Shared Services Security Issue with Financial Reporting - 11.1.1.3

Hi,
So we have some users that are provisioned in some groups. Those groups have Essbase Server Access and Planner access to an application. That access is working great. They have access to the app and they have access via Smartview to the cube.
Now we need them to be able to see all the Financial Reports (FR) created for that application. There are so many provisioning choices under 'Reporting and Analysis', that I'm not sure how to get this done correctly. Right now we have to assign 'Viewer' access and 'Explorer' access under 'Content Manager' tree in order for this to happen. I just think this seems wrong. We just need the user to be able to run and view a report from Workspace.
Any help is appreciated as this is a very green area for me.

Hi,
You will need both Viewer and Explorer access for users to run reports.
the reason is that without the Explorer, users will not be able to see any reports or the explorer in Workspace.
Without Viewer, users will not be able to view/open any of the reports. You also have to give report access to users anyway related to the groups.
You can see anll information about different security roles for Reporting and Analysis in the shared Services admin guide.
The documentation is the best place to start for any information needed and confirming what fulfills your needs.
Cheers
RS

Similar Messages

  • Severe Security Issue with Sharing Permissions and Windows

    I recently discovered a severe Security issue with the windows sharing an permission settings:
    I have two users, an admin user and a parental controlled user. On my mac mini, i have a external harddrive connected. On the harddrive, i have three folders, Itunes, Iphoto (Package) and a Temp Folder. I want to share the Harddrive RW for the admin, but only R for the parental user. But the Temp folder should be accessible for RW for the parental as well.
    1. I set the Drive checkbox "ignore ownership" off.
    2. I set the permissions of the drive to admin RW, parental R and Everyone to "no access"
    3. I apply to enclosed Items
    4. I set the permission of the Temp folder to admin RW, parental RW and Everyone to "no access"
    5. I apply to enclosed Items
    6. I go to "File Sharing" in the Preferences and activate SMB sharing for both users
    7. I delete all previous shares
    8. I add the Disk and use the proposed permissions which are admin RW, parental R, Everyone "no access"
    9. I add the Temp folder and use the proposed permissions which are admin RW, parental RW, Everyone "no access" - Funny, there is a new Group called "Temp" created which has custom access on both sharepoints
    10. I connect to the mac over a Windows machine (NTLM auth set appropriatly). Now I try to create a folder on the root of the Disk share, I get a denied message.
    BUT WHEN I GO INTO A SUBFOLDER (eg. ITUNES or IPHOTO), WHICH HAS ALSO JUST "R" PERMISSION FOR THE PARENTAL USER, I AM ABLE TO RW, DELETE AND DO EVERYTHING!!!
    TO RECAPITULATE: THE SHARING PERMISSIONS ARE "R", AND THE FILE PERMISSIONS IN THE RESPECTIVE FOLDERS FOR THE RESPECTIVE USER ARE ALSO JUST "R". BUT THE USER CAN DO EVERYTHING IN THE SUBFOLDERS!!!

    I recently discovered a severe Security issue with the windows sharing an permission settings:
    I have two users, an admin user and a parental controlled user. On my mac mini, i have a external harddrive connected. On the harddrive, i have three folders, Itunes, Iphoto (Package) and a Temp Folder. I want to share the Harddrive RW for the admin, but only R for the parental user. But the Temp folder should be accessible for RW for the parental as well.
    1. I set the Drive checkbox "ignore ownership" off.
    2. I set the permissions of the drive to admin RW, parental R and Everyone to "no access"
    3. I apply to enclosed Items
    4. I set the permission of the Temp folder to admin RW, parental RW and Everyone to "no access"
    5. I apply to enclosed Items
    6. I go to "File Sharing" in the Preferences and activate SMB sharing for both users
    7. I delete all previous shares
    8. I add the Disk and use the proposed permissions which are admin RW, parental R, Everyone "no access"
    9. I add the Temp folder and use the proposed permissions which are admin RW, parental RW, Everyone "no access" - Funny, there is a new Group called "Temp" created which has custom access on both sharepoints
    10. I connect to the mac over a Windows machine (NTLM auth set appropriatly). Now I try to create a folder on the root of the Disk share, I get a denied message.
    BUT WHEN I GO INTO A SUBFOLDER (eg. ITUNES or IPHOTO), WHICH HAS ALSO JUST "R" PERMISSION FOR THE PARENTAL USER, I AM ABLE TO RW, DELETE AND DO EVERYTHING!!!
    TO RECAPITULATE: THE SHARING PERMISSIONS ARE "R", AND THE FILE PERMISSIONS IN THE RESPECTIVE FOLDERS FOR THE RESPECTIVE USER ARE ALSO JUST "R". BUT THE USER CAN DO EVERYTHING IN THE SUBFOLDERS!!!

  • Shared services security- Is this even possible?

    I want to know if the following is possible using shared services security:
    I want to set up an MSAD group that will have say 50 sub groups.
    I will define this super group as an external directory in SS.
    I will then assign security (both roles and filters) to each of the 50 sub groups.
    There will be no groups or users in the native directory.
    Based on user needs, the MSAD team will move users from one subgroup to another without logging into Shared Services.
    My expectation is when they move the users from one subgroup to another, the user will have the security of the group they were moved to.
    Is it possible to set up security this way in shared services? I have been experimenting and having a miserable time getting it to work. So just wanted to know if I am doing something wrong or just wasting my time.

    I think this will work, but note that you are not really using SS inherited security.
    What you might do is something like this:
    MasterGroup <--Assign provisioning here
    |_Subgroup1 <--Assign filter
    |_Subgroup2 <--Assign yet another filter
    |_Etc.
    With the above layout you define provisioning roles once at the topmost group (MasterGroup) and then assign unique security at the subgroups.  The users are in the subgroups and their usernames will go to their ids (which will have no provisioning), then their immediate group (ditto), and then the parent group (which will). 
    What you have defined for security (as opposed to provisioning) sounds good to me although I have never tried to do this with MSAD groups.  I don't see a reason for it not to work.
    Regards,
    Cameron Lackpour

  • Security issues with connecting pdf to database

    I have a pdf form that is being called from a webform as part
    of a web application. The PDF has two dropdown lists that I was
    populating from a SQL Server Database. I had created a special user
    that had select access only to the tables for the dropdowns.
    My question is are there any known security issues with
    regard to allowing a pdf to connect to a database this way. The PDF
    is being called from a secure connection but I don't know if
    opening this database connection to populate these dropdowns
    exposes a security hole of any sort. If it does, do you have a
    solution to make this secure? I am asking because another developer
    on the project brought up the issue of this design creating a
    security risk and I haven't been able to find anything online
    discussing it either way.
    Thanks!
    Maureen

    Hello Maureen,
    Thanks for posting, but I'm not sure I see if your question
    relates to Acrobat.com
    Are you using any of the Acrobat.com Services as any part of
    your workflow?
    Thanks!
    Pete

  • Privacy/Security Issue with Adobe Flash 10

    Not sure if anyone has noticed this or not, but there is a
    bizarre (if minor) privacy/security issue with Adobe Flash Player
    10. I came across it while attempting to upload a file to Flickr.
    Previous versions of AFP do not exhibit this problem.
    Specifics: using Firefox 3.x, Vista.
    The problem: When Flickr calls the "open file" dialogue in
    Flash 10 (in order to upload files) via the "Upload Photos and
    Videos" link, at the bottom of the dialogue, to the right of the
    "File Name" box, sits a common UI element that brings up a dropdown
    menu of what appear to be (or at least are supposed to be) recently
    viewed or downloaded or accessed files. Actually I'm not sure how
    Flash 10 compiles or accesses this list of files, but at any rate,
    a list of files come up.
    The problem is that, as far as I can tell, the list of files
    that come up reference a long list of files, some that are very old
    and that no longer exist, and that there is no way that I can find
    to clear the list. This is a minor security/privacy issue, as
    generally there should be a way to prevent a dialogue from
    displaying a long list of past-accessed files by clearing a cache
    somewhere or other -- imagine if it was impossible to clear the
    history of a web browser, for example -- this would be considered a
    pretty significant privacy issue. I have tried everything from
    flushing the browser cache to uninstalling and reinstalling the
    browser to uninstalling and reinstalling Adobe Flash to using the
    Flash Settings Manager to clear out the Flash saved sites to
    turning off Vista indexing to clearing out Vista's Recent Items
    list. None of these actions did anything to clear out this list of
    files. I can find no references to these files anywhere when I use
    Vista Search (with unindexed and system files searched as well),
    and I can find no reference to the files anywhere in the registry
    (I checked just in case Flash 10 was storing this index in some
    really bizarre place.) I've linked to a screenshot below of what
    I'm talking about -- most of the files listed below were deleted a
    long, long time ago, and so I have no idea why this dialogue refers
    to them.
    Screenshot
    Is there a simple work-around for this that I'm unaware of?
    Even if there is, there needs to be some more obvious way to clear
    out this list. Where is this information being stored, and what
    criteria does this list use to "put a file on the list"?

    Thanks for putting me on the right scent. That's what I'd
    originally thought, too -- it's just that the file-> open dialog
    was giving an entirely different list of files with other
    applications, so I assumed that it must be Flash that was the
    culprit. Turns out the reason it was different with Flickr was
    because it was restricting the file results via a long string of
    video and picture filetypes that are compatible with the Flickr
    service.
    It turns out the information I'm looking for is buried deep
    within the registry. The only way to clear out this list of files
    is to delete the following key (or specific subkeys):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidl MRU
    Seems more than a little stupid to store such information in
    the registry if security is your concern. Vista beguiles me
    sometimes.

  • Security issue with unlocking my iPhone 4?

    I'm not sure if anyone here will be able to help me but I am trying to get my iPhone unlocked with AT&T. I bought my iPhone on contract through AT&T in December 2010. My account is in good standing. I paid my ETF, it's technically eligible to be unlocked. I called AT&T on April 9th for an unlock and it's now April 19th and still no wordd from them. I've called several times and they won't tell me what's going on other than that "there is a security issue with unlocking my iPhone and the issue is with Apple, but they are working on it." From my understanding, all AT&T needs is the unlock code to enter into the system and unlock it from there. I don't know what security issues could possibly exist that would create a problem. The only thing I can think of is that when I orginally bought my iPhone it turned out to be a lemon and had to get it replaced the day after I bought it. I did this through an Apple store since it was around Christmas. The IMEI number on my phone doesn't match the one AT&T has on file, but that shouldn't matter? I gave them the right IMEI number that is on my current phone. Does anyone know what "security issues" can exist when it comes to unlocking an iPhone 4?

    Don't stress over the words used by the customer service people at AT&T. Half of them don't know what they're talking about more than half the time.  You are probably correct in that it has something to do with their database being inaccurate. 
    Give it a few days, then contact them again and ask for it to be escalated.
    Ignor rNair. The idea that Apple made it mandatory for AT&T to do anything is complete and total bunk. (S)He has no idea what (s)he's talking about

  • Performance Issue with VL06O report

    Hi,
    We are having performance issue with VL06O report, when run with forwarding agent. It is taking about an hour with forwarding agent. The issue is with VBPA table and we found one OSS note, but it is for old versions. ours is ECC 5.0. Can anybody know the solution? If you guys need more information, please ask me.
    Thanks,
    Surya

    Sreedhar,
    Thanks for you quick response. Indexes were not created for VBPA table. basis people tested by creating indexes and gave a report that it is taking more time with indexes than regular query optimizer. this is happening in the funtion forward_ag_selection.
    select vbeln lifnr from vbpa
         appending corresponding fields of table lt_select
         where     vbeln in ct_vbeln
         and     posnr eq posnr_initial
         and     parvw eq 'SP'
         and     lifnr in it_spdnr.
    I don't see any issue with this query. I give more info later

  • Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

    Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
    Some have no problem accessing the lesson plans.
    Most when they login click on a lesson plan and an icon shows up that says loading but never does.
    If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
    Think Central support says this is a security issue with Firefox.
    I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
    I have allowed the pop ups to the think Central web site.
    Any help would be appreciated

    Are there any notification icons on the left end of the address bar? If so, please click them to see whether they related to security issues (such as blocked content - shield icon: [[How does content that isn't secure affect my safety?]]) or a plugin requiring permission (Lego-like icon).
    Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

  • Variable input values issue with Portal reports in WAD

    Hi Gurus,
    We have issue with our reports which are created in WAD and when executed through CRM portal. We are executing the report with some selection criteria by changing default values, and once we get the out put we use SAVEAS option to save the report to favourites. But  the issue arises when we open the reprot again by clicking OPEN tab next to SAVEAS button. It opens our report, but the selection screen vaues are getting changed to default instead of showing the values which we entered before saving the report.
    ex: we have fiscalyear/period: default value is 001.2009 - 010.2009, but i changed the value to 001.2010 - 010.2010 and saved the out put of the report. when i reopen the report useing open option, it is showing 001.2009 - 010.2009 in input screen.
    Please let me know if some one has come accross this issue, or is it standard SAP behaviour. It is working fine when executed through Query designer. This is not related to personlization of variabl.es.
    Regards,
    Yada

    Hi Hari,
    Thanks for your promp response...but is there any settings to get the variable values with out saving as variant, because its working fine when executing through query designer....
    Regards,
    Yada

  • Issues with BEx Reports in SAP Enterprise Portal

    Hello Experts,
    I am facing issues with BEx reports integrated in portal. Below are more details:
    Scenario 1:
    Execute a BEx report in the portal, save it in 'My Portfolio' using 'Save As' button. Now open the saved report from 'My Portfolio'. Below is the issue for this scenario:
    When I open the saved report, I get 2 error messages and 1 info message at the top of the report. They are as follows:
    The metadata of 'ITE' 'TEMPLATE_PARAMETERS' are incorrect for parameter 'COMMAND_PROCESSING'
    The metadata of 'ITE' 'FILTER_PANE_ITEM' are incorrect for parameter 'TEXT_WRAPPING'
    Variables for characteristic Fiscal year/period[0FISCPER] cannot be processed
    Scenario 2:
    Execute a BEx report in the portal, save it in 'BEx Portfolio' or 'Favourites' using 'Save As' button. Now open the saved report and click on 'Send' button. As expected, the BEx broadcaster wizard should appear but, it shows '400 BAD HTTP REQUEST'. While if I open the report (not the saved one) and click on 'Send' button, it works.
    Helpful pointers appreciated.
    Thanks
    Vikash

    HI Suman,
    I am not adding the report to favourite using browser favourite. Below is the flow:
    Run the report in portal.
    There is a 'Save As' button at the top of the report. When I click that button, I get a pop-up with 3 tabs  for saving the report.:
    Favourite
    BEx Portfolio
    My Portfolio
    save the report in the favorites or BEx portfolio tab and then open it and press 'Send' button
    BEx Broadcaster Wizard should appear but instead of that, it shows '400 BAD HTTP REQUEST'.
    If I press send for unsaved report, then BEx broadcaster Wizard is shown.
    Thanks,
    Vikash

  • User issue with a report supply planning area today monthly

    this is a support issue....the user has an issue with a report supply planning area today monthly.  The user is getting wrong values in BW, it sums PLOs and POs under production (config).  for eg:  BW says we are producing 46T while in R/3 we have 4T.

    The issue was related to the heap size being too much and as a result the Class block memory was not getting enough memory. I think we can make a use of -XXCompressedRefs:32 parameter in the Java start up to allow the heap size to increase till 32 Gb.

  • Issue with Scheduled Reports

    Having an issue with running reports.  We have created the folder under C:\Program Files\Cisco CRS Historical Reports\reports ..to resolve a bug but now the user gets the attached error message every morning.  Any ideas?
    Thanks,
    Joe

    Hi Joe
    No attachment?
    Aaron

  • How can Manage Permissions for DB in Shared Services Security Mode

    In shared services security mode, after provisioning users for Essbase applications, only can assign database calculation and filter access. How can I grant permissions "Access Databases" like in native mode?

    Essbase will be default be in shared services security mode in 11.1.2, the wizard will not migrate security when in this mode.
    It is possible to revert it back but if you don't know the process then it is worth looking at alternatives first.
    You could use LCM to export the provisioning and then import into your target environment.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Auto Logoff while in Shared Services Security Mode

    Pretty simple question but I still haven't found the answer.
    My client's essbase server is set up in Shared Services Security Mode, so now the auto logoff options for the server don't apply. Is there a way to set this via shared services? Or is there some other means perhaps?
    Thanks for your time.

    Essbase will be default be in shared services security mode in 11.1.2, the wizard will not migrate security when in this mode.
    It is possible to revert it back but if you don't know the process then it is worth looking at alternatives first.
    You could use LCM to export the provisioning and then import into your target environment.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Shared Services Security during LCM migration in 11.1.2.1

    I am migrating a Planning app from 1 environment to another.
    I vaguely remember ( from some presentation) that once I export Shared service security I need to modify the file to reflect the correct Essbase server name and than import the Shared service security file.
    Is this a mandatory step ? If yes which file should I modify ? Is it just listing.xml or any other file as well ?

    If you run an export of provisioning then for essbase you should by default see something like "EssbaseCluster-1", if your target environment is configured in the same way it should also be "EssbaseCluster-1" and you will not need to edit any files.
    If you don't start marking your posts I am not going to reply to any of your questions in future, hopefully everybody else will take that stance seeing as you have so many unresolved questions.
    Cheers
    John
    http://john-goodwin.blogspot.com/

Maybe you are looking for