Defining roles and access for OWB Designer
Hi,
Can i Define roles and access rights to different on 1 OWB Designer repository?
I want to send my mappings for code review but i dont want them to log into the OWB designer with write access.
How can i achieve this in the same OWB designer repository as the one i am using?
I am using OWB 10.1.
I found some table - WMP_USER_ROLES,WMP_GROUP_ROLES,WMP_GROUP_REPOSITORIES
when i logged into the designer schema through sqlplus
Thanks
Sagar
Hi Sagar,
Yes you can do that. Basically you can create a db user, and then register the user with a repository. By default that user has all privileges, however it now is audited per user as to what he/she did. How to do this look at the doc (find SecurityHelper)
To enable you to protect metadata there are a couple of strategies (implemented via a simple PL/SQL API). For an example (this one works with policies on the module level) take a look here (http://www.oracle.com/technology/sample_code/products/warehouse/files/Dev_Status_Policy.SQL)
This would work as follows:
- Create user REVIEW
- Register user REVIEW to repos QA
- For a module you want review for, set the status to QA
Now the REVIEW user logs in and he can look at QA but cannot touch.
Hope this helps,
Jean-Pierre
In your situation
Similar Messages
-
SAP Roles and Access for SAP Implementation team members
Hi,
Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
If not, what is the correct practice?
Kindly let me knowMadhu,
It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
But I know just how demanding they can be....
Best of luck
Tony -
hi,
How can query user roles and access in whole database? I want to list username, status, rights, and role
thanks
PHi,
The data dictionary view dba_users has one row per user.
The data dictionary view dab_role_privs has one row for every distinct combination of user and role that actually occurs ion your database,
Are you interested in system privileges? See dba_sys_privs.
Are you interested in individual grants, like the privilege to UPDATE a given table, or the privilege to execute a given stored procedure? See dba_tab_privs. (Don't be fooled by the name; it's not just for tables.)
I hope this answers your question.
If not, post some CREATE statements, that create tables, roles, and whatever else you want, and some GRANT statmeents that grant privileges on those objects. Pos the results that you would want to get from those objects and grants. -
Does a new customer buying creative cloud include download and use of Photoshop, Fireworks, Bridge and Acrobat for one designer/individual?
Cloud Plans https://creative.adobe.com/plans
-and subscription terms http://www.adobe.com/misc/subscription_terms.html
-what is in the entire Cloud http://www.adobe.com/creativecloud/catalog/desktop.html
-http://www.adobe.com/products/catalog/mobile._sl_id-contentfilter_sl_catalog_sl_mobiledevi ces.html -
One schema for OWB Design repository, runtime repository and target schema
Currently we have contents of OWB Design schema, runtime schema and target schema all combined into one schema of the same database in OWB 9.0.2 as well as OWB3i. We like to move to OWB10g in very near future. Can we keep the same structure for convenience of migration in OWB10g? Is it mandatory that OWB design repository (and components) must be separate from OWB run time repository (and components) and target schema? In other words is it possible and workable to use only one schema to contain OWB design repository, OWB run time repository and target schema in OWB10g environment with repositories to be situated on Oracle v9.2.0.1.0? Also what special considerations should be taken to create the database v9.2.0.1.0 and installation of OWB10g. What are the problems/side-effects to have all in one schema?
Also please let me know how to install Oracle Workflow server to be used along with OWB. Will OWB10g work with repository on Oracle database v9.2.0.1.0?
Your prompt advice will be very well appreciated.
SankarThe design repo is a metadata repo that stores all the design-time objects and so forth.
It is an architectural decision that you or your team need to decide on. There are many flexible ways to architect an OWB infrastructure.
Also, your repository users will be using the design repository on the the other DB instance to do their design work...potentially less people always hitting the target database all the time.
-Greg -
ABAP User Roles and Query for accessing particular T- codes and Reports
dear Gurus
I have one problem, i want to know about ABAP User Query ,i have one requirement my user wants to Lock all the HR Std versus Customized reports in T- code SQ01,other department peoples also see the Payslips and Hr personal reports which is harmfull to the dept so i want to Lock all the reports in Std T- code in SQ01 and i have created one Customized User Roles or Query in which the T-codes and Reports are assigned only those particular user can access the T-codes and Std reports .how can it be possible i dont have any idea about user roles and Queries .
kindly help me out or send me some documents related to user roles and queries
regards ritesh sharmaHi Ritesh,
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
Regards,
Flavya -
Hi
I am a dba with no warehousing experience. I have been asked to configure and support an OWB installation v9.0.2.0.8. I have installed the server side runtime repository and target schema's - and have run the service_doctor.sql and evrything appears fine.
I have the following accounts now
1 x OWBRUNREP user (runtime repository schema)
1 x OWRUNACCES user (runtime access user)
1 x OWB9iDEV user (design repository user)
3 x target schema's (for data and deployment)
My question is - my users connecting through the client on their pc can only connect to the Design Rrepository user OWB9iDEV - is this normal ??? All other connections fail ???
I am assuming they have to connect to the design user --> then deploy into runtime environment using deployment manager for example ???
So is everything alright - or do I have a problem ??? I can;'t decide from the last 8 hours of reading docs ??
Any help greatly appreciated
[email protected]Hi!
Yes, the first time Runtime Repository Assistant is run it needs to be run on the host where OWB Runtime is installed. That's because the Runtime Service starts a java process that runs on the OS and not in the database. Subsequent operations of the Runtime Repository Assistant (such as to add more target schemas) can be remote.
The association of the Target schema with a Runtime Repository happens when you create a Target Schema using the Runtime Repository Assistant, which is why this is the only way to create a target schema, i.e. you cannot just start using any arbitrary schema as target schema for OWB if it hasn't been created this way.
Here is a good resource for your and others future reference. The OWB Architecture Wite Paper http://www.oracle.com/technology/products/warehouse/pdf/Architecture%20_White_Paper.pdf provides a condensed version of the architecture information contained in the Installation Guide. I personally found it the easiest way to make sense of the architecture.
Nikolai Rochnik -
Hi,
I have some basic conpectual problem about roles and rules.
What is the diffrenece between roles and rules in sap business workflow ? What is the Tcode for Role creation/Change/Display and Rule creation/Change/Display ?
I am using a standard workflow for PR Release "WS20000077".
I have done all the setting except this agent assignment using roles or rules. The default rules used in the task "TS20000159" is "20000026". The Binding from workflow to rules container is also defined by the workflow itself.
This rules is defined using a function module.When I am putting a breakpoint in this function module and tring to execute my workflow it is not going to the given breakpoint but the workflow is running successfully as shown in the event trace "SWE2".
What could be the problem..Pls suggest?Hi Tanuja,
Go through this link for [Rule Documentation|http://help.sap.com/saphelp_nw04/helpdata/en/bb/bdc296575911d189240000e8323d3a/frameset.htm]
And
http://help.sap.com/saphelp_nw2004s/helpdata/en/95/ed94ee764c11d3b535006094b9c9b4/frameset.htm
Go through this link for [Roles in Workflow|http://help.sap.com/saphelp_nw04/helpdata/en/f4/4a5536ad3d2a17e10000009b38f839/frameset.htm]
Hope this would help you.
Good luck
Narin -
Role and Privileges for OLAP metadata
Hi,
Is there any document which specifies what all roles and privileges are required for creating any OLAP meta data ( Dimension, Cube, Measure and Catalog etc)?
I think these are impt roles:-
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
RECOVERY_CATALOG_OWNER
OLAP_DBA
OLAP_USER
Through system/manager I created one user TEST_BI_OLAP and granted CONNECT.
After login as TEST_BI_OLAP I am able to create dimension. Why it is possible whereas doc says user should have OLAP_USER or OLAP_DBA role associated with it.
OR only CONNECT is sufficient for creating OLAP metadata!!!!!
regds
PThe difference is in what the end user sees. Say you want to deploy an analytical workspace based off of a ROLAP dimensional cube. Here is how I've been approaching the problem:
1. Create a new user with the OLAP_USER role to hold the AW (say "AW_USER")
2. Now log in with a userid that has OLAP_DBA role, and create the AW utilizing the ROLAP cube - but direct the AW to be stored in the AW_USER schema. Note that because it is in a separate schema from the ROLAP cube, you will not need to append characters to the dimension or measure names.
3. Have end users log in using the AW_USER name. Then they will see the AW information, but they will not have access to the ROLAP cube data.
Hope this helps,
Scott -
One schema for OWB Design repository, runtime repository
Can we use only one schema for the design and runtime repositories on the same database instance and leave the target schemas separate? What are the advantages and disadvantages of this approach?
Thanks a lot for your time and reply.Hello beatbisig
You got it right. Starting from OWB10gR2, the two types of repositories have been merged in to one. So if you have your design work hosted on one database, but want to keep the production database off-limits from developers you deploy from your design repository to the production repository. If you then connect to the production repository using the Design Center you wouldn't see any mappings there.
Why this wasn't done in the first place, even using the Oracle Designer repository I never understood ...
Borkur -
Standred Roles and profiles for OSS Connection User
Dears,
We open OSS connections several times for SAP support in which we also provide login credentials to SAP to login in our system.
Is there any standred roles or profile for this user in QAS and PRD that we can give to maintain our servers confidentiality.
Please suggest.
ShivamNot really. A note related to your question popped up in a previous discussion:Re: Exclude T-code from SAP all
> If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely... -
Roles and Privileges for 10g AWR and ASH reports
Are there specific roles and privileges are required for one to run AWR and ASH reports for users who don't have DBA roles? If so, I would like to know about them.
I think sysdba privilege need to run AWR report.
Also check, how privilege is granted to PERFSTAT user in $ORACLE_HOME/rdbms/admin/spcuser.sql, you might get some clue!!!
Cheer,
Virag -
File Server Role: Slow access for "opened files" and slow Explorer browsing
Since we migrated our fileserver from Windows Server 2008 R2 to Windows Server 2012 we are facing two major problems:
1. Opening files which are already opened by other users takes about 1 minute before the file actually opens. This is not only for Office files such as Excel and Word, but also for other (not office) files. Again, this problem only rises when the file(s)
is/are already opened by another user. There seems to be a sort of "Lock" check time which is about 45 to 60 seconds.
2. The other problem is browsing via Explorer through the network drive (all clients are Windows 7 clients). Half of the time there is some kind of "hick up" with displaying the results of the folder. I cannot figure out a patern, but if there
is no "hick up" then browsing is very fast (also in the busiest times of the working day)... If there is a "hick up" the result can take about 50 seconds to display the content of a folder.
I suspect the SMB implementation / settings of Windows Server 2012 which are causing the problems...
Things I tried:
1. Changed the Oplocks wait time to 10 seconds (which is the minimum). The result is that openening files does indeed go some faster (still taking about 45 seconds).
2. Disabled SMB2: the result is that browsing is fast... Opening files does go faster. BUT: we are then facing other problems like some files are not able to open... This setting was, after getting a lot of complaints from the users, changed back to enabled
SMB2.
3. Within the NIC card properties I disabled "QoS packet Scheduler", "Link-Layer Topology Discovery Mapper I/O Driver", "Link-Layer Topology Discovery Responder" and IPv6 (as we only use IPv4).
All above with not the promising results.
The server is a dedicated (virtual machine on vSphere 5.1) fileserver.
Please Advice since this is not workable, and we have postponed the migration of the fileserver for our aother location.Hi Dave,
I suggest you disable all third party applications like Anti-Virus application to test if it could reduce the waiting time when accessing a file.
Here are some related threads below that could be useful to you:
DFS Slowness when Opening Microsoft Documents and Excel Spreadsheets
http://social.technet.microsoft.com/Forums/windowsserver/en-US/61ec9a99-0027-44cb-815c-0da9276c1c96/dfs-slowness-when-opening-microsoft-documents-and-excel-spreadsheets?forum=winservergen
Opening files over network takes long time
http://social.technet.microsoft.com/Forums/windows/en-US/c8ddb65f-8a17-4cee-afd4-dfc09e99d562/opening-files-over-network-takes-long-time?forum=w7itpronetworking
opening folder or file takes over a minute on Windows 2008R2 File server
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b9aa98c4-3ef7-4e6d-810d-6099e72b33f6/opening-folder-or-file-takes-over-a-minute-on-windows-2008r2-file-server?forum=winserverfiles
Best Regards,
Amy Wang -
PBC 10 user users/teams/roles and access data profiles
Hello experts,
couples of questions with regards to BPC 10 security
1) In PBC 10, version SAP NetWeaver , if a team or a user was created in BPC not in BW, can the created user/team has access to SAP BW? Can the created team/user be imported and assigned assigned rights in BW? Or , if I need a user who will have acces to both SAP BW and BPC , do I HAVE to create the user in SAP NetWeaver (BW) and assign rights?? or
2)
If the defined attributes are Currency=Euro: Read and Country=France: Write, then Entity102 is writable.
Assuming that a write access to Currency = Euro : Write produce the same output as in the above, How can ensure that I can give a write access on a dimension without having allowing the write access to the whole entity as in the above case?
Thanks
JhHi John,
For your 1st question, to add a BPC user, you need to create BW user first on BW. Then add this BW user as BPC user. When you create a BW user, you need to assign two roles
/POA/BUI_FLEX_CLIENT, /POA/BUI_UM_USER.
Actually, once you created the BW user, you can use this BW user to log on to BW now, but this user has few rights, such as no rights to execute some t-code RSA1, etc. To make this BW user more powerful, you need to assign the corresponding rights directly on BW, not from BPC. The rights(Data Access profile or task profiles) added from BPC only works on BPC object, such as members, cube, etc.
Best Regards,
Charlie -
OIM 11g R2 - AD provisioning based on Role and Access Policy
Hi, for Active Direcotry integration i used some prepopulation plugin for populationg resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
It's work fine - requested account was fully provisioned.
Can i use this plugins for Role based provisioning?
I try to create access policy and associated role but when attached the role to the user and run Evaluate User Policies Job, account can't be provisioned.
In diagnostic.log i found.....
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
[oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
[oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113Hi, all
I try to fill Access policy Process Form. Account request was created and provisioned when field AD Server and Organization Name was filled in, but pre-population plugin doesn't fired
The question is.... How can i use pre-population plugin for populating request dataset used with request generated by access policy....
Is it possible to use plugins for requests generated based on access policy?
a.
Maybe you are looking for
-
please!
-
I am trying to upgrade EPM 8.9(8.49.23) to EPM 9.1 (8.53.08). During dataconversion step the AE process finished succssfully in few seconds. When i see the log it says "There are no conversions to run for upgrade path PF89 (18028,10003)". Please let
-
ITunes charges for the Million Hit Lowdown free previews
I downloaded one of the previews yesterday without any issue and no charge, but today when I went to watch the other two I got charged 1.99 each for the intro video and the preview itself... e-mail sent to support. Windows XP
-
Transparent box not showing in Acrobat
I have a customer that created a page in ID CS 4 with a white box (63%Tr) over 2 cmyk pics and a separate box of type laid over the Transparent box w/100k type. I have checked this file over extensively and see nothing out of the ordinary. She create
-
So I just purchased iweb and plan to create a website for when i travel to South Africa. Problem is I declined to sign up for .mac because I really only need it for 4 months and don't want to pay $99. Godaddy.com seems to have some better prices but