Administrator, Object Authorizer, Group User.. with Highest Priority

Similar Messages

• Windows 7, removed Administrator rights from my user with Administrator disabled..

  Windows 7, removed Administrator rights from my user with Administrator disabled..how solve without restore everything please??
  Cause drag&drop was disabling each time there was an high privilege process, I tough to fix this annoying trouble removing my user from Administrator group..in fact I fixed that situation.
  But NOW I have another serious problem: my user is not able to do nothing, and my administrator user was disabled and as only belonging to homeuser group I cannot enable it!!! In this moment I am crying because I have fear I will need to restore everything, please do you know a way to enable the administrator user again even if without admin privilege?? Do you know a software that fix it or an also not clean way to avoid a complete restore??
  Thanks in advance and ciaoo
  Fabio

  in control panel > user accounts > change account type select admin.
  Thinkpad R61 7733-1GU
  Thinkpad X61T 7762-54U
  Thinkpad X60T 6363-4GU
  Did a member help you today? Thank them with a Kudo!
  If a post answers your question, please mark it as an "Accepted Solution"!
  Regards,
  GMAC

• How to Control authorization for users with certain status for level 2 WBS Element

  Dear All,
  Is there any standard way or enhancement available to control authorization for users with certain status for WBS Element i.e. for example
  Pre-requisite:
  There is only 2 level of project i.e.
  Lev_ WBSE_______Description
  1___ 7-14.E_______summay outage controller
  2___ 7-14.E.2310__ Plant/unit # 2310
  2___ 7-14.E.2310__ Plant/unit # 2220
  Project Controller  (authorization role assigned "Z_PS_OP7_OTGCON_C") have all project level authorization
  Plant/Unit Controller (authorization role assigned "Z_PS_OP7_PLNTOTG_C_2310") have only level 2 authorization with enhancement that we did in system by Z table.
  User ID_ Plant #
  123345_ 2310
  122455_ 2220
  Issue:
  After System Status released and User Status approved the WBS basic date for Plant/Units should be restricted from updating/changing by Plant/Unit Controller level and only project controller should have this authority.
  Solution required: 
  Can any one tell how to control this scenario either by standard or enhancement available to control authorization
  BR
  Saqib Usman   

  Hi,
  Did you explore SAP Enhancement CNEX0002 Using Transaction CMOD?
  Thank you and regards,
  Varshal Kachole
  The SCN Rules of Engagement

• Azure RMS Group user with Ad-hoc policy

  Hi,
  In Azure RMS, the group users are unable to open the encrypted documants if the file is encrypted using ad-hoc policy(my policy)
  But, the same group users were able to open the encrypted document incase if the file is encrypted using templates(company policy)
  so, it would be great if you assist us in resolving this issue.
    

  Vivek, thanks for your reply. As mentioned I'm trying to integrate ASA remote access VPN in with Microsoft Active Directory via IAS. How can I configure RADIUS Attribute 25 on IAS to recv a value from AD and fwd it on to the ASA?
  What I'd really like confirmed first is whether group-lock functionality is available from AD through RADIUS?
  thanks, Graeme

• O authorize the user with Unix Login/Password ?

  Hi all,
  I am developing an web tier application with login page on unix server and deploying on WebLogic 8.1.2.
  I need to authorize the user login/password with unix user_id and passwd. Is there a document that describe the procedure ?
  Thanks,
  Satyam

  Hi all,
  I am developing an web tier application with login page on unix server and deploying on WebLogic 8.1.2.
  I need to authorize the user login/password with unix user_id and passwd. Is there a document that describe the procedure ?
  Thanks,
  Satyam

• Association of authorization group with authorization object

  Dear Colleagues,
  We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
  However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
  This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
  We would like to control this via authorization groups
  We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
  Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
  If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
  But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
  Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
  Does a developer or functional consultant also need to be involved in this?
  PS: I tried to search in Google & our forums but could not get any answers

  Dear Aninda,
  Thanks for the help.
  I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
  A case category was then assigned to this auth group
  We tested it - below are the results:-
  1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
  2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
  3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
  If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is  authorized.
  How to resolve this?

• Authorization Group restrictions

  Hi Experts,
  I want to restrict user to access documents with help of Authorization Group field in DIR.
  But, problem is client required this Auth. Group field as selection field and not as an entry field available in standard DMS.
  How to provide selection list to user for Auth. Group field. With BADI & SAP Access Key possible but not useful in my case because of some client side restrictions.
  Can SAP Moderator guide me, why SAP chose not to offer a drop down on Authorization Group field with a user selectable list option? Also not even gave chance to consultant to do configuration for such a critical field.
  Thx in advance..

  Hi
  Check my Wiki on the same.
  If you need any more info, get back
  Link: [Authorization group|https://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS]
  And if you want to activate dropdown F4 then check this wiki:
  Link: [F4 for auth group|https://wiki.sdn.sap.com/wiki/display/PLM/F4forAuthorization+group]
  Niranjan
  points welcome for useful info
  Edited by: Niranjan Dandekar on Dec 12, 2008 2:08 PM

• New group/user

  Whats the best way to create a new group/user with the same (or nearly the same) access priviledge as root.
  I am trying to install Oracle (freebie that came with 2.8), I created a group and user called TAC but i have run into all sorts of install issues.
  TIA

  you can specify initial group as 14 and other groups as 10.
  group 14 is sysadmins.
  You do not want to let oracle have access to any privileges. Give it it's own group and let it play in it's own specified dir.

• Highest priority symbol appears in Flag field

  I just updated to 10.4.3 from 10.3.9 and my Mail application also updated to 2.02. I like to flag the email that I want to respond to later and then sort by first clicking Date Received and then Flag. Those emails that I received which were sent with Highest Priority status also appear in the Flag column with the !! symbol. They are sorted along with the Flag symbol. I have been trying to get the !! to disappear, but have not had any luck so far. Any suggestions? Thanks.

  HI,
  Did you copy fields from Word/Text document. In this case spaces are shown as '#' in the debug.
  So instead of copy if you type the code then you will not see the '#'.

• Same user with administrative rights on all the servers in single domain versus domainadmin as a part of administrator group in all the servers

  same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
  same user is configured as administrator on all the servers in one domain at windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
  How this is technically different?
  If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
  dhomya

  If the account is not admin on the domaincontrollers and the account is not member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing  accounts,
  groups, OUs,policies, sites, ...in other words cannot potentially ruin Active Directory.
  I think that is a pretty big difference.
  In fact, it is bad practice to perform you daily server management with an AD privileged account.
  In regards of file access. The domain administrator will be just an admin, and thus has the privilies assigned to the local admin group, just as any other admin. But if it are different accounts they might be member of different groups assigning different
  privileges. Always be carefull when assuming resulting privileges will be the same.
  MCP/MCSA/MCTS/MCITP

• Display users with authorization objects assigened to them

  Hi,
      How can I display list of users with company code assigned to them?

  hello Rajesh,
  What you want is not straightforward. There is no SAP report for this as such. You need to find roles assigned to the user first then go to table agr_1252 anf give the value $BUKRS along with the role names.
  You will find out the company codes assigned to the user.
  This is not a very efficient way really and will involve too much of effort. If I needed such an information I would have written a simple ABAP report using joins of table AR_DEFINE and AGR_1252. Also check tables UST12 and AGR_1251.
  Hi Ben,
  Company code is present in several authorization objects other than F_BKPF_BUK. Check F_SKA1_BUK..There are several of them. So we need to check on basis of field BUKRS.
  Regards.
  Ruchit.

• Assigning of authorization object to authorization group

  I have created an authorization object and I have assigned this to already exsiting authorization group.I would like to assign the authorization object to a new  authorization group.Please confirm how to create an authorizaton group and assigning a authorization object to this new authorization group.

  hi,
  I have got a pdf related to this.
  I shall send that to you if i can get ur mail id.
  I too havent tried this. I dont have any authorizations to do with my server.
  Plz follow the following steps:
  1. Create a user (for example for SAP DEV, TEST, or PRD systems).
  2. Open the SAP Profile Generator (transaction PFCG) available in SAP R/3 versions 4.6 and above.
  3. Create an Activity group (Role since SAP 4.6C), for example ZBODI_ROLE.
  4. Enter a description for the role.
  5. Go to the Authorizations tab and click Change authorization data.
  6. On the Change Role: Authorizations screen, click the Manually,toolbar icon.
  7. The Manual Selection of Authorizations window opens.
  8. Type in the following authorization objects.
  S_ADMI_FCD*
  S_BTCH_JOB
  S_DEVELOP*
  S_DATASET
  S_PATH
  S_RFC
  S_TABU_DIS
  S_TCODE
  S_RS_ADMWB — for SAP BW
  9. Click OK
  10. Return to the Change Role: Authorizations screen.
  11. Manually configure components by entering the values  that support Data Integrator operations include:
  • Administration
  • Batch
  • BW loading
  • Development
  • File access
  • File system access
  • RFC calls
  • RFC calls in BW
  • Table source access
  • Transactions
  12. To complete the security profile, click the Back icon (or press F3), select
  the User tab, enter your SAP user ID for Data Integrator and click the Save icon.
  Regards,
  Sailaja.

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• Determine if user belongs to Authorization Group.

  My requirement is I have a authorization group (BRGRU) and I need to check if the logged in user belongs to that authorization group. Is there any FM for this or a Database table where in I can get list of users belonging to a particular authorization group.

  Hi
  check the tables
  UST12
  AGR_1252
  and check the Tcode SU21
  see the doc about authorizations:
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Reward points if useful
  Regards
  Anji

• Authorization Schemes, User Groups

  Hi Folks,
  I wish to create an authorization scheme and to do so with one of the user groups I defined in
  Home>Administration>Manage Application Express Users
  How can I set the authorization scheme to achieve this?
  Thanks for any and all help

  Are you looking for apex_util.current_user_in_group
  Create a new authorization scheme... PL/SQL function reuturning boolean
  begin
  if apex_util.current_user_in_group('MyGroup')
  then
  return TRUE;
  else
  return FALSE;
  end if;
  end;Reference:http://apex.oracle.com/i/doc/AEAPI/apex_util014.htm
  Regards,
  Shijesh