AD user with no role assignment cannot login

Similar Messages

• Mitigation runs against role but not user with same role assignment

  Hello, I'm currently running Compliance Calibrator 4.0. I've created a Mitigation Control and assigned a number of Risks to the Mitigation Control.
  I've then assigned the Risks in that Mitigation Control to a specific role.
  When I run the SoD check, the role no longer shows any issues. This is good and expected.
  However, when I run the SoD against a user that has that role assigned the user is reported with issues when no SoD issues should be shown.
  Am I missing something? I don't believe I need to assign Mitigation Control to the user, because one day the risk might be valid to that user, but just not for the role I'm trying to mitigate against. Many thanks.

  Hi Dylan, the system is reacting correctly.
  When you mitigate a role, you mitigate the risk associated with the role and under 'Role Analysis' you will see that this role has been mitigated.
  However when u run a User analysis, the system will still identify him if there is a 'RISK' associated with the user and this is regardless of whether the associated Role is mitigated or not because what you want to know is the risk of the user and not what roles this user has.
  You will need to specifically mitigate the User in order for the mitigation control to show against the User in the report.
  This is the same Vice Versa. when you mitigate a User, it also does not mean that all the associated Roles that the user have are mitigated. The risk associated with the roles will still appear when you do 'Role Analysis'
  Cheers!

• Users with same role but cannot acess/see the restrcited page

  Hi, SDN Fellows.
  I have a requirement as stated below:
  Said, I have Role A, which have WorksetA , that contains Page1, Page2,Page3.
  The requirement is: User A was assigned to RoleA, he can see all the pages in the role hierarchy.
  But User B was assigned to RoleA too, but I want to restricted this user to see Page3.
  In this, case, how should I manage that? Can we set some authorization from the page? If yes,  is it going to be troublesome for the system admin to maintain that?
  Thanks.
  Kent

  Hi Kent,
  > Can we set some authorization from the page?
  No, you can't. Permissions ar set on the unique object within the PCD, this is the role in your case.
  The standard scenario is to create two roles A and B, where user A is assigned to both roles and user B only to role B. Role B contains WorksetA and Page3, whereas role A contains WorksetA and Pages 1 & 2 -- an both roles are merged.
  By this, you have one navigation structure but user B only sees page3, whereas user A sees all three pages under the workset entry (from the navigational point of view).
  See http://help.sap.com/saphelp_nw04s/helpdata/en/53/89503ede925441e10000000a114084/frameset.htm for details.
  Hope it helps
  Detlev

• Report to see user type and roles assigned to users in EP?

  Hi,
  a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
  b) If  the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.

  By default Portal UME comes along with the installation of portal.
  Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories.  But you can also create users in the portal UME.  The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
  You can check them in user administration->identity management and search for the users.
  THere you can see some users will be from UME and some from LDAP.
  User Admin tool is nothing but User Administration only.
  Raghu

• Performance tab not working in Enterprise Manager for user with dba role

  Database: 11g2
  New to Oracle. Don't want share SYS user account among dbas. Tried to create user with dba role to perform all tasks.
  1. Removed DBMS_JOB, DBMS_LOB, UTL_FILE, UTL_HTTP, UTL_SMTP, and UTL_TCP from PUBLIC
  2. Created user dbauser1 with dba role
  3. Log in as dbauser1 in Enterprise Manager
  After click Performance tab, it just went straight to "Database Login" page. No error message.
  Any suggestions or advice will be appreciated.
  piaoma

  Hi Gourav,
  This is the wsdl url:
  http://hostname:8000/sap/bc/srt/wsdl/bndg_E04711310A0E55F1A0E3005056B03D6F/wsdl11/allinone/ws_policy/document?sap-client=450
  Kind Regards,
  Richard

• How i can associate my app user with database role

  In my application (oracle forms application developed in-house - We are using Oracle Forms 11gR2 with WebLogic 10.3.5 ), i want to use "application user" instead of database user.
  I have an application users table, actually, i have database users,and of course, menu application works with database roles (It was developed with oracle forms menu module), my question is, How i can associate my application user with database role, for reusing oracle forms menu funcionality?. It's possible?
  Thanks,
  Edward

  user8929172 wrote:
  In my application (oracle forms application developed in-house - We are using Oracle Forms 11gR2 with WebLogic 10.3.5 ), i want to use "application user" instead of database user.
  I have an application users table, actually, i have database users,and of course, menu application works with database roles (It was developed with oracle forms menu module), my question is, How i can associate my application user with database role, for reusing oracle forms menu funcionality?. It's possible?
  Hi Edward
  You can do this by assigning the role functionality to the application user. For example
  create the table to enter user name.
  create table to enter group name.
  create table to assign user to group.
  assign role to group.
  assign functionality for the user by coding.
  hope this helps

• Restiction on SAP Lumira user with BI_DATA_ANALYST role

  Hi,
  Is there an option to disable the SAP Lumira user with BI_DATA_ANALYST role from loading the Excel data into SAP Hana?   We would like the user to be able to create story boards and publish it on SAP LUMIRA server using HANA views but not allow him to load any flat file data.
  Thanks,
  Lakshmi

  Manish - if you are on BI4 there is no need for the SAP Integration Kit with Web Intelligence
  You can connect using the BEx Query
  For Lumira right now you can connect using the BEx query but only in the Visualize room - more enhancements are planned in 1.27 - see SAP Lumira Webcast including H1 Plans with BW Updates
  I don't think Gateway is needed in these scenarios
  Tammy

• Partner with Partner role AP  cannot be converted

  Hi,
  When order are getting created in CRM, we are getting an error 'Partner with partner role AP cannot be converted'.
  We have checked the R/3 contact person and it is empty.   We have checked the table CRMC_BUT_CALL_FU  and tried
  removing the entry from CT_BP_STRUCT and still this does not resolving the issue.
  This is issue is with only certain orders in only one sales area.  So I think that no notes can be applied.
  Regards
  Sunil

  Hi Sunil,
  Cna you consider note :
  1997323 - Partner with the partner role AP cannot be converted (Notification E C
  (010) - Deleting a contact person in the master data
  Best regards
  Christophe

• Users created in ABAP tool cannot login to Portal

  Hello,
  I have created a user in abap and assigned them the role SAP_J2EE_ADMIN but cannot login into Portal (Message: User authentication failed) with that user. If I login to portal as J2EE_ADMIN and search for that user I get "No element found." Is there something that needs to be done to get users into Portal? Does authentication not occur against the abap system? Also is the J2EE_ADMIN user only valid within portal and not the abap backend?
  I am using EP7.
  Thanks for any help.

  Hi Kelly,
  I changed it under System Administration>>System Configuration>>UME Configuration>>ABAP System tab. If you read ealier in this thread however, I could not restart the j2ee server after that....so change it at your own risk!
  If you do change it and cannot restart,  go into the config tool and navigate to Global server configuration >> services >> com.sap.security.core.ume.service and find the ume.r3.connection.master.client key. Change that back to it's original value. I was able to restart after that.
  Hope that helps.

• User with 2 permissions assigned via groups, not able to utilize the higher privilege

  User has been assigned Publishing Editor, this was assigned by being a member of a group, where group's permission is publishing editor. 
  In addition, the user has been assigned Reviewer, this also was assigned by being a member of a group, where group's permission is Reviewer. 
  The issue: The user can only perform functions related to the Reviewer role, and can't perform functions available via the Publishing Editor.
  Any Ideas what is going on? 
  *Removing the user from the Reviewer group is not an option. 

  Hi,
  The easiest way is to grant the single user Publishing Editor permission of that folder directly, check if the issue persists.
  Right click on the folder, Properties -> Permissions -> Add the user with Publishing Editor permission.
  Regards,
  Melon Chen
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• How add Authorization check for user with assigened role for t.code-MIR4

  Hi All,
  Regarding authorization how to check authorizations check for user whith assigned roles for the t.code MIR4  using ABAP.
  In Detail:2)     All users are allowed to go to MIR4(invoice number), But ONLY for users with role: MM_RELEASE_INVOICE can proceed to do the posting.
  suggest me...
  Thanks,
  srii..

  Hi Sri ,
  first u need to find out  in which user rules u are using this object , after that if u want to restrict users then remove create/change values from that object values .
  make use of Tcode SUIM to find out all roles which are using this Object.
  or
  ask ur basis guy to remove authorizations to create/change....
  regards
  Prabhu

• CISCOWORKS LMS and CISCOSECURE ACS Authenticate any user with HD role

  Hi:
  We are using CiscoSecure for authentication and authorization for differente apps.
  Specifically, any user already in the ACS database is authenticated to log in CiscoWorks LMS, with HD role (this happens although none of the CiscoWorks apps have been checked for this group). 
  Why is this happening?
  We don´t want that any user (although they are only permitted the HD role) could login.
  Thanks a lot
  Julio

  Follow the ACS integration guide to ensure the group you don't want to have access to LMS have the roles set to "NONE" instead of the default HD roles.
  http://www.cisco.com/en/US/partner/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

• Windows 8.1 update 1 - users with domain mandatory profiles cannot open windows 8.1 Store

  Hi,
  After the update 1 on windows 8.1.  All of our domain users get "you cannot access the windows store because you're signed in to this pc using a temporary or guest account......" while opening windows 8.1 store.  All my users use mandatory
  profiles.  Could some one guide me onto:
   -how and what changes should I make on my base image of 8.1?
  -how/where what changes should I make on the domain in Group policy to make my profiles work?
  -I also run sccm 2012 R2 if that makes the things easier I can use it for deploying store apps, but I prefer to make a base windows 8.1 image throw all required apps on it.  I would like to make sure that my domain user can open up windows store after
  that I can capture this image and deploy.
                                Need help thanks
                                Note: Before this update 1 of windows 8.1 things worked great.

  Thanks Kate Li,
  Domain profile is not corrupt.  I have checked the registry settings.  In my question I am mentioning that I am using mandatory profiles for domain users.  Need help.
  I am on update 2 now and the same error for domain users with mandatory profiles.
  Also error 1001 is generated every time the user tries to open the store(the user with mandatory profile)
  Log Name:      Application
  Source:        Windows Error Reporting
  Date:          9/30/2014 8:52:17 AM
  Event ID:      1001
  Task Category: None
  Level:         Information
  Keywords:      Classic
  User:          N/A
  Computer:      TCO-TTTEST.mydomain.com
  Description:
  Fault bucket , type 0
  Event Name: WWAJSE
  Response: Not available
  Cab Id: 0
  Problem signature:
  P1: winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy
  P2: Windows.Store
  P3: 3e43
  P4: FFFFFFFE
  P5: (null)
  P6: 0_0
  P7:
  P8:
  P9:
  P10:
  Attached files:
  ErrorInfo.5160.3992.txt
  C:\Windows\WinStore\AppXManifest.xml
  These files may be available here:
  Analysis symbol:
  Rechecking for solution: 0
  Report Id: 9b46f622-48a0-11e4-bec5-6036dd67e10b
  Report Status: 262144
  Hashed bucket:
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Windows Error Reporting" />
      <EventID Qualifiers="0">1001</EventID>
      <Level>4</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-09-30T12:52:17.000000000Z" />
      <EventRecordID>366588</EventRecordID>
      <Channel>Application</Channel>
      <Computer>TCO-TTTEST.mydomain.com</Computer>
      <Security />
    </System>
    <EventData>
      <Data>
      </Data>
      <Data>0</Data>
      <Data>WWAJSE</Data>
      <Data>Not available</Data>
      <Data>0</Data>
      <Data>winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy</Data>
      <Data>Windows.Store</Data>
      <Data>3e43</Data>
      <Data>FFFFFFFE</Data>
      <Data>(null)</Data>
      <Data>0_0</Data>
      <Data>
      </Data>
      <Data>
      </Data>
      <Data>
      </Data>
      <Data>
      </Data>
      <Data>
  ErrorInfo.5160.3992.txt
  C:\Windows\WinStore\AppXManifest.xml</Data>
      <Data>
      </Data>
      <Data>
      </Data>
      <Data>0</Data>
      <Data>9b46f622-48a0-11e4-bec5-6036dd67e10b</Data>
      <Data>262144</Data>
      <Data>
      </Data>
    </EventData>
  </Event>
  Thanks
  Followed :
  http://support2.microsoft.com/kb/2890783  Made a brand new profile.  No luck same error.

• Exchange 2010 - Users in a restricted OU cannot login to OWA externally only - internal works

  I have an OU setup where user in this OU have Log On To... rights have restricted which computers they can log onto.
  This is the only restriction other than some IE browsing settings via GPO. The problem for these users is that... 
  They cannot login to OWA externally using the https://mail.domain.com/owa - it continues to prompt for authentication. 
  They CAN login to the same URL internally.
  Troubleshooting...
  I did give them Log On To... the MAIL SERVER rights.  
  Other users can login that are NOT in this OU.
  May have started after SP3 for Exchange was installed.
  Have rebooted. 
  HELP?

  Hi,
  The Log On To setting will specify a certain computer to access a user account. Please change this user can log on to
  All computers in ADUC to have a try.
  Thanks,
  Winnie Liang
  TechNet Community Support

• How to uplode user with more roles by Users_gen?

  Hi, everyone,
       I can uplode users by user_gen ,but only one role,  I don't know what format to more roles.
       anyone  tells me ,I will give points to reward.
  the format with one role:
  C00213452,Benali,50000001,dd'@'dd.com,CN,SAP_EC_BBP_BIDDER
  Best regards!
  Jesse

  Hi,Nanaji.V
  I know the way that you say.   I think it still cann't solve my question. could you please explain your way detailed?
  Best regards
  Jesse