Approver permission level

Similar Messages

• What is the minimum permission level that allows users to view draft documents, other peoples' draft documents?

  What is the minimum permission level that allows users to view draft documents, other peoples' draft documents?
  Normally a person creates a draft document and when they are ready they publish it and the Approver approves it. However, what if a power user needs to be able to see all draft documents. Not just their own but other peoples'. What is the minimum permission
  level that allows then to do this?
  Cheers,
  Mark
  Learning SharePoint

  Hi Mark,
  Per my knowledge, there is no minimum permission level that allow users to view their own and other people’s draft documents.
  This is based on the Draft Item Security setting you choose for your list in Versioning Settings:
  You can follow the detailed steps in the link provided by Avni.
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Getting error while opening a saved for later notification: The selected action is not available. The cause may be related to security. Contact your system administrator to verify your permission level for this action.

  Hi All,
  While opening a saved for later notification, we are getting "The selected action is not available. The cause may be related to security. Contact your system administrator to verify your permission level for this action". error.
  This is a custom notification.
  Please help.
  Thanks
  Raghava

  HI All,
  Please help on this issue.
  Thanks
  Raghava

• User analysis at Action level and Permission level

  Hi Gurus,
  I am totally confused by the way our CC is working while using it for User Analysis. I understand that during Risk Analysis for a user with Report Type "Action Level" will give the conflicts at the transaction level for the user and with Report Type "Permission Level" will give the conflicts at the Object level for the user. Also the permission level report includes the results of the action level report as well and hence Permission level report is more detailed & reliable.
  But now when I run the analysis report for a particular user both at Action & Permission level...the user is not getting any conflicts at Action level but it is showing conflicts at the Permission level. For another user the vice versa is happening. Could anyone help me in understanding the above 2 scenarios?
  Regards,
  Lakshmi.

  Hi
  A user to be need to have a action level conflict should have that transansaction code access only ie object s-tcode =  xyz transaction code.
  Similarly for a user to be reported in permission level conflict the user should have access to
  S_tcode = xyz transaction code Plus all other authorisation objects...Or in other words if the user is missing any authorisation object it wont be reported there...
  So just check what authorisation object level check is enabled for that transaction code in the rule architect tab.. Thereafter see whether user have access to all those authorisation object with the values specified...
  Parveen

• User Analysis at Permission Level - Detail Report (RAR SP12)

  Hello All,
  I have having question regarding the User Level Analysis at Permission level report. Currently, we are on GRC Access control 5.3 SP12.
  Per my understanding when you execute the User level analysis at Action level, you get SOD conflict reports based on T-code level and not on authorization / permission level. But, if you execute the user level analysis at permission level then SOD report is based on the authorization / permission object level.
  But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" name in the Permission Object Column and "Transaction Code" name in the Field column.
  Look forward to hear from you all.
  Thanks in advance,
  Regards,
  Angelica

  Hi Angelica,
  This behaviour is ok for those risks in which you have not enabled any Object/Field value. It will pick S_TCODE Object and show you the risk.
  This is useful because -
  1. If you have risks defiend at Tcode level - you can still catch them while running risk analysis at permission level.
  2. If you have Object Values defined in risk and you are running permission level analysis it will show risk only if Object Values meet. In that case permission level risk anlysis will not show risk if there is no actual risk.
  3. Running risk analysis at Action level can show false positives when risk is defined ta Object level. So, it is always better to r
  un alanysis at permission level, it will bring all actual risks skipping false positives.
  4. You can run only one level risk analysis in CUP and ERM and permission level covers all risks.
  If you have risk defined at Object Level and the role/user is not fulfilling all values, it should not show in permission level. In your case, if it is showing only "Transaction code check at start"  and the risk is defined at Object Level, then sure it is a bug.
  Regards,
  Sabita

• Error in SharePoint hosted app: Add permission level to the list programmatically

  I am trying to add permission to the list which I have created in my app. I am trying to give current user some permission to add update delete items from my list. I have used one article from MSDN(http://msdn.microsoft.com/en-us/library/office/jj247079.aspx)
  site. And my code is as bellow:
  function execOperation() {
  debugger;
  context = new SP.ClientContext(appweburl);
  var factory =
  new SP.ProxyWebRequestExecutorFactory(
  appweburl
  context.set_webRequestExecutorFactory(factory);
  appContextSite = new SP.AppContextSite(context, appweburl);
  var appContextSite2 = new SP.AppContextSite(context, hostweburl);
  var siteColl = appContextSite2.get_site();
  hostweb = appContextSite2.get_web();
  context.load(hostweb);
  web = appContextSite.get_web();
  context.load(web);
  user = web.get_currentUser();
  context.load(user);
  que_list = web.get_lists().getByTitle("MyList1");
  context.load(que_list);
  que_list.breakRoleInheritance(true, true);
  var permissions = new SP.BasePermissions();
  permissions.set(SP.PermissionKind.viewListItems);
  permissions.set(SP.PermissionKind.addListItems);
  permissions.set(SP.PermissionKind.editListItems);
  permissions.set(SP.PermissionKind.deleteListItems);
  // Create a new role definition.
  var roleDefinitionCreationInfo = new SP.RoleDefinitionCreationInformation();
  roleDefinitionCreationInfo.set_name('Manage List Items');
  roleDefinitionCreationInfo.set_description('Allows a user to manage list items');
  roleDefinitionCreationInfo.set_basePermissions(permissions);
  var roleDefinition = web.get_roleDefinitions().add(roleDefinitionCreationInfo);
  web.breakRoleInheritance(true, false);
  // Create a new RoleDefinitionBindingCollection.
  var newBindings = SP.RoleDefinitionBindingCollection.newObject(context);
  // Add the role to the collection.
  newBindings.add(roleDefinition);
  // Get the RoleAssignmentCollection for the target list.
  var assignments = que_list.get_roleAssignments();
  que_list.breakRoleInheritance(true, true);
  // Add the user to the target list and assign the use to the new RoleDefinitionBindingCollection.
  var roleAssignment = assignments.add(web.get_currentUser(), newBindings);
  context.executeQueryAsync(onSuccess, onFail);
  I have just copied the code from that article. But when I run my app it give me error :
  You cannot customize permission levels in a web site with inherited permission levels
  Any suggestions, What am I doing wrong?
  Thank you in advance...!

  Problem solved. 
  It turns out there should be NO leading '/' in the relative URL despite the example shown in http://msdn.microsoft.com/en-us/library/office/dn292553.aspx#Folders with "/Shared Folder".
  The correct GetFolderByServerRelativeUrl-parameter in my case is 'Lists/Productdocuments'.
  Unsure whether example is wrong or if it applies to other cases than mine.

• Permission level ruleset download.

  Hi,
  We have unmitigated risks showed up when the risk analysis is done by action level, and those transactions showed up in the   transaction usage history(stats) reports, but we use permission level risk analysis in AE and CC, so these risks dont show up and we didn't have to mitigate at the time of provisining.
  Now I'm in a stage where I need to prove that unmitigated risks are not really risks as per permission level. Because of the no.of risk ids showed up, i'm looking for some easy way to prove this instead of going by each risk id auth object values and comparing with user access in sap system.
  Also, looking for any way to download clean permission level rule set., so I could develop program for comparision. So I tried to download using 'Search permission rules'' report, but the format is not great, would require lot of changes in order to use downloaded for manual comparision in the excel.
  Thanks
  Laks

  SAP_ALL,
  Add SAP_ALL to the Permission level ruleset, before downloading.
  It will solve your problem.
  Thanks,
  Lakh

• RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error

  I have a trouble related with risk analysis at permission level, when the V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear, however performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
  At a first time I thought that most probably would be related with the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logical activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated and this no overpass the limit of 45566 rules defined at RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is u201Cno conflictsu201D:
  D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
  If this line is disabled, then, several users with conflicts are reported. As mentioned above, these users have value '*'   for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
  I have done the following checks, all of them correct:
  - The user/role/profile synchro has been done and all the users has been stored in table VIRSA_CC_
  - All the lines in VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
  - All the combinations of rules has been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
  Any suggestions?
  Thanks in advance

  I've detected the same problem for the following authorization objects:
  - F_BKPF_BLA||BRGRU
  - V_VBRK_FKA||FKART
  - M_MSEG_BWE||WERKS
  RAR reports no conflicts (at authoriztion level) when these objects are activated (of course having users with these conflicts in back-end systems)
  This problem has been proved in the installation of different customer with SAP GRC Access Control 5.3 SP12.
  Anybody else has experienced this issue????

• How to understand Permission level SoD analysis reports?

  Hi ,
  We would like to confirm whether our understanding is correct in analysing the SoD analysis reports at Permission Level
  Below is an example on how functions are configured at permission level
  Under Function 0C0004 we have t-code as below
  VA01 - Create Sales Order with Auth Objects
  B_USER_STAT  - ACTVT 01 AND
                              ACTVT 06 AND
  K_CKBS_CO-PC - ACTVT 01 AND
                               ACTVT 06 AND
  V_VBAK_AAT - ACTVT 01 AND 02 AND 06 etc.,
  Similarly we have another Function GA0001  with t-code as below
  F-03- Clear G/L Account
  F_BKPF_BLA  - ACTVT 01 AND
  F_BKPF_BUK -  ACTVT 01 AND
  F_BKPF_KOA - ACTVT 01 AND
  We have defined Risk betwee GA0001 & OC0004 with RISK ID 0045.
  Does this means that a User / Role which are having t-code VA01 with the above permission values should be thrown as a conflict if the same user/ role is having t-code F-03 with the above permission values.
  Do we need to understand the conflicts are only  between two transaction codes and their permission values? or
  Do we need to understand within the transaction code permission values also there are conflicts i.e. if a user is having  01,02 & 06 for V_VBAK_AAT in VA01 also.
  When SoD reports are thrown for a User/ Role it just provides the Rule ID number and the t-codes conflicting followed by the permission values of the t-codes as below
  004500101 : Transaction Code Check at Transaction Start  Transaction Code     Create Sales Order (VA01)   OC00004
  004500101 : Transaction Code Check at Transaction Start  Transaction Code      Clear G/L Account (F-03)      OCA00001
  004500101:  B_USERSTAT : ACTVT : Activity      Delete(06)                          OC00004
  004500101:  F_BKPF_BLA : ACTVT : Activity      Create or generate(01)      GA00001
  004500101: B_USERSTAT : ACTVT : Activity      Create or generate(01)      OC00004
  004500101: F_BKPF_KOA : ACTVT : Activity      Create or generate(01)      GA00001
  004500101: V_VBAK_VKO : ACTVT : Activity      Create or generate(01)      OC00004
  In the above scenario what exactly we need to understand ? Whether the conflicts are between t-codes & their respective permission values or the conflicts are intra conflicts i.e between permission values as well?  User should not posses both 01 & 06 for Auth Object B_USERSTAT and remove the access to any of them.
  Please provide your suggestions in our understanding.
  Thanks and Best Regards,
  Srihari.K

  Hi Sri,
            In RAR the conflict is always between Actions not permission. Permission level data is only for your info. All permission level details out of the box are not configured you have to activate it and fill in the value in the field. Now based on the value you feed in it will pull out the details.
  eg: if you enter * it will show all values, If you enter 01 it will show all  values with 01. 
         So to summarize the permission level details you need to configure based on needs and are not linked to conflicts they just show AS IS permission level details.
  Thanks,
  Darshan

• Regarding creating SharePoint custom permissions not permission level

  Hi All,
  i want to create or manage custom permissions under permission level.
  like
  for list items Manage Lists and add items etc.
  Thanks in advance.
  Kindly suggest me some suggestion
  Varsha Patil

  Use SPSecurityTrimmedControl control to for specific users or group. But still SPSecurityTrimmedControl will not work for full control so you also need to customize permission for full controls users.
  First go to permission level page and modify the permission for full control. uncheck the permission for whom you don't want to show this control (refer below link to know about base permission)
  http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
  Then do the same for custom permission level. and now assign this custom permission to group. Later use  SPSecurityTrimmedControl in above menu and then hide/show control for users.
  http://social.technet.microsoft.com/Forums/en-US/9496525a-3f8f-47e3-a3c0-73d9a1670b0d/how-to-make-the-site-actions-menu-invisible-to-certain-users?forum=sharepointgenerallegacy
  http://social.msdn.microsoft.com/Forums/en-US/0dba2a60-204d-44d9-968f-84cd41f52e2d/how-to-hide-site-actions-menu-for-user-group?forum=sharepointcustomizationlegacy
  Hemendra:Yesterday is just a memory,Tomorrow we may never see
  Please remember to mark the replies as answers if they help and unmark them if they provide no help

• Permission Level

  I have custom permission level, however I need to break the permission from the parent site and set a custom permission for this sub site. Please advice detail instructions on how to do this without breaking the parent site permission level.
  Renee W

  Hi
  check this similar post
  https://social.msdn.microsoft.com/Forums/ro-RO/83bf0883-986e-4881-8470-9e012624bc05/custom-permission-levels-subsite-access-global-navigation-and-webpart-permissions-configuration?forum=sharepointadminlegacy
  Romeo Donca, Orange Romania (MCSE, MCITP, CCNA) Please Mark As Answer if my post solves your problem or Vote As Helpful if the post has been helpful for you.

• Permission level version history

  In what permission level does one can see the version history for a list record where versioning is enabled.

  HI,Apart from the restricted permissions and Limited access set to users.All other permission levels of users can able to view  the version history.
  Anil Avula[MCP,MCSE,MCSA,MCTS,MCITP,MCSM] See Me At: http://expertsharepoint.blogspot.de/

• Sharepoint 2010 Permission level Full Control and explicit deny

  I am facing a very frustating permission level issue with Sharepoint 2010. First, everything worked as expected up to few days ago.
  I have a user on my sharepoint 2010 env (publishing portal) named rjo who is site collection administrator and has also Full Control permission level.
  When I execute the Check Permission command from the ribbon I get the following:
  Permission levels given to xxxx\rjo
  Full Control
  Given through the "xxx Owners" group.
  The following factors also affect the level of access for xxx\rjo (xxx\rjo)
  Deny
  Manage Permissions
  Create and change permission levels on the Web site and assign permissions to users and groups.
  Deny
  Create Subsites
  Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
  etc.. Seems like all the individual permissions are set to deny.
  If I remove the user rjo from the Full Control permission level, all the deny permissions disappear. I have tried creating a brand new permission level with Allow permission on al items but I still get the deny when I check the permissions. Notice that this
  happens for all the users.
  Does anyone experienced a similar issue? I suspect some kind of Windows update to have messed up the permissions but I cannot find a way to get proper permissions to my users.

  I had a similar issue.  When checking user permissions on any member of the site collection Owners group, the results were similar to those posted above.  Also noticed that some buttons on the ribbon were missing.  Also found that no user
  could add content to Library.  The Add button was missing.  Issue was only happening on one site collection in the web application, so it was not a Web App Policy issue.
  Eventually discovered that the site collection was locked as read-only.
  Central Administration > Application Management > Configure Quotas and Locks
  change the web application and site collection as needed to view setting for the affected site collection
  Found lock set to 'Read-only'  Changed to 'Not Locked'

• SharePoint 2013 check permissions unable to find permission level for AD user

  In our environment for SharePoint AD groups are associated with individual AD members and AD group is given access to SharePoint group with a permission level. When I want to check for a user who are part on the AD group using check permission to find their
  SharePoint permission level it returns "none", but when I check what permission level the AD group has check permission returns correct permission level.
  I am not sure if this is the right behavior for SharePoint 2013 not to display individual AD user permission using check permission, business users have to request IT every time they have to find a user permission level.

  Hi,
  As far as I know, the user permissions which set in AD Groups is not updated immediately to SharePoint Site. The AD group informations are converted into claims and packed into security token issued by the STS (Security Token Service).
  For troubleshooting your issue,you can configure the Token Cache to a smaller value and check the permission level of the user who is granted permissions through AD group:
  https://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
  Thanks,
  Eric
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• TS1485 change the permission level for iTunes and iTunesHelper to allow full access. how do i do this

  How do i change the permission level for Itunes

  I have actually been using Amazon cloud for a while now and never had this problem. Actually, I think I did get locked out once and was able to get back in by contacting support and answering some questions. This option isn't available with Apple.. They lock you out for 90 days regardless of whether you can verify your ID. I know this because I contacted them recently and they verified my identity exhaustively and then said 'sorry-there's nothing we can do and you are not  getting a refund for time lost.'  I think I understand why the policy is there, but I think it's ridiculous that they make no exceptions even when the mistake is on their side, which I'm pretty sure it is in my case.