User Authorizations and security
Hi,
I need to know whether it is required to give <b>SAP_ALL</b> to the <b>functional consultants' and ABAP developers' user IDs</b> that were created, or whether a different set of roles should be created. Where do I find these security best practices, so that I can implement them?
Regards
Puneet
Sathi,
Yes, you can in fact do this...it is a fairly involved process but once done it works very well.
Remove ALL authorization objects pertaining to BUKRS (in this particular example you only want to limit users to a company code) from your role. We'll call this first role ZT_role. You will have your transaction codes in here.
You will have a number of other authorization objects that you could do this same thing with. We are currently not only doing this with company code, but cost center/profit center, plant and several more. The process is the same. If you don't want to allow certain users access to a company code, plant...etc. pull the auth obj out of the transaction role.
Next, create a brand new role WITHOUT T-CODES in it and name it something like ZD_Locking_role (whatever you want to call it...but in a sense you are locking users down with this role).
In this 2nd role you will need to manually enter each Authorization Object that uses BUKRS from your 1st role and then add in the company code(s) you want to allow people to see (again...manually add those auth objects needed as mentioned above for cost center/plant etc.).
Now, you should be able to assign the 1st AND 2nd role to a person. They will then only be able to see the company codes you placed in the locking role.
If you only assign the 1st role, they will not be able to view/change by company codes. By adding the second role, the SAP system checks the auth object against their entire profile in their master record and should allow them to work fine.
Good luck!
For those that care...
We not only do the above, we took it many steps further. We created derived roles and broke those down into display-only and create/change roles. In other words, the locking role would read something like Z_DISPLAY_XXX or Z_CRT_CHG_XXX (where XXX is the company).
User roles assigned to associate Joe Smith - as an AR Manager this person needs access to ALL AR functions for creation/display/change, but is only allowed to display all AP documents, not change them, within company code XXX:
Transaction roles:
ZT_AP_DISPLAY role (AP needs to run XK03 or XK04...any and all t-codes are locked down to display only! [03 or 08...etc.])
ZT_AR_MANAGER role (AR Manager needs to display (only) AP stuff but not be able to change. They also need to be able to perform all other functions (create/change) as an AR Manager)
Locking Roles:
ZD_DIS_BUK_XXX (XXX is company code) [display only]
ZD_CRT_CHG_BUK_XXX (XXX is company code) [create change]
With a thoroughly thought-out system you can have a very tight system while still allowing users the versatility to see only certain information.
Good luck!
Similar Messages
End User Authorizations and Roles
Hi,
What are all the authorizations I need to give to an end user who uses the device?
Is it necessary for the user ID to be the same in the <b>MI Client, MI server and Backend</b> systems?
Let me explain what an end user does:
- logs into the MI client
- performs a first synchronization
- executes the assigned mobile application
- performs a synchronization at the end of the day
rgds,
Kiran
Hi Kiran
Probably I wasn't clear with my reply. You need to assign both of the above-mentioned authorizations to the same user who is performing a sync from the MI Client. S_ME_SYNC is required for the user to perform a sync from MI Client to MI server. S_RFC is required for the same user so that the data can be transferred from MI server to SAP backend and vice versa.
Hope I am clear now
Best Regards
Sivakumar
Check users authorizations and role
Hello!
How can I check the authorizations of Web Dynpro application users, and also their roles?
Thanks
rgds
sas
Hi,
Please go through the following links:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
https://help.sap.com/javadocs/index.html
use the method isMemberOfRole.
Regards
Ayyapparaj
Can anybody help me out with security profiles and authorization?
In my report functional spec they have given three objects for authorization, like
v_vbak_aat
v_vbak_vko
s_tcode
with a transaction code.
How do I use those, and where do I use them in my coding?
Please help me out.
I am desperate for a sample code.
with thank and regards.
durga.
Hi
In your report
Click the PATTERN button --> select AUTHORIZATION-OBJECT --> give the object there and press Enter.
It is just like calling a function module from code.
Reward if helpful.
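Added example (not code from either poster above): a report that performs the three checks durga's spec calls for, written out in ABAP. The report name and the transaction code ZSALES01 are assumed. The PATTERN button generates exactly these AUTHORITY-CHECK statements. How the statement is evaluated is also why the locking-role design in the first reply works: sy-subrc is 0 only when one single authorization somewhere in the user's combined profiles (all assigned roles together) matches every ID listed, so a role that carries the org field (BUKRS, VKORG, ...) together with ACTVT does the restricting, and any other role that holds the same object with '*' in the org field silently widens access again. That is the check to run in PFCG/SUIM before trusting a locking role.

```abap
*&---------------------------------------------------------------------*
*& Report Z_SALES_ORDER_AUTH_DEMO  (assumed name; added example)
*&---------------------------------------------------------------------*
REPORT z_sales_order_auth_demo.

TABLES: vbak.

" The selection fields are also the organizational fields the
" authorization objects are keyed on.
SELECT-OPTIONS: s_vkorg FOR vbak-vkorg,
                s_auart FOR vbak-auart.

TYPES: BEGIN OF ty_order,
         vbeln TYPE vbak-vbeln,
         auart TYPE vbak-auart,
         vkorg TYPE vbak-vkorg,
         vtweg TYPE vbak-vtweg,
         spart TYPE vbak-spart,
       END OF ty_order.

DATA: lt_orders TYPE STANDARD TABLE OF ty_order,
      ls_order  TYPE ty_order.

START-OF-SELECTION.

  " 1. S_TCODE. The kernel checks this when the transaction starts, but
  "    a report can also be run directly from SE38/SA38, so repeat the
  "    check for the transaction it is meant to be reached through.
  "    'ZSALES01' is an assumed transaction code.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD 'ZSALES01'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for transaction ZSALES01' TYPE 'E'.
  ENDIF.

  SELECT vbeln auart vkorg vtweg spart
    FROM vbak
    INTO TABLE lt_orders
    WHERE vkorg IN s_vkorg
      AND auart IN s_auart.

  " 2./3. Per row: sales area and document type, activity 03 = display.
  "    sy-subrc is 0 only if ONE authorization in the user's combined
  "    profiles matches EVERY field listed; values are never mixed
  "    across authorizations or across objects.
  LOOP AT lt_orders INTO ls_order.
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
      ID 'VKORG' FIELD ls_order-vkorg
      ID 'VTWEG' FIELD ls_order-vtweg
      ID 'SPART' FIELD ls_order-spart
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      DELETE lt_orders.        " hide rows outside the user's sales areas
      CONTINUE.
    ENDIF.

    AUTHORITY-CHECK OBJECT 'V_VBAK_AAT'
      ID 'AUART' FIELD ls_order-auart
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      DELETE lt_orders.        " hide document types the user may not see
    ENDIF.
  ENDLOOP.

  IF lt_orders IS INITIAL.
    MESSAGE 'No sales documents you are authorized to display' TYPE 'S'.
    RETURN.
  ENDIF.

  LOOP AT lt_orders INTO ls_order.
    WRITE: / ls_order-vbeln, ls_order-auart, ls_order-vkorg,
             ls_order-vtweg, ls_order-spart.
  ENDLOOP.
```

Checking every row inside the loop is the simplest form and is fine for a small report; for large result sets, check each distinct sales area once and narrow the SELECT ranges instead. Filtering rows silently rather than aborting with an error is a design choice: the user sees only what they are authorized for, and nothing in the output reveals which sales areas exist but were hidden.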
Network user permissions and security
We seem to have a permissions issue using the DIR command.
We have a process that runs in SQL Server which executes a DIR command on the local network using a UNC path to check that the files generated by another system are all there, as part of an audit report.
Until this morning all was fine and dandy, we had no issues.
Last night the IT guys tightened up some permissions on the target directories for security.
Now a dir \\server\shared\dir_name fails with an "Access is denied" error.
We can run this command against the local drive or alternate network UNC paths with no problems.
We have the same issue whether we run from within SQL Server using xp_cmdShell or from the Command Prompt (after logging in to the server with the SQL Server account).
When logged into the server with the account in question, it is possible to browse the network, so Explorer permissions are ok
So it is not related to the SQL Server, nor is it related to the SQL Server Agent account.
It is specific to the rights of one network directory.
Thing is the sql server agent account is part of a domain group that DOES have Dir permissions on the target network directory.
We also can no longer use Dir against that network share from our own accounts, even though we are in a domain group that has Full Permissions on the directory!
So what is going on here - is it possible that somehow the Dir command has been blocked on that one directory share for just the SQL Server agent user?
I was a bit puzzled about the proper location to ask this question, but I think this forum would be the best location to ask:
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlkjmanageability
Kind regards,
Margriet Bruggeman
Lois & Clark IT Services
web site: http://www.loisandclark.eu
blog: http://www.sharepointdragons.com
Hello Experts,
We are using an ECC 6.0 system. My question is, apart from SM19, is there any other t-code to trace user actions, that is, a more detailed trace of user actions?
As you know, SM19 settings offer us the basic actions of a user, that is, which t-codes or reports are being used by the user. But I want to know what they are doing there, that is, whether they are trying to access some infotype in a t-code like PA30, or whether they made a table definition change in SE16, like that.
Please let me know about this.
Thanks in advance.
Regards,
Partha
Hi Partha,
You can use the following TCodes also.
1. STAD
2. STAT
STAD and STAT can also be navigated from ST03N. If you want to log a particular TCode (for e.g. PA30), then please follow the below steps:
Go to ST03N -> Expert user mode -> Collector & Performance DB -> Workload collector -> Parameters.
Enter the transaction codes for the transactions to be analyzed in detail in the Create transaction detail profiles for group box. Save your changes. (please read the message carefully in this screen).
3. STATTRACE
4. SM21
If you are in SM21, then please select all the options in the "Settings" radio button. After getting the display of the Log screen, you can further analyze a message in more detail by double-clicking it.
Still SM20 is really a good choice to view user actions.
Please re-check (in SM19) that all the Audit Classes are selected for the current filter you are analyzing. Before reading the audit log make sure to include all Instances (telling this, just to be sure).
Mark all in "Events" and "Statistic" tabs. Now display the data selecting the particular user and tcode.
Hope this discussion may help you to some extent. Please let me know for any more query.
Regards,
Dipanjan
Issue in User Management and Permissions
Hi,
There is an issue found while working on user management and security. When an asset is uploaded to the DAM, even with create and modify permission, it cannot be edited.
While analyzing, it was due to the following reasons.
When given “MODIFY” permission to the root folder, it is not applying to all the asset in that folder and sub-folders.
We have to provide “MODIFY” permission for each asset, in this case it won’t apply for newly added asset.
When given “DELETE” permission to the root folder, “MODIFY” permission is applying automatically to all the asset in that folder and sub-folders.
But “myRole” only should modify the asset but not delete.
Is it CQ functionality or an issue?
Note: Using CQ5.5 version
Regards,
Fazz
In CQ5.4 "MODIFY" permission at folder level is enough for modifying the assets under that folder. But in CQ5.5 "MODIFY" permission is necessary on every asset for editing.
Regards,
Fazz
SAPB1 copy user authorizations
Hi Expert,
I am now setting up user authorizations, and there is a group of more than 5 users who log in using the same authorizations. I wish to have a shortcut by setting up one user and copying it to the other 4 users in the SAME COMPANY database. Is there any SQL script sample that can help?
Thank you and regards,
Joan.
Hi,
Please think of using group authorizations rather than copying. Please refer to the Authorizations doc for this.
Regards
CSM Reddy
Hi CMS expert,
When I export some objects in the IR using Transfer to CMS Service I get an error.
It looks like user authorizations.
Which user is going to be responsible for this task?
Sent on 06. 1. 19 at AM 9:47: Unable to establish connection to CMS server http://cmssrv:50000. Unable to transfer the following transport lists: Export list for BUSINESS_PROCESSES, 1.0 of ka.kk.net (send time = 06. 1. 19. AM 9:47, component = BUSINESS_PROCESSES, 1.0 of ka.kk.net, ID = 15fa9530875311dac55a001018006446) Details: User User is not allowed to do this function is not allowed to do this function Check the availability of the CMS and the user authorizations and send the transport request again if necessary
Thank you & regards
I solved it myself. I forgot to create XIREPUSER and XIDIRUSER.
Thanks
How to provide user authorization and restrictions for DIRs?
Hi,
Please refer to the link below:
http://wiki.sdn.sap.com/wiki/display/PLM/AuthorizationObjectsin+DMS
It has list of authorization objects for DMS using which you can control access to DIR.
Hope this is useful.
Regards,
Deepak Kori
User authorization doesn't work in MD01.
Hi!
I created the role with transaction MD01 only.
System generated two Authorization Objects:
1. S_TCODE - Transaction Code Check at Transaction Start:
MD01
2. M_MTDI_ORG - Organizational Levels for Material Requirements Planning:
MRP Controller (Materials Plan...
Activity types in materials pl MRP: total planning
Plant Unmaint. org. level
Next, I can leave the values of "Plant" or "MRP controller" in authorization object M_MTDI_ORG empty. I can even delete authorization object M_MTDI_ORG!
But the user with this role (only this one) can still not only open MD01, but successfully complete planning, for any plant or MRP controller.
Why doesn't it work? What can I do? I need to limit user authorization and I don't want to create a Z-transaction for it.
Thank you
Best regards,
Evgeniy
Hi, Caetano!
The Note contains only MDBT. But apparently, MD01 is also included in this rule.
If you use a user-exit M61X0001, a user must choose the user key in the selection screen. And user can change it. It's not what i need.
Thanks for your reply!
Best regards,
Evgeniy
User name and password required to access Security settings
I have an HP5520e all in one printer. I am trying to set it to scan to my computer. The instructions say I should activate Webscan from the Administrator Options under Settings and Security. When I try to get to Administrator settings I am being asked for a user name and password. What username and password am I supposed to enter here?
gnomad899,
Welcome to the HP Forum.
Start with the standard:
admin = admin
password = password (or leave it blank)
This assumes, of course, you have not used EWS (embedded web server) and set a password for it previously -- which you CAN do while using EWS. Once you do set a password using the EWS page, every time you want to look at certain settings or adjust certain settings, you have to enter the password you set up.
EWS is simply the web page interface to the printer -- like you use a web page to talk to your router software. Same thing - sort of, except you type in the printer IP on your browser instead of the router, of course.
============================================================================
If it won't let you in,
You can try resetting the printer. Be Aware that should you do this, you have to re enter any previously entered information (wireless settings, etc.).
You might be able to reset the printer on the front panel - settings > factory defaults (or similar).
OR
from TroubleShooting > Solve a Problem > Printer Does Not Maintain Wireless Connection
Step four: Reset the printer and wireless router, and then restart the computer
Follow these steps to reset your printer and your wireless router, and then restart your computer.
NOTE:Consider bookmarking this page on your web browser so that you can reference it after restarting the computer.
Follow these steps to reset your printer, your wireless router, and your computer.
Press the Power button on the printer to turn it off.
Disconnect the power cord from the rear of the printer.
Disconnect the power cord from the wireless router.
Turn off the computer.
Wait 30 seconds.
Reconnect the power cord to the wireless router.
Wait 30 seconds, or until the router is fully on and ready.
Turn the computer back on.
Wait for the computer to reload.
Reconnect the power cord to the rear of the printer.
Turn the printer back on.
===========================================================================
Reference:
HP 5520 e All in One Printer
User Guide
Although I strive to reflect HP's best practices, I do not work for HP.
Kind Regards,
Dragon-Fur
Good morning all,
I need some help achieving the following in our Exchange 2013 Environment. First off, we have Exchange 2013, but all our clients have Outlook 2010.
Here's what I would like to be able to do:
1) create/manage public calendars / rooms in exchange 2013
2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
Any one got any resources they can give to point me in the right direction?
I have already created two mailbox room resources, and have them set up in a room list in AD. But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
membership.
I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining. I just want it to show up.
Any help on this is greatly appreciated, thank you!
1) I recommend using Room Mailboxes for resource calendars because it just works better.
2) This is a standard feature of a Room Mailbox.
3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
I don't know any way to just make them "show up". You'll have to teach them. Well written instructions can work wonders.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
ADF security - prompt for user id and password again on page forward
Hi,
I am working with ADF using JDeveloper 10.1.3 with Business Components and ADF Faces.
I have a Search page and a List page.
Both pages are based on the same view within the same application module.
The Search page is using the default Find and Execute Operations.
The Execute button has an action that navigate to the List screen.
faces-config.xml
<navigation-rule>
<from-view-id>/jspx/search.jspx</from-view-id>
<navigation-case>
<from-outcome>search</from-outcome>
<to-view-id>/jspx/list.jspx</to-view-id>
<redirect/>
</navigation-case>
</navigation-rule>
<navigation-rule>
<from-view-id>/jspx/list.jspx</from-view-id>
<navigation-case>
<from-outcome>find</from-outcome>
<to-view-id>/jspx/search.jspx</to-view-id>
<redirect/>
</navigation-case>
</navigation-rule>
Security (Roles and Users) is based on the jazn-data.xml and web.xml
URL patterns for the pages have been assigned to the role.
Login Configuration is HTTP Digest Authentication
<web-resource-collection>
<web-resource-name>APP_SUPPORT</web-resource-name>
<url-pattern>faces/jspx/search.jspx</url-pattern>
<url-pattern>faces/jspx/list.jspx</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>APP_SUPPORT</role-name>
</auth-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
</login-config>
Everything is fine when running the application from JDeveloper, but when the application is deployed to the server (OC4J), after logging into the system, the Search page prompts for user ID and password again on click of the Execute button.
Have anyone experience this problem before?
Thanks for any help.
Jim
Hi,
does the same thing happen if you change your protected resource from:
<web-resource-collection>
<web-resource-name>APP_SUPPORT</web-resource-name>
<url-pattern>faces/jspx/search.jspx</url-pattern>
<url-pattern>faces/jspx/list.jspx</url-pattern>
</web-resource-collection>
to:
<web-resource-collection>
<web-resource-name>APP_SUPPORT</web-resource-name>
<url-pattern>/faces/jspx/*</url-pattern>
</web-resource-collection>
Brenden
Grant access to help desk users to add members to distribution and security groups
Hello,
I am trying to create a set of help desk users that has full access to add or remove members from distribution and security groups as well as update users. We want it to bypass owner approval and essentially allow this group to add or remove members in the FIM Portal and flow it down to ADS.
This obviously works fine if one is a member of the Administrators set, but we want a second tier of power users with limited rights compared to FIM Admins. We have added the help desk team to the Security Group Users and Group Users set as well as the MPR "Security group management: Users can read selected attributes of group resources".
The help desk users can update users in the Portal with no issue. The can search groups with no issue but when they try to add members to a group they get the error "Access Denied".
Any help is greatly appreciated.
Thanks!I'm having very similar problem - I have users with delegated right to modify group membership only. User can add someone to group and it works fine, but when the same user is trying to remove and user from a group (even if this is the same user
which was added a minute ago) he gets Access Denied:
The
request included members which the requestor is not authorized
to add and/or remove from this group."
It is caused by default MPR:
Group management workflow: Validate requestor on remove member
Question is how this activity validates this request - any insight?