A question about CA Role Seperation

Similar Messages

• Questions about Database roles

  Hi, 
  Need to setup a new (Windows) user which has varied access to tables, views and procedures in about 8 different schemas all in the same database. 
  I've created a instance level login and then gone to the database to set the more granular details. 
  First question.  Does this user need to own the schemas they will access? 
  Secondly, I'm assumign the best bet would be to create a database role and then apply the privs against that? 
  I need to give access to all stored procedures (and future procedures) in a couple of these schemas and none in the others.  Is it possible to grant execute on all procedures in a schema whist prohibiting others? 
  Then I would assign the database role to the new instance login? 
  Thanks 

  In the database he has access to a number of schemas but I wish to explicitly exclude him from all views in those schemas and in addition to this all the sys catalogs, e.g
  Also have no idea how to restrict access to the user created views without doing them all manually, but then what happens in the future if new views are added? They are not going to be explicitly denied. 
  David nailed the problem.
  There is no way to differentiate SELECT permission between Tables and Views. If they are all in the same schema and tables are allowed and views not.. out of luck and have to include the allowed object one by one (as opposed to denying the not allowed ones
  with the risk of missing some in the future)
  This is why database design should have security in mind from the very beginning and views, being a way to access (aka "access-schema") data in tables should ideally be placed in a separate schemas
  Andreas Wolter (Blog |
  Twitter)
  MCM - Microsoft Certified Master SQL Server 2008
  MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
  www.andreas-wolter.com |
  www.SarpedonQualityLab.com

• General Questions about Oracle Roles/Privileges

  Hi,
  I have a few questions I'm hoping to get clarification on:
  1 - Is there a view similar to DBA_SYS_PRIVS/DBA_TAB_PRIVS that shows which system privileges have been assigned to users/accounts ONLY, filtering out roles? If not, how would one go about obtaining this list?
  2 - Is there a view similar to DBA_ROLE_PRIVS that shows also just shows which users have been assigned to which roles ONLY, again filtering out roles? If not, how would one go about obtaining this list? I assume some type of recursion has to be done here to flatten out the roles.
  My end goal is this:
  - List of all users and directly assigned system privileges only
  - List of all users and directly assigned table/object privileges only
  - List of all users and all roles (if role X contains role Y, this list should show user has role X and Y)
  Many thanks!

  1 - Is there a view similar to DBA_SYS_PRIVS/DBA_TAB_PRIVS that shows which system privileges have been assigned to users/accounts ONLY, filtering out roles? If not, how would one go about obtaining this list?
  it's simple:
  select grantee, privilege from dba_sys_privs where grantee in (select username from dba_users);
  select grantee, owner, table_name, privilege from dba_tab_privs where grantee in (select username from dba_users);
  2 - Is there a view similar to DBA_ROLE_PRIVS that shows also just shows which users have been assigned to which roles ONLY, again filtering out roles? If not, how would one go about obtaining this list? I assume some type of recursion has to be done here to flatten out the roles.
  select grantee, granted_role from dba_role_privs where grantee in (select username from dba_users);
  select grantee, granted_role from dba_role_privs where grantee in (select role from dba_roles);Hope this helps...

• Question about the role Reporting Developer

  Hi Experts,
  I created a role for reporting developer. With this role a user can create queries without problem. But I faced an error when I tried to attach the map.
  The error messages are:
  "System error when downloading shape files from BDS."
  "Data connection for map "cntry200" could not be established."
  "Query can not be displayed on a map."
  another question is, what does authorization object Broadcast Settings mean? It would be more helpfull with examples.
  Thanks a lot!
  Ziyang

  Hi,
  With your help I've got the authorization object Broadcast Settings. Thank you very much!
  In transaction RRMX l get this message.
  For instance, now I am working as a reporting developer or a reporting user.
  step 1: run RRMX Analyzer
  step 2: open a query
  step 3: now I want to attach a map into the report. Layout -> attach map
  And then I get this message.
  However, it is no problem when I run Layout -> attach chart.
  Thanks

• Question about Kurts comments discussing the seperation of AIA & CDP - Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy - Kurt L Hudson MSFT

  Question about the sentence in bold. What is the meaning behind this comment?
  How would you separate the role of the AIA and CDP from a CA subordinate server? I can see where I add a CES and CEP server which has those as well, but I don't completely understand his comment. Because in this second step, (http://technet.microsoft.com/en-us/library/tlg-key-based-renewal.aspx)
  he shows how to implement CES and CEP.
  This is from the guide located at: http://technet.microsoft.com/library/hh831348.aspx
  Step 3: Configure APP1 to distribute certificates and CRLs
  In the extensions of the root CA, it was stated that the CRL from the root CA would be available via http://www.contoso.com/pki. Currently, there is not a PKI virtual directory on APP1, so one must be created.
  In a production environment, you would typically separate the issuing CA role from the role of hosting the AIA and CDP.
  However, this lab combines both in order to reduce the number of resources needed to complete the lab.
  Thanks,
  James

  My concern is, they have a 2-3k base of xp systems, over this year they are migrating them to Windows 7. During this time they will also be upgrading hardware for the existing windows 7 machines. The turnover of certificates are going to be high, which
  from what I've read here, it worries me.
  http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx
  The application then can go to those locations to download the CRL. There are, however, some potential issues with this scenario. CRLs over time can get rather large
  depending on the number of certificates issued and revoked. If CRLs grow to a large size, and many clients have to download CRLs, this can have a negative impact on network performance. More importantly, by
  default Windows clients will timeout after 15 seconds while trying to download a CRL. Additionally,
  CRLs have information about every currently valid certificate that has been revoked, which is an excessive amount of data given the fact that an application may only need the revocation status for a few certificates. So,
  aside from downloading the CRL, the application or the OS has to parse the CRL and find a match for the serial number of the certificate that has been revoked.
  With the above limitations, which mostly revolve around scalability, it is clear that there are some drawbacks to using CRLs. Hence, the introduction of Online Certificate
  Status Protocol (OCSP). OCSP reduces the overhead associated with CRLs. There are server/client components to OCSP: The OCSP responder, which is the server component, and the OCSP Client. The OCSP Responder accepts status
  requests from OCSP Clients. When the OCSP Responder receives the request from the client it then needs to determine the status of the certificate using the serial number presented by the client. First the OCSP Responder determines if it has any cached responses
  for the same request. If it does, it can then send that response to the client. If there is no cached response, the OCSP Responder then checks to see if it has the CRL issued by the CA cached locally on the OCSP. If it does, it can check the revocation status
  locally, and send a response to the client stating whether the certificate is valid or revoked. The response is signed by the OCSP Signing Certificate that is selected during installation. If the OCSP does not have the CRL cached locally, the OCSP Responder
  can retrieve the CRL from the CDP locations listed in the certificate. The OCSP Responder then can parse the CRL to determine the revocation status, and send the appropriate response to the client.

• A question about users assigned roles extraction

  Dear all,
  I have a question about users assigned roles list extraction. I need the list of the users who have already been created along with their assigned roles. According to what I found on Google, there is a table named AGR_USERS which provides the roles assigned to each user. Yet, this table provides only the SAP ID of each user along with the assigned roles. What I need more is to have also the first name and second name of each user.
  So, do you know any table providing at least the following information:
  1) First name of each user
  2) Second name of each user
  3) SAP ID of each user
  4) All assigned roles to each user.
  NOTE: I really need to have first name and second name in separate columns
  Thanks in advance,
  Dariyoosh

  >
  Shekar.J wrote:
  > Agr_users for the user ID and role assignments
  > USR02 to check the validity of the User ID
  > and USER_ADDR for the first name and last name
  >
  > You can create a Table join of the above 3 tables to retrieve the data you require
  Thanks to you and others for your attention to my problem
  I don't know anything about ABAP programming, is there any transaction allowing to create this join? As it seems to me the column "UNAME" in the table "AGR_USERS" and the column "BNAME" in the table "USER_ADDR", both refer to the SAP ID of the user. As a result the condition of the join would be "WHERE (UNAME = BNAME)", is there  any transaction/programme allowing to create this join?
  Thanks in advance,
  Dariyoosh

• Question about the order to creating Account, Contact, Contact Role

  Hi, my friends,
  I have some questions about the order of creating Account, Contact, Contact Role, etc in Web Service 1.0. I could create them in the following case:
  1. Insert Contact object and get contactId (now new contact exists in CRMOD)
  2. Insert Account object with Contact Role child associated with contactId
  My questions are:
  1. Do we have the following order? Insert new Account with new Contact child and Contact Role child (Contact is new and does not exist in CRMOD).
  2. Looks like system need accountId, contactId, etc to make the objects relationship. Is there other field having the same function?
  Thanks
  Ray

  Hi Ray,
  In response to your questions:
  1. Do we have the following order? Insert new Account with new Contact child and Contact Role child (Contact is new and does not exist in CRMOD).No. Both the Account and Contact must already exist. The Role value is an attribute on the Account Contact relationship, this relationship must exist in order to assign a role value to it. This is consistent with the behaviour of the UI, when you press the New button on the Contact child applet, you are taken to the Contact New page where you can create a Contact record. Once you save, the relationship is created but you cannot assign a role value unless you click the Edit Roles link next to the new Contact.
  2. Looks like system need accountId, contactId, etc to make the objects relationship. Is there other field having the same function?Correct, the system needs to know which Account/Contact pair is being assigned a role value. To do this the Account and Contact values must be uniquely identified using the Id values for each.
  I hope this helps.
  Thanks,
  Sean
  Edited by: Sean Duffy on Jan 25, 2010 10:11 AM

• Follow-up question about forms and SharePoint Online

  I asked a question about life after InfoPath earlier, and got a good answer:
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/fb23b3d9-8a09-4267-aab5-09929f6a3082/life-after-infopath-seeking-advice
  After looking at all of the limitations of SharePoint Online, I'm wondering how developers are dealing with the limitations. Lets say you are asked to develop something that has complex logic, including fetching data from external web services, dynamically
  displaying parts of a process to people depending on role, and ending up with a printable document. In our on-premises environment, InfoPath is well suited to this task, with some code behind for some things. Or, if not using InfoPath, we would use application
  pages and workflow.
  Neither of those are available in SharePoint Online, so what would you do?

  Some things, such as the conditional display of content, can be done via JavaScript. More advanced items, such as integrating external web services would likely require a SharePoint "app". A SharePoint app is essentially a link to a separate site
  that is running an asp.net web app (or PHP, or whatever). This asp.net site can do anything it needs with any web services, or conditional formatting, or anything. Because it's registered as a SharePoint app, it can also call back into the SharePoint site
  and work with data. So, a SharePoint App could present the user with a robust form that simply sends the data back to a SharePoint list. The SharePoint app can also be surfaced on the SharePoint site itself in an iframe, so the user won't know that the form
  is hosted by another server.
  By the way, the ideas behind the app model permeate the entire SharePoint environment: instead of having the SharePoint server itself run all kinds of custom business logic, that workload is handled by other servers, so the SharePoint servers can be focused
  on running the core bits of SharePoint. InfoPath puts a large load on the servers, so it's out.  XSLT list views also put a load on the server, so they're also out. SSRS is an amazingly fantastic tool, but is not supported in the cloud (and there's no
  alternative). Timer jobs, event handlers, workflow, and many other things have been re-architected to take the load off the SharePoint servers.
  Mike G.

• Re: Questions about Plan structure

  Reply-To: "Duncan Kinnear" <[email protected]>
  Q. if you have an Employee class with related EmployeeSubordinate and
  EmployeeSalaryHistory classes, should these all be in the same plan?
  A It is better to have them in the same plan.It depends on the design
  you have
  Q Why should the Managers be separated from their business classes?
  A Managers are usually service objects which might require different
  resources.
  These managers when deployed might be required by several other
  applications.
  Seperating them as a different plan will help in just using one
  installed partition to be
  Used by different applications (refer about Reference Partition)
  Q If you have the Database managers separate, what scope does each DB
  manager cover?
  A It is better to have the DB managers in user scope.
  It depends on the numbers of users, u have for the system.
  Since u are talking about 100 tables. It's a huge system.
  It also depends on the user licenses u have for the backend.
  Take care that u use proper load balancing of DB Managers for the
  system.
  Krishna CVSR
  GoldStone Softech Inc
  >
  Hi there,
  We are in the middle of designing the structure of a new system.
  I have read/heard that it is best to break down the plans into the
  following categories:
  Business Classes
  Managers/Services
  Clients
  I have a few questions about this structure:
  Should related business classes be grouped together in Plans? E.g. if
  you have an Employee class with related EmployeeSubordinate and
  EmployeeSalaryHistory classes, should these all be in the same plan?
  Why should the Managers be separated from their business classes?
  E.g. if there is an EmployeeMgr service which deals with anything to do
  with the Employee business class, why separate them in different
  plans? If you need the manager to access the class, you will always
  need both.
  Some of the Forte documentation talks about "Policy" managers and
  "Database" managers. How do the functions of these managers differ
  for a simple CRUD (Create Read Update Delete) class?
  If you have the Database managers separate, what scope does each
  DB manager cover? I.e. do you have one for the entire database (over
  100 tables in our case), or do you break it down by sub-system?
  Thanks in advance for any answers.
  Cheers,
  Duncan Kinnear,
  McCarthy and Associates, Email: [email protected]
  PO Box 764, McLean Towers, Phone: +64 6 834 3360
  Shakespeare Road, Napier, New Zealand. Fax: +64 6 834 3369
  Providing Integrated Software to the Meat Processing Industry for over 10 years
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>
  Get Your Private, Free Email at http://www.hotmail.com
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

  Reply-To: "Duncan Kinnear" <[email protected]>
  Q. if you have an Employee class with related EmployeeSubordinate and
  EmployeeSalaryHistory classes, should these all be in the same plan?
  A It is better to have them in the same plan.It depends on the design
  you have
  Q Why should the Managers be separated from their business classes?
  A Managers are usually service objects which might require different
  resources.
  These managers when deployed might be required by several other
  applications.
  Seperating them as a different plan will help in just using one
  installed partition to be
  Used by different applications (refer about Reference Partition)
  Q If you have the Database managers separate, what scope does each DB
  manager cover?
  A It is better to have the DB managers in user scope.
  It depends on the numbers of users, u have for the system.
  Since u are talking about 100 tables. It's a huge system.
  It also depends on the user licenses u have for the backend.
  Take care that u use proper load balancing of DB Managers for the
  system.
  Krishna CVSR
  GoldStone Softech Inc
  >
  Hi there,
  We are in the middle of designing the structure of a new system.
  I have read/heard that it is best to break down the plans into the
  following categories:
  Business Classes
  Managers/Services
  Clients
  I have a few questions about this structure:
  Should related business classes be grouped together in Plans? E.g. if
  you have an Employee class with related EmployeeSubordinate and
  EmployeeSalaryHistory classes, should these all be in the same plan?
  Why should the Managers be separated from their business classes?
  E.g. if there is an EmployeeMgr service which deals with anything to do
  with the Employee business class, why separate them in different
  plans? If you need the manager to access the class, you will always
  need both.
  Some of the Forte documentation talks about "Policy" managers and
  "Database" managers. How do the functions of these managers differ
  for a simple CRUD (Create Read Update Delete) class?
  If you have the Database managers separate, what scope does each
  DB manager cover? I.e. do you have one for the entire database (over
  100 tables in our case), or do you break it down by sub-system?
  Thanks in advance for any answers.
  Cheers,
  Duncan Kinnear,
  McCarthy and Associates, Email: [email protected]
  PO Box 764, McLean Towers, Phone: +64 6 834 3360
  Shakespeare Road, Napier, New Zealand. Fax: +64 6 834 3369
  Providing Integrated Software to the Meat Processing Industry for over 10 years
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>
  Get Your Private, Free Email at http://www.hotmail.com
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

• Question about Id3-tags and song managem

  Hello, I am getting ready to buy a Zen Touch 20GB in a couple of weeks and I have a few questions about the management software.
  (Correct me if I am wrong about something)
  ) Are songs organized into groups by Genre instead of just folders like on the Ipod?
  2) Are Id3-tags used instead of filename for identification?
  3) What parts of the tag are needed besides title and artist?
  4) Which version of tags does the Zen Touch recognize: Version or Version 2?
  5) If I edit my tags using an external program such as Id3-TagIT, will the tags carry over to the Creative software and to the player?
  Thanks a lot for your help. I want to make sure I have my music collection in order before I get my Zen Touch.

  euph_jay wrote:Ok, so lets say I have all my music in folders right now seperated into different categories on my hard dri've. Some folders denote the artist, some the album, and some a genre. Example: Folder: Chicago Contents: Chicago .mp3 files Folder: Techno Contents: various Techno artist's songs What is the best way of organizing my folder system, so that the transition will be easy to the player?
  Folders are pretty much irrelevant. What the software will do is look at the *tags* in the files and then use these to build the player's library.
  Will imbedded folders work on the player? (like Techno->Crystal Method->Cystal Method .mp3's)
  Again the player has no concept of folders, although if you set Techno as a Genre tag you will be able to view via this in the Music Library.
  Or, am I misunderstanding how music is stored into the mp3 player. Instead of storing music in a "folder like" system (like the Chicago folder or Techno folder), does it store all the songs individually on the device? Then you have to sort it by artist, album, or genre?
  Using your example, in the Music Library you have essentially three categories: Album, Artist, and Genre. So under Album you would see "Vegas" (the Crystal Method's album), under Artist you would see "The Crystal Method", and under Genre you would see "Techno" (and then either the album or artist under this... I forget which it is offhand).
  Make sense?

• Question about ERMS push

  Hi Guru,
  I am prototyping the ERMS push solution in CRM7 and have some questions about the solution SAP help provided.
  Below is the detail about ERMS push:
  Here the e-mail is first handled by the e-mail pull mechanism: it is converted into a
  SAPoffice mail and analyzed by ERMS to find out more details about the mail (like language and certain keywords).
  Then the mail (including the additional information from the ERMS analysis) is transferred to the
  CMS (Communication Management Software). The CMS determines the appropriate agent team and
  dispatches the mail via the push process to an available agent of that team.
  Below is the sap help link:
  http://help.sap.com/saphelp_crm70/helpdata/EN/0e/6a22b86821468691bd5abb51dfd81e/content.htm
  I have below questions about the solution in the help link:
  1. It mentioned about the email profile (set the agent inbox as email provider) and I changed the u201Cdefaultu201D profile delivered by sap. I setup the rule policy according to the help and assigned it in the service manager profile. The purpose of ERMS push is to push email to CMS instead of sending to agent inbox using ERMS. Which business role should this email profile be assigned to? Is it IC_agent?
  2. The help also mentioned about setup u201CERMS_ACTIONu201D as communication system ID in CRMM_BCB_ADM. Does this ID need to be added in the CMS profile? If so, which business role should this CMS profile be assigned to? Is it IC_Agent?
  3. The ERMS uses workflow WS00200001. After the email is pushed to CMS, what status should the workflow be, in progress or complete? Also does it suppose to have agent assigned in the workflow task?
  4. After the CMS pushes the email back to CRM, it will be a pop up for agent to accept or reject. Will it create an interaction record once the agent clicks the accept?
  It would be great if you could shed some light on this.
  Thanks in advance!
  Zhi Jie Kong
  Edited by: Zhijie Kong on Apr 28, 2011 4:32 PM
  Edited by: Zhijie Kong on Apr 28, 2011 4:47 PM

  Hello Zhijie,
  Let me see if I can help address some of your questions.
  1) It doesn't matter which business role you use. You can copy IC_AGENT for example. The important thing is, as Mariusz mentions in this thread, [ERMS email push: problem with CAD and transfer;,your E-Mail profile must be set for E-Mail Provider = 2 (Agent Inbox).
  2) No, this ID itself does not need to be added to any business role (as I assume it is hardcoded in the SAP workflow as Mariusz mentions).
  3) From what I remember, the ERMS Push emails are not set to complete by the system, and therefore can still get inadvertantly routed to agents! I recommend to have a second rule in your Rule Modeler policy to route the ERMS Push emails to a special, separate queue where you can close them out easily without worrying about them getting assigned to any agents!
  4) Yes, the email will arrive like a phone call with the accept/reject buttons flashing (though it will show as an email, not a phone call). And yes, when the agent accepts an Interaction Record will be created by the system automatically.
  I hope this helps you!
  Regards,
  John

• Questions about Access Manager tutorials available in netbeans site

  Hi
  Thank you for reading my post
  I have some questions about two tutoral which i find in :
  http://www.netbeans.org/kb/55/amsecurity.html and
  http://www.netbeans.org/kb/55/amsecurity-liberty.html
  here is my problem :
  we have some web services, now we want to have authentication applied for consumer who try to access our web services.
  we need to have most possible flexibility because we may deploy the server for a customer with an already established Identity database ( Database Table with user details)
  Also we need to have Transport level security using SSL.
  I read and studied both of them and now i have some questions :
  -I think Securing Web Services Using the SAML or UserNameToken is what we need for authentication and autorization of web service consumers?
  is that right?
  -Does Sun Java System Access Manager provide flexibility to authenticate user/password with a database table content?
  -How we can apply roles in Sun Java System Access Manager when we authenticate users ?
  Thanks

  Imagine that we want to have an end to end security for our web services
  we thought that we could use message level encryption to protect the soap message and also we should protect our web services from un-authenticated acess,
  we will use userName token for this.
  Our customer has large database which contains many user/password and role of those users.
  some of web services should be available to higher role (manager) and not for all users.
  so we should check a user role before we allows him/her to access a web service.
  my question is whether Sun Access manager can help us with this? or there are other configuration or packages that we should apply to have this feature.
  to explain more :
  our client side is a swing application, users enter username/password to login into system. after they loged in, we send user/pass every time user want to request some data from some services. (is it good to send user/pass every time?)
  We want Sun Access Manager to handle users authentication .
  We also need to handle role related authorization, can Sun access manager handle this?
  Thanks

• 2 question about GPU and Lens correction ,cs5

  Hi
  i have 2 questions about Gpu and lens correction in Cs5
  1)Filter->lens correction->search online
  i get often and almost every connection time out at the first click on search online , at the second click i get no online profile
  is it normal?
  2) question is about Gpu
  it run faster , but talking about ajustament layer
  like saturation or vibrance for example
  i found with the gpu on , a light slow refresh compared with gpu off
  i have set cache  levels 6 ,history 20
  i guess are the defaul
  well i add a saturation layer and move the saturation slide ,increase o decrease saturation
  with Gpu Off , the changes are immedially , i mean i can see in real time the increase o decrease of saturation
  with Gpu On it takes a few(very few) time more
  again is normal ?
  don't be angry , i'm going to buy cs5 and i'm unsecure ... the price make a big role
  thanks

  For what it's worth, I also see a timeout on the first [ Search Online ] click, after about half a minute delay.  Second click turns up results immediately.  This happens each time Lens Correction is started, even without restarting Photoshop, and in both 32 and 64 bit versions.  Also note that I started with one profile listed by default (though from the wrong camera) for my 40D with 28-135 zoom.
  I alsow noticed that I was seeing progress bar activity in the Lens Correction dialog while I was typing this (even though Lens Correction was NOT the active window) every time I hit the 'L' key.  Strange.
  Windows 7 x64.
  -Noel

• Require information about the Role of Data Analyst

  Hi All,
  I know this might be irrelevent question in this forum, but after a long search, I could not find any suitable place where I can get the information about the role of Data Analyst ( DA ). What all activities the DA needs to perform? Can anyone suggest me anything related to this?
  Thanks in advance
  Himanshu

  As with just about any role, it really depends on the organization. There are dozens if not hundreds of jobs that different organizations might label "Data Analyst." A lot of what a statistician, an economist, or an actuary does would count as data analysis. So would a lot of what a business analyst does. So would a lot of what an software architect does.
  Justin

• Question about permissions in portal content

  Hi all,
  I'd like to ask you guys a question about permissions given to pages in the portal content (EP 6.0).
  When a user accesses a page that contains an iView (for example one for a Web Dynpro, or for a BSP), and the page permissions are correctly set for the user (or a group the user is member of), everything works fine and the user can see and use the application contained in the iView.
  If the Page has no permissions set and the user tries to access this page, an empty page appears instead and the "Detailed Navigation" column appears on the left.
  I know I should not let the user see the link to the page he is not authorized to use (this is done managing the roles given to the user), but I'd like to know from you if it is possible to show a message like "unauthorized user" instead of the empty page that appears.
  Can you also tell me how to keep the "Detailed Navigation" column hidden on the extreme left?
  Thank you for any hint you can give to me.
  Lorenzo

  Hi Lorenzo,
  a way how you might go ahead and hide or show content for specific user groups is via roles merging (see documentation <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/53/89503ede925441e10000000a114084/content.htm">http://help.sap.com/saphelp_nw2004s/helpdata/en/53/89503ede925441e10000000a114084/content.htm</a>
  In essence, this means that you create for example 2 roles (A and B): A contains some content everyone can see, B more secure content for another group. You merge those 2 roles via a merge ID - and if a user has both roles, he sees the content in this workset with all the navigation options. If somebody only has role A, he will only see this content.
  Maybe this is someting that could help with you considerations (always depending on the number of items that are affected, this might be a useful way, or leading to too much confusion, because you have too much different roles).
  Best regards
  Jana