Authorization at domain level

Similar Messages

• How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

  How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level, There is a requirement from my client  and i propose two methode
  1- Creation of Ztcode ZVL32N and do changes ABAP program level
  2- Disablement via Authorization/Role level - but how can i find the auth object/ Authorization corresponds to POST GOODS RECEIPT button in VL32N

  I think you can make use of SHD0 - Transaction variant to achieve this. You can make it as grayed out while recording steps in SHD0.

• Domain Level and Backup AD as VM?

  We're currently running Windows 2012 R2 Essentials (25 users license default) as the DC.  We're thinking to have the 2008R2 as the secondary (backup) DC.  Questions are:
  1. We have AD recycle bin enable, would it cause any issues lower the domain level to 2008R2?
  2. Can 2008R2 run as a VM on a Hyper-V (the host is 2008R2 and part of the domain, but not DC)?
  Thank you,

  Yes you can run a VM and promote it as a Domain Controller, however if your domain / forest functional level is set to Windows Server 2012 then you cannot have a Windows Server 2008 R2 as a domain Controller. For this you need to have Windows Server 2008
  R2 domain functional Level.
  Domain Functional Level and Forest Functional level cannot be downgraded. if it's already set to Server 2012 functional level then you cannot downgrade it to 2008 R2. Please go ahead and check what's ur Forest & Domain functional Level
  https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
  https://msdn.microsoft.com/en-us/library/cc753104.aspx
  https://msdn.microsoft.com/en-us/library/cc730985.aspx
  Nirmal Madhawa Thewarathanthri
  Sorry but you are wrong.  I just lowered the levels to 2008R2.

• Restrict Authorization at Material level during production confirmation

  Hi SAP Gurus,
  I would like to ask if its possible to restrict authorization at Material Level during production confirmation.
  Our scenario is we have SFG and FG which are handled by different group of people but it has the same Order Type. Now we want to restrict authorization such as one department can only confirm SFG and the other department can confirm FG only.
  Is it possible to set authorization at material type or production scheduler level. IF not possible, is there other way except creation of new Order Type?
  Thanks,
  Raymond

  Hi Raymond,
  DO you mean I should create a customized table for this?
  Yes
  Are there no standard way?
  As per my knowledge, you can control through production order type, so you need to create seprate order type for this
  Thanks,
  Sankaran

• Built-In Domain Level Groups dont have permissions on domain they should on 2012

  Hello,
  First this is a brand new domain environment with everything running server 2012 datacenter edition.
  Second I've never seen anything like the following occur in a domain environment. What I had is what appears to be a bad 2012 AD structure however so far all AD tests come back good. The problem is the built-in domain level groups do NOT offer any level
  of access that they should. For example if I add a user in the administrators group, they don't have any permissions that group is supposed to have. THe same with every other builtin, backup operators, server operators, account operators and on and on. The
  only way a user gets that level of access is if I add them into the domain admins group. As you can imagine this is crazy and not a solution for my help desk crew. (having them all be domain admins that is) So while I could very well use delegation, I need
  to find out why my builtin groups don't function as they should.  Anyone have any ideas on what to check or where to look?  I'm at the point of opening a case with Microsoft on this.
  Thanks in advance

  Because those builtin groups AREN'T domain level groups in the way you're thinking. The Administrators group on the server gives users administrator permissions on the server, but that doesn't mean permissions on the entire domain.
  If you look in the user list in ADUC you'll see that while Domain Admins are a Global security group, Administrators is only a local group, eg local to the server (or more accurately since they no longer have local details, to domain controllers), so doesn't
  grant permissions to anything outside of the domain controller. On all non DC's the machines have their own local administrators group which is independent of the domain one, and can have different memberships.
  So if you only need a user to have permissions to the DC then administrators is fine, but if you need them to have access to the entire network, eg other servers and workstations, then they need to be members of domain admins. If you only want them
  to have limited permissions then you need to grant those permissions either via a global/universal group, or by adding them to the relevant local group on each machine they need access to.

• Domain level security issue with InfoPath Form

  I have followed the article “Submitting Data from InfoPath 2007 to a SharePoint List” which can be found at
  http://msdn.microsoft.com/en-us/library/cc162745.aspx.
  But instead I am using SharePoint and InfoPath 2010.
  I get the following error after deploying and running the form with its security level set to domain.
  “A query to retrieve form data cannot be completed because this action would violate cross-domain restrictions. If this form template is published to a SharePoint
  document library, cross-domain access for user form templates must be enabled under InfoPath Forms Services in SharePoint Central Administration, and the data connection settings must be stored in a UDC file in a data connection library in the same site collection.
  If this is an administrator-approved form template, the security level of the form must be set to full trust, or the data connection settings must be stored in a UDC file by using the Manage data connection files option under InfoPath Forms Services in SharePoint
  Central Administration.”
  How do I get this form working on the server and client using domain level security?
  Extra Note: On an additional not the form works fine in SharePoint and InfoPath designer when the security level is set to Full Trust.

  Hi, Is this possible over a SharePoint "LIST"? I'm hitting brick walls and can't set the Security level on my form at all. Everything that I'm reading refers to Document Libraries but nothing about SharePoint List. It seems that this should work over a list,
  but I'm hitting brick walls all the way around. Here is a copy of the question that I posed below under Todd.Wilder's post:
  Hi,
  Following this forum question/comment I am attempting to set the security on my Infopath form to Full Trust. But, I don't have the Security and Trust option. I can set the Trusted Location through the Trust Center but I can't find anywhere to set security.
  I am using InfoPath 2010. What am I missing? Everything that I'm reading says that this is the problem and my error message is exactly like SomeGuy's message. One more piece to this is...this is a form over an Existing SharePoint List. I've found that I can
  see the Security if I start InfoPath and start a New Blank Form, but by editing the form from a SharePont list, the option to edit Security is not there. HELP!!
  I am following the instructions below that come from:
  http://msdn.microsoft.com/en-us/library/ee526352.aspx
  The InfoPath form designer automatically selects the appropriate security level (either Restricted or Domain) based on the features that you are using in the form. The security setting is always as restrictive as possible, starting at Restricted, to help
  ensure a greater level of protection for you and your data. Users can manually override this automated setting to select a level of security that is more appropriate for the form by following these steps:
  Click the File tab, and then click Form Options on theInfo tab.
  In the Categories list, click Security and Trust.
  Uncheck the Automatically determine security level (recommended) check box.
  Select the desired security level.
  Thank you,
  ~Tina~
  ~Tina~

• How to get the domain level values in web ui pick list

  Hi Gurus,
              I was added one field through EEWB transaction and i was maintained the values in domain level.now my requirement is i was added this field in web ui.but i don't know how to get the values which are we maitained in domain level. pls send me the solution it is very needful for me..
  Regards,
  Bixamaiah.B

  Hi Bussa,
  Refer to the documentation on drop-down Boxes in UI here:
  CRM Web Client UI Framework [original link is broken]
  This should help you, but do get back if you face any issues in implementing the same.
  Regards,
  Padma Guda

• PM Organization Units Authorization on User Level

  Hello experts,
  Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on a authorization objects (PFCG) level?
  For example,
  I would like to create the following Role (profile):
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY
  This role should be able to display equipment from the Plant Maintenance module.
  However our problem is, we would like to create authorization levels with organizational units for each user:
  For example:
  User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
  We know we can create this authorization creating several roles, like:
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
  ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
  but our idea is not create several roles, but to assign the Planning Plant authorization on a user level and leave just one role so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
  Is there a way to do this?
  Thank you in advanced for your replies.
  Best regards,
  Fernando Montenegro

  Hi ,
  Could you share about your solution ? I think I have face the same problem as yours.

• Organization Units Authorization on user level

  Hello experts,
  Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on a authorization objects (PFCG) level?
  For example,
  I would like to create the following Role (profile):
  ZFI_AP_REPORT_DISPLAY
  This role should be able to display AP report from the Financial module.
  However our problem is, we would like to create authorization levels with organizational units for each user:
  For example:
  User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
  We know we can create this authorization creating several roles, like:
  ZFI_AP_REPORT_DISPLAY_3201
  ZFI_AP_REPORT_DISPLAY _3202
  ZFI_AP_REPORT_DISPLAY_3203
  but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
  Is there a way to do this?
  Thank you in advanced for your replies.
  Christine Tseng

  I agree with Jurjen.  There is no point creating a "new" authorisation concept for a few transactions.  If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
  Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend).  By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

• Edit Authorization at Entity Level

  Problem: I am trying to Edit Authorization at entity level but my changes are not getting saved.
  Discription:
  I have use case that I want to make an entity read only for a role defined in my jazn.
  To do so, I am opening my entity, and in struture window...on right clicking the entity name I get this option to Edit Authorization.
  On Edit Authorization window, I get name of all the roles listed and options to select Read, Update and Delete in from of each Role.
  When I select "Read" for the role I want only read access and close this Edit Authorization window...my changes are not getting saved.
  Does anyone know why this is happening? Or any other way I can restrict users of a specific role to change the data for an entity.
  Thanks
  Vikas Kumar

  Hi,
  not sure what you mean by "changes are not saved". Are you saying they are physically not saved in that they don't show in the jazn-data.xml file ? If so, then this sounds odd and you should file a bug. If it is only that authorization is not enforced,have a look at this video as authorization on entities is a two step task
  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
  Frank

• 2003 forest/domain level

  I am currently looking at upgrading our domain from 2003 to 2012.  I currently have 4 domain controllers spread out and all replication is healthy.  I have two 2003 domain controllers and two 2008rs domain controllers.  I need to know what
  is the best practice for promoting a 2012r2 server to a DC and would that cause log on issues?
  I've read some articles online that state all the current domain controllers should be fully updated before bringing in a 2012 domain controller.  Can someone point me in the right direction?  Are there articles I can read regarding this?
  Thank you

  Hi
  CRMNoon,
  If you want to have a 2012 forest and domain level you need to have 2012 DC's only.
  Make sure your domain is healthy. Then when promoting a server 2012 R2 to a DC, you need to consider the current environment and which domain controllers are for the FSMO roles placement.
  http://community.spiceworks.com/how_to/57636-migrate-active-directory-from-server-2003-to-server-2012-r2
  Here is the link for Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2:
  http://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
  Know issues for upgrading Domain Controllers to Windows Server 2012 R2
  https://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_KnownIssues

• Constrained Delegation for MBAM Web User with 2003 Domain Level?

  Hi,
  i installed MBAM 2.5 in our environment and now stopped at the point where i should configure constrained delegation for the mbam web application pool account. I cannot find the delegation Tab in the user properties within Active Directory. Our domain is
  (unfortunately) still running Windows Server 2003 Domain Level. Is it maybe related to this? Within my test environment (Domain Level 2012 R2) it is working fine.
  Is there any other chance to configure constrained delegation in my situation?
  Thanks
  Stefan

  I found an older MSDN blog post that may help in this situation. It states that the delegation tab does not show up until there is at least one value set in the servicePrincipaName attribute.
  Delegation tab in ADUC not available until a SPN is set
  Hope this helps,
  David
  MDOP on the Springboard Series on TechNet

• ACS and Domain Level

  Hello All,
  Since I recently updated my MS AD domain lever from 2008 to 2008 R2, my ACS AD authentication no longer works. It appears the Cisco client does not support a 2008 R2 Domain Level. Has anyone ever reverted backwards ?
  Cheers
  Colin

  Hi Colin,
  Could you please clarify which version of ACS you are using?
  For example, if this is ACS 4.2 appliance with a remote agent installed on the Windows server, then Windows 2008 is not supported:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp308532
  If this is ACS 5.2, then Windows 2008 R2 should be supported:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1248491
  Regards,
  Fede
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Domain Level

  What domain level does the domain need to be for you to be able to sign in with a domain account on a Windows Technical Preview for Enterprise pc?  I installed Windows technical preview for enterprise on a pc and joined it to our domain which is 2003. 
  When I log onto the pc it doesn't create a profile, it only creates a Temp profile.

  Yes, we have Windows Small Business Server 2003 and the domain level is set to 2003.  So after joining the Windows Technical Preview for Enterprise PC to the domain it only creates a temp profile not a legit user profile. 

• Block Cookies at Domain Level

  In early Firefox I would set cookie rules at the domain level using the wildcard - for example - *.tubmogul.com would be accepted, blocked, or allowed for session.
  In current 3.x and 4.x implementations this does not appear to be possible and I feel like I am spending a good portion of the day blocking the various "n.domain.com" where "n" varies by site and within a site.
  Ideas?

  Don't use a wildcard with *. Only specify the domain, that includes all sub domains: tubmogul.com