Auditing / Restricting Users Use

Similar Messages

• DUN Bluetooth connection to PocketPC, Vista and restricted user rights

  Hallo,
  I've successfully established a DUN connection to my Pocket WM5-based QTEK 9100 smartphone via Bluetooth and the Toshiba Stack, latest version. My notebook is a X200-21D with Vista Home Premium.
  Everything works well as far as I don't change the Vista user to an user with restricted rights, for the user with Administrator rights the Bluetooth Utility created a new DUN connection and a new modem with a virtual COM port. The user with the restricted rights isn't allowed to setup a new connection but this is necessary to connect to the smartphone with the Bluetooth Utility. On the administrative account the radio button to allow the connection to be dialed from other users is disabled and greyed out, so there is now way to open it for other users.
  How can I setup an Bluetooth DUN connection for a user with restricted rights ?
  Thank you in advance !

  Should the Restricted user use the same DUN configuration like the Admin ?
  If so, then you can use "Bluetooth Settings-> Custom Mode". This allows you to
  select the "33600 Standard Modem" from the list which was configured before by
  the Admin. So every DUN which was configured by the Admin can be used by the
  Restricted user with this method. Restricted users can not install hardware, so
  if the Admin has not installed a modem, then also the Restricted user can not use it.
  The Admin can pre-install a modem with the Bluetooth stack installation.
  This is useful if the restricted user should be able to configure a DUN connections
  with advanced modem settings which are not used by the Admin.
  This should be possible if the "as.ini" file has a line "MODEMINST = 1"

• Restricting User from creating new records using when-validate-record

  Hi,
  I have a requirement for which I have to restrict he user from creating a record in the Supplier Master form if the suppliier type is 'Affiliate Supplier'.
  I have done the following setups
  Seq 10
  Description Restricting user from creating Affiliate records
  Level Function
  Enabled Yes
  Condition:
  Trigger Event WHEN-VALIDATE-RECORD
  Trigger object VNDR
  Condition "${item.VNDR.VENDOR_TYPE_DISP_MIR.value} is NOT NULL
  and
  ${item.VNDR.VENDOR_TYPE_DISP_MIR.value} LIKE 'Affiliate%'
  Processing Mode BOTH
  Context
  Level User
  Value User Name
  Action Sequence 1
  Type Message
  Action Description Saving Affiliate record
  Language ALL
  Message Type Show
  Message Text You Cannot Create Affiliate records Here
  Action Sequence 2
  Type Builtin
  Action Description Stop Proceesing
  Language ALL
  Action Enabled Yes
  Builtin Type RAISE FORM_TRIGGER_FAILURE;
  This is working good on one instance but when I moved it to another instance
  when I query the form and try to navigate to the bank accounts tab of the form which is based on a differnt block i.e VNDR_USES block, the when-validate-record trigger fires there also and stops the processing.
  Any suggestions on this would be higly appriciated.
  Thanks in Advance.

  Hi Srini,
  Yes, it does work...but in a Form Session if i Create more then one Item, in some cases it fires for the first records and not sleeps for the second.
  Sometimes it doesn't give any response.
  Appreciated if you divert to the link to check the Pacthes for 11.5.10 on Form Personalization.
  Please share any ideas/example if yiou have to achieve the below requirement.
  Requirement:
  Once New record is created , a Custom Procedure should be invoked.
  with out closing Form i am able to create n number of Items, so for every Item it should invoke Custom PLSQL Code on Save.
  Let me know if i can achieve the same in Custom.pll .....as i can use either of Options.(Form Personalization/Custom.pll)
  Thanks & regards,
  Edited by: user632004 on Mar 16, 2010 7:50 PM
  Edited by: user632004 on Mar 16, 2010 8:09 PM

• Restrict same user using same internet explorer session

  Hi,
  I encountered a problem here. Hope some one had deal with this problem can help me out.
  The application was written in BSP. The users are using Internet Explorer 6.0 and 7.0 to use the application.
  The problem I encountered here is after an user is logged in to the system through the browser, then he open another new window or tab (ctrlN or ctrlT), the application will not prompt him to login again because the sessions were shared between this two internet explorer. I do not want this to happen because it giving problem and causing data loss.
  Any possible way to restrict user to open two same application within same session? Because the problem will not occur if the user open two same application within different session.
  I really appreciate for those who can help me on this.
  Thanks you.

  Check OSS notes for this - there are a number about aspects of BSP logons.
  I believe this is to do with a cookie being held / kept alive that should not be.  There are some OSS notes about this issue - you may have to redefine how the user logs on so that HTTP Basic Authentication is not used.
  Andrew

• Restrict users from using Manual series

  Hi SAP,
  Is there a way to restrict users from using the Manual series?
  Thanks,
  Janice

  Hi Rahul,
  Ok, i have seen already the authorization for document manual numbering and it is available only for 8.8 versions and not on 2007 version of SAP.
  Anyway, when im doing the testing i found out that for banking transactions like incoming, user can still use the manual series even if he has no authorization for manual document numbering.
  Another concern from our client was  the use of manual series only, is it also possible in SAP? I tried to give user authorization in the manual document numbering and no authorization to series group no but user cannot already open the transaction window. Let us know if their inquiry is possible so i could inform them that only manual series can be restricted.
  Thanks for your help.
  Regards,
  Janice

• Restrict User Connections Using Logon Trigger

  Hi all,
  Now I am restricting user connections from selected terminals, using following logon trigger.
  It allows users with DBA privileged user.
  How to restrict DBA Privileged users users ?
  Note:- As per my application needs DBA privilege.
  CREATE OR REPLACE TRIGGER on_logon
  AFTER LOGON
  ON DATABASE
  DECLARE
  VPROGRAM VARCHAR2(30);
  Vusername VARCHAR2(30);
  VTERMINAL VARCHAR2(30);
  CURSOR user_prog IS
  SELECT UPPER(program),UPPER(username),NVL(TERMINAL,'X') FROM v$session
  WHERE audsid=sys_context('USERENV','SESSIONID');
  BEGIN
  OPEN user_prog;
  FETCH user_prog INTO Vprogram,Vusername,VTERMINAL;
  IF VTERMINAL NOT IN ( 'APP1','APP2','APP3')+
  and Vusername='ABUL'+
  THEN
  RAISE_APPLICATION_ERROR(-20001, 'You are not allowed to login');
  END IF;
  CLOSE user_prog;
  END;
  Thanks i Advance
  Abk

  Your application needs the DBA role? That is a terrible design-- it violates every principle of secure coding.
  Login triggers don't fire for users with the DBA role, so you won't be able to use a login trigger here. You could ditch the login trigger and configure invited and excluded nodes in the listener's sqlnet.ora file, i.e.
  tcp.validnode_checking = yes
  tcp.excluded_nodes = (hostname1,hostname2,hostname3)You'll have to restart the listener after making that change.
  Justin

• Restriction of values in a field to user using form personalization

  Hi,
  i need to the restrict the query results on a form based on specific user using personalization feature only.
  at present on querying , form displays 10 records. for this particular user, i need to restrict him to view only
  the one record on form.
  please provide me a possible approach , how it can be acheived thru form personalization.
  thanks
  enthu

  Hi,
  Not sure if this can be achieved. However, you may review the forms personalization documents and see if it helps.
  Forms Personalization Document
  Re: Forms Personalization Document
  Regards,
  Hussein

• Restricting owa 2013 from internet for group users using ARR

  I am trying to restrict owa access from internet for group of users using ARR.
  http://www.msexchange.org/articles-tutorials/exchange-server-2013/mobility-client-access/iis-application-request-routing-part1.html
  please suggest

  Hello,
  Thank you for your question.
  This is a quick note to let you know that I am trying to involve someone familiar with this topic to further look at this issue.
  Regards,
  Winnie Liang
  TechNet Community Support

• Restrict users to change value in user id field in SM36

  Hi,
  Our users are currently given authorization objects S_BTCH_NAM, S_BTCH_ADM and S_TCH_JOB in order to be able create background jobs and execute using batch admin userid, and not under their own userid.
  I like to know is there way to restrict users to execute transaction SM35, SM36, SM37 to create a job under another person's userid.
  I am looking at grey off the userid field in SM35, SM36, SM37 when users execute these t-code in online mode. I want to restrict them from schedule job to run under another person userid.
  However, if users perform a transaction and call a customised program to create a batch job in background to be executed under batch_admin userid, without failing the job.
  How can it be achieved? Does SAP allows configuration to grey off userid field?

  The problem is that our customized program will first create a job under user "X" userid for audit trail purpose. Because user "X"does not have necessary authorization to perform full update of all other transactions or tables update, in the job, the program will indicate a non-user account with SAP_ALL authorization to perform the update.
  Since your custom program check for S_BTCH_ADM and S_BTCH_NAM from User's authorization we cannot put S_BTCH_ADM=N there and in that case, users would be able to create jobs with other user ID by executing SM36 directly.
  Option 1: Discuss with your developer if it is possible to create a custom exit in the Sm36 program to perform the above authorization check in your Batch user ID's authorization instead of your dialog users. In that case your custom program would run as expected as long as your Batch user ID has proper authorizations for S_BTCH_ADM and S_BTCH_NAM and your dialog users can be restricted to S_BTCH_ADM= N
  Option2: Create a transaction variant for SM36 in tcode SHD0 and make field "User" invisible and then link the transaction variant to a custom tcode which is to be created with start type "Transaction with Variant (variant transaction)".
  Please refer to an SDN article for process of [creation of a transaction variant and linking it to a variant transaction|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40d1443e-0184-2c10-c68d-c612f771fe6f?quicklink=index&overridelayout=true]
  Then have your custom program updated to call the custom tcode instead of SM36 and modify your user's roles to replace SM36 authorization with ZSM36 (Check indicator values of SM36 are pulled into the role). This will ensure your custom program can create jobs under a different user whereas when your user executes SM36 online, the field to change 'user' will not be visible and by default they would be forced to create jobs under their own IDs inspite of having S_BTCH_ADM=Y and S_BTCH_NAM= <your Batch user ID>
  Hope this helps!
  Sandipan

• Solution: WinXP Restricted users connecting to Oracle

  For a while we've been having the problem that with a default install of the Oracle Client (in our case 9.2 - Not sure if the problem exists with earlier versions), restricted users on WinXP (possibly 2K too, I've not been able to test it) cannot connect to any server because they cannot see the oracle client files. For some reason, the oracle client install sets strange permissions that mean only administrators can access the client files. Worse still, any attempt to reset the permissions on the ORACLE_HOME directory and propagate them down all the sub directories always fails with Permission Denied (even for admins?!?!?!). Even attempting to take ownership fails.
  Anyway, we've found a solution:
  Logged in as an admin, we copied the c:\oracle\Ora92 directory from a fresh install of the oracle client on WinXP to a machine with Fat32 (Win98) - Thereby removing all permissions from the files. We then renamed the old Oracle directory on the WinXP PC, created a new one and copied back the Ora92 directory from the Win98 PC - This resulted in the c:\Oracle directory and all sub directories having default permissions, specifically Read and Execute to all users and Full to admins. We also reset the permission on all sub-directories of c:\program files\oracle to those of c:\program files\oracle ( Using the "Reset permission on all child objects and enable propagation of inheritable permissions" check box in windows advanced security ).
  The end result is that restricted users can now access the necessary oracle client files, but don't have permission to alter them (which prevents them changing any connection parameters).
  The problem still remains that the installer creates strange permissions on files in the Oracle Home directory, but at least there is a workaround until Oracle sorts out the installer.
  Anyone think of a better way to get the same result?

  if you set the restricted users into the power users group you may be asking for other troubles as these users will then have update permissions to most files on the system, including those files in the winnt folder.
  it is not clear to me whether you are unable to set the file permissions to read/write access, or whether you are able to do so but that after you do so the users still get errors launching the client. it sounds like the solution to your problem may have been setting the read/write access in the \program files\oracle folder.
  you should make sure you install oracle when you are logged in as administrator. note that this is different than doing the install while logged in as user "X", where "X" is a member of the administrator group.
  if after doing the install as administrator you still have problems, i would recommend that you turn on auditing, reboot the system, launch the client as a restricted user, and then review the event log to see what file(s) are being denied access.
  to set up auditing, go to start->programs->administrative tools->local security policy. select local policies, then audit policies. set "audit object access" to failure. then go to my computer, right click on C:, select properties, then the security tab. click on the advanced button, then the auditing tab. select the "everyone" group, then click ok. in the next window, check all boxes in the "failed" column. click ok.
  don't forget to reverse the process and turn off auditing once you have found the problem files and set the necessary permissions.

• Retrieving ALL values from a single restricted user property

  How can I retrieve ALL values of a single restricted user property from within
  a .jpf file?
  I want to display a dropdown list within a form in a JSP which should contain
  all the locations listed in the property 'locations'. I ever get just the default
  value when I access the property via
  ProfileWrapper pw = userprofile.getProfileForUser(user);
  Object prop = pw.getProperty("ClockSetup", "Locations");

  Well, the code you've got will retrieve the single value of the property
  for the current user. You're getting the default value because the
  current user doesn't have Locations property set, so the ProfileWrapper
  returns the default value from the property set.
  I assume you want to get the list of available values that you entered
  into the .usr file in Workshop. If so, I've attached a
  SetColorController.jpf, index.jsp, and GeneralInfo.usr (put in
  META-INF/data/userprofiles) I wrote for an example that does just this.
  It uses the PropertySetManagerControl to retrieve the restricted values
  for a property, and the jsp uses data-binding to create a list from that
  pageflow method.
  For a just-jsps solution, you can also use the
  <ps:getRestrictedPropertyValues/> tag. I've attached a setcolor-tags.jsp
  that does the same thing.
  Greg
  Dirk wrote:
  How can I retrieve ALL values of a single restricted user property from within
  a .jpf file?
  I want to display a dropdown list within a form in a JSP which should contain
  all the locations listed in the property 'locations'. I ever get just the default
  value when I access the property via
  ProfileWrapper pw = userprofile.getProfileForUser(user);
  Object prop = pw.getProperty("ClockSetup", "Locations");
  [att1.html]
  package users.setcolor;
  import com.bea.p13n.controls.exceptions.P13nControlException;
  import com.bea.p13n.property.PropertyDefinition;
  import com.bea.p13n.property.PropertySet;
  import com.bea.p13n.usermgmt.profile.ProfileWrapper;
  import com.bea.wlw.netui.pageflow.FormData;
  import com.bea.wlw.netui.pageflow.Forward;
  import com.bea.wlw.netui.pageflow.PageFlowController;
  import java.util.Collection;
  import java.util.Iterator;
  * @jpf:controller
  * @jpf:view-properties view-properties::
  * <!-- This data is auto-generated. Hand-editing this section is not recommended. -->
  * <view-properties>
  * <pageflow-object id="pageflow:/users/setcolor/SetColorController.jpf"/>
  * <pageflow-object id="action:begin.do">
  * <property value="80" name="x"/>
  * <property value="100" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="action:setColor.do#users.setcolor.SetColorController.ColorFormBean">
  * <property value="240" name="x"/>
  * <property value="220" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="action-call:@page:index.jsp@#@action:setColor.do#users.setcolor.SetColorController.ColorFormBean@">
  * <property value="240,240,240,240" name="elbowsX"/>
  * <property value="144,160,160,176" name="elbowsY"/>
  * <property value="South_1" name="fromPort"/>
  * <property value="North_1" name="toPort"/>
  * </pageflow-object>
  * <pageflow-object id="page:index.jsp">
  * <property value="240" name="x"/>
  * <property value="100" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="forward:path#success#index.jsp#@action:begin.do@">
  * <property value="116,160,160,204" name="elbowsX"/>
  * <property value="92,92,92,92" name="elbowsY"/>
  * <property value="East_1" name="fromPort"/>
  * <property value="West_1" name="toPort"/>
  * <property value="success" name="label"/>
  * </pageflow-object>
  * <pageflow-object id="forward:path#success#begin.do#@action:setColor.do#users.setcolor.SetColorController.ColorFormBean@">
  * <property value="204,160,160,116" name="elbowsX"/>
  * <property value="201,201,103,103" name="elbowsY"/>
  * <property value="West_0" name="fromPort"/>
  * <property value="East_2" name="toPort"/>
  * <property value="success" name="label"/>
  * </pageflow-object>
  * <pageflow-object id="control:com.bea.p13n.controls.ejb.property.PropertySetManager#propSetMgr">
  * <property value="31" name="x"/>
  * <property value="34" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="control:com.bea.p13n.controls.profile.UserProfileControl#profileControl">
  * <property value="37" name="x"/>
  * <property value="34" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="formbeanprop:users.setcolor.SetColorController.ColorFormBean#color#java.lang.String"/>
  * <pageflow-object id="formbean:users.setcolor.SetColorController.ColorFormBean"/>
  * </view-properties>
  public class SetColorController extends PageFlowController
  * @common:control
  private com.bea.p13n.controls.ejb.property.PropertySetManager propSetMgr;
  * @common:control
  private com.bea.p13n.controls.profile.UserProfileControl profileControl;
  /** Cached possible colors from the User Profile Property Set definition.
  private String[] possibleColors = null;
  /** Get the possible colors, based upon the User Profile Property Set.
  public String[] getPossibleColors()
  if (possibleColors != null)
  return possibleColors;
  try
  PropertySet ps = propSetMgr.getPropertySet("USER", "GeneralInfo");
  PropertyDefinition pd = ps.getPropertyDefinition("FavoriteColor");
  Collection l = pd.getRestrictedValues();
  String[] s = new String[l.size()];
  Iterator it = l.iterator();
  for (int i = 0; it.hasNext(); i++)
  s[i] = it.next().toString();
  possibleColors = s;
  catch (P13nControlException ex)
  ex.printStackTrace();
  possibleColors = new String[0];
  return possibleColors;
  /** Get the user's favorite color from their profile.
  public String getUsersColor()
  try
  ProfileWrapper profile = profileControl.getProfileFromRequest(getRequest());
  return profileControl.getProperty(profile, "GeneralInfo", "FavoriteColor").toString();
  catch (P13nControlException ex)
  ex.printStackTrace();
  return null;
  // Uncomment this declaration to access Global.app.
  // protected global.Global globalApp;
  // For an example of page flow exception handling see the example "catch" and "exception-handler"
  // annotations in {project}/WEB-INF/src/global/Global.app
  * This method represents the point of entry into the pageflow
  * @jpf:action
  * @jpf:forward name="success" path="index.jsp"
  protected Forward begin()
  return new Forward("success");
  * @jpf:action
  * @jpf:forward name="success" path="begin.do"
  protected Forward setColor(ColorFormBean form)
  // set the color in the user's profile
  try
  ProfileWrapper profile = profileControl.getProfileFromRequest(getRequest());
  profileControl.setProperty(profile, "GeneralInfo", "FavoriteColor", form.getColor());
  catch (P13nControlException ex)
  ex.printStackTrace();
  return new Forward("success");
  * FormData get and set methods may be overwritten by the Form Bean editor.
  public static class ColorFormBean extends FormData
  private String color;
  public void setColor(String color)
  this.color = color;
  public String getColor()
  return this.color;
  [GeneralInfo.usr]
  [att1.html]

• How to restrict users from creation of varients in report transaction

  Hi All,
  I have a requirement where buisness wants to restrict users in creating varients in report transactions.because of create options users will be creating more screen varients which will be disturbing for the other users to select a particular standard varient.Kindly give ur input regarding this
  With regards
  Girish A

  Hi,
  First edit the role assigned to users using PFCG.
  Then go to Authorization tab and click on "Change Authorization Data".
  It will opened up the profile of the role. now find the authorization object "S_PROGRAM".
  In that edit "User action ABAP/4 program" object.
  Remove "VARIANT" check box if it was checked and save. Now press
  Generate button or "Shift+F5".
  That's it.
  You can ask for this to your basis team. They can perform this task  easily.

• How can we restrict users from changing the data in HFM.

  Hi All,
  We have requirement from users where, They don't want the base data being loaded from SAP to HFM via FDM through ERPi to get changed in HFM at <Entity Currency>. They want data to be read only and no body should be able to change neither Grid nor Forms and neither Smart View. If we restrict by Shared services access then again they can't change ownership management value.
  Regards,
  Sushil

  Hi Thanos, Thanks for your reply.
  Yes i am aware of the security class, so your suggestion is to use security classes to restrict users? And how can i use the phased submission for the same?  I am new to HFM so please bear with me.
  I have one more question that my Application is HFM EPMA application. So is it necessary to have Application Administrator to change hierarchy and Deploy the Application from EPMA?
  Thanks,
  Sushil

• How to audit a user at same time it is created?

  Hi, I got a problem and I hope someone can help me.
  Is there any way of auditing a user at same time it is created?
  For example I create the user "Eddy" and I want this account to be automatically audited so I don't have to execute "audit session username;" each time a new user is created.

  I wasn't aware but it seems that most of DDL operations are not available directly from system triggers. Anyway, you can log the user created in a table (stored in ora_dict_obj_name) for being processed later with a scheduled job.
  All in all, it seems much more easier to use two sentences create + audit.

• How to restrict users from printing documents and exporting to local file

  Hi SAP gurus,
  I have two questions.
  1. How can I restrict users from printing a document? i.e. billdoc? I would like to know if I could block it though authorization. If yes, what auth obj to use?
  2. How to restrict certain users from exporting to local file? the System> List>Save-->Local File. I have tried restricting it using auth object S_GUI but it seems it is only applicable to older versions of SAP. im on ecc6.
  Thank you in advance.

  Hi,
  Check this:
  Create your own gui status and attach it to the list in the event START-OF-SELECTION.
  In the menu painter extra -> adjust template.
  Make it a list status and you will see all the standard list options appear including list->download
  Deactivate the ones you don't want. 
  If you just want to prevent users from downloading the list you can achieve this with authorization object S_GUI, activity 61. Menu option will still be there though.
  Please note that if you remove authorisation for S_GUI activity 61 then all downloads will not be possible. 
  If you just want to disable downloads only for a particular report, you can try this test program:
  Code:
  REPORT ztest. 
    DATA: PROGNAME LIKE SY-CPROG value 'Z_CHECK_AUTH', 
          FORMNAME LIKE SY-XFORM value 'F_CHECK_AUTH'.
  START-OF-SELECTION. 
      CALL FUNCTION 'SET_DOWNLOAD_AUTHORITY' 
           EXPORTING 
                FORM    = FORMNAME 
                PROG    = PROGNAME 
           EXCEPTIONS 
                OTHERS  = 1.
    WRITE: / 'TEST'.
  You also need this:
  Code:
  PROGRAM z_check_auth.
  FORM f_check_auth USING pe_result TYPE i. 
    pe_result = 5. 
  ENDFORM.
  Also have a look at the exit SGRPDL00.
  Hope this helps you.
  Rgds,
  Raghu