Authorization BI 2004s  : restricting access to infoproviders in multi prov

Similar Messages

• Restrict access to rows in tables using S_TABU_LIN

  Hello
  Is it possible to use this authorization object to restrict access to rows in data tables, based on role?
  Namely, a query is created for table holding financial documents data, and I would like users in charge of one company code, to only be able to see rows relating to that company code when they execute the query.
  I have defined and activated an organization criteria, and included it in the role authorization data restricted to only one company code value, but the user is still able to see all rows in the table.
  The system trace doesn't show a check for the S_TABU_LIN Object while the user is executing the query.
  Can anyone tell me what I'm missing?
  Thanks in advance
  A.

  If you activate S_TABU_LIN, whenever that org criterion is hit with table data being retrieved then the check will be performed.  If it is a standard SAP table field then that could potentially become problematic depending how you set it up.
  By extending the security in the infoset query you are turning the query from a quick and dirty tool to extract data into something that you can control as you would a bespoke report.  Once your dev team have worked out what they need to do, you can apply the standard auth concept to queries with relative ease and without impacting other parts of your security.
  Another thing to mention is that if your developers use logical databases to retrieve query data then there is usually auth checks incorporated in there (which don't show up in SU53 or ST01).

• ACS Shell Command Authorization Set + restricted Access

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi  ,
  I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
  Thanks in Advance
  Regards
  Vineeth

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi Jatin ,
  first of all Thank you very much . It startted working after aaa authorization config-commands
  here I was trying to achive one  specfic  thing .
  I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
  But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
  Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
  Thanks and Regards
  Vineeth

• Restricted access to attachments in SRM 7.0 web applications

  Hi,
  We have a very specific problem regarding the handling of attachments with SRM 7.0 web applications. The system is configured to use ArchiveLink for storing documents on a remote content server, which is working fine.
  Now we have a requirement which should restrict access to certain documents to specific user groups. As an example you could say that a Purchase order has (besides others) two documents attached, e.g.
  - signed contract
  - meeting minutes
  The contract should only be visible to a limited number of people, whereas the Meeting Minutes are accessible to everybody.
  Our problem is that apparently only one Content Category ("BBPFILESYS") is used by the SRM web applications for an upload. When granting authorizations on this content category, we cannot distinguish between contracts and meeting minutes anymore.
  Comparing this with the config in ECC we can freely define document types which can be used in AUTH profiles. Is there any similar solution that can be used in SRM 7.0?
  Any help would be greatly appreciated.
  Cheers,
  Mark

  Hello,
  Have a look at note 1334202. It provides some inputs.
  Regards,
  Ricardo

• Restrict access to buttons, regions, etc. on a per user basis?

  My application restricts access to buttons, regions, etc. on a per user basis.
  Here is my application logic...
  1. A User can only edit items they own.
  2. A Super-User can edit all items
  So, when a user logs in, I use a post-authentication process to set the user ID to an application level item.
  Now, for example, to have an edit button display on a page, I need to check the item's owner ID against the application level user ID...and check to see if this user is on the Super User list via a query.(which could be set to another application level item upon login...I guess)
  Question...What is the best way to do this? Conditional display? Authorization scheme?
  Would something like the following work for a Conditional Display?
  Condition: SQL Expression
  &USER_ID.=&P6_ITEM_OWNER_ID. OR USER_ID in (select USER_ID from table where USER_ID=&USER_ID.)
  How would I do this with an Authorization Scheme? (I like the idea of updating the logic in single location...but I'm not sure if it is possible because I have to check PX_OWNER_ID would be different on each page.)

  Hi Denes,
  Thanks for your code which allows user to edit (if authorized) and view (if not).
  But some how - I do not get the image to show up - instead it show a small underline.
  From SQL point of view - here is what I get - when i run the sql
  '<img src="/i/ed-item.gif">',2,CR TEST,,,,dune2.cit.cornell.edu,CRDMTEST.CIT.CORNELL.EDU,PSPROD,,,CRDMTEST
  Here is my wrap_image function
  create or replace function wrap_image(p_user_name in varchar2,p_dm_name_id in number)
  return varchar2 IS
  v boolean := False;
  ret_val varchar2(1000);
  begin
  dbms_output.put_line('user='||p_user_name);
  dbms_output.put_line('dm_name='||p_dm_name_id);
  -- Check authorization if the user is super user - return true, else if he has edit priv on dm_name_id - return true - else false
  v:=ACL_DMTOOLS_DM_PRIV(p_user_name,p_dm_name_id);
  if v then
  ret_val := '<img src="/i/ed-item.gif">';
  ret_val := ''''||ret_val||'''';
  dbms_output.put_line('TRUE');
  else
  ret_val := '';
  dbms_output.put_line('FALSE');
  end if;
  return ret_val;
  end;
  Thanks for your great educational site.
  Regards
  atul

• Restrict access to users in customer line item display FBL5N

  Hi all,
  We got a requirement from my client that, they want to restrict access of their users to view details of few customers  only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
  we created 4 customer account groups,we created like .. SD customers1
                               SD customers2
                               Onetime customers
                               FI customers
  These FI customers cannot be viewed by all users except who has authorization in Tcode  FBL5N, we need to restrict to display only SD and one time customers details.
  we have tried with Basis but its not working and its blocking to view all customers.
  anyone got this kind of requirement , Is it possible to restrict....please help me.
  Thanks
  Nagesh
  Edited by: nag on Dec 27, 2011 5:26 PM

  It is standard behaviour that the authorization object F_KNA1_GRP(account group authroization) is not checked
  in the transacion FBL5N. You can confirm this functionality in trans. SE24.
  As a workaround, I would suggest you to use the authorization object F_KNA1_BED Customer: Account Authorization
  If you assign an authorization group as the accouting group, perhaps you can get a similar functionality.
  Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
    F_BKPF_BLA Accounting Document: Authorization for Document Types
    F_BKPF_BUK Accounting Document: Authorization for Company Codes
    F_BKPF_GSB Accounting Document: Authorization for Business Areas
    F_BKPF_KOA Accounting Document: Authorization for Account Types
    F_BKPF_BED Accounting Document: Account Authorization for Customers
    F_KNA1_BED Customer: Account Authorization
    F_KNA1_BUK Customer: Authorization for Company Codes
  Kind Regards
  Soumya

• OIM 11g R1 (11.1.1.5.0) Restricting access to Modify resources by field.

  Is there a way to restrict the access to modify specific fields on a resource, based on roles? In design console you have the options of, "Allow Insert", "Allow Update", "Allow Delete" on the form associated with different roles. Is there any way you can restrict this access specifically to fields in the way you can restrict access to user attributes based on authorization policies?

  You are failing to utilize the product then.  You don't have to utilize a soa-composite for this.  They can be set to auto-approve anyway.  But you should not just grant admin access to the user and all their resources so easily.
  Not sure what kind of event handler you can even use.  You could try and explicitly deny access to those roles by adding them to the form permissions and unchecking all the values.
  -Kevin

• ToJSONString Showing Up in Restrict Access to Page List

  Working in DW CS3 with ADDT using PHP and MySQL. I'm having a issue which I don't think I had before when I use the Restrict Access to Page server behavior. I'm working with user access levels pulled from the 'levels' field in my database and everything appears to be working as expected. I can select any number of available integers to restrict access to those pages. However, I've noticed that if I go back to edit that list of access levels, a new entry appears below the last integer in the list called "toJSONString". (toJSONString does not show up when I initially add the server behavior, only if I go back in to change it).
  I did a quick search and turned up this info:"The JSONString interface allows a toJSONString() method so that a class can change the behavior of JSONObject.toString(), JSONArray.toString(), and JSONWriter.value(Object). The toJSONString method will be used instead of the default behavior of using the Object's toString() method and quoting the result." Unfortunately, I don't understand any of that.
  I don't know why toJSONString is showing up in the list and if I should be concerned. (Mac OS 10.5.5; DW CS3 (v( Build 3481] and ADDT 1.0.0)

  tyler4iq wrote:
  > OK. I'm trying to authenticate users through a log in
  page, but it always fail.
  It's a known bug in MX 2004:
  http://friendsofed.infopop.net/2/OpenTopic?a=tpc&s=989094322&f=8033053165&m=324102421
  David Powers, Adobe Community Expert
  Author, "Foundation PHP for Dreamweaver 8" (friends of ED)
  Author, "PHP Solutions" (friends of ED)
  http://foundationphp.com/

• Restrict access for Vendor Master Data

  Hi all.
  Our company structure is like below:
  Single instance, just one mandant.
  Company codes like 1001, 3001, 6002, 6006, etc... over the world.
  At some companies just the central administration can create vendor for the companies using the transaction XK01.
  Now we need to give access to users from one of our company from other country but we can´t give access to transaction XK01 because just the central administration can create the master data for the vendors.
  I already read about the object F_LFA1_AEN that is possible to create some field groups and give access just for the rigth groups. I also read that this authorization groups don´t have effect on the vendor master data like address.
  How can I restrict access for the vendor master data? I´m thinking to give access to transaction FK01 and MK01 and restrict access for create a new vendor, I only want that the users can create the data for a new company or new purchase organization.
  Thank you
  Darlei Friedel

  among many other authorization objects, you find following three:
  F_LFA1_GEN general data
  F_LFA1_BUK company code data
  M_LFM1_EKO purchasing org data.
  If the user does not have authorization for F_LFA1_GEN , then he cannot maintain general data.

• Restricting access to reports for certain users

  Hi,
  We have few reports on a Multicube with Reporting unit authorization object. A certain group of users has this authorization. Now, we want a few of these users not to have access to one particular report on this multiprovider.
  Can anyone suggest a way to achieve this?
  Thanks,
  Abhishek.

  Abhishek,
  Use S_RS_COMP authorization object to restrict by queries. You can create 2 roles based on this object, one role with access to all the queries. The second one will have access to all but one. You can assign this role to relevant people.
  Although, this is slightly more maintenance intensive as every time a new query is created, someone has to add the query to one fo the roles based on security required.
  -Saket

• Restricting access to Queries via Search

  Does anyone have any ideas on restricting access to queries from the Bex search. We have folks that are using the search functionality of Bex and are finding queries that we have not been published to a reporting role. We instruct our query writers that when devloping queries, do not publish them to a reporting role until they are finalized and tested. We are finding that folks are using search in Bex and finding these queries that may be in the middle of development and trying ot use them. In other words, we would like to restrict the Bex search to just queries published to reporting roles.

  Hi Diago,
       Our dilema is that restricting access of the search by query name (via the role) requires the query writer, when finished with the development of their query, to do a savas with a different technical name that falls into the role restrictions of the authorization. This then leaves two versions of the query out there until the original gets deleted, if the query writer happens to remember to do that. It would be great to limit the search mechanism to just published queries. What are other folks doing to get around this issue. It seems that everyone would be running into it unless the search could be restricted in such a manner.

• Restrict access with object F_LFA1_BEK - problem with F4 search

  Hello,
  we want to restrict access to some vendor accounts, which can be shown with transaction FK03 for example.
  There is an authorization object F_LFA1_BEK, which can be maintained in the special vendor accounts in field authorization group.
  A user with authorization for vendor account with authorization group ZZZZ in it can see all vendors with authorization group ZZZZ and all vendors with no authorization group. But he can't see vendor accounts with authorization group YYYY. To this point, it's ok.
  If the user uses the F4 search help he is able to see the vendor accounts with authorization group YYYY too. And this is the problem - the user should not see these vendor accounts. With this option user is able to see address data of a vendor account he should not see.
  Is there any possiblity to solve this problem?
  Regards,
  Julia

  I don't know the current status, but this is being looked into generally as it is not only limited to the F4 on LFA/B/M1.
  As you only access the name and some attribute data which you can display, it is not necessarily critical and there is no transaction data involved.
  Good news is that the BAPIs for search help make these same granular checks which you are expecting.
  If I hear something further about these developments I will let you know.
  Cheers,
  Julius

• Restricting access to system queries

  Hi experts!
  Is it possible to restrict access to system queries (in SAP reports) for a particular user?
  Also, can we restrict inventory reports generated to a certain item group only for a particular user? example: item groups available are Spare Parts, Raw Mat, WIP & FG. The user should only be able to generate inventory reports concerning Spare Parts.
  thanks.
  regards,
  tessa

  Hi Tessa
  You can restrict Access to System Queries by providing NO AUTHORIZATION to the option Saved Query - System.
  The same can be set under
  Administration --> System Initialization --> Authorizations --> General Authorizations --> Reports --> Query Generator --> Saved Queries - System
  Hope this helps.
  Regards
  Rohan S. Kamble

• Is there a way to restrict access to who can change the TVARVC table?

  Hi experts,
  We have a requirement where we need to restrict access to who can maintain the variables in tvarv table.
  How do we go about it?

  Hi,
  We had kind of a same scenario. We have table where we enter the Average Item values week wise. We wanted to restrict change and delete access to users for the entries which has already been saved. For this purpose we had created an ABAP program in the "Table Maintenace Generator".  The basic idea about this program is when you create an entry in the table or delete it, a specific event generates. We check the event id whether its "delete" or "change" on the click of save button. If it is Delete or Change, then an error message will be generated saying "You dont have authorization for deleteing or changing the data".
  You can try this approach.
  - Jaimin

• Unable to run app in Restricted access or Available to developers modes.

  Hi
  We want to run the application in either Restricted access or Available to developers modes. so that we can move the changes from our QA to production and test it. We are trying to login as ADMIN (having Workspace administrators access) user but unable to run the application. getting Access to this application is restricted to application developers, please try again later. and Access to this application is restricted, please try again later errors.
  Our apex version:3.0.1.00.08
  Changing application def attributes for Restricted access
  status = Restricted access
  Build status = Run and build application
  Restrict to comma separated user list (status must equal Restricted Access) : ADMIN
  Changing application def attributes for Available to developers
  status = Available to developers
  Build status = Run and build application
  Restrict to comma separated user list (status must equal Restricted Access) : (leaving blank)
  using sso authentication (do not know whether this impacts) for our application.
  Thanks for the help in advance.
  Ram

  Ram,
  1) not able change notification, application access restricted, Please try later(any way to put customized notification.?)I don't think so.
  2) Edit links are not available (any availability status to have these..?, other than available with edit links)No.
  You might want to implement this using authorization schemes. You would need a way to determine what privileges the authenticated user has then you could restrict access to the whole application or to certain pages based on the privilege.
  Scott