Forbid a user group to modify an specific metadata field??

Similar Messages

• User group [$CLASS] not an Org level field in IA, whereas it is in DA

  Hi All,
  We have an authorization problem that we faced while SAP Upgrade. In the development system while we upgraded all the roles, we did not face any issue. User group field [$CLASS] was actually an org level field in that system and the roles were upgraded based on that condition.
  When the Integration system was up and the upgraded roles were transported to IA, we noticed that they ended with a warning. On checking the logs we found out that User group [CLASS] actually was not an Org level value in the INtegration system, whereas it was an org level field in the development system.
  Can someone tell me the reason why it is different? Is there any settings we have to change to make User group  an org level field in IA. Thanks a lot for your help.
  Vijith

  Hello, I ran into this also and found these notes to explain why this is suddenly an org value and how to fix it:
  http://search.sap.com/notes?id=0001580048
  http://search.sap.com/notes?id=0001739055
  Basically, GRC 10 add-on makes the user group an org value and the note instructs how to undo this manually, but there is a required pre-requisite because you cannot modify this for SAP delivered fields normally.
  You know what else would be nice.... maybe there's a note that explains why Account Type is an org value.  It REALLY should not be, IMO.

• Restrict metadata field during an update to a specific user group

  Hello everyone,
  I am having some trouble figuring out the best way to restrict permissions to change some metadata fields for 2 different groups of users.
  I have two user groups, A and B. Group A will be checking in documents that the B group will then review for accuracy and quality. Group B will then update an optionlist field called "Status" with either "Recommended" or "Not Recommended".
  This is not a workflow situation as the scope requires that all documents are immediately available for searching. I currently have a CheckIn and Search profile for the content permitting read write access to groups A and B. The "Status" field is hidden on the CheckIn page. Can anyone please suggest a good way to restrict the field "Status" on an Update page to just "B" users? Groups A and B should be able to update all fields with the exception of the B restricted "Status" field.
  Thanks!
  Edited by: user6750815 on Jun 2, 2010 4:11 PM

  Hey rMac,
  I understand it this way you have one profile for A and B user groups. On this profile Status field is hidden.
  If this is your problem you can approach it from two places, while making the rule for hiding the Status field, use rule activation condition. Make it active only for users with Role A . This way even with single profile some of the user with Role B will be able to see the Status field.
  otherwise you can put similar code in Restrict Personalization Link where in you make this hidden field editable and compulsory for Users in B.
  cheers,
  sapan

• Document library Permission - users/group can add/upload/modify but same time not to see other documents

  Hi,
  I have a question regarding SharePoint document library permission. I am using SharePoint 2013.
  I have 3 SharePoint groups (SP-Group-NL, SP-Group-US & SP-Group-BR).
  I have given the contribute access to all 3 groups in the document library, so that people can with in these group can upload/add/modify document inside it.
  Now I want that people from specific group can only view those document which they uploaded and not all.
  Note - (a) I don't want to use audience targeting. (b) I don't want to right any code.
  Regards,
  Yogendra

  Hi Yogendra,
  Per my understanding, you might want users in a specific group can view only the documents uploaded by themselves.
  In the OOTB list view settings, we can set filter on a list view to only display the documents created by the current user:
  However, if you want this filter only apply to users in a specific group, Audience Targeting or custom code would be required as there is no such OOTB feature in SharePoint
  list can meet this requirement.
  With Audience Targeting, a possible solution is that, we can add two list view web parts into one page, set Audience Targeting on one of them to display only when
  the current user is in the specific group, then modify the view settings to apply filter on this list view web part to make it only display the documents created by current user.
  Thanks 
  Patrick Liang
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• After 10.1.2 upgrade, Create/Modify User/Group requires re-authentication

  I have 3 systems - 2 were 9.x (AS10g R1) upgraded to 10.x (AS10g R2), 1 was installed as 10.x. On the two upgraded systems, after a Portal user logs in (with administration privileges), navigates to the "Administration" tab and clicks either the "Create New User", "Modify User", "Create New Group" or "Modify Group" links, they are prompted for a username and password again. On the system installed with 10.x, this does not happen. Submitted iTar was unresolved. Has anyone seen this before?
  Thanks in advance.

  Please read this whole message before doing anything.
  This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
  The purpose of the test is to determine whether the problem is caused by third-party software that loads automatically at startup or login, by a peripheral device, by a font conflict, or by corruption of the file system or of certain system caches.
  Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards, if applicable. Start up in safe mode and log in to the account with the problem. You must hold down the shift key twice: once when you boot, and again when you log in.
  Note: If FileVault is enabled, or if a firmware password is set, or if the boot volume is a Fusion Drive or a software RAID, you can’t do this. Ask for further instructions.
  Safe mode is much slower to boot and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal boot may also be somewhat slow.
  The login screen appears even if you usually login automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
  Test while in safe mode. Same problem?
  After testing, reboot as usual (not in safe mode) and verify that you still have the problem. Post the results of the test.

• HELP - Modify user group by bulk un CUCM 8.6

  Hi guys,
  I am having problem by update/modify user group on CUCM.
  There are already some users within user group with admin privileges. That should be changed, so I created a group with some privileges and then I tried to change the usergroup by bulk. but the bulk ADDS the usergroup to the correct and maintain both.
  After that I decided to have 2 rows, for the same user, one for the group with empty space (to delete it), and another with the new usergroup. But CUCM does not either do that. it sills maintain the user group..
  Does anyone has successfully changed the user group by bulk?
  I will appreciate your advices.
  Update Users - Custom File
  Begin Time : 04/29/2015 13:46:41
  Query :
  Update Users in CUCM_1L_Template.csv
  Failure Details :
  users Error Code Error Description
  ******** NO ERROR FOUND ********
  Result Summary :
  UPDATE for 2 USERS passed.
  UPDATE for 0 USERS failed.
  End Time : 04/29/2015 13:46:41
  Kind Regards.
  Juan Gerardo Hernandez
  CCNP Voice

  That's correct, what you're seeing is WAD, this topic has been discussed plenty of times before, the only option you have is SNR

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul

• User with authorization to modify an specific field into the G/L Account

  Hi everyone,
  I´d would like to know if It´s possile GIVE AUTHORITY ONLY to some users will be able to modify the field SKB1 - ALTKT into the G/L Account Master Data through transacction FS02. In this way, only the selected users could introduce or modify information on this field.
  I´m not sure if it can be done trough a new Z object and assign the object to the transacction and also in the user profiles..or in other way...
  Thanks a lot for your help ¡

  Hello,
  I'm worried but there is no field group authorization for G/L account like customers and vendors. In customers and vendors you're grouping your changable fields and give auth for it. But in G/L master data, there is no solution like this.
  So I think you can use business transaction event for validation. You should use 00002310 BTE for this action.
  In this exit, you can validate I_SKB1-ALTKT is equal to SKB1-ALTKT for special user. You should create a user parameter like ZALKT and this 'X' value to this parameter for special user. And check user auth for parameter ZALKT = 'X' and then if it's ok compare I_SKB1 and database table SKB1 for ALTKT field. If this two value doesn't equal you can give error message while saving G/L account changes.
  Regards,
  Burak

• Last modified by for a user/group object

  Hi All,
  Is there any way to find out who has last modified the User/Group object in the portal.
  I can see the last account unlocked by for the user object. But is there any attribute to find out who has last modified the assigned groups/users for the user/group respectively or any change in the user/group profile.
  Thanks in advance,
  Siva
  Pts will be rewarded for useful answer.

  Hi Siva,
  as far as I know there is no standard way to find out who modified a user/group object in the portal. But I just checked the official API of <a href="https://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IUser.html">IUser</a> (represents a portal user) and <a href="https://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IGroup.html">IGroup</a> (represents a portal user group) and found out something interesting. <a href="https://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IPrincipal.html">IPrinciple</a> (super object of IUser and IGroup) has a field LAST_MODIFIED_BY.
  Looks like you can write your own portal component, which allows you to find out who has modified your users last.
  Best regards,
  Martin

• Google drive does not work with specific group but works with all users group!!

  Hi,
  Why Google drive does not work with specific group but works with all users group?
  My rule :  Internal > external > all users = works fine
  But
                 Internal > external > A group = not working !!

  Hi,
  if you require user authentication in Firewall policy rules, the clients must bei Webproxy clients (for HTTP / HTTPS) or TMG clients (for TCP/UDP):
  http://technet.microsoft.com/en-us/library/bb794762.aspx
  regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

• How to create user in specific user group in Microsoft Active Directory ?

  Hi,
  I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
  it get added to Domain Users group.
  Following is the code I am using which adds user to default group Domain Users.
  public LDAPResult createUserID(
  String userId,
  String pwd,
  String pId,
  boolean resetonLogOn,
  LDAPConnection ldCon) {
  boolean flag = false;
  int code=0;
  try {
  String pwdLastSetVal;
  String desName;
  String desc;
  /* Specify the DN of the new entry. */
  String dn =
  "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
  /* Create and add attributes to the attribute set. */
  String objectclass_values[] =
  { "top", "person", "organizationalPerson", "user" };
  // LDAPEntry findEntry=null;
  /* Create a new attribute set for the entry. */
  LDAPAttributeSet attrs = new LDAPAttributeSet();
  /* Attribute sAMAccountName */
  LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
  attrs.add(attr);
  /* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
  attr =
  new LDAPAttribute(
  LDAP_PASSWORD_KEY,
  (byte[]) this.encodePassword(pwd));
  attrs.add(attr);
  /* Attribute Display Name */
  desName = userId + ":" + pId;
  //desName = userId ;
  attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
  attrs.add(attr);
  /** Attribute userAccountControl to enable the userid.
  attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
  attrs.add(attr);
  /* Attribute pwdLastSet to reset the password on first logon*/
  if (resetonLogOn == true) {
  pwdLastSetVal = "0";
  } else {
  pwdLastSetVal = "-1";
  attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
  attrs.add(attr);
  /* Attribute Description */
  desc = " Account Created by HelpNow App";
  attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
  attrs.add(attr);
  /* Attribute objectclass */
  attr = new LDAPAttribute("objectclass", objectclass_values);
  attrs.add(attr);
  /* Create an entry with this DN and these attributes . */
  LDAPEntry myEntry = new LDAPEntry(dn, attrs);
  /* Add the entry to the directory. */
  ldCon.add(myEntry);
  flag = true;
  }catch (LDAPException e) {
  flag = false;
  code=e.getLDAPResultCode();
  }catch (Exception e) {
  flag = false;
  code=LDAPException.OTHER;
  }finally {
  ldaprs.flag=flag;
  ldaprs.code=code;
  return ldaprs;
  }

  Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

• Can I get the members of Domain Users group (AD specific) with JNDI?

  Hi All,
  I've found these forums very helpful and full of great information, I've been able to retrieve all members of groups that I search for (from the information on this forum), and get the member's attributes such as email addresses through that.
  The question I have is, is there a way to query the Domain Users group, since it's a special group in Active Directory, and retrieve the members of it? So far I have been unsuccessful. Here's a query I found that works on .Net:
  (|(&({ClassFilter})(memberOf={GroupDistinguishedName}))(distinguishedName={G
  roupDistinguishedName}))
  I haven't been able to get it to work with JNDI however. Can anyone point me in the right direction?
  thanks,
  Matt

  It's not so much that the Domain Users is a special group, it's more that because by default, all users have their Primary Group set to Domain Users, that it appears to behave differently.
  So the query that you're trying to execute via JNDI, would be something like:String searchFilter = "(&(objectClass=user)(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com))";And of course if everything has been left to defaults, it doesn't return any results.
  Similarly if you look at the member attribute of Domain Users, it will be empty.
  Assuming the defaults, and every user's Primary Group is set to Domain Users, the following query would return all the user's whose primary group is Domain Users:String searchFilter = "(&(objectClass=user)(PrimaryGroupID=513))";Note that 513 is the Relative ID (RID) for Domain Users.
  Now if you set a user's Primary Group to be something other than Domain Users, then the Domain Users group would now have a value
  for it's member attribute and conversely the respective user would now have Domain Users as one of the values of their memberOf attribute.
  So then your query would be something like:
  String searchFilter = "(&(objectClass=User)(|(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com)(PrimaryGroupID=513))){code}
  I guess the fundamental question, is why do you need to determine whuch users are members of Domain Users ?
  If this is for usie in an application, where the user has authenticated and you are using group membership to make authorisation decisions, perhaps the constructed tokenGroups attribute may be more useful  as it contains the Security Identifiers (SID) for all the groups the user is a member of ?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

• Sharepoint 2010 get User Groups from specific site

  Hello,
  I was able to get all User groups from entire site Collection.
  But instead of getting user groups from entire site, I want read user groups only from one specified sub site.
  Please help!
  Thanks

  Assuming you have an SPWeb object named "web", example:
  SPSite site = new SPSite(http://yourdomain/sites/yoursite);
  SPWeb web = site.OpenWeb("mysubsite/subsbusite");
  web.Groups will return a collection of SPGroup objects for the current subsite. If this subsite inherits permissions from a parent site (web.HasUniquePerm = False), the list is the same as the Groups property of the parent site.
  SPWeb.Groups:
  http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.spweb.groups(v=office.15).aspx
  SPGroup:
  http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.spgroup(v=office.15).aspx
  You would be better results by posting coding questions in "SharePoint 2010 - Development and Programming" instead of "SharePoint 2010 - General Discussions and Questions".
  Mike Smith TechTrainingNotes.blogspot.com
  Books:
  SharePoint 2007 2010 Customization for the Site Owner,
  SharePoint 2010 Security for the Site Owner

• Restricting certain users groups to read only for certain folders

  Hi
  I'm not sure if this is the correct forum, but hey, hopefully someone might now the answer or direct me to the correct one.
  I'm writing a VB program to amend ACLs for specific user groups.
  Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
  I've got to the point the program does everything I want, i.e. stops folder creation7deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the
  historic folders.
  Testing using the Windows GUI would appear to resolve the problem is I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
  Question then is how to I set this in VB, the default appearing to be "This folder only"
  Here's extract of my code
  Thanks
  IfvarDirectoryName.IndexOf("\"&
  Date.Now.Year) = -1
  Then
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.Modify,
  AccessControlType.Deny))
              FileAcl3.AddAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.DeleteSubdirectoriesAndFiles,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ReadAndExecute,
  AccessControlType.Deny))
              FileAcl3.RemoveAccessRule(
  NewFileSystemAccessRule(GroupAdmin(0),
  FileSystemRights.ListDirectory,
  AccessControlType.Deny))
  Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
  Dim FileAcl3 As New FileSecurity
  If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
  FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
  FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
  FileInfo3.SetAccessControl(FileAcl3)
  End If

  Ho Rohn
  Your right, when I added the flags I got the following error at execution
  {"No flags can be set. Parameter name: inheritanceFlags"}
  I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
  I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
  Thanks
  Perry
  You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
  $varDirectoryName = "c:\folder"
  $GroupAdmin = "Admin Group"
  $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
  $FileAcl3 = $FileInfo3.GetAccessControl()
  $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
  $GroupAdmin,
  [System.Security.AccessControl.FileSystemRights]::Modify,
  ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
  [System.Security.AccessControl.PropagationFlags]::None,
  [System.Security.AccessControl.AccessControlType]::Allow
  $FileInfo3.SetAccessControl($FileAcl3)
  I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
  Does that make sense?

• How do I delete a User that does not appear in Users & Groups?

  A leftover user (former employee account) that won't go away. Phantom User account becomes the default login account regardless of the new employee's login attempts. The phantom account Home folder appears in the Users folder at the root level, but not in the Users & Groups panel in System Preferences. I have logged in as tech admin and deleted the phantom User folder (while it is not the Home folder), but it comes right back again as soon as the new employee logs in as himself. ***???
  I'd just updated this iMac to Yosemite, but this issue predates any specific OS update. Has persisted from 10.5 - 10.10. but is becoming an issue with permissions.
  Any thoughts other than having to reinstall the OS from scratch? I was about to, but thought I'd see if anyone else has ever heard of this.....

  Back up all data.
  Triple-click anywhere in the line of text below on this page to select it:
  /System/Library/CoreServices/Directory Utility.app
  Right-click or control-click the selected text and select
            Services ▹ Open
  from the contextual menu.* The Directory Utility application will launch.
  In the application window, click the lock icon and authenticate. Select the Directory Editor tool in the toolbar. Select Users from the Viewing menu in the toolbar, if not already selected. Locate the user you want to delete in the list and click the minus-sign icon at the bottom. Select Groups from the Viewing menu, and look for a group in the list with the same name as the user you just deleted. If found, delete. Quit Directory Utility.
  Be very careful when editing the directory. Many hidden users and groups are present by default, and are needed for the normal operation of OS X. Never delete or modify a directory entry unless you’re sure you know what you’re doing. If in doubt, leave it alone.
  *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
             Go ▹ Go to Folder...
  from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.