Authorization and security

Can anybody help me out with security profile and authorization?
In my report's functional spec they have given three objects for authorization, like
v_vbak_aat
v_vbak_vko
s_tcode
with a transaction code.
How to use those, and where to use them in my coding?
Please help me out.
I am desperate for a sample code.
With thanks and regards,
Durga.

Hi
In your report
Click the PATTERN button --> select AUTHORIZATION-OBJECT --> give the object there and press Enter.
It is just like calling a Function Module from code...
Reward if helpful....
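
The AUTHORITY-CHECK statements that the Pattern button inserts, filled in for the three objects named in the question and placed in a report, as an added example that is not part of the original thread. The report name ZSD_ORDER_LIST, the transaction code ZSD_ORDERS, the selection fields and the message texts are hypothetical; the field names are the standard fields of S_TCODE (TCD), V_VBAK_VKO (VKORG, VTWEG, SPART, ACTVT) and V_VBAK_AAT (AUART, ACTVT), and activity 03 means display.

```abap
REPORT zsd_order_list.
" Added example. Report name, transaction code ZSD_ORDERS, selection
" fields and message texts are hypothetical placeholders.

TABLES vbak.

SELECT-OPTIONS: s_vkorg FOR vbak-vkorg,
                s_auart FOR vbak-auart.

TYPES: BEGIN OF ty_order,
         vbeln TYPE vbak-vbeln,
         auart TYPE vbak-auart,
         vkorg TYPE vbak-vkorg,
         vtweg TYPE vbak-vtweg,
         spart TYPE vbak-spart,
       END OF ty_order.

DATA: gt_orders  TYPE STANDARD TABLE OF ty_order,
      gt_visible TYPE STANDARD TABLE OF ty_order,
      gs_order   TYPE ty_order,
      gv_skipped TYPE i.

START-OF-SELECTION.

  " 1) S_TCODE: may the user start the transaction tied to this report?
  AUTHORITY-CHECK OBJECT 'S_TCODE'
           ID 'TCD' FIELD 'ZSD_ORDERS'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for transaction ZSD_ORDERS' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  SELECT vbeln auart vkorg vtweg spart
    FROM vbak
    INTO TABLE gt_orders
    WHERE vkorg IN s_vkorg
      AND auart IN s_auart.

  LOOP AT gt_orders INTO gs_order.

    " 2) V_VBAK_VKO: display (ACTVT 03) allowed for this sales area?
    AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
             ID 'VKORG' FIELD gs_order-vkorg
             ID 'VTWEG' FIELD gs_order-vtweg
             ID 'SPART' FIELD gs_order-spart
             ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      gv_skipped = gv_skipped + 1.
      CONTINUE.
    ENDIF.

    " 3) V_VBAK_AAT: display allowed for this sales document type?
    AUTHORITY-CHECK OBJECT 'V_VBAK_AAT'
             ID 'AUART' FIELD gs_order-auart
             ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      gv_skipped = gv_skipped + 1.
      CONTINUE.
    ENDIF.

    APPEND gs_order TO gt_visible.
  ENDLOOP.

  " Only rows that passed both checks reach the list.
  LOOP AT gt_visible INTO gs_order.
    WRITE: / gs_order-vbeln, gs_order-auart,
             gs_order-vkorg, gs_order-vtweg, gs_order-spart.
  ENDLOOP.

  IF gv_skipped > 0.
    MESSAGE 'Some documents were hidden for lack of authorization' TYPE 'S'.
  ENDIF.
```

sy-subrc is 0 only when one authorization in the user's master record matches every ID/FIELD pair of the statement, which is why all fields of an object are checked in a single AUTHORITY-CHECK.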

Similar Messages

  • User Authorizations and security

    Hi,
    I need to know whether it is required to give SAP_ALL to the user IDs created for functional consultants and ABAP developers, or whether there is some different set of roles to be created. Where do I find these security best practices, so that I can implement them?
    Regards
    Puneet

    Sathi,
    Yes, you can in fact do this...it is a fairly involved process but once done it works very well.
    Remove ALL authorization objects pertaining to BUKRS (in this particular example you only want to limit users to a company code) from your role. We'll call this first role ZT_role. You will have your transaction codes in here.
    You will have a number of other authorization objects that you could do this same thing with. We are currently not only doing this with company code, but cost center/profit center, plant and several more. The process is the same. If you don't want to allow certain users access to a company code, plant...etc. pull the auth obj out of the transaction role.
    Next, create a brand new role WITHOUT T-CODES in it and name it something like ZD_Locking_role (whatever you want to call it...but in a sense you are locking users down with this role).
    In this 2nd role you will need to manually enter each Authorization Object that uses BUKRS from your 1st role and then add in the company code(s) you want to allow people to see (again...manually add those auth objects needed as mentioned above for cost center/plant etc.).
    Now, you should be able to assign the 1st AND 2nd role to a person. Now, they will only be able to see the company codes you placed in the locking role.
    If you only assign the 1st role, they will not be able to view/change by company codes. By adding the second role, the SAP system checks the auth object against their entire profile in their master record and should allow them work fine.
    Good luck!
    For those that care...
    We not only do the above, we took it many steps further. We created derived roles and broke those down to display only and create/change roles. In other words, the locking role would read something like Z_DISPLAY_XXX or Z_CRT_CHG_XXX (where XXX is the company).
    User roles assigned to associate Joe Smith - As an AR Manager this person needs access to ALL AR function for creation/display and change but only allowed to display all AP documents and not change all within company code XXX:
        Transaction roles:
    ZT_AP_DISPLAY role (AP needs to run XK03 or XK04...any and all t-codes are locked down to display only! [03 or 08...etc.])
    ZT_AR_MANAGER role (AR Manager needs to display (only) AP stuff but not be able to change. They also need to be able to perform all other functions (create/change) as an AR Manager)
        Locking Roles:
    ZD_DIS_BUK_XXX (XXX is company code) [display only]
    ZD_CRT_CHG_BUK_XXX (XXX is company code) [create change]
    With a thoroughly thought out system you can have a very tight system while being able to allow users the versatility to see only certain information.
    Good luck!

  • I am so angry - there has to be a misunderstanding.  my Itunes was disabled as there was a charge that I did not authorize and I cannot find the phone

    I am so angry - there has to be a misunderstanding. My iTunes was disabled as there was a charge that I did not authorize and I cannot find the phone number for security and the dingbat girl who I'm emailing sent me a link that does not work. And I am extremely frustrated. Please help. I need a phone # to contact security.

    Contact Apple Support here:
    ACCOUNT SECURITY CONTACT NUMBERS
    Cheers,
    GB

  • Security-role and security-role-assignment not working in WL7.0

    Hello all..
    Some EJB components that worked fine in WebLogic 6.1 no longer work in
    WL7.0. It has to do with the security-role and security-role-assignment
    descriptor elements no longer allowing anonymous users to be included in the
    authorization for a bean.
    For example, in WL6.1 placing these items in ejb-jar.xml:
    <assembly-descriptor>
    <security-role>
    <role-name>Employees</role-name>
    </security-role>
    <method-permission>
    <role-name>Employees</role-name>
    <method>
    <ejb-name>CustomerEJB</ejb-name>
    <method-name>*</method-name>
    </method>
    </method-permission>
    and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
    <security-role-assignment>
    <role-name>Employees</role-name>
    <principal-name>guest</principal-name>
    <principal-name>system</principal-name>
    </security-role-assignment>
    worked fine for clients creating their context using a simple
    InitialContext() constructor without specifying SECURITY_PRINCIPAL or
    SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
    the security-role-assignment element above told WebLogic that "guest" was in
    the Employees role for purposes of this EJB archive.
    Worked in WL6.1, no longer works in WL7.0. Client receives typical
    permission exception:
    java.rmi.AccessException: Security violation: insufficient permission to
    access method 'create'
    If I explicitly connect as "system" things are fine, or I can create a new
    user in the default realm in WebLogic, put a matching <principal-name>
    element in the section above, and connect as that user. Note that if I leave
    off the <security-role> section completely, or set the required role name to
    "everyone", the anonymous access works fine. Apparently the anonymous user
    is a member of "everyone" behind the scenes even though "everyone" does not
    appear in the realm list of groups or roles.
    So, my question boils down to this: Is there a "magic" username in WL7 like
    "guest" was in WL6.1 that can be mapped to the required role name, or must
    every client connection use a true weblogic-created user with appropriate
    role assignments used to map it to the required role name.
    -Greg
    P.S. Note that none of the EJB examples provided with WL used
    <security-role>..
    Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
    www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

  • E-commerce site and security

    I am likely to begin working on a large e-commerce site soon and would like to get everything straight before I begin.
    I have a reseller account on a virtual dedicated server at the hosting provider everyone loves to hate. Generally my modus operandi is to create a folder and point a subdomain to that folder so the client can see the site. Unless there are serious security issues or the need for a huge amount of server space, I leave the site in that folder and point the domain name to it when it is completed.
    Does an e-commerce site need to be on a dedicated server as a matter of principle? If I use Cartweaver or VirtueMart and a payment gateway such as Paypal or Authorize.net, does it matter if the site is on a dedicated server behind SSL? Or can I simply leave it on my hosting account and put the Paypal Verified graphic on the site?
    Or could I create a new virtual dedicated reseller account just for e-commerce sites? Or would an economy account suffice?
    The issue of testing in one account  and then moving to another is one I don't like. Do you have a way of testing and cloning the site?

    Hello Peavo,
    A shared host is fine for e-commerce... But let me qualify this by adding - a shared host that KNOWS e-commerce and how to help you attain PCI certification, and - this is really an important one - offers very good, quick, support! If your revenue generating site is down you want help NOW, not a "call back" or an email a day or two from now. I echo the statement that you should avoid GoDaddy, more like run screaming in the other direction. They, and many cheap, super high volume hosts, are fine for run of the mill HTML sites or even the occasional WordPress blog, but for the complexities of and security required by an e-commerce site they are woefully inadequate.
    All that being said, there are literally thousands of Cartweaver, and other e-commerce sites happily motoring along on quality shared hosts. So with some caution and having your homework done, there's no worries there. I can recommend GoWestHosing.com - very good smaller host that specializes in dynamic and e-commerce sites and knows all the ins and outs of PCI compliance.
    If you expect to have an extremely high volume site, then looking into a VPS is not a bad idea, but truthfully, for most average shopping cart sites a quality shared hosting account will do, and cost significantly less.  You could start out with a hosted account, then always migrate to a VPS if need be.
    Here's a blog post about PCI that you may find helpful.
    http://blog.cartweaver.com/?s=PCI
    Hope this helps!
    Lawrence Cramer - *Adobe Community Professional*
    http://www.Cartweaver.com
    PHP & ColdFusion Shopping Cart for Adobe Dreamweaver
    Stay updated:
    http://www.facebook.com/cartweaver
    http://www.twitter.com/cartweaver
    http://blog.cartweaver.com

  • Simple Authentication and Security Layer

    Hi All,
    What is Simple Authentication and Security Layer (SASL)? And what is its function in Oracle Beehive?
    Thanks,
    Dha_Suh

    Wikipedia:
    Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. Authentication mechanisms can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 is an example of mechanisms which can provide a data security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.
    SASL was originally specified in RFC 2222, authored by John Gardiner Myers while at Carnegie Mellon University. That document was obsoleted by RFC 4422, edited by Alexey Melnikov and Kurt Zeilenga.
    SASL is an IETF Standard Track protocol, presently a Proposed Standard.

  • ACS - ASA Authorization and Accounting

    Hi
    I have some questions regarding authorization and accounting on ASA via ACS server.
    When I enable the command "aaa authorization command" to control SSH users' commands, I get locked out on the console; then I have to configure the console, telnet, and enable to be authenticated via TACACS too. Is there any way to authorize SSH via TACACS while keeping console and telnet authenticated locally, or even with no authentication?
    I issued the accounting command "aaa accounting command TAC" on the ASA, but I noticed that the ACS just logs commands in configuration mode "privilege 15", not any show command or privilege 1. Is there any way to fix this?
    Does RADIUS support SHELL authorization?
    Thanks for your support.

    1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh, telnet, enable, http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.
    2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.
    http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
    Regards,
    Jatin
    Do rate helpful posts-

  • I have forgotten my Apple security questions, when I go to My Apple ID and click on password and security, there is no option to reset my security questions even though I have a rescue email address, how do I reset my security question?

    I have forgotten my security questions but when I click on My Apple ID and go to password and security, there is no option to reset my questions and/or send myself a rescue email. What do I do now?

    You need to contact Apple. Click here, phone them, and ask for the Account Security team, or fill out and submit this form.

  • Start up problems after Safari 3.1 and Security update

    Updated safari and security update last night.
    Safari downloaded and installed but there was an error downloading or installing the security update, I forgot.
    After I restarted everything booted up fine, but was stuck on "Starting Mac OS X" screen.
    Did a fsck and zap the pram, still stuck.
    Today I tried booting up in safe mode, stuck on the gray screen with the apple logo.
    Then I tried booting up from an external firewire dvd drive. Repaired permissions, repaired the disk, but it is still stuck on "Starting Mac OS X" screen. Help please...
    Thank you

    OK, I had a similar problem, with all the recent updates for Leopard, including the 10.5.2 combo update... the 12" PowerBook G4 kept getting stuck on the grey apple and spinning wheel... if it managed to get past this it would get stuck on the blue screen!!!
    The way I got around this, after trying all these other tips was: Archived & Installed 10.5; restarted, waited; downloaded 10.5.2 Combo update, installed; restarted, waited; waited; waited; after getting back to desktop, restarted, waited; then ran Software Update only installing one at a time, and after each install, restarted, waited; when all Software updates completed, proceeded with iLife updates etc... It took a while (still quicker than the 3 days of failed installs and updates) with a lot of waiting on the blue screen (5-20mins) but we got there in the end. Disks were checked with Leopard Disk Utility before and after, permissions were checked before and after completing all installs, also with a DW 4.1 optimization. Also noteworthy is the RAM was upgraded from the initial 256Mb (!!!) with an extra Gb.

  • Bursting with translation and security attributes?

    Hi folks,
    I've been lurking on the forum for a while and despite not always finding a solution, existing threads normally pointed me in the right direction - so thanks :)
    I'm working on EBS 11.5.10 with the latest Bi-Publisher 5.6.3 (5472959) and bursting (5968876) patches installed.
    I have successfully done the following individual AR Invoice Bi-Publisher tasks:
    1. translated an invoice RTF template by attaching an xliff file to the data definition,
    2. applied security attributes to the template to restrict updates on the resulting PDF,
    3. burst a custom AR invoice print and emailed the resultant PDFs.
    The PDF generated by the combined Invoice print correctly applies the translation and security attributes; however when I run the "XML Publisher Report Bursting Program" to the XML file the resultant burst PDFs do not apply the translation or security attributes. I assume this is a limitation of bursting control files? If so, is this on the list of future enhancements to Bi-Publisher?
    Here's an example of my control file document entry, I have included locale and pdf-security entries - these don't cause an error but equally don't generate the desired result (p.s. I know I'm emailing on a PRI filter - it's just a test):
    <xapi:document output-type="pdf" delivery="att_email">
    <xapi:template type="rtf"
    location="/usr/tmp/xxxINVOICE3.rtf"
    locale="fr-US"
    pdf-security="true" pdf-encryption-level="1" pdf-permissions-password="xxxxxx"
    filter=".//G_INVOICE_HEADER[PRINTING_OPTION='PRI']" >
    </xapi:template>
    </xapi:document>
    Thanks
    Dave

    =================
    ==Properties Ideas
    =================
    You would have happened to try applying the security stuff in the application for your template? Try that and see if the PDF properties get set.
    If that doesn't work you're left with two options:
    1. create a java concurrent program and set the properties manually.
    2. Log a tar.
    =================
    ==Locale Ideas
    =================
    Are you sure you don't have to create template config for the locale? I suspect that's why it's not applying the xliff translation. Also, your NLS_LANG needs to be set to FRENCH for the appropriate template to be applied. If you're logged in as English your French format template will not be applied, neither will the translation. As an example you can query vl table and you'll only get american (us) but if you alter your session you'll get the translation for that language when you query the table.
    location="xdo://xxxAR.xxx_XML_PRINT.fr.US"
    Try it out and see if that works. Note: This will only work if your session NLS_LANG is set to FRENCH.

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in the ethical hacking, penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by other non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies.
    1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies.
    2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true"
    Here my question is how we can do the same thing in Application.cfm. (I am using ColdFusion version 10.) I know we can do this using the below code, in case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache. Right? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean, how are you relating this to my question?
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case then why am I getting the below info for JSESSIONID (as you mentioned, it should be set with the SECURE flag. Right?). Note that we are using web server - Apache vFabric. And the application that we are using is in https and there is no hit going from https to http.
    Name: JSESSIONID
    Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain: xyz.abc.pqr.com
    Path:
    Send for: Any kind of connection
    Accessible to script: No (HttpOnly)
    Created: Wednesday, September 3, 2014 2:25:10 AM
    Expires: When the browsing session ends
    BKBK wrote:
    2] When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set HTTPOnly and SECURE flag for JSESSIONID only, or for CF session cookies (CFID and CFTOKEN) as well?
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for CF session cookies (CFID and CFTOKEN) as we have enabled J2EE session in CF admin? Or, put another way, as the session management is J2EE based, do we need to set those flags for CF session cookies?
    BKBK wrote:
    3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set httponly only, but how will we set it for JSESSIONID? This is my question. Apache vFabric will also set secure to true automatically. Any idea?

  • HT2534 My friend created me an itunes store account with his credit card , his credit card is about to expire and they are asking me to re-enter the credit card and security card number .... I don't have these numbers ... How can i create new itunes accou

    My friend created me an iTunes store account with his credit card, his credit card is about to expire and they are asking me to re-enter the credit card and security card number... I don't have these numbers... How can I create a new iTunes account without a credit card?

    Why do you need to create a new account?
    Just change the payment method.
    http://support.apple.com/kb/ht1918

  • How can I authorize and access my iTunes account on a new computer if I can't access my old computer to enable home sharing

    How can I authorize and access my iTunes account on a new computer if I can't access my old computer to enable home sharing?

    Authorization
    Macs:  iTunes Store- About authorization and deauthorization.
    Windows: How to Authorize or Deauthorize iTunes | PCWorld.
    In iTunes you use the Authorize This Computer or De-authorize This Computer option under the Store menu in iTunes' menubar. For Windows use the ALT-S keys to access it. Or turn on Windows 7 and 8 iTunes menus: iTunes- Turning on iTunes menus in Windows 8 and 7.
    To deauthorize a computer you don't have:
    De-authorizing Computers (contributed by user John Galt)
    You can de-authorize individual computers, but only by using those computers. The only other option is to "de-authorize all" from your iTunes account.
      1. Open iTunes on a computer
      2. From the Store menu, select "View my Account..."
      3. Sign in with your Apple ID and password.
      4. Under "Computer Authorizations" select "De-authorize All".
      5. Authorize each computer you still have, as you may require.
    You may only do this once per year.
    After you "de-authorize all" your authorized computers, re-authorize each one as required.
    If you have de-authorized all computers and need to do it again, but your year has not elapsed, then contact: Apple - Support - iTunes - Contact Us.
    For more information on authorization and de-authorization: iTunes Store- About authorization and deauthorization.

  • I forgot the answers for the security questions and when I try to change them (My Apple ID - Manage your account - Password and Security) I'm asked to answer the exact questions I'm Trying to change because I don't remember the answers. How can I do it?

    I forgot the answers for the security questions and when I try to change them (My Apple ID -> Manage your account -> Password and Security) I'm asked to answer the exact questions I'm trying to change because I don't remember the answers. How can I do it?

    Can't you try the email option instead?

  • [Request] Move Windows Control Panel applet from "System and Security" to "Programs"

    The "Flash Player (32-bit)" Windows Control Panel applet should be  moved from "System and Security" to "Programs" where the Java applet is.
    Vote: https://bugbase.adobe.com/index.cfm?event=bug&id=2953107
    Thanks

    njb,
    Why not just run the ThinkVantage System Update and let it install as usual. You can also "un-check" those drivers that you don't want to install.
    *Non Lenovo employee*
    I have a Y2P (i5) ... Feel free to ping me if you want me to test some applications with your Y2P if you have the same model. I don't mind keep doing recovery on it if needed .... =)
