Access Level - Granted vs Effective

I created an ACL with an ACE that grants "Discover" and "GetContent" to a specific DirectoryGroup. However, users who are NOT members of that DirectoryGroup can see the document that uses that ACL. I wrote some code to display the Granted and Effective Access Levels for that user and ACL, and I get "NONE" for Granted but "Discover", "GetContent" for Effective! Obviously, something isn't working right, but it appears that the ACL is set up correctly.
The ACL is set up as a shared ACL, created by user "system".

I just faced this problem this week.
I will have to look at your code, but what I realized is this:
// test the actual access level for current user.
myPublicObject.checkEffectiveAccess(AccessLevel.ACCESSLEVEL_CREATE);
// test the actual access level for current user.
myPublicObject.getAcl().checkGrantedAccess(AccessLevel.ACCESSLEVEL_CREATE);
The confusion here is caused by the fact that the ACL object is a subclass of PUBLICOBJECT. The ACL subclass inherits the function checkEffectiveAccess from the PublicObject API, and that function will check the AccessLevel on the ACL object and not on the PublicObject.
myPublicObject.getAcl().checkEffectiveAccess(AccessLevel.ACCESSLEVEL_CREATE);
The documentation is not very clear on that.

Similar Messages

  • Schedule Access Level as Edit Objects granted

    Hi,
    I am currently working on implementing and testing XI3.1 Security.  While testing, I have noticed that the Schedule Access Level has General --> Edit Objects as explicitly granted and this should not be the case.  Has anyone come across this before?
    Thanks
    NT

    Srinivas Ganapathi wrote:
    > As the earlier poster mentioned, the only relevant right name I see is 'Edit objects that the user own'. Is this the right you mean? This right is explicitly granted. We're however on SP1 (so there's no LCM).
    >
    > Best,
    >
    > Srinivas
    No, it's definitely General --> Edit Objects that is Explicitly Granted.

  • What is the use of access level

    Hi Experts,
    What is the access level and what is use of each option in access level
    1  Application
    2  Superior component
    3. Top Component
    4. Sap
    5. Global
    and in Details section what is the use Properties tab
    1. Application Component
    2. Software Component
    3. Development Package
    4. Settings Class
    Please explain Each option use.
    Thank you in advance,
    Srini M.

    Hi Srini,
    just read the documentation (although the current status on SAP Help Portal isn't really up-to-date):
    1. [Entry point|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/cc/85414842c8470bb19b53038c4b5259/frameset.htm]
    2. [Setting an Access Level|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/32/6aba9c49fd41a5a14f710e121220f1/content.htm]
    W/r to "Application Component" etc., docu on Help Portal is definitely not sufficient. Here, the following applies:
    An application offers attributes for the application component and the software component. The application component and software component have to be the same as defined for the development package. Application and software component are automatically derived from the development package if they are not set explicitly.
    For the definition of the development package, application component, and software component, we recommend that you choose the same values that are in effect for the software solution that you want to enhance by a new BRFplus application. This simplifies all activities related to the software infrastructure, especially transports.
    CU
    Claus

  • Problem with user access level

    David,
    I have so far successfully implemented your tutorial on users registering and having to validate their email address (both part I and II).
    Part I: http://cookbooks.adobe.com/post_Registration_system_that_requires_the_user_to_vali-16646.html
    Part II: http://cookbooks.adobe.com/post_Registration_system_that_requires_the_user_to_vali-16649.html
    When creating a login form however, I don't get it to work based on the access level verified = y. The database is set up exactly as you described in the above tutorials.
    This is the HTML for the log in form (index.php):
    <form ACTION="<?php echo $loginFormAction; ?>" method="POST" id="logon">
    <label for="user">Username</label>
    <input type="text" id="user" name="username" />
    <br />
    <label for="pass">Password</label>
    <input type="password" id="pass" name="password" />
    <br />
    <label for="done"> </label>
    <input type="submit" value="Log On" />
    </form>
    Below the code that is found above the <html> tag in the index.php file:
    <?php require_once('../Connections/conn.php'); ?>
    <?php
    if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }
      $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
      switch ($theType) {
        case "text":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "long":
        case "int":
          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
          break;
        case "double":
          $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
          break;
        case "date":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "defined":
          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
          break;
      }
      return $theValue;
    }
    }
    ?>
    <?php
    // *** Validate request to login to this site.
    if (!isset($_SESSION)) {
      session_start();
    }
    $loginFormAction = $_SERVER['PHP_SELF'];
    if (isset($_GET['accesscheck'])) {
      $_SESSION['PrevUrl'] = $_GET['accesscheck'];
    }
    if (isset($_POST['username'])) {
      $loginUsername=$_POST['username'];
      $password=$_POST['password'];
      $MM_fldUserAuthorization = "verified";
      $MM_redirectLoginSuccess = "overview.php";
      $MM_redirectLoginFailed = "index.php";
      $MM_redirecttoReferrer = false;
      mysql_select_db($database_conn, $conn);
      $LoginRS__query=sprintf("SELECT username, password, verified FROM users WHERE username=%s AND password=%s",
      GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
      $LoginRS = mysql_query($LoginRS__query, $conn) or die(mysql_error());
      $loginFoundUser = mysql_num_rows($LoginRS);
      if ($loginFoundUser) {
        $loginStrGroup  = mysql_result($LoginRS,0,'verified');
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        if (isset($_SESSION['PrevUrl']) && false) {
          $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess );
      }
      else {
        header("Location: ". $MM_redirectLoginFailed );
      }
    }
    ?>
    On the overview.php page, I applied the restrict access to page behaviour, which results in the following code:
    <?php require_once('../Connections/conn.php'); ?>
    <?php
    if (!isset($_SESSION)) {
      session_start();
    }
    $MM_authorizedUsers = "y";
    $MM_donotCheckaccess = "false";
    // *** Restrict Access To Page: Grant or deny access to this page
    function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
      // For security, start by assuming the visitor is NOT authorized.
      $isValid = False;
      // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
      // Therefore, we know that a user is NOT logged in if that Session variable is blank.
      if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
          $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
          $isValid = true;
        }
        if (($strUsers == "") && false) {
          $isValid = true;
        }
      }
      return $isValid;
    }
    $MM_restrictGoTo = "index.php";
    if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
      $MM_qsChar = "?";
      $MM_referrer = $_SERVER['PHP_SELF'];
      if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
      if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
      $MM_referrer .= "?" . $QUERY_STRING;
      $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
      header("Location: ". $MM_restrictGoTo);
      exit;
    }
    ?>
    Any idea/thoughts on what I'm not adding to the page in order to work?

    David,
    Thank you for that insight, I figured it would be something like that and when I woke up this morning, it all made sense. I changed something from the tutorial (part I) you wrote and now it works fine.
    I had trouble with the validation link in the email that is sent automatically. In your tutorial, section "generating and sending the validation email", you write:
    $message .= urlencode($_POST['username']);
    $message .= '&amp;t=';
    $message .= urlencode($token);
    When using the code like this, it wouldn't set the verified column to y. However, when I changed the middle $message to
    $message .= '&t=';
    it updated the verified column to y. The URL that displayed from the original code displayed the & sign as &amp; in the URL itself.
    Next to that, whenever I try to add something to the e-mail, the validation link becomes not clickable anymore.
    As far as the login problem is concerned, encrypting indeed did the trick.
    if (isset($_POST['username'])) {
      $loginUsername=$_POST['username'];
      $password=sha1($_POST['password']);
    Putting the $_POST['password'] between brackets, adding sha1 in front of it. It works just fine now.
    Hopefully no further problems on this anymore! Thanks a lot for your insights!
    EDIT: I can't mark this thread as answered anymore?

  • Need access levels to access database

    Hi,
    I am doing a project with JSP on an MS Access database. This web application should be accessible to 10 people. All should be able to view the data, but there should be levels. How can I get access levels to the database, like read access for some 2 people, write and modify access for some 5 people, while inserting can be done by the other 2 people? Please give the solution for this. I have the NetBeans 4.1 IDE and the bundled Tomcat server.
    So, kindly give the JSP code and MS Access solution.
    Thanks.

    I am not informed if the MS Access DB supports SQL-92. In that case you should be able to define the users and set the rules using the GRANT SQL command. So it is more or less an off-topic entry here for a Java forum.
    Else if you try to implement the authorization business logic out of your DB domain in Java (or C or whatever), it is no longer coupled with the DB and most likely that is not what you are supposed to deliver.

  • Multiple Access Levels per User

    In a site I'm building, I need the ability to allow an administrator to intuitively assign different access levels to different users. There may ultimately be roughly 25 different pages to which a user may be granted access. One user may have access to section/page levels 1, 4, 5, 7 and 21. Another user may get access to 2, 3, 4, 17, 19 and 24, etc. While this is possible under the existing ADDT user login system by creating a separate access value that includes only the permissible pages (access level 1 could get to page 1, 4, 5, 7 and 21; access level 2 could only get to pages 2, 3, 4, 17, 19 and 24) it becomes impractical for the administrator since the developer (me) would have to come up with an access value and corresponding permissible pages for every possible combination. Every time a new combination was needed, my client would have to contact me to add that access integer and modify all the corresponding sections/pages that the user could access.
    The ideal solution IMHO in this scenario would be for the administrator to simply be able to select or deselect a checkbox at will for each page to which the user is granted access (this is actually the scenario to which another of my feature request post refers:
    http://www.adobeforums.com/webx/.59b75119
    In searching the old InterAKT forums, I came across a post in which this exact scenario was requested. The user and Ionut came up with a solution which I was able to modify to enable the system I describe above. Rather than repeating the solution, here is a link to that post:
    http://www.interaktonline.com/Products/Dreamweaver-Extensions/MXUserLogin/Product-Forum/Details/110205/Access+level+based+on+pages.html
    While it appears this solution will work for me, it took me quite a while to find it, and even longer to understand it.
    So, that's my feature request: The ability for an administrator to easily assign any combination of pages to which a user is granted access, preferably with a set of checkboxes.
    Thanks!

    This is functioning now.  With 9.0 you simply use a forward slash between device IDs.
    [device ID #1]/[device ID #2]
    Put this information in the "Mobile Device ID" field on the user form.
    It also has been verified with 8.82 PL15-16, but I don't know how far back it goes.

  • Multiple Access Level Management

    Let's say there are 8 pages on a web site. Each of the pages until now has had a different access level defined in the database. A user logs in, and access levels are checked via the predefined levels on the pages he is attempting to view. Now users begin to require access to different combinations of the 8 pages. So user A might require page 1, 3, 5, 7 user B 1, 2, 3, 4 and user C wants 2, 4, 6, 8.
    Is there a way to tell coldfusion to examine a string in the access level field in which case a 1 means grant access and a 0 means no access? In other words, a string of 11001000 would grant access to page 1,2 and 5 while a string of 00011100 would grant access to 4, 5 and 6.
    It seems as though this should be relatively easy, but after searching the documentation, I cannot find any solution.

    It would be easier to store individual database records resembling
    user_id  has_access_to
    1        1
    1        3
    1        5
    etc
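
The two designs from this thread side by side, as an added example (not code from either poster): the positional access string from the question is decoded with malformed values treated as no access, then loaded into the `user_id` / `has_access_to` table the reply suggests. Python with an in-memory SQLite database stands in for ColdFusion and the site's database; the table name `page_access`, the function names and the sample rows are assumptions.

```python
import sqlite3

PAGE_COUNT = 8  # the site in the question has 8 pages

# Constructed sample data: (user_id, access string as stored in the old field).
LEGACY_ROWS = [
    (1, "10101010"),  # user A: pages 1, 3, 5, 7
    (2, "11110000"),  # user B: pages 1, 2, 3, 4
    (3, "01010101"),  # user C: pages 2, 4, 6, 8
    (4, "1100100"),   # truncated value (7 characters): must grant nothing
]


def pages_from_bitstring(bits, page_count=PAGE_COUNT):
    """Decode '11001000' into {1, 2, 5}; position 1 is the leftmost character.

    A value that is not exactly page_count characters of '0'/'1' decodes to
    the empty set, so a damaged field denies access instead of shifting it.
    """
    if not isinstance(bits, str) or len(bits) != page_count:
        return set()
    if any(ch not in "01" for ch in bits):
        return set()
    return {pos for pos, ch in enumerate(bits, start=1) if ch == "1"}


def build_db(legacy_rows):
    """Create the user_id / has_access_to table and load it from bit strings."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE page_access ("
        " user_id INTEGER NOT NULL,"
        " has_access_to INTEGER NOT NULL,"
        " PRIMARY KEY (user_id, has_access_to))"
    )
    for user_id, bits in legacy_rows:
        db.executemany(
            "INSERT INTO page_access (user_id, has_access_to) VALUES (?, ?)",
            [(user_id, page) for page in sorted(pages_from_bitstring(bits))],
        )
    db.commit()
    return db


def can_view(db, user_id, page):
    """Deny by default: access exists only if a matching row exists."""
    row = db.execute(
        "SELECT 1 FROM page_access WHERE user_id = ? AND has_access_to = ?",
        (user_id, page),
    ).fetchone()
    return row is not None


def grant(db, user_id, page):
    """Adding one page is one row; no other user's data is touched."""
    db.execute(
        "INSERT OR IGNORE INTO page_access (user_id, has_access_to) VALUES (?, ?)",
        (user_id, page),
    )


def revoke(db, user_id, page):
    """Removing one page deletes exactly one row."""
    db.execute(
        "DELETE FROM page_access WHERE user_id = ? AND has_access_to = ?",
        (user_id, page),
    )


def pages_for(db, user_id):
    """Return the sorted list of pages a user may view."""
    rows = db.execute(
        "SELECT has_access_to FROM page_access WHERE user_id = ? ORDER BY 1",
        (user_id,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db(LEGACY_ROWS)
    for uid, _ in LEGACY_ROWS:
        print(uid, pages_for(db, uid))
```

With the row-per-grant table, the page check is a single parameterized lookup, and a user with no rows (or an unknown user) is denied without any special case.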

  • DBA Privilege and Access Level

    Dear all,
    Issue: DBA should have the required access level to maintain the database without having access to the business data in certain schema (user)
    Details: I am looking for a solution to enable the DBA to do all his administration work and maintain the database and at the same time he should not have any access to the data objects (specially the data in the tables) in certain schema in the database. The question is: How can I create a DBA then I revoke from him the access to the DB objects in certain schema?
    Best Regards,
    Abdo.

    Do not give the dba the DBA role; instead create your separate role, named, say SECURED_DBA, grant SELECT CATALOG ROLE, ALTER SYSTEM, ALTER DATABASE, etc., but not sweeping privs SELECT ANY TABLE, etc. This will help the DBA manage the database but not have access to the table data.

  • SRKIM: R12: Concurrent Report Access Level

    PURPOSE
    This note explains how, in R12, to grant a user the privilege to view report output from requests run by other users.
    EXPLANATION
    In R11i, the access level for concurrent request output could be set with the profile option "Concurrent: Report Access Level".
    In R12, instead of this profile, Role Based Access Control (RBAC) in UMX is used to specify who can view a request's output.
    An administrator can grant privileges to a user or role on individual programs or program sets in a request group, or on all programs or sets.
    The following permissions are seeded to implement this feature.
    • Permission "Submit Request"
    • Permission "View Request"
    • Permission Set "Request Operations" containing the permissions "Submit Request" and "View Request"
    • Object "Concurrent Programs"
    • Object Instance Set "Programs that can be accessed"
    • Object Instance Set "Request sets that can be accessed"
    To grant a specific role access to a request security group, follow the steps below.
    1. Define the user role in the UMX responsibility.
    2. Define the request security group in the System Administrator responsibility.
    3. Define the grant in the Functional Administrator responsibility.
    1) Enter a name and description for the grant.
    2) Enter the Security Context for the grant.
    3) Under Data Security, specify "Concurrent Programs" or "Request Sets" as the object and click Next.
    4) In Object Data Context, select "Instance Set", then select "Programs that can be accessed" or "Request Sets that can be accessed".
    5) Review the Instance Set Information, then enter the request group and its application under Instance Set Details.
    6) Specify the permission set in "Request Operations".
    Viewing Requests
    As mentioned above, the privilege to view requests can be controlled through RBAC, and the following instance sets serve that purpose.
    • All requests submitted by a user
    • All requests submitted by a user for a given application
    • All requests belonging to a program submitted by a user
    • All requests belonging to a request set submitted by a user (irrespective of the constituent programs' owning application) to another user (or a group of users - via a role).
    REFERENCE
    NOTE. 736547.1 - Concurrent Report Access Level

    Hello Kai,
    would you mind giving me a hand and post here the answer to your question? The mentioned metalink note is just referencing a whole section within 120sasg (B31451-05.pdf). If you would provide a short summary what needs to be done would be very welcome.
    Thanks a lot
    Volker

  • Mebody Keep on getting a message that says write access not granted if I want to save my edited images! Please help? Preview check box already unchecked

    Please help me with this problem? I keep on getting a message saying write access not granted, so I can't save my files!

    The drive appears in the sidebar with a tiny lock icon, and when I try to copy a file from my internal HD to the external (top level directory, or drag the items right onto the icon), the following things happen:
    Open the Terminal in the /Applications/Utilities/ folder and enter the following:
    chflags nouchg
    followed by a space; next, drag the disk into the Terminal window and press Enter. The lock should now be gone.
    The fact that my account was named both as owner and group seemed odd, since in Group the access was "read only".
    Recent versions of Mac OS X create a group with the same name whenever you create an account from the Setup Assistant or System Preferences. The Group permissions don't apply in this case.
    I changed the Group access to "read & Write", but it's not "sticking" -- when I close the details field and reopen it, or close the get info window and reopen, the Group access settings go back to "read only".
    Did you get an error message after doing this?
    Verify/Repair permissions were dimmed for this drive (I assume because it doesn't have MacOS X installed on it?)
    That is correct. The Repair Permissions mechanism uses data from the /Library/Receipts/ folder on a disk to function, and this data is only present on disks which have Mac OS X installed.

  • Can not assign custom access level with a user login

    Hi,
    I am using Business Objects XiR3. When I am logging in with a user having full control access and then I select a folder, add a principal from user security, and try to add a custom access level, it gives me this error:
    An error occurred at the server during security batch commit: Request 0 of type 38 failed with server error : You do not have sufficient rights to make the requested security changes.
    It allows me to give access to standard access levels. Also, when I tried to assign a custom access level with the administrator user, it assigned the custom access level to a principal without error.
    Can anybody tell me what I am doing wrong?
    Thanks in advance,
    Rajendra

    Hi Rajendra,
    You have to make sure that the user group has the right 'Use access level for security assignment' assigned as granted on the access level you created. You can find this right under System / Access Level. That should do the trick!
    Hope this helps...
    Martijn van Foeken
    Focuzz BI Services
    http://www.focuzz.nl
    http://nl.linkedin.com/in/martijnvanfoeken
    http://twitter.com/mfoeken

  • QaaWS Access Level

    All,
    I am setting up access level for users in the production environment for QaaWS tool. All users can view QaaWS in production, but they CAN'T create/modify/delete QaaWS in production. What access level do I need to enable this?
    I tried to use the "View" access level out-of-the box, but I got this "You are not authorized to design or edit a query. Please contact your administrator (QWS 02718)."  If I use "Full Control" access level, the user can login fine, but the issue is that user can create/modify/delete QaaWS in production. I am puzzled as to what access level can give me the view ability...
    Please advise...
    thanks...

    QaaWS is a query tool designed for editing WSDLs. If you grant view, that is most likely for InfoView, not for opening with the client. So I believe this is by design. If you do not get anyone to verify this then I'd suggest opening a case with the support admin team so they can test it and verify that for you.
    Regards,
    Tim

  • Provisioning varying admin access levels by Planning plan types

    How can I provision admin access levels by plan types? For example, I'd like to grant a user full admin access to one plan type, but limit their access for another plan type within the same application? The plan type I want to limit them to is basically a workforce plan type which I do not want to allow them to have any admin access to. Anyone know how to do this?

    I took a look at the blog and my current setup design mostly follows what is on the blog. I too have a workforce plan type along with other plan types in the Planning application. What I'm trying to see if it's possible is to setup a user with admin access to manage and modify the member outlines for 2 out of the 3 plan types in Planning, but not give him access to the workforce plan type as that has sensitive compensation information. But it appears that if he's granted admin access to modify the application outline, then he would be able to grant himself access to the workforce members, which then means I can't provision him with limited admin rights while also preventing him from access to the workforce information.

  • How to change lookup code  with Access Level as 'System'

    Hi,
    I need to append new lookup codes in a lookup type having access level as 'SYSTEM'. Is there any standard way to do the same or just updating the customization level column will do ? Please let me know if you have any solution for this.
    Regards
    Girish

    You can also change the meaning on that value to something like "*** DO NOT USE***". This will make it obvious to the user that he/she should not choose it.
    You can try to add a when-validate-record personalization to show error if someone selected a disabled value.
    You can also try to modify the list of values associated with the field using personalizations.
    If nothing else works, you can use a SQL to uncheck the enabled flag. The risks involved in this are well known.
    Hope this answers your question
    Sandeep Gandhi
    Independent Consultant
    513-325-9026

  • How to include group access level in a ws call

    I want to include a Group Access Label in a Permission for a Course using an iTunes web service call.
    I don't see how to do this in the docs.
    (The example in iTunesUAdministratorsGuide.pdf at page 111 doesn't include the Group Access Label.
    And it's not in the schema for the ws xml document at http://deimos.apple.com/iTunesURequest-1.0.xsd)
    Is this an obvious omission or am I missing something? Anyone know how to do this?
    Background:
    We're creating most Courses programmatically.
    Obviously, we'd strongly prefer not to require an administrator to go into every Course and manually add a common Group Access Label to the Permission. (This manual piece is essentially what's now missing from the ws call or at least from my understanding of it.)
    Either way -- manually by an administrator or programmatically -- our instructors would then be able to set Permissions themselves on any Group they create -- doing this themselves and without the help of an administrator.

    To resume with a little progress made:
    I have a Section
    * with Access Level == Edit for Credential == Instructor@...${IDENTIFIER} with no Group Access Label, and also
    * with Access Level == Download for Credential == Student@...${IDENTIFIER} with Group Access Label == Student.
    I'm doing ws calls to add a Course including an identifier. This is successful, and I can then go into the iTunes client as Instructor@...${IDENTIFIER} (substitution made) and manually add Groups and change Access to each individually. (I'm adding Groups "Download", "Shared Uploads", and "Drop Box", changing the Access Level accordingly for Group Access Label "Student".
    But naturally I want to do the manual part programmatically, to save n instructors from having to learn how to do this same thing and then to do it.
    So I'm trying to change my ws call to add the Groups, including Permissions. Schema http://deimos.apple.com/rsrc/xsd/iTunesURequest-1.1.xsd doesn't include Group Access Label for Permission. What does this mean?
    I've tried the actual Credential == Student@...${IDENTIFIER} (with IDENTIFIER substitution made before the call) and also Credential == Student (to see if I'm supposed to match the Group Access Label, instead).
    For either of these trials, the ws call successfully adds the Groups and a ShowTree includes the Permissions for the Groups. But in the iTunes client user interface, it's as if I gave no Permissions in adding the Groups.
    Am I approaching this wrong or is there a bug here?
    (I haven't tried yet a separate call to add the Group Permissions, not wanting to suffer the processing wait of getting handles for the three Groups.)
    Anyone else doing this? (successfully or not ) Thanks.
