Security and Control - Creation of ORG Roles

Hi
I have created an organization role against one functional role by adding the objects containing org elements only which are falling in that functional role. Now, as per the rule, a user will have one functional role attached and one respective org role, which will have the local value of the org elements, and accordingly there will be so many instances of the org role. Viz. if there are 100 plants and 50 company codes, then there will be 100 org roles for plants and 50 org roles for company codes. So by this practice we are reducing the number of instance roles (which in the traditional method would have been 100*50 = 5000 and in this case will be 100 + 50 = 150).
This concept works fine if we have only one org element falling in one object (e.g. F_BKPF_BUK has only plant as the org element), but my question is: how can I handle the scenario in which there is more than one org element falling in the object? E.g. authorization object J_1IA_POSO contains the org elements company code and plant (which comes from transaction code J1I0).
Your early response is highly appreciated.
Thanks & Regards
Shailendra

Dear Gaurish
your demand is quite standard. There is only a "but": nearly 60% of the properties are "global" ones and not "local" ones. That means e.g. "density" data should be valid "global". But e.g. in the context of GHS, OEL etc. local data is required. The access concept is therefore not always prepared on the level of VAT/property; e.g. a French guy needs to maintain the OEL; the same for the German guy; but there is only one VAT. So the differentiation is done in most cases on usage level. But you need to differentiate the maintenance in CG02/CG02BD from the topic of generation and releasing SDS. Here as well access concepts are used.
Any access concept is very "company" specific. Just check the available objects which are used to "control"/"set up" access rights. E.g.:
SAP EHS user list and Authorizations | SCN
E.g. consolut - Complete Authorization Object Documentation From /AAA up to E
might help as well.
On top: the access concept depends on the release you are using. Higher releases have more authorization objects than in the past. So the access concept is not only company specific but release specific as well.
Topic of access concept is discussed "rarely" here.
Authorization object C_SHES_TVH
authorisation object for property tree in CG02
Specification type authorizations
IHS safety measures authorization object
EHS
Maybe check the "Best practice" approach, which is discussed very often here, to get an idea about the access concept.
C.B.
PS: may be check:
consolut - C_SHES_TVH - EHS: Specification Value Assgmt with Reference to a Spec.
Authorization check with usage profile in user parameter
Define Authorizations - Product Safety - SAP Library
(sorry describes only old releases but good starting point)

Similar Messages

  • Masking HTTP inbound URL for security and control - Seeking Ideas

    I am working to transition an application to XI that is based on HTTP posts from vendors to provide data. In order to use the XI Plain HTTP adapter for inbound requests, I need to provide the vendor a very long url and query string that identifies the target system as XI (since the query string structure) and makes it difficult to make changes to the configuration without notification of the vendor (because of the values required in the query string).
    Has anyone found a way to mask the query string using a BPM page or another method to provide a simple url to integration partners that will translate into the fully qualified url within my environment?

    We solved this by using reverse-proxy with URL rewriting on network (NETAPP) appliance.

  • Mitigating Control creation and application in SAP GRC 10

    Hi Expert,
    We have SAP GRC Access Control 10 being implemented for our client. While trying to create a Mitigating Control, we just realized that before creating mitigating controls you need to create a Root Org entry; this replaces the Business Units in previous AC versions, which is visible only when we activate the GRC-PC Application.
    My queries are:
    1. Is it that a Mitigation control can only be created if PC is enabled?
    2. What about licensing if the GRC-PC Application is used for Mitigating Control creation?
    Thanking you in advance.
    Thanks & Regards,
    Abhimanu Kumar Singh

    HI,
    Thank you for the response, I just checked and could find that I can create Mitigating control without PC application. It is just that PC relevant fields are not displayed.
    However can anybody answer as to what happens if I use PC to create Mitigating Control, Do I have to purchase the license for SAP GRC PC or it is ok for shared resources.
    Thanks again.
    Thanks & Regards,
    Abhimanu Kumar Singh

  • Mass role creation and addition of tcodes to role menu

    Hi Folks,
    We've a requirement of building 1000's of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is if we can automate a part of the process of role building i.e the following 3 steps only.
    1. Creation of the Role
    2. Addition of the tcodes in the role menu
    3. Save
    I'm aware of Ecatt/LSMW through which we can create the roles but i'm not sure if we can add the tcodes to the menu of the roles since the number of tcodes to be populated in each role will vary.
    Could anyone of you shed some light if it is possible to automate the addition of  tcodes to the role menu taking into consideration that each role will have different number of tcodes to be added to the menu and what's the best possible way to achieve this if there exists one.
    Thanks in advance for your time and suggestions!
    Guest...

    Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
    Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
    You will still then need to ensure any authorisation objects have the correct values set - i.e. not just starred in - but as one of the pains in building a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
    Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building
    OSS note 389675 has details of what the text file of transactions for the menu should look like.
    That should answer the question posed, rather than criticising the role design being followed.

  • Security and roles in Nakisa TVN

    When a Nakisa role is mapped to an SAP role, does it limit the data that the person who is running that role sees?  For example, if an employee logs in and is assigned a "Employee" role, is it possible to limit the org chart that the employee sees to only his org unit and below?

    Hi there,
    This depends on which architecture you are using, Live or Staged. In Live OrgChart uses SAP structural authorizations and therefore the user only sees what data they can see in SAP. In the Staged version you have to build roles and map SAP roles to them. In STVN2.1 OrgChart there are 5 pre-configured security roles available out of the box, which do include a "derives and below" security role ("Derives and Below" allows a user to see information about objects in the structure below them).
    It is possible through configuration to allow a logged-in user to start at their location in the structure and also to prevent them from navigating up the structure. This configuration can be very complex and requires full knowledge of configuration of authentication as well as authorisation (i.e. roles) in order to achieve what you want. It is also possible to limit data fields and fields in the search etc. through less complex configuration, and if you're really clever you can customise the application in order to do things based on particular roles (like display a pop-up message at login etc.). However, that takes a thorough knowledge of how the application works to achieve, and only few consultants outside of Nakisa can provide that level of customisation.
    I hope that helps.
    Luke

  • Any ideas for security and parental control software yet???

    Just received two of the touchpads from the fire sale and gave them to my kids, both under 10.  I am very interested in limiting the sites that can be accessed through the browser, as well as a few other things.  Has anyone found a practical means of doing this?  I'd hate to give up on this and switch it over to Android, especially since there is only Gingerbread available.  But, I just don't know what else I can do about these.  Any ideas? 
    Thanks!
    Post relates to: HP TouchPad (WiFi)

    Please take this post with a grain of salt. I don't claim to be a security and parental control software expert, but I have researched these solutions and have some personal experience with them. That being said, here's some ideas to get you started.
    As speedtouch mentioned, OpenDNS is a fantastic solution for website filtering. They have a great set of filters that can be customized and are one of the easiest systems to set up. Simply install an updater app on one of your desktop computers (or directly on your router if it's supported), configure your router to use their DNS servers, and you're good to go. I personally use this system myself and it works really well. The only downside in my experience is that there is not a temporary override system (at least, not in the free version that I use). An example of when this might be handy: my wife goes clothes shopping and looking at new bras. Every once in a while, a perfectly legitimate site might get blocked (in this case, probably something I don't want my kid looking at but perfectly fine for my wife). The option to "temporarily override the block" or "temporarily allow" the site would be nice, but it doesn't exist.
    Another FANTASTIC solution that I've used in the past is the Astaro Security Gateway. They have a free home version of their "Software Appliance" that goes above and beyond OpenDNS. I haven't used it in a while, but when I did it was able to not only filter web sites but also monitor Instant Messaging and other online activities. It's a bit more involved as you need your own hardware (I used an old computer with 2 network cards and stuck it in between my router and my broadband modem), but the results are pretty powerful.
    The downside to all these solutions, however, is that they will only work when the TouchPad is on your network. If they connect to a neighbor's network or if they go to a friend's house, all of these systems will be moot because they are completely bypassed. The only way to monitor that content from ANY network would be to install an application on the device itself and to my knowledge, none exist.

  • Link does not work for-End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4

    Link does not work for
    End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4
    How do we get Cisco to fix?
    see attachment

    Give it a couple of days - it looks like they just sent out the notification before the notice was published on the public page.
    Once the ACS 5.4 EoS/EoL notice is published you should see it linked from this page.

  • Even after set Mo:Security and HR:Security,user not able to restrict require Inventory Org.

    Hi All,
    Even after set Mo:Security and HR:Security,user not able to restrict require Inventory Org.
    Both the profile option have set at responsibility level.
    Regards,
    Sandesh

    2785222 wrote:
    Hi All,
    Even after set Mo:Security and HR:Security,user not able to restrict require Inventory Org.
    Both the profile option have set at responsibility level.
    Regards,
    Sandesh
    Hi Sandesh,
    First note that HR:Security Is for HRMS module for restricting data for respective OUs
    MO:Security is for other Modules such as Inv, PO, AR, AP etc., for restricting data
    Change the inventory Org to the one you want and then query data...
    Hope it helps.
    Regards,
    Shahzad.H.Magsi

  • Security  and roles while upgrading to bi7

    hi
    Guys, I have a question about the upgrade.
    What will happen to security and roles while upgrading from BI 3.5 to 7?
    Can this be migrated into BI7 from BW 3.5, and if so how?
    Or do we need to create them separately again in BI7?
    Your answer will be much appreciated.

    Hi,
    this can be upgraded but it is not a must. SAP recommends using the new concept provided by NW 7.0...
    You can switch the obsolete authorization concept on/off with RSCUSTV23. For security and clarity reasons make a "clean" new setup "from scratch" (much easier, less complex than in 3.x)...
    Check this upgrade guide it will give you all informations:
    [SAP NetWeaver 7.0 BI Upgrade Specifics|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/10564d5c-cf00-2a10-7b87-c94e38267742]
    New BI Authorizations set in SPRO (maintenance in RSECADMIN)
    - During technical upgrade, and if you used an authorization concept in BW3.x, switch back to "obsolete Concept with RSR Authorization Objects"
    - Important: After technical upgrade switch back to the new Concept and see note 820183 and 923176
    Other links/notes which could be helpful:
    Note 923176 - Support situation authorization management BI70/NW7.0
    New Analysis Authorizations for BI Reporting:
    http://help.sap.com/saphelp_nw04s/helpdata/en/80/d71042f664e22ce10000000a1550b0/content.htm
    Regards
    Andreas

  • How to avoid the control recipe creation step and control recipe complete

    Hi
    The process order procedure has been configured in our system like:
    order creation, release, control recipe created at time of order release, then order confirmation, order final confirmation, control recipe complete, order TECH., ... Like this our order process is configured.
    Here we are not using any control recipe functions ... and control recipe complete ... so how to remove this step from the order process? Please could anyone guide in this issue.
    Regards
    HGVD

    Dear HGVD,
    Assuming there is only one order type(process order type) is used in both the manufacturing plants,then create plant specific
    production scheduling profile in CORY,for the plant 2000,assign the prod.schd.profile with the default order type and
    do not include the check box for generate control recipe and save the data,but in the same CORY,assign the same order
    type,with including the check box for generate control recipe.
    Check by this way and revert back.
    Regards
    Mangalraj.S

  • I downloaded McAfee security and parental control.  The settings have gone back to basic settings but if I try to customise the toolbar by adding the "home" icon or adding "contact" to bookmarks until I close and when I open they are gone. Any ideas

    I downloaded McAfee security and parental control.  The settings have gone back to basic settings but if I try to customise the toolbar by adding the "home" icon or adding "contact" to bookmarks until I close and when I open they are gone. Any ideas

    Make that four.
    If you have any commercially advertised/available antivirus software installed on your Mac, completely uninstall this per the instructions on the AV developer's website.
    Antivirus software can slow down the normal operation of OS X and can negatively affect OS X performance and operation.
    Do you have apps like MacKeeper or any other maintenance apps like CleanMyMac 1 or 2, TuneUpMyMac or anything like these apps, installed on your Mac? These types of apps, while they appear to be helpful, can do too good a job of data "cleanup" causing the potential to do serious data corruption or data deletion and render a perfectly running OS completely dead and useless leaving you with a frozen, non-functional Mac.
    Plus, these type of apps aren't really necessary. They really aren't.
    There are manual methods to clear off unnecessary data off of your Mac that are safer and you have complete control over your Mac and not just leave a piece of auto cleaning software in charge of clearing off data off of your Mac.
    Their potential of causing OS X issues outweighs the implied good and benefits these types of hard drive or memory "cleaning" apps are written to do.
    Plus, the software companies that write these apps make it hard to easily uninstall these apps if something DOES go wrong and these apps work in a way where you have no recovery or revert function to return your Mac back to its former, working state in the event something does go wrong.
    It is best to never, EVER download and install these types of apps.
    The risk to your system and data is too great a risk!
    Search the web to learn how to correctly and properly uninstall these kinds of apps.
    They all uninstall differently.

  • Where did the securables go? Created Database Role add Securables and Permission but it disappeared.

    Hello my friends:
    Create a Database Role, added Securables and set the Permissions. These are all stored Procedures.
    When I clicked Okay I get a message that the role was created successfully.
    Now I go back to the database role, click properties and the securables are not showing?
    Is this normal behavior? Where did they go?
    Thanks!

    I have sufficient rights: The DB Role is working because Users who I have assigned the Role Are able to do what they need. I just cannot see the securables when I go to properties. I also have a SYS Admin account, I log in as SYS Admin and still cannot see the securables.
    However, if I click on an individual user who is assigned to the role, I can see the securables from the properties tab.

    Hi,
    First check that you can see the role using a query:
    USE AdventureWorks2012;
    GO
    CREATE ROLE ArielyRole322
    GO
    Select * from sys.database_principals where name = 'ArielyRole322' and type = 'R'
    GO
    and now you can use the GUI interface as well:
    open the database -> security -> Roles -> Database Roles -> and here it is :-)
      Ronen Ariely
     [Personal Site]    [Blog]    [Facebook]
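
    An added example, not part of the thread or of the reply's script: to check what the role holds independently of the properties dialog, the permissions and members can be read from the catalog views. The role name is the one used in the reply above; the procedure dbo.usp_DemoConstructed is a constructed object that exists only so the query returns a row.

```sql
USE AdventureWorks2012;
GO
-- Constructed setup: make sure the role exists and holds one EXECUTE grant.
IF DATABASE_PRINCIPAL_ID(N'ArielyRole322') IS NULL
    CREATE ROLE ArielyRole322;
GO
IF OBJECT_ID(N'dbo.usp_DemoConstructed', N'P') IS NULL
    EXEC (N'CREATE PROCEDURE dbo.usp_DemoConstructed AS SELECT 1 AS ok;');
GO
GRANT EXECUTE ON OBJECT::dbo.usp_DemoConstructed TO ArielyRole322;
GO

DECLARE @role sysname = N'ArielyRole322';

-- 1. Every permission granted or denied directly to the role.
--    class 0 = database, 1 = object or column, 3 = schema.
SELECT  pr.name                              AS role_name,
        pe.state_desc,                       -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
        pe.permission_name,                  -- e.g. EXECUTE, SELECT
        pe.class_desc,
        CASE pe.class
            WHEN 0 THEN QUOTENAME(DB_NAME())
            WHEN 1 THEN QUOTENAME(OBJECT_SCHEMA_NAME(pe.major_id))
                        + N'.' + QUOTENAME(OBJECT_NAME(pe.major_id))
            WHEN 3 THEN QUOTENAME(SCHEMA_NAME(pe.major_id))
            ELSE CONVERT(nvarchar(20), pe.major_id)
        END                                  AS securable,
        CASE WHEN pe.class = 1 AND pe.minor_id > 0
             THEN COL_NAME(pe.major_id, pe.minor_id)
        END                                  AS column_name,
        o.type_desc                          AS object_type,
        USER_NAME(pe.grantor_principal_id)   AS granted_by
FROM    sys.database_principals  AS pr
JOIN    sys.database_permissions AS pe
        ON pe.grantee_principal_id = pr.principal_id
LEFT JOIN sys.objects AS o
        ON pe.class = 1 AND o.object_id = pe.major_id
WHERE   pr.type = 'R'
  AND   pr.name = @role
ORDER BY pe.class, securable, pe.permission_name;

-- 2. Who inherits those permissions through membership in the role.
SELECT  r.name      AS role_name,
        m.name      AS member_name,
        m.type_desc AS member_type
FROM    sys.database_role_members AS drm
JOIN    sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE   r.name = @role
ORDER BY m.name;
GO
```

    A DENY row in the first result overrides a GRANT on the same securable, so review both states when auditing the role.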

  • Security and/or filtering error in data form creation

    Hi,
    I am getting this error when I am trying to preview my data form.
    This is the first time I am creating an application and data form in Hyperion.
    The data form is multicurrency and plan type is Plan1.
    Row:
    Account members: Descendants(Account)
    Column:
    Year:Descendants(FY10)
    Period:Descendants(YearTotal)
    Page Dimension(s)
    Entity:Descendants(Entity)
    Scenario:Current
    Version:BU Version_1
    POV:
    Currency:USD
    Disabled all options in "Other options" and not selected any business rules.
    When selecting preview data form I am getting below error:
    Security and/or filtering has resulted in a required dimension not being represented on this data form
    I have not selected any security/filter settings as of now. Please suggest what's causing this.
    Thanks,

    Hi Jake,
    I did what you suggested,but I am still getting same error.
    Here I would like to point out that I have selected my application to support multicurrency, but 'HSP_RATES' does not come in the Dimension selection drop down. I can see 'HSP_RATES' in the Performance settings tab, but I can't see it in the Dimensions tab or Evaluation order tab.
    Is this causing problem? Should I add it manually?
    Thanks,
    Rajni.

  • Hacker violating my privacy even though I have security and have changed passwords several times. Who ever it is, they want me to know because they have the nerve to take control over this computer even when I am logged in. The cursor just starts moving.

    Someone is stealing my private information and logging onto my computer at the same time that I am logged into it. The cursor moves by itself and they log me out of whatever page I am working on. I have security and have reported it to my internet provider.
    I have spent so much money trying to keep them out of my system to no avail. I also attend school on line and this is a huge problem for me. This thief changes my internet picture right in front of me. 
    I have tried to report this to the police, but they are no help at all and this is not right. They need to at least try and see who it is. 
    What do you suggest, I really want to know who is doing this.
    Thanks,

    Hi!
    This could be done in many ways so it's quite hard to pin point what's going on and how it's done.
    The first thing I would do is to reset the router you have, creating a new password for logging on in case they have gained access this way, then create a new password for the wireless network if you are using it.
    Then reinstall your computer, if they/you have installed some software and gotten a Trojan, the only way to get rid of it to 100% is to reinstall. There is no meaning in trying to find it and uninstalling it since it's gotten this far already.
    Depending on what router you have, you might be able to get the logs and see from where they are connecting and trying to pinpoint their location.
    There are probably other ways to find out more, but if this happened to me, the first thing I would do is to get rid of the problem, ignoring who they are.
    Best regards
    Andreas Molin
    Andreas Molin | Site: www.guidestomicrosoft.com | Twitter: andreas_molin

  • Problem with ADF security and task flow calls

    Hi.
    I am using JDeveloper 11.1.2.0.0.
    I encountered a problem when tried to apply ADF security to my application.
    The way to reproduce the problem:
    1. Create new Fusion Web Application;
    2. Import Business Components from Tables from any existing schema and add at least one table to the ApplicationModule.
    3. Create "welcome page" (for instance, welcome.jsf). Add a button with fixed action outcome "test".
    4. Create test page, for instance, test.jsf. Drag and drop any view object from Data Controls onto the page and create a form with navigation controls. Add a button with fixed action outcome "return".
    5. Create bounded task flow, name it "test", drag and drop our test page on it - the page will be the default activity. Add a task flow return activity. Add a control flow case from the default view activity to the return activity, set From Outcome property to "return". So our return button should cause the task flow to exit.
    6. Open adfc-config.xml in diagram mode and place our welcome page on it. Then drag and drop the test task flow to create a task flow call activity. Add a control flow case from welcome page to task flow call activity, set the From Outcome property to "test". So our test button should call the test task flow.
    7. Configure application to run the unbounded task flow starting with Welcome view activity.
    At this point all works as expected: when application runs, the welcome page is displayed with test button. Pressing the test button results in displaying the test page, return button leads back to the welcome page.
    Now let's configure ADF Security.
    Run the ADF Security configuration wizard, choose ADF Authentication and Authorization.
    On the second page select Form-Based Authentication, check the Generate Default Pages flag.
    On the third page choose No Automatic Grants.
    On the next page keep the Redirect Upon Successful Authentication unchecked. Press Finish.
    Open jazn-data.xml to configure roles, users and resource grants:
    1. Create application role test-role.
    2. Grant the test-role privileges to view the test task flow.
    3. Create user and grant him the test-role.
    Now we have the public available welcome page and the test page with restricted access.
    When the application runs, the welcome page is displayed as expected. Pressing the test button redirects us to the auto-generated login page. After successful authorization the test page is displayed. But nothing happens if we now click the return button for the first time. When we click the return button once more, the application crashes with Error-500 and message "Target Unreachable, identifier 'bindings' resolved to null". The exact error trace depends on UI control bindings, but looks like this:
    javax.el.PropertyNotFoundException: //C:/Users/DUDKIN/AppData/Roaming/JDeveloper/system11.1.2.0.38.60.17/o.j2ee/drs/Test1/ViewControllerWebApp.war/test.jsf @10,120 value="#{bindings.Id.inputValue}": Target Unreachable, identifier 'bindings' resolved to null
         at com.sun.faces.facelets.el.TagValueExpression.isReadOnly(TagValueExpression.java:122)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer._getUncachedReadOnly(EditableValueRenderer.java:476)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.getReadOnly(EditableValueRenderer.java:390)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.wasSubmitted(EditableValueRenderer.java:345)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.decodeInternal(EditableValueRenderer.java:116)
         at oracle.adfinternal.view.faces.renderkit.rich.LabeledInputRenderer.decodeInternal(LabeledInputRenderer.java:56)
         at oracle.adf.view.rich.render.RichRenderer.decode(RichRenderer.java:342)
         at org.apache.myfaces.trinidad.render.CoreRenderer.decode(CoreRenderer.java:274)
         at org.apache.myfaces.trinidad.component.UIXComponentBase.__rendererDecode(UIXComponentBase.java:1324)
    (the rest of lines skipped).
    Any suggestions?
    Edited by: user13307311 on Apr 16, 2013 11:39 PM

    @Lovin_JV_941794
    The welcome page is public available since it does not have appropriate PageDef file.
    Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
    It seems the task flow call stack is destroyed after the redirect to the login page.
    Edited by: user13307311 on Apr 17, 2013 12:45 AM
