Restricting access for top Hierarchy in queries

Hello all,
Since we have a top hierarchy that comes from R/3 in which every company from our organization is attached, is there any way to restrict users' access in the queries and authorizations so that when a user runs a query and tries to access nodes (cost or profit centers or other companies) that are restricted for him/her, the "Authorization Not allowed" message displays? We know that the companies cannot be treated as 0co_code but as nodes, and we also know that in the Role modification we can put all this detail, but this will increase the manual maintenance process, because every time there's a new cost or profit center a manual maintenance must be done.
We want to have an automatic process since the hierarchy comes from R/3.
Thanks for your help!!
Mrs. Eyda Muñoz

Hi,
You can try looking at transaction RSSM; at the very bottom there is a button "fr. hierarchy". This is where you can specify the levels and nodes to restrict to. Then you have to set up a profile in PFCG to provide the restriction.
http://help.sap.com/saphelp_nw04/helpdata/en/80/1a689ae07211d2acb80000e829fbfe/content.htm - this should be able to provide some form of basic understanding.
Hope this helps.
Cheers,
Gim

Similar Messages

  • Restrict access for Vendor Master Data

    Hi all.
    Our company structure is like below:
    Single instance, just one mandant.
    Company codes like 1001, 3001, 6002, 6006, etc... over the world.
    At some companies just the central administration can create vendor for the companies using the transaction XK01.
    Now we need to give access to users from one of our companies in another country, but we can't give access to transaction XK01 because only the central administration can create the master data for the vendors.
    I already read about the object F_LFA1_AEN, that it is possible to create some field groups and give access just for the right groups. I also read that these authorization groups don't have an effect on the vendor master data like address.
    How can I restrict access for the vendor master data? I'm thinking of giving access to transactions FK01 and MK01 and restricting access for creating a new vendor; I only want the users to be able to create the data for a new company or new purchase organization.
    Thank you
    Darlei Friedel

    Among many other authorization objects, you find the following three:
    F_LFA1_GEN general data
    F_LFA1_BUK company code data
    M_LFM1_EKO purchasing org data.
    If the user does not have authorization for F_LFA1_GEN , then he cannot maintain general data.

  • Restrict Access for Asset with Ubuntu

    Hello guys,
    Now I have a problem for you and I hope that you can help me.
    The ArtBox has some problems on my Ubuntu system. The error message shows me "Restrict Access for Asset".
    Can somebody give me some tips on how the error could be recognized or how I can fix it?
    Thanks for the help.

    Hi,
    After you finish installing ArtBox, you must make sure that Samba is set up correctly. I just plan to try ArtBox and Ubuntu using VirtualBox, hope it can work fine.

  • Restricting  Access for SQ01 User Group

    Hi ,
    Please let me know how to restrict access for a User Group to only some specific users.
    Thank you
    Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

    Hi,
    Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
    If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23.  They will lose access to all user groups that they are not assigned to via SQ03.

  • Restricting access for servlet

    Hi,
    I've two servlet urls:
    http://mymachine/servlet/f60servlet?config=One
    and
    http://mymachine/servlet/f60servlet?config=Two
    I want One to be open for internet and Two only open for intranet. With:
    <Location /servlet >
    order deny,allow
    deny from all
    allow from mynetwork
    </Location>
    in jserv.conf I can restrict access to my intranet but this restriction is applied to both my applications.
    How can I restrict access for Two but not for One?
    I use iAS 1.0.2.2 on a Sun Solaris 8 machine and Forms6i patch 10.
    kind regards,
    Ivan

    Hi,
    I did open a tar with Oracle and the problem is solved by
    1) creating an alias for /servlet/f60servlet in zone.properties:
    servlet.f60listener.code=oracle.forms.servlet.ListenerServlet
    servlet.f60servlet.code=oracle.forms.servlet.FormsServlet
    servlet.f60servlet.initArgs=configFileName=/u01/app/oracle/product/8.0.6/forms60/server/formsweb.cfg
    servlet.f60listener1.code=oracle.forms.servlet.ListenerServlet
    servlet.f60servlet1.code=oracle.forms.servlet.FormsServlet
    servlet.f60servlet1.initArgs=configFileName=/u01/app/oracle/product/8.0.6/forms60/server/formsweb_internet.cfg
    In formsweb_internet.cfg is only the web-form app defined that should be open for internet
    2) in jserv.conf :
    <Location /servlet/f60servlet>
    order deny,allow
    deny from all
    allow from <mynetwork>
    </Location>
    <Location /servlet/f60servlet1>
    order deny,allow
    deny from all
    allow from all
    </Location>
    See also Doc ID: 180741.996 on metalink.

  • FERC Code of Conduct - Restricting access for employees

    Hello - I am project lead for an effort to separate market and transmission data from certain employees in our company. I'm finding this to be a monumental task, since we have a large SAP implementation: FI/CO, MM, HR (position-based security), Customer (IS-U-CCS), PM, PS, xRPM. We have implemented SOD for SOx compliance, but this is an entirely different effort. Unlike SOx, we need to totally restrict transactions that could contain non-public market and transmission data, so we need to separate the data behind the transactions. Does anyone have experience with this? Would love to hear what approach you took and swap ideas.
    Annette M Alboreo, FirstEnergy Corp.

    Hi Annette,
    First of all, good luck! Data segregation is always a tricky one to manage and needs to be carefully thought out.  This sort of activity has a large security and functional overhead and you need to make sure you have access to them.
    When I've worked on this sort of thing in the past, there are a few things that you need to identify
    - What data is sensitive? The business should ID all sensitive data and the functional team translate that into fields etc. What data needs to be legally segregated, what data is nice to have segregated. A set of rules should be drawn up to say who gets what in which circumstances.
    - How are people accessing data? What transactions give access to sensitive data? Standard SAP tx, custom tx (which may need auth checks changing), access to SE38/SA38, SQ01, SQVI etc.  All of the routes to the data need to be identified.
    Once it is known what data needs to be restricted then it is possible to address how to restrict access to it.  A reasonable amount of it should be able to be catered for in the standard auth concept.  It's also likely that there will be the requirement for additional config & customising (e.g hide fields, change screens, user exits) to meet these new control needs.  I think it goes without saying that the more that you can fix with the standard auth concept, the easier it tends to be.  If this means removing some transactions from users then in some cases it may be less costly than knocking up a whole load of custom code to solve the problem - of course this is dependent on the situation.
    Hope that is of some use
    Cheers
    Alex

  • Restricting access for condition types in VK11

    Hi
    ZWX1 and ZWX2 are SD discount condition types. I should use these condition types only for sales deals; hence, I will create condition records only in VB21 with reference to a sales deal.
    Some other users may create condition records in VK11 mistakenly. I need to avoid it, so these condition types should not be accessible to create condition records in VK11 or anywhere except VB21.
    Any thoughts? How can I achieve this?
    thanks

    Hi
    If you want to restrict the access for the condition types, then you give the authorization for VK11 for maintaining the condition records only to those users who have to maintain the condition records for those condition types. So you have to take the help of the BASIS team.
    Regards
    Srinath

  • Restricted access for user in SU01

    Hi All
    How can we give authorisation to a User to modify access (Create/Delete/Password Change/Role assign /Role Delete..etc) for other user IDs but that user should have only display access for his User ID.
    Please Help me in this.

    Hi,
    I have worked with many clients, and the requirement of handling the user Administration and Role Administration is different from each client to other client.
    Some clients may ask for the same person to handle both User and Role Administration, but some clients may ask for separating the tasks.
    In your case, if you want to restrict the person to maintain the other users but not his own user ID, this can be achieved by doing the following:
    Create a separate user group for those doing the administration part and create other user groups for other users.
    Create a role with SU01 and restrict the standard objects with all user groups except the administration one, and add the S_USER_GRP authorization object manually into the same role and provide only 03 with the administration object.
    The above will solve the problem of the administrator not being able to update his own user ID, but only the other users.
    Regards
    Anandm

  • Ver 8.8 Restricted access for BP and activities

    Currently, I am not aware of a way to restrict access to certain BP accounts, including the related activities for a BP. For example, our bank, HR consultants, etc. where I would like to limit the access to these BP accounts and related attachments to certain users, such as our management group.
    Primary importance would be to limit access to related activities where sensitive information may be stored in the form of emails, attachments, etc.
    Our previous CRM allowed us to flag BP accounts as restricted and set up permissions to authorized users.
    Is anyone aware of a way to limit access to these activities?
    If not, this is a great enhancement for future releases.

    Current system design has only set up confidential GL Account but not for BP. You probably need to post it on the R&D forum here:
    /community [original link is broken]
    Thanks,
    Gordon

  • Sales Partner Functions - Restricted access for assigned partners

    Sales Department would like to use a partner function to assign a responsible salesman to a customer.  They would also like to restrict the access of the salesman to only those customers (and their associated sales orders/deliveries) that are assigned to him.
    How is this done from an authorization perspective?

    Hi,
    This can be achieved thru user exit.  You might need to create the authorization objects for document type, partner function and this has to be assigned to the concerned user.  The validation can be done with the field ERNAM and SYUNAME. 
    Thanks
    Krish.

  • Password restricted access for published Groupwise calendar

    Hello,
    We want to publish our internal calendar. But I want to prevent everyone who knows the link address from having access to this calendar.
    So I tried to add the LDAP authorisation to /etc/opt/novell/groupwise/calhost/gwcal.conf as described in Novell doc 7000659.
    But the access to the (for testing) published calendar is still open for everyone who knows the link address.
    Another directory I published from the same apache2 with the same entries in the config file in /etc/apache2/vhosts.d/xxxx.conf works fine: if the user wants to get access, he has to log in with his uid/password.
    Is there another way to restrict the access to the public calendar via LDAP as described?
    Thanks for your help,
    Holger

    Originally Posted by trixlopez
    Hi Laura,
    Has there been any update on the authentication mechanism built into Calendar Publishing? One of our executives wanted to have his GW calendar accessed by an external user for business purposes.
    We have the Calendar Publishing working but the user has some concerns about privacy, if it can be password protected. Any other option/suggestion is greatly appreciated.
    Thanks.
    For example NetIQ Access Manager would be one option to handle this problem.
    Thomas

  • Restricting access for import manager and syndicator

    Hi All,
    I wanted to know whether there is any way we can restrict the access to import manager and syndicator.
    I have one scenario where a user needs to be given access to data manager only but not to other components. It is OK if they are able to open them but they should not be able to import or syndicate.
    Please help in this
    Thanks
    Nitin

    Hi Nitin,
    No, I get your point Nitin. I said if an unwanted user logs into Import Manager he can try to add/modify/replace records; this can be stopped if he is not given the rights. For this go to Console, Admin table, and go to Roles and set rights and privileges on that.
    Whenever a user logs into Import Manager he has to give his user ID and password, and from there we can control this.
    If he tries to import records, it will fail. Also, if he tries to modify a map, it will fail too.
    To get a clearer picture, try doing it for one user and run this scenario.
    An excerpt from the reference guide:
    "The groups and functions displayed in the Name column are listed in Table 89; access privileges for each function are directly editable in the Functions pane"
    record - Add records
     Modify records
     Modify checked out records
     Delete records
     Merge records
     Merge checked out records
     Protect records
     Unprotect records
     Check out records
     Check out new records
     Check in owned records
     Roll back owned records
     Check in non-owned records
     Roll back non-owned records
     Modify join permissions for non-owned records
    Consolidation and distribution - Add import maps
     Modify import maps
     Delete import maps
     Add syndication maps
     Modify syndication maps
     Delete syndication maps
     Enable key mappin
    You can control these setting privileges in Console.
    thanks,
    Ravi

  • How to restrict access to views for some users in the app?

    Hi SDN!
    I have a WD application which is embedded in the portal. The application has 2 iViews (and 2 pages respectively). These iViews consist of several views connected with each other (e.g. one view provides list data, the second view is an add/edit form for this data). I need to restrict access for some users to the view with the add/edit form. I can't make a separate page for this view.
    What I've done:
    1) Created yet another UIContainer for this view in the main window and embedded the view in this container. This was done to create a separate iView for the form.
    2) In the portal I created an iView for this form but didn't embed it in any page.
    When I try to call my form from list data (that is one iView from another) I get exception:
    com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: duplicate usage of view .MyCarRentalAddCity
    Is there a way to get the needed functionality?
    Thanks,
    Lev

    Hi,
    Do you need to remove the iView from the portal menu, or do you just want to make a View container in your WD application invisible if the user doesn't have the rights to see it?
    If so, you could create your own roles on the app server:
    You need to create a new class that extends NamePermission like:
    import com.sap.security.api.permissions.NamePermission;

    public class ApplicationAccessPermission extends NamePermission {
        /**
         * @param name
         */
        public ApplicationAccessPermission(String name) {
            super(name);
        }
        /**
         * @param name
         * @param action
         */
        public ApplicationAccessPermission(String name, String action) {
            super(name, action);
        }
    }
    Also, you have to create an Action.XML file that looks like this:
    <BUSINESSSERVICE
         NAME="com.vendor.administration">
         <DESCRIPTION
              LOCALE="en"
              VALUE="actions view usage"/>
         <ACTION
              NAME="View Permission">
              <DESCRIPTION
                   LOCALE="en"
                   VALUE="Show view"
                   />
              <PERMISSION
                   CLASS="com.vendor.utilities.ApplicationAccessPermission"
                   NAME="ShowView"
                   />
         </ACTION>
    </BUSINESSSERVICE>
    If you have created these two files in your packages, you can access this function like:
    IUser user;
    try {
        user = WDClientUser.getCurrentUser().getSAPUser();
        // The name must match the PERMISSION NAME declared in the XML file above
        if (user.hasPermission(new ApplicationAccessPermission("ShowView"))) {
            wdContext.currentV_UIElement().setViewVisibility(WDVisibility.VISIBLE);
        } else {
            wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
        }
    } catch (WDUMException e1) {
        // Keep the view hidden when the current user cannot be resolved
        wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
        e1.printStackTrace();
    }
    You have to bind the ViewVisibility attribute of the context to the View Container you want to hide.
    The ApplicationAccessPermission you defined in the XML file will be visible in the UME Manager of your J2EE engine. With this action you can create a new role and group that you can map to the users that should see your view.
    But, the exception you get is because you have embedded one view twice, which is not possible.
    Hope this helps.
    Regards,
    Dennis

  • Restricting access to auth relevant characteristics

    Hello Experts,
    We have a requirement wherein I have to restrict access for a user so that the user would not be able to change the properties of characteristics even in the local view in the query designer.
    The requirement is that the user should be able to go into change query (local view) and change rows and columns, but the user should not be able to change the properties of any characteristic.
    In our case the user is trying to change the properties of an authorisation relevant characteristic, which the user should not.
    Thanks in advance.
    Best Regds,
    Suyog.

    Hi Suyog,
    As per my knowledge, you can't control change access only to rows and columns in the query designer. Also please note that maintaining auth. relevant characteristics as processing type authorization or customer exit is the BW developer's job; as BI security consultant you can give suggestions to maintain such variables.
    Hence you give change query access in Dev and give only display in QA & production.
    Best Regards
    Imran

  • Restrict Access to certain users based on if a variable in the SQL database is set to 1

    Hey guys,
    I am quite new to PHP and MySQL and I have a question concerning access restriction. For a website project I am experimenting with Dreamweaver's login and restrict access behavior, which works fine. However, on the website I would like to restrict access to users that have a 1 set in the corresponding MySQL database (which means that e.g. each page has a different variable in the database that can be set to 1, which would allow me to personify access beyond the level of the out-of-the-box option, where each user can only have one access level). So it is quite similar to the out-of-the-box restrict access to page based on user group, but just depending on another variable in the database.
    I guess it can be done with an if condition that checks in the database if the logged in user has a 1 in this variable, and if yes give her/him access if not redirect to another page. However, I could not figure out  how to implement that.
    Your help is highly appreciated!
    Thanks in advance!

    Hello guys,
    I spent quite some time on the internet researching my wish and redefined my need: I would basically like to have the possibility to assign a user multiple access levels. There would be e.g. 10 pages, for each of which I create an access level. Then a user with e.g. access to pages 2 and 8 can only access these two pages. So my basic question is if, and if yes how, I can assign a user multiple access levels at a time and store these values in the MySQL database.
    Thanks a lot for your help!!
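
    One way to model the "multiple access levels per user" need from the two posts above, as an added example that is not part of the original thread: a join table holds one row per (user, page) grant, and each restricted page checks for that row with a prepared statement. The table, column and file names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline (for MySQL only the PDO DSN and credentials change).

```php
<?php
// Added example: per-page access grants. All table/column names are hypothetical.

function open_demo_db(): PDO {
    // SQLite in memory stands in for MySQL here (assumption, for offline use).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');
    $pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT UNIQUE NOT NULL)');
    // One row per (user, page) grant, so a user can hold any number of grants.
    $pdo->exec('CREATE TABLE user_page_access (
        user_id INTEGER NOT NULL REFERENCES users(id),
        page_id INTEGER NOT NULL REFERENCES pages(id),
        PRIMARY KEY (user_id, page_id))');

    // Constructed sample data: ten pages; alice may open pages 2 and 8 only.
    $pdo->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");
    $insertPage = $pdo->prepare('INSERT INTO pages (id, slug) VALUES (?, ?)');
    for ($i = 1; $i <= 10; $i++) {
        $insertPage->execute([$i, "page$i"]);
    }
    $pdo->exec('INSERT INTO user_page_access (user_id, page_id) VALUES (1, 2), (1, 8)');
    return $pdo;
}

// True only when a grant row exists; unknown users and unknown pages are denied.
function user_can_access(PDO $pdo, string $username, string $slug): bool {
    $stmt = $pdo->prepare(
        'SELECT 1 FROM user_page_access a
           JOIN users u ON u.id = a.user_id
           JOIN pages p ON p.id = a.page_id
          WHERE u.username = :username AND p.slug = :slug'
    );
    $stmt->execute([':username' => $username, ':slug' => $slug]);
    return $stmt->fetchColumn() !== false;
}

// Guard for the top of each restricted page, before any output is sent.
// $username is whatever the login step stored in the session (null if not logged in).
function require_page_access(PDO $pdo, ?string $username, string $slug): void {
    if ($username === null || !user_can_access($pdo, $username, $slug)) {
        header('Location: /denied.php'); // hypothetical redirect target
        exit;
    }
}

// Demo run over constructed cases.
$pdo = open_demo_db();
$cases = [['alice', 'page2'], ['alice', 'page3'], ['bob', 'page8'], ['mallory', 'page2']];
foreach ($cases as [$user, $slug]) {
    $verdict = user_can_access($pdo, $user, $slug) ? 'allow' : 'deny';
    printf("%-8s %-6s %s\n", $user, $slug, $verdict);
}
```

    Granting or revoking a page is then an INSERT or DELETE on user_page_access, with no schema change when an eleventh page is added.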
