Authorization best practices
Hi all,
I need to set up authorization checks within a BSP application but I'm not really sure how to do this in detail. Would it be the best way to create new authorization objects and user roles? Or would it fit to manage user rights with simple customizing tables?
Does anybody have some helpful documents about this issue or experience in the management of user rights?
Thanks in advance for any posts to this topic!
Best regards
Dominik
We felt it was better to stick with the approach of authorization objects and user roles. In our model classes (or any place else you put application logic) we also have calls to authorization checks coded in ABAP. Likewise as we call BAPIs many of these have authorization checks within them already.
To add to this we have also setup authorization checks on the service node in transaction SICF. This is similar to setting the security on the TCode within the SAPGui environment. This is the gateway to say that you can even launch an application. This uses authorization object S_ICF. In SICF you can also set the Error level in a failure:
The values have the following meanings:
1 = an A message is dispatched (program abort)
2 = an X message is dispatched (program error)
Any other value in this field causes an E message to be created in the case of an error.
Similar Messages
-
User Authorization, best practices for this custom application requirement?
JDeveloper 12c (12.1.2)
We want to use external LDAP (active directory) with ADF security to authenticate and authorize users.
One of our custom application requirements is that there is a single page with many interactive components. It has probably about 15 tables and each table would need to have the following buttons (or similar components):
- delete: (if certain row is selected) to delete it
- edit: (if certain row is selected) takes user to 'edit page' where changes can be made
- create: to create new record for this particular VO (table)
So let's say that would be 3 x 15 = 45 different actions that single user can possibly perform. Not all users have same 'powers' ie some users can only edit CERTAIN tables, and delete from one or two. Most users can create and edit most VOs etc
Back when this application was originally developed using (I believe) 10g JDeveloper with UIX, the way it was done is that we maintained a table in database with 'user credentials' as Y or N flags.
For example: DEL_VO1, EDIT_VO1, ADD_VO1....
So when user is authenticated we would then pull all these credentials from the DB table and load them into the session variables. Then we would use EL to render or not render certain buttons on the page. For example: rendered="#{sessionScope.appDelVo1 == 'Y'}"
Moving forward into latest ADF technology, what would be the best practice to achieve described functionality?Hi,
ADF BC could have permissions added to the entity level (includes remove and update). So you can create permissions for the entity (as it doesn't matter for data security how data is accessed. If as a user you are nit allowed to change a database table then this is for tables and forms). You can then use EL to check the permission, thus no need to keep the privileges in the database.
If a user is allowed to update an entity then you can check this using EL in the UI
<af:inputText value="#{bindings.DepartmentName.inputValue}"
readOnly="#{!bindings.DepartmentName.hints.updateable}">
whatch this for a full coverage of ADF Security: Oracle ADF Security Overview - Oracle JDeveloper 11g R1 and R2
Frank -
Authorization best practices in AS Java
I have been assigned the responsibility to create an authorization structure on the java stack.
We would like to create groups with corresponding roles for developers and system administrators.
Are there any best practices out there regarding this subject?
I have currently started with looking at the standard actions and roles available in EP and will start from there, any other ideas?Dear Colleague,
SAP NetWeaver Application Server (AS) Java includes the [identity management|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/5069e9d6253912e10000000a42189b/frameset.htm] application for administration of users, groups, and roles. This [section|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/ad6a169eff35b7e10000000a42189d/frameset.htm] lists administrative tasks, general and specific, for the management of users, groups, and roles.
Regards
Alvaro Raminelli -
External Table Authorization Best practices
Hi,
I am working on OBIEE External table Authorization. I am able to successfully implement for one Project (catalog). The field for Authorization table (AuthTable) are
Windows_ID Employeeid Name EmpEMail GroupName Process_ID Process_Name Portal_Path
Here as per requirement a user should see data for a few process. So, I put a column for Process_ID and subsequently I created a INIT block in repository where query are like
Select 'PROCESS_ID',AuthTable. Process_id
From AuthTable
WHERE upper(AuthTable.AD_ID) = upper(':USER')
Then for User Groups I applied FILTERs for all the tables E.G for every Logical Table I applied Filter
Dim_Process."Process ID" = VALUEOF(NQ_SESSION."PROCESS_ID")
I checked data and every thing is correct. But My question is:
We have many projects/catalog for which Filter Criteria will be different so shall we insert a new column for each criteria in SAME AuthTable or there is any other and better way to maintain it. Because if we maintain one table for all the projects/catalog it will be very messy I would prefer to keep different tables for different projects/catalog as there data marts are different.
But Problem is for all other session variables we may use different INIT BLOCKS and hence different tables BUT for PORTALPATH there should be only one INIT BLOCK so only for PORTALPATH sake we need to keep every thing in same table ?
Tell me if I am wrong some where in my understanding or there is a better way to do it.
Regards
SaurabhHi,
Pls refer to this link. Kumar explained it very clearly
http://obieeblog.wordpress.com/category/obiee/obiee-security/
Pls award points, if helpful
Regards,
Sarat Nallapati -
Authentication & authorization best practices
Hello!
From what I understand of various documentation and videos, the Azure API app is just a web api with some extra metadata. However in the previous product (Mobile Services) there were extra facilities to handle authentication - both for custom providers
and for other social providers.
Has this all gone? Are we going back to this method here:
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
... and then doing all our social authentication manually / using other libraries like before?
If the authentication plans are unfinished (as this is preview after all) it would be good to know so I can prioritise my work. :-)
Thank you!Hi Guang, thank you for your help (on this post and so many others!)
So from a code perspective, I can just grab those Nuget packages and load them straight into this API App project and code for it too, is that right?
I've started by making the project in VS rather than provisioning one in the portal so I haven't seen those settings yet. I'll just get myself a bit of a relevant demo going, then I will provision one and see the rest.
Thanks again, let me know if those mobile service libraries are the right ones to grab. -
Authorization Scheme -- Best Practices?
Hi All --
We have a reporting application containing approximately 300 pages and 60 or so menu items all using authorization schemes (exists SQL method) as a means to determine whether or not a use can see the menu items and/or access the pages. We've been seeing an issue where a user logging into the application experiences poor performance upon login and have traced it to our access checks and the number of "exists" queries run when a user logs in and before our menu is displayed.
What would be considered best practice in a case such as this? Does anyone have any ideas on how to increase the performance on these authorizaton checks?
Thanks,
Leigh Johnson
Fastenal CompanyLeigh - No, the asktom post Joel referred to is posted above: http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:62048567543425
We just want to know if this post if from you folks or not.
About the authorization schemes for each page, I would think that whatever scheme you code to authorize a link to a page, e.g., on a menu, would be the same scheme you'd want to attach to the page itself.
So the authorization has to take place first at the point you render (or suppress) a link to a page and again at the point the page is requested (the latter being necessary because a user can bypass the menu links and try to access pages directly by entering the page ID in the URL.
So again, if you have X links on the menu page, each requiring a distinct query for authorization, you'll have to pay the price to do all that authorization once per session because of the design of the menu page. More precisely, the authorization scheme code, e.g., their EXISTS queries, have to be executed once per session per resource access attempted. For performance purposes, the results of these checks are cached for the duration of the session (because you set them up to be evaluated once per session and not on every page view).
One thing that might help you is region caching (or page caching) for the menu. You'd use the Cache By User option, of course. Then if the same named user logged in and out numerous times during the "cache valid" period, which is adjustable, the user would see the cached menu "instantly". Authorization checks will not have been performed during these page requests however, so you'd want to be sure that it makes sense to present cached versions of these links. However, the corresponding authorization schemes that you'd attach to the pages themselves would be evaluated when the user clicked on a "cached" link, so you'll get the protection you need, ultimately.
Scott -
Authorizations for tasks (R_UC_TASK) / Best Practice SEM-BCS authorization
Dear Experts,
I am quite new to authorizations and in particular to SEM-BCS authorization. So I would be happy if you could help me with the following requirement:
We have to setup an authorization concepts for SEM-BCS. Among others we want to setup authorizations for consolidations tasks using authorization object R_UC_TASK. With this authorization object certain tasks can be restricted to certain characteristic values u2013 e.g. for a certain consolidation group or a certain consolidation unit. We have defined a role each for certain consolidation tasks. These roles are not restricted to any characteristic value yet. We have for instance a role u201Cregional controlleru201D who is allowed to perform certain BCS tasks on a regional level (consolidation unit level). This would mean that we would have to create the role u201Cregional controlleru201D for all consolidation units u2013 see example below:
Role 1: Regional Controller u2013 Cons. Unit 1000
Role 2: Regional Controller u2013 Cons. Unit 1100
Role 3: Regional Controller u2013 Cons. Unit 1200
Role n: Regional Controller u2013 Cons. Unit n
We have more than 400 consolidation units. So this would require a high effort. Is there instead a possibility of creating one role based on authorization object R_UC_TASK which just defines which activities can be performed (without restricting access to a certain consolidation unit). , and using second role which defines the consolidation unit access? u2013 see example below:
A
Role: Regional Controller
Role: Cons Unit 1000
B
Role: Regional Controller
Role: Cons Unit 1100
C
Role: Regional Controller
Role: Cons Unit 1200
In this case we only would have to maintain one role u201CRegional Controlleru201D and we only would have to assign the restriction for the consolidation unit. How could this be realized? Or do you have any other ideas to solve this requirement in a simple way?
Moreover I would be happy if you could tell me where I could find best practice scenarios for SEM-BCS authorizations.
Thanks a lot in advance!
Best regards
MarcoHello Marco,
you can enter a master role in the description tab of a role. All fields populated via program PFCG_ORGFIELD_CREATE can be maintained in the role. All other fields will be taken from the master role. So you only need to populate the field for unit with the program.
Good luck
Harry -
Command Authorization Config best practice using ACS
Hi
Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
Regards
V Vinodh.Vinodh,
The main thing here is to ensure that we have backup/fall-back method configured for command authorization, inorder to avoid lockout situation or do wr mem once you are sure configs are working fine.
Please check this link,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
Best practice to set up the user authorization
Dear expert,
I have a question regarding the user authorization access. I've attend the BOE training but I'm still blur in term of user authorization planning. Currently, I have around 50 named users that need to access the BOE server. But the certain user will be restricted to access to certain folders or reports. May I know what is the best practice to set up the user authorization access? Should I set up first in the development machine and once its firm, then I migrate it to production machine..or is there any steps that I need to follow...?
Really appreciate if you can let me know on what should I look into first before set up the authorization. Is there any doccument that I can referring to..?
Thanks & Regards,
-Syahida-Create User Group for each folder (for eg. Sales/Marketing etc) and also based on the type of access you want to provide.
Like Sales VOD/ Sales View/Sales Schedule, and add users to the User Group based on the type of rights you want to provide them. Then add the User Group to respective report folders.
First deploy it in the Development environment, once you have everything finalized then you can replicate the same to QA and Prod environment by migration. Also make sure that in Development environment developers will have full control to develop/add reports to folders, you have to restrict that in QA & Prod environment. -
Error while Connecting report Best Practices v1.31 with SAP
Hello experts,
I'm facing an issue while trying to connect some of my reports from Best Practices for BI with SAP.
It only happens when it's about info sets, the other ones that are with SAP tables go smoothly without a problem.
The most interesting is I have already one of the reports connected to SAP info sets.
I have already verified the document of steps of creation of additional database that comes with BP pack. They seem ok.
Here goes what Crystal Reports throws to me after changing the data source to SAP:
For report "GL Statement" one of the Financial Analysis one which uses InfoSet: /KYK/IS_FIGL_I3:
- Failed to retrieve data from the database; - click ok then...
- Database connector error: It wasn't indicated any variant for exercise (something like this after translating) - click ok then
- Database connector error: RFC_INVALID_HANDLE
For report "Cost Analysis: Planned vs. Actual Order Costs" one of the Financial Analysis one which uses InfoSet: ZBPBI131_INFO_ODVR and ZBPBI131_INFO_COAS; and also the Query CO_OM_OP_20_Q1:
- Failed to retrieve data from the database; - click ok then...
- Database connector error: check class for selections raised errors - click ok then
- Database connector error: RFC_INVALID_HANDLE
Obs.: Those "Z" infosets are already created in SAP environment.
The one that works fine is one of the Purchasing Analysis reports:
- Purchasing Group Analysis -> InfoSet: /KYK/IS_MCE1
I'm kind of lost to solve this, because I'm not sure if it can be in the SAP JCO or some parameter that was done wrongly in SAP and I have already check possible solutions for both.
Thanks in advance,
Carlos Henrique Matos da Silva - SAP BusinessObjects BI - Brazil.I re-checked step 3.2.3 - Uploading Crystal User Roles (transaction PFCG) - of the manual where it talks about CRYSTAL_ENTITLEMENT and CRYSTAL_DESIGNER roles, I noticed in the Authorizations tab that the status was saying it hadn't been generated and I had a yellow sign, so then that was what I did (I generated) as it says in the manual.
Both statuses are now saying "Authorization profile is generated" and the sign is now green on the tab.
I had another issue in the User tab (it was yellow as Authorizations one before generating)....all I needed to do to change to green was comparing user (User Comparison button).
After all that, I tried once more to refresh the Crystal report and I still have the error messages being thrown.
There's one more issue in one of the tabs of PFCG transaction, it is on the Menu one where it is with a red sign, but there's nothing talking about it in the manual. I just have a folder called "Role menu" without anything in it.
Can it be the reason why I'm facing errors when connecting the report to SAP infoSets? (remember one of my reports which is connected to an infoSet works good)
Thanks in advance,
Carlos Henrique Matos da Silva - SAP BusinessObjects BI - Brazil. -
Best practice for a deplomyent (EAR containing WAR/EJB) in a productive environment
Hi there,
I'm looking for some hints regarding to the best practice deployment in a productive
environment (currently we are not using a WLS-cluster);
We are using ANT for buildung, packaging and (dynamic) deployment (via weblogic.Deployer)
on the development environment and this works fine (in the meantime);
For my point of view, I would like to prefere this kind of Deploment not only
for the development, also for the productive system.
But I found some hints in some books, and this guys prefere the static deployment
for the p-system.
My question now:
Could anybody provide me with some links to some whitepapers regarding best practice
for a deployment into a p-system ??
What is your experiance with the new two-phase-deploment coming up with WLS 7.0
Is it really a good idea to use the static deployment (what is the advantage of
this kind of deployment ???
THX in advanced
-MartinHi Siva,
What best practise are you looking for ? If you can be specific on your question we could provide appropriate response.
From my basis experience some of the best practices.
1) Productive landscape should have high availability to business. For this you may setup DR or HA or both.
2) It should have backup configured for which restore has been already tested
3) It should have all the monitoring setup viz application, OS and DB
4) Productive client should not be modifiable
5) Users in Production landscape should have appropriate authorization based on SOD. There should not be any SOD conflicts
6) Transport to Production should be highly controlled. Any transport to Production should be moved only with appropriate Change Board approvals.
7) Relevant Database and OS security parameters should be tested before golive and enabled
8) Pre-Golive , Post Golive should have been performed on Production system
9) EWA should be configured atleast for Production system
10) Production system availability using DR should have been tested
Hope this helps.
Regards,
Deepak Kori -
Best practice for securing confidential legal documents in DMS?
We have a requirement to store confidential legal documents in DMS and are looking at options to secure access to those documents. We are curious to know. What is the best practice? And how are other companies doing it?
TIA,
Margie
Perrigo Co.Hi,
The standard practice for such scenarios is to use 'authorization' concept.You can give every user to use authorization to create,change or display these confidential documents. In this way, you can control access authorization.SAP DMS system monitors how you work, and prevents you from displaying or changing originals if you do not have the required authorization.
The below link will provide you with an improved understanding of authorization concept and its application in DMS
http://help.sap.com/erp2005_ehp_04/helpdata/en/c1/1c24ac43c711d1893e0000e8323c4f/frameset.htm
Regards,
Pradeepkumar Haragoldavar -
Best Practice for Production environment
Hello everyone,
can someone share the best practice for a production environment? or is there a SAP standard best practice to follow in a Production landscape?
i understand there are Best practices available for Implementation , Migration and upgrade. But, i was unable to find one for productive landscape
thanks.Hi Siva,
What best practise are you looking for ? If you can be specific on your question we could provide appropriate response.
From my basis experience some of the best practices.
1) Productive landscape should have high availability to business. For this you may setup DR or HA or both.
2) It should have backup configured for which restore has been already tested
3) It should have all the monitoring setup viz application, OS and DB
4) Productive client should not be modifiable
5) Users in Production landscape should have appropriate authorization based on SOD. There should not be any SOD conflicts
6) Transport to Production should be highly controlled. Any transport to Production should be moved only with appropriate Change Board approvals.
7) Relevant Database and OS security parameters should be tested before golive and enabled
8) Pre-Golive , Post Golive should have been performed on Production system
9) EWA should be configured atleast for Production system
10) Production system availability using DR should have been tested
Hope this helps.
Regards,
Deepak Kori -
Agent determination best practices
Hi, workflow dev team!
Another question about workflow best practices.
I build a workflow, the first step of each workflow, at least as I see it, is to determine agents for all steps in the workflow and store it in multiline WF-container. After that, to use this WF-container data to execute a step inside of workflow.
The questions are:
1. Suppose, I filled a WF-container with a list of all possible agents and their position (in order to supply more user-friendly approve/decline notifications) for the different steps inside of this workflow (username & position). As I understand, I can access to specific line of multiline container with &AGENTS[&INDEX&]& inside of EXPRESSION field (not via ABAP-code in method of class), but how can I access specific column of the WF-container? E.g. &AGENTS[1]& will return «USJOHN — Junior Manager», is it possible to retrieve username and position from multi line and pass it to the task as two separate container elements?
2. Is it possible to query specific line of multiline container element according to some logical condition inside of EXPRESSION field (not via ABAP-code in method of class) or in order to do this I have to implement that logic inside of ABAP class method?
And the last question, probably, less connected to the questions asked above.
3. If I need to define agents for the task, what is the best approach to do that:
— define the task as General Task and insert the relevant agents as multiline container element via EXPRESSION field;
— to play with Agent Assignment (try to implement agent determination logic there) and not to define the task as general one.
Thanks.Ronen already had great input, but here are some additional points:
-In general I would try to avoid some kind of "Let's get all the agents at the beginning of the workflow into a multiline container, and try to pick up the correct ones for the individual steps" approach. Of course if your aim is just to display the list of agents somewhere (task description etc.,), then this might be OK approach.
-Rules are better than expressions in agent determination (at least in most cases). If the approvers change during the process, you can (as an WF admin) just click the "Execute agent rule again" functionality, and the system will find the correct new approver for the work item. Otherwise you need to go to manipulate the container element(s) (and first figure out that who is the approver).
Answer for 3: You don't need to use only expressions/container elements. Try to check if you can use rules. In some rare cases you might consider of using the tasks' agent assignment (the same place where you set the task as general task). Let's say that you want to send the work item to all users that have certain authorization role. Now you can set the role as a "restricting entity" at the task level (=same place where you set the general task). This will mean that only the users who have the role are the possible agents for the task. And now if you leave the agent determination part at the workflow template empty (no expressions, no rules etc), you are done!
Regards,
Karri -
Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]
Dear Folks,
Kindly, suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should i keep default all or change or some of them?
Also, what do we need reauthentication timers? Any benefit to use it? Does it prompt to users or became invisible? and What are the best values, in case if we need to use it?
Thanks,
Regards,
Mubasher
My Interface Configuration is as below;
interface GigabitEthernet1/34
switchport access vlan 131
switchport mode access
switchport voice vlan 195
ip access-group ACL-DEFAULT in
authentication event fail action authorize vlan 131
authentication event server dead action authorize vlan 131
authentication event server alive action reinitialize
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 30.00
spanning-tree portfast
spanning-tree bpduguard enableHello Mubashir,
Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
Configure the tx-period timer.
C3750X(config-if-range)#dot1x timeout tx-period 10
Maybe you are looking for
-
How can I display de last items of a region from other page in Portal?
I want to display de last five items (f.e.) included in a region (with attributes created) from other page. I've tried using custom search, but it also shows the attribute names, and I want show the attribute values (I don´t know how can I format the
-
Can i create activex component of AcroExch.PDDoc in Adpbe 9.0 version
I tried to create obeject of AcroExch.PDDoc in my application where ia have Adobe reader 8.0 installed on my machine. So can the problem will be solved if i will install Adobe 9.0 on my machine. Thanks in advance for any suggestion..
-
I forgot I changed my passcode and my iPad is now locked. I have no access to iTunes how can I unlock it?
-
Regarding File name schema in Receiver com. Channel
Hello, I have gone thru the blog The specified item was not found. "The same filename from a sender to a receiver file adapter - SP14 for Dynamic configuration" by Michal Krawczyk....And here in this Scenario in ID (in Reeiver communiation channel)
-
Emails disappear when placed in categories
I moved several emails to one of my categories. They were there 2 days ago, but when I wanted to access now they went missing. Yes, I am sure I didn't accidentally delete. Not the oly category gone missing.