Access to PA20 - conflicts

Hi
I have just created a new role that gives display access to PA20, only for Infotypes 0001, 0002, 0024 and 0041
the role works fine for a user who has only ESS access
This role gives access to all Empl Groups (e.g. EE)
Another user needs this role however he normally has access to many other HR transactions but limited to some Empl Groups (EE excluded).
That seems to cause a conflict because if he tries to display through PA20 a Personnel Number in group EE (access granted through the new role), he doesn't get any information.
How does this transaction work exactly? How best to fix this?
Seems a complex one, hopefully I have explained enough
Thanks
Nadia

Nadia Persiano wrote:
> Hi
> I have just created a new role that gives display access to PA20, only for Infotypes 0001, 0002, 0024 and 0041
> the role works fine for a user who has only ESS access
> This role gives access to all Empl Groups (e.g. EE)
ESS are mainly services, you do not give out tcode PA20 access.
Your auth object access should just be for P_PERNR.  Your trace might point to P_ORGIN, P_ORGINCON, P_ORGXXCON but you only grant access to P_PERNR.
>
> Another user needs this role however he normally has access to many other HR transactions but limited to some Empl Groups (EE excluded).
> That seems to cause a conflict because if he tries to display through PA20 a Personnel Number in group EE (access granted through the new role), he doesn't get any information.
You will need a different role for this one.

Similar Messages

  • Access List and Conflict Resolution Problem!

    My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
    I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
    Setting the Conflict Resolution Level
    You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
    See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
    Unfortunately the referenced Administration Guide for DSAME contains exactly 0 occurrences of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
    So, I've set up my Access List services as follows:
    o URL Deny is blank on all Access Lists
    o URL Allow set as follows
    ---- isp
    ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
    ---- acme.com organization
    ------- Conflict Resolution: Highest
    ------- http://portal.acme.com/portal/* (same as above)
    ---- Acme Customers Role - shared role for all Acme customers
    ------- Conflict Resolution: Medium
    ------- http://www.acme.com/*
    ------- http://support.acme.com/*
    ------- http://support2.acme.com/*
    ---- RoadRunner role - specific role for a specific customer
    ------- Conflict Resolution: Medium
    ------- http://roadrunnerinfo.acme.com/*
    The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
    The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
    Setting the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
    If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
    So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
    Thanks!
    -matt

    Did you ever get anywhere with this? My experiments seem to indicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.

  • Can't print through wireless hookup. Printer says there is a router/access point channel conflict.

    I cannot print. Printer is wirelessly connected to the airport extreme router.
    My printer says that the network connection passes all tests but there is a note: "A router/access point channel conflict has been detected."
    The Epson Printer utility says only "Communication error". I've tried changing channels to no avail.

    I finally figured out how to fix this after a few weeks of being without my printers.  I tried the reboot of everything and it didn't work.  I went into the airport utility and started poking around.  I tabbed through all the various settings and everything looked good.  By virtue of tabbing the "update" button was active.  I hit that and the airport extreme router rebooted and bingo the printer works for all my PCs and MACs.  This seems to have started with the last Epson update but who knows.  Good luck

  • DRIVER ODBC - ACCESS ERROR "WRITE CONFLICT" on numeric format

    Hello
    We have an Oracle (Oracle 10g) table with a NUMBER(15,2) column
    We try to update it with Access 97 (we use the oracle odbc driver 10.2.0.1) and for some records it works, and for others we have the "write conflict" error.
    See the example below :
    SQL> desc test_number
    Name Null? Type
    CLE_X NOT NULL VARCHAR2(5)
    NUM_01 NUMBER(15,2)
    TXT_COMMENT VARCHAR2(30)
    SQL>
    insert into test_number values ('VAL1', 123.45, 'Ligne OK');
    insert into test_number values ('VAL2', 3456.78, 'Ligne OK');
    insert into test_number values ('VAL3', 1345.37, 'Ligne NOT OK');
    insert into test_number values ('VAL4', 1345.38, 'Ligne OK');
    commit;
    => The update with Access does not work with the 3rd record (1345.37) but there is no issue with the other records.
    Could you please help ? Is it due to the driver ?
    Remark : the problem does not appear with the Microsoft odbc driver.
    Thanks

    I don't know the internals of ODBC, but I'm having this problem only with the Microsoft driver. I neither had it with PostgreSQL, SQL Anywhere or FreeTDS.
    The unixODBC documentation is not very well maintained or consistent. Once it's written that data sources are read from ODBCINI + /.odbc.ini, at another part it says ODBCINI itself must be a full path to a file. http://www.unixodbc.org/internals.html doesn't give much more details. And actually, having a full path in ODBCINI does work (as soon as this file is writable), whereas specifying only the directory does not.
    It seems drivers are doing part of the job on their own and therefore they behave differently?

  • Access Anywhere file conflicts

    Hi, 
    I have access anywhere being used by a company accessing files to another. The external company can't view files that are currently open by the internal company. Is this intended by the Access Anywhere facility and is there a way to prevent this to allow the external company to view all files whether they are open or not?
    Thanks.

    I don't think this is going to work,
    If a file is open internally, it will be locked so it won't be available to be used via RWW, or probably even via SMB.
    Why the need to open files that are also open internally?
    Robert Pearman SBS MVP
    itauthority.co.uk

  • PV00 and PA40,20,30 conflict

    Hi all, thanks to all for replying to me previously..
    but I need some deep explanation from you. My requirement is PV00 has to have all PA access and PA20, PA40, PA30 should only have one PA area (JKSB)..
    So what shall I do? These two sets of T-codes have to be assigned to one user..
    Truly appreciate your expertise
    regards
    buddhike

    Buddhike,
    Why does PV00 have to have all PA* access (I am assuming you mean infotypes?). Looking at what PV00 requires it should only need access to the following infotypes 0000, 0001, 0002, 0007, 2001, 2002 and 1000, 10001 with subtypes of A020, A025, A040, B020, B025, B040.
    Can you be more specific of what it is you are trying to do?

  • SAP Access Cross Pollination

    We are implementing SAP ECC in our organization, and I had a question about SAP access cross pollination.  We may have instances in our organization where people may need different access in SAP, based on the organization they are working with.
    For example: an individual needing to park (but not post) documents for company code 0001 and post (but not park) documents for company code 0002 
    From what I remember, one has to be careful because crossing authorization objects/values for certain t-codes will lead to opening up unintended access and SOD conflicts for a user.
    Is there a way to design security roles on SAP ECC so that we can assign a user the ability to run F-02 for Company 0001 and FBV0 for company 0002 without having them inherit access to be able to park and post documents for companies 0001 and 0002?
    Thanks in advance!!

    The use of parking documents has been abused a bit in the name of SoD in my opinion.
    As far as I know, it was intended for when a soccer match is about to start or the accountant wants to go to the toilet and the SAPGui timeout is set too low or the network itself is unstable.
    If you want to achieve this, then you might want to look into WAPIs (workflow application program interfaces). They are BAPIs (business application program interfaces) on steroids.
    I would speculate that user training and some business process monitoring would be an easier route and has other advantages as well.
    On a serious note without development effort: You can look to see whether config and the "B-segments" of the authority-check give you a usable option to "isolate" an object to a specific transaction code context, or if you are brave then turn one of them off (No-Check in SU24) so that you can hobble the activity '77' check for that use-case. But it should be treated with care.
    Have fun paralyzing your business efficiency with SOX requirements for end-users....
    Cheers,
    Julius

  • Confidential access restriction

    Hi all,
    We have implemented EP 7.0 with ESS/MSS with JAVA Stack and back end with SAP ECC 6.0 with ABAP Stack. The portal roles like end user, admin are created in the portal and assigned in the portal for each user. But for any user to access this portal the userid will be created in back ECC 6.0 and some basic ESS/MSS Functions role will be assigned. Basic ESS/MSS functions role is a customized role taken a copy from standard SAP role with all values given in the role.
    So any end user USER1 logging in to the portal will be able to access his own functions from the Portal role and the overall functionality role from the Backend, which is working fine, and if the same user tries to log in to ECC 6.0 the system shows no authorization for the tcodes PA20 etc. since only the values are maintained.
    Now there is a user from Core HR (USER2) who already has access to PA20 in ECC 6.0, and the portal roles are assigned to the same userid. Now this user logging into the portal is able to view/change own data, but when logging into ECC 6.0 the user is able to see all the details of the company. This happens because of the ESS function role assigned to that userid.
    Hope I have explained the scenario clearly and understandably too.
    Is there any way that USER2 would not be able to take the access of the ESS Functionality role assigned to that userid when logging into ECC 6.0?
    Or
    Are the ESS Function roles always given with all the values for portal functioning, or is there a way of restricting them to some values?
    Request you all to help on this issue.

    To be able to use ESS in portal, user does not need to have authorization to view details of everyone else in the system. You need to get your security team to restrict authorization to view only his information.

  • Do searches conflict with cursors?

    Greetings,
    I think I know the answer to this, but I could not find a definitive answer in the docs. If I open a cursor to iterate x number of duplicate keys, then during the iteration call another function that might do a search into the same table, would the search affect the cursor?
    Performance question: Say you needed to retrieve about 15 records with duplicate keys. Would it be faster to iterate the duplicate keys with a cursor, or to ensure each of the 15 records would have a unique key and perform 15 lookups?
    My databases are all btree and opened read-only in a bdb environment with a cache large enough to hold every table in RAM.
    Thanks,
    Matthew

    Hi Matthew,
    Read-only accesses do not conflict for logical locks. That is, there is nothing that will indefinitely block a read-only access while another thread has a cursor open. That said, there are some sources of contention inside Berkeley DB that may lead to performance degradation under these conditions, but not outright blocking.
    The fastest way to retrieve the 15 records would be to use duplicates, with all records having the same key. Then use a single multiple-get operation to read all of them (with the DB_MULTIPLE flag to DB->get, see http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/db_get.html).
    Regards,
    Michael Cahill, Oracle.

  • My ipad with retina display can't find my epson artisan 730 wireless printer. They are on the same network and printer's wireless connection is excellent. What are the steps to fix this?

    My imac won't pick up the printer either. Even after I updated its software.  My ipad is new.  Any help would be appreciated. Thanks!

    No change. The printer still doesn't show up on my devices even though they are all on the same network.  On the printer's connection print out the connection reads Pass and that the network is working correctly.  However, then it states "*A router/access point channel conflict has been detected. If you have problems printing or scanning, Improve your wireless network environment." "*If the problems persist, see your documentation for help and networking tips."
    I've gone through all the documentation and still can't figure out what the problem is.  I've had the router checked out by my building and they claim everything is in order.  I have an excellent signal.

  • Wireless laptop to wireless EPSON WF2660

    I tried to install a wireless printer to my Lenovo ThinkPad Edge 540 computer and am having just a bit of difficulty getting this done. I have Windows 8.1 Pro and am not using Explorer. I use Chrome, so I have to tap or click on the Windows icon to go to all things Microsoft. The computer downloaded the info for the printer and the printer recognized it, and I thought all systems were go.... NOT! I ran a diagnostic on the printer and got an error message stating "a router/access point channel conflict has been detected" "Confirm the connection and network setup of the PC". I'm a first time user for Windows 8 so it is a bit confusing at times since I DO NOT have a touch screen! Is there anything I need to do to my computer prior or after to re-install, like Hardware and Sound which consists of: config a device or using a printer or Network and Internet? Both programs seem to target printers and are on the control panel. In addition PC settings also has PC and devices, which has an add a device option. Also should "Download Over Metered Connections" be off or on? An XPS document writer is listed as Printer 1 and is listed in Print Management. I uninstalled all printer programs associated with this printer on the computer and did the same with the EPSON. My Internet provider CenturyLink, is totally clueless in this matter. I have my Roku, which is recognized and The Find contents and devices app is on. Should the PROPERTIES information on that page be part of what the printer is trying to link up with? Would you be able to provide me with some instruction/insight to get back on the right track?
    Regards,
    Alice J. Fischer (MADCAT70) 

    Hi,
    As mentioned in the Epson document, WF2660 is fully supported in Windows 8
    http://www.epson.com/cgi-bin/Store/jsp/Product.do?BV_UseBVCookie=yes&sku=C11CE33201
    I suggest you refer to the user guide to correctly setup the wireless printer
    [PDF]User's Guide - WF-2660 - Epson America, Inc. - Download
    (Please pay attention to the "Wi-Fi or Wired Networking" part)
    NOTE
    This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you.
    Microsoft does not control these sites and has not tested any software or information found on these sites.
    Yolanda Zhu
    TechNet Community Support

  • List of Standard Reports

    Is there any transaction I can run to obtain a list of available HR standard reports within the system?
    Thanks in advance!

    Hi Some standard reports
    Program     Description
    H99CWTR0     Wage Type Reporter. Returns pay for particular wage types. To submit from new report you will need to create copy and export value to memory.
    RHGRENZ0     Delimit IT1000 and related 1001s. Program will delete any 1001 infotypes whose start date is after the delimit date.
    RHGRENZ1     Extend the end date on delimited records. Very useful when you delimit a bunch of records incorrectly, and need to change the end date.
    RHGRENZ2     Delimit infotypes (IT1001)
    RPCMPYG0     Statutory Maternity Pay(SMP)
    RPCSSPG0_HIST     Statutory Sickness History(SSP)
    RPDTRA00     List all HR transactions and their uses
    RPTPSH10     Personal work schedule, also accessed via PA20/PA30 infotype 2001
    RPUAUD00     HR Report to list all logged changes in infotype data for an employee. Uses the PCL4 Audit Cluster.
    RPUAUDDL     HR Report to delete audit data from the PCL4 Audit Cluster
    RPUDELPN     Delete all info for an employee number, including cluster data and infotypes
    RPUP1D00     View/Delete records from PCL1 Cluster
    RPUP2D00     View/Delete records from PCL2 Cluster
    RPUP3D00     View/Delete records from PCL3 Cluster
    RPUP4D00     View/Delete records from PCL4 Cluster

  • RAR 5.3 Alerts

    Hi all,
    I'm attempting to configure RAR 5.3 alerts via e-mail (in the implementation that we are doing we are not employing the use of CUP) and have done the following:
    1) defined administrators with the relevant e-mail address for notifications
    2) scheduled alert notification for immediate run
    3) applied mitigating controls/ provided a user with access to 2 conflicting t-codes - with relevant administrators
    As such, I still did not receive any email. Is this to do with how the job is scheduled? Or could it be to do with the fact that the CUP workflow is not involved? Kindly advise, thanks!
    Rgds,
    Edwin

    Hi Edwin,
    I had the same problem, and we have it solved. (it's now being filed to SAP)
    Did you define the risks in a language different than English?
    If yes then check in with your user in RAR in the English language (ume -> user -> comm.lang).
    Go and find your risk and you'll see that its description is missing. Fill it in. Rerun the alert generation job and get the email notification.
    Whether this email notif is customizable in an ini.xml I don't know yet, but don't think so. Maybe sometime in the future.
    Cheers, Feri

  • Transaction Number for Qualifications

    I am aware that Infotype 0024 can be accessed as a separate transaction without using PA20. I am looking to grant access to our security so they can update their records on SAP rather than a spreadsheet, and would be wanting to restrict any access to PA20/PA30. Does anybody know the transaction number?
    Neil Garrett

    Hi Neil,
    You can use OOQM to attach qualifications to objects ( if you select O type P this means employee).
    Regards,
    Dilek

  • Infotype 0002

    Hello,
    Could anyone help me with this infotype? I'm looking to hide the date of birth. I would like to give display-only access without this infotype, BUT when I do this the users can't do any search by names any more!! Not handy! The purpose is to give the user access to PA20 so he could see the name and address, for instance, but he shouldn't see the date of birth; it's a sensitive subject at this moment!!! Help!
    All suggestions will be more than welcome
    Regards,
    Martine

    Hi,
    If you want to give him access for the search only, then
    give Infotype 0002 with Authorization Level M only.
    It should work
    Hope this helps
    Manohar.
