of the teams has a task profile that includes only eAnalyze and is assigned a member access profile that has read only access to the application; the other team has a task profile that includes eAnalyze and SubmitData and is assigned a member access profile that has read and write access to the same application.
  Because one of the teams has a lower member access profile of read only, does that mean that if the user tries to submit data, the submission will be denied?
  In other words, if a user effectively has multiple user access profiles, does the LOWER access always win out?
  Thanks in advance,
  Valerie Dixon

  Hi,
  As already indicated, the higher profile wins. The best way to understand this is to create a union of the different profiles assigned to the same user through different teams. The result what you get after union is the final profile of the user.
  Hope this helps.

• Problem with tab access after user deleted from group

  9ias version 9.2.0.1
  There seems to be a problem (potential bug???) when deleting a user from a portal group. I have a portal page set up with multiple tabs. These tabs can only be accessed by users belonging to certain portal groups. When i add a user to a group, the user sees the necessary tabs when authenticated. However, if i delete this user from the group there is a problem. When the user re-logs into portal, they will see all the tabs belonging to the group they were deleted from. However, when they select this tab nothing happens and the portal goes into a state of flux (doesn't navigate). One way to resolve this is to go in as a portal admin, edit any tab and select apply. The portal then seems to refresh.
  This solution isn't practical. Is this a bug? Is there a patch or another solutions??? Thanks

  Hi Turloch! Thanks for your help!
  Those SQL Statements were extracted from the MS Access application that we will continue to use to access the data , now on an Oracle Database.
  I don't know what I can do to make this kind of statements works as it is on Access database. The first query, that I called Query1 works fine on Oracle, I just mentioned it because the 2nd Query , named Query2, use it.
  I'm not able to understand why when I change the 1st. query to a "make-table" query the Query2 works as desired, but if I keep the Query1 and Query2 as it is on the MS Access Application I got the ODBC error message and the ORA-00904 error message , related (I think!) to the FieldTmp field used on the LEFT JOIN statement (AND).
  As I told before, if I change the AND clause to compare to another field, as instance, field1 :
  FROM Query1 LEFT JOIN Table3
  ON (Table3.field1=Query1.Field2) AND
  (Table3.field5 = Query1.Field1)
  it works.
  Please, is there anything that I can do to keep the MS Access Application unchanged?
  Oracle = 8.1.6
  Oracle ODBC Driver = 8.1.6.4
  Oracle Migration Workbench = 1.3.1
  Thanks in advance,
  Elaine Viel Denadai