Authorization in Client

Hi there,
I have one Customizing client and Development client.
I have created one Ztcode in Customizing client. When I run this Ztcode, shows a message " u r not authorized to this tcode". It shows this message for some standard tcodes also.  What is problem, pls reply.
regards,
Zakir.

Hi!
After you got this error message, run transaction SU53 in an another modus. This will show you, which authority is missing.
Then go to transaction PFCG to maintain a role for this missing right.
Then attach this role to your user in SU01.
Regards
Tamá

Similar Messages

  • 802.1x authorization while client is hibernated

    Hi,
    we run 802.1x in our LAN and it looks the authenticator tries to authorize Thin Clients who are in standby. This happens randomly almost every 10 minutes:
    007083: Nov 4 05:35:13 cet: %DOT1X-5-FAIL: Authentication failed for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BA92754ADB
    007084: Nov 4 05:35:13 cet: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BA92754ADB
    007085: Nov 4 05:35:13 cet: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BA92754ADB
    007086: Nov 4 05:47:28 cet: %DOT1X-5-FAIL: Authentication failed for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BC928081EC
    007087: Nov 4 05:47:28 cet: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BC928081EC
    007088: Nov 4 05:47:28 cet: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BC928081EC
    007089: Nov 4 05:59:43 cet: %DOT1X-5-FAIL: Authentication failed for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BE928BB906
    007090: Nov 4 05:59:43 cet: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BE928BB906
    007091: Nov 4 05:59:43 cet: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015BE928BB906
    007092: Nov 4 06:11:58 cet: %DOT1X-5-FAIL: Authentication failed for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015C09296F073
    007093: Nov 4 06:11:58 cet: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015C09296F073
    007094: Nov 4 06:11:58 cet: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015C09296F073
    007095: Nov 4 06:24:13 cet: %DOT1X-5-FAIL: Authentication failed for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015C292A225FA
    007096: Nov 4 06:24:13 cet: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015C292A225FA
    007097: Nov 4 06:24:13 cet: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (2c9e.fc4e.7f73) on Interface Fa0/23 AuditSessionID 9FE8005A000015C292A225FA
    Does anybody else experience this problem and has a fix for it?

    Hi,
    It looks like the supplicant is not responding to the EAP packets or those EAP packets which are sent from the supplicant are not reaching or being read by the authenticator. In order to understand if the supplicant is sending the packets, please check if the supplicant is correctly configured for EAP (whichever method is being used) and take a packet capture and check if for the protocol EAP, anything is sent from the authenticator or not.

  • Client Independent Authorizations

    Hi,
    I would like to know, whether there are any ways in performing authorizations checks, irrespective of clients.
    I have a scenario where only 1 user, say USER01 in client 100 should be authorized to view, execute, change certain programs and other data dictionary objects in the client 100. All other users in this client 100, should be authorized only to execute the program and not to view any of the programs and dictionary objects.
    This should not be the case with any other user of the other clients of the server.They should not have any rights over these specified objects.
    Kindly help me out with a solution for the same.
    Venkat

    Hi,
    The authorizations are client independent. Whatever auth objects that you create and assign to the users in a client will NOT reflect in other clients. In fact the users are also client dependent. Having access to one client, does not guarantee access to other clients.
    This is the defaul functionality.
    regards,
    Ravi
    Note : Please mark the helpful answers.

  • How to restrict user to change "Client" in sp01

    Hi,
    I have a requirement that must release my users to use sp01, but I want to restrict them to see only the spools in the logon client.  Recently, they can change the "client" field in t-code sp01, is there anything I can do to disable "client" field from specific users ?
    Diana

    You can restrict through the object S_ADMI_FCD below mention activity
    SP01     Use of SP01 (all users)
    SP0R     Spool request management (all users)
    SPAA     Spool administration (device administration)
    SPAB     Spool administration (general settings)
    SPAC     Spool administration (device type, character sets)
    SPAD     Spool administration (all clients)
    SPAM     Spool administration (cross-client job authorization)
    SPAR     Client-specific spool administration
    SPOS     Use of Transaction SP01 (all systems)
    SPTD     TemSe administration (all clients)
    SPTR     Client-specific TemSe administration
    ST0M     Change trace switches
    And you can restrict device also through the below mention object
    SPODEVICE
    S_SPO_ACT
    S_SPO_PAGE
    Provide the sp01 authorization as per your requirement

  • ISE 1.2 anomalous client suppression

    Is there a way to clear a client who has been flagged as an anomalous client ? We are hesitent to modify or change any of the settings without fully understanding the potential impact, but would like to know if there is a way to manually reset a client so that they may retry authentication.

    Hi Ageel,
    Thanks for the response.  The problem we are having is not related to a user, though.  With the anomalous client supression enabled for the RADIUS protocol (Admin->System->Settings->Protocols->RADIUS) set to reject users who fail subsequent authorizations, the client is in "reject" mode for the determined amount of time configured which is a default of 60 minutes.
    The problem we are facing is once the client is in reject mode we are unable to find a way to clear them from reject mode.  If I were to look at a client on my ISE deployment who is experiencing this I would see an attribute for IsEndPointInRejectMode set to true. 
    Deleting the endpoint MAC address from the ISE database does not fix the issue - so it seems to cache it somewhere.  We want to find a way to clear it.
    Thanks.

  • Cisco ISE - Reauthentication of client if server becomes alive again

    Dears,
    I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
    I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
    The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.
    Below is the switch port configuration:
    interface FastEthernet0/5
    switchport access vlan 240
    switchport mode access
    switchport voice vlan 156
    authentication event server dead action authorize vlan 240
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    Anyone can help?
    Regards,

    Please check whether the switch is dropping the connection or the server.
    Symptoms or Issue
     802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
    Conditions
     This applies to user sessions that have logged in successfully and are then being terminated by the switch.
    Possible Causes
     •The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.  
    •The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.  
    •Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
    Resolution
     •Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.  
    •Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.  
    •Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):  
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server vsa send accounting
    radius-server vsa send authentication

  • Speed up Client EXPORT and Client import

    Hi,
    how to speed up the client export/import process (from scc8/scc7)?
    There is no profile,if we want User master records and the client specific data. then can we over write the client 2times first with user master data and then followed by client specific import.
    Main requirement is to Export Production client Specific data and users with authorization as CLIENT EXPORT (finally we can import the requests generated by client export) after importing to DEV server once can use as Quality client.
    please give your valuable suggestions in having client export and import to make Quality client in DEV server.
    DEV and PRD patch levels are different (remote client copy will fail in RFC system comparison)
    request you to give your valuable inputs.
    thanking you in anticipation,
    best regards,
    Raghav

    Hi Chowdary,
    This is not a big issue.
    You please find the TR list which are not moved PRD.
    Goto PRD->STMS_IMPORT find the TR list (which are in white color symbol) not moved to PRD.
    Then ask the respective consultant about TRs. Then re-import the TR in QAS. The old configuration will be occured in QAS. The TR which is moved to QAS, Now also it will be in green color only.But just re-import it and get the confirmation form respective consultant.But the user details will not available.
    hope this is useful.
    Regards,
    Patan Thavaheer.

  • Declarative Security, Authorization and SSL

    Hi all, I'm trying to find the most elegant and simple way to restrict access to my web content and I'd like to have your opinion on how to make it better or how other solve similar tasks.
    The situation is:
    My web-site (Tomcat 5.5/JBoss) has 50% of pages with access restricted by declarative security in deployment descriptor.
    I use web container authorization (BASIC or FORM-based).
    Many of my prospective web-clients have old PCs with old web-browsers, so I consider usage of SSL everywhere is not a good idea. Neither DIGEST authentication is.
    Therefore, I want to secure with SSL only the stage of authorization. I realize that in this case the restricted content is not secure, but the information is not confidential. Only user's login and password are.
    How should I do that?
    The problem is that web container intersepts the request to the restricted content and tries to authorize the client via BASIC or FORM methods, but they are not secure, as the page where interception happens may be accessed not via SSL! And, therefore, all authorization interaction with client is not encrypted too.
    I found an ugly trick - in FORM-based authentication I changed the action of my login form to "https://j_security_check" - this ensures that login/password are sent via encrypted channel, but upon successfull authentication Tomcat brings you back not to the page originally requested: "http://mypage.jsp", but to "httpS://mypage.jsp"!!! I.e it does not switch back from SSL to unencrypted connection. In order to avoid this I can assign a special servlet filter to all pages with the restricted, but unencrypted contents, so that this filter will change httpS to http, but this is quite an ugly way, isn't it?
    Can you share some better ideas how to organize this?
    I just don't want to write my own security system while we have one allready.

    Hello,
    I use Tomcat 5.5.4 or 5.5.6 - not sure, home and work... or the other way around.
    Yes you would need to - perhaps it's time to use a header include? They are useful for this kind of thing. Anyway, it does not seem to be flawless; have you tested it on a couple of your pages?
    In my test setup I:
    (1) attempt to access a restricted resource as an unauthenticated user with http
    (2) get redirected to login page which tests for https i.e. isSecure() and redirects to itself with https if test fails
    (3) i login and get redirected to the resource which tests for http and redirects to itself using http if test fails.
    In theory its straightforward... but the redirects that are caused by failed protocol tests don't always 'succeed'; I get left with a blank screen! Of course when omitting these test everything works dandy. Still, hitting refresh a couple times then brings up the page (login or resource) that is expected... which leads me to believe authentication is not failing nor is the attempt to invalidate the session. I say this as I read somewhere that some balls-up causes the browser to get stuck in the j_security_check servlet (or something like that) but I can't remember what causes this. Perhaps you've also read this and can refresh my memory.
    Best regards,
    D

  • Is it possible to copy a user fm one client to another

    Hi'
      Is it possible to copy a user from one client to another client?
      e.g., in our DEV we have two client say 500 & 201.A user say dev_user is present in client 500 with some authorization.Now i want the same user dev_user with same authorization in client 201.
    note:-
      *according to my knowledge user is a client dependent.
      *plz avoide hint like
    1)create a new user in 201 with the same user name with the help of su01
    2)client copy.

    Hi,
    I am not sure of replication a single use, but u can move all users by CLIENT Export. That means , u will be creating a transport request which will contain all User master records using SCC8. here select the USER profile SAP_USER.
    Hope this helps
    Cheers !!

  • What are possible FI authorizations to users??

    Hi,
    I need to go to some company as func. consultant in FI & their requirement will be maintaining their users(they hav areound 3000 users) authorizations in FI .
    For ex: user can post to only certain G/L accounts etc.
    I know how to create users & profiles but dont know what will be authorizations the client will ask in general.
    plzz send me the related docs  & some idea ...if U hav any..
    points 'll be rewarded to say thanks to you..
    Krishna

    Hi
    Check  PFCG, where all the authorizaiton are maintained.
    Best Regards
    Ashish Jain

  • How can I use one motion controller to control two robotic independently?

    the help document says :
    Note  Configuring and clearing buffers is a processor-intensive operation on the motion controller that requires the allocation and deallocation of memory. You should configure and clear buffers only when motors are not moving and onboard programs are not running. For example, if you wish to execute three simultaneous contouring operations on axis 1, axis 2, and vector space 1 (with axes 3 and 4), you should first configure all three buffers before starting any of the operations. You can start the contour operations independently, and at different times, but should wait until all operations are complete before clearing any of the buffers.
    and i tried to conduct two contouring operation on two vector space. and tried to clear or configuring buffer for one vector when another one is still moving. so that i can start or end the movement at any time i want,and  it is ok.no error. but when i tried add a buffer  breakpoint output along with each vector movement. the bp doesn't work if the other vector is running . is there anyway to solve this problem.

    I think you've misunderstood what the dns attribute is for. The dns attribute returns the hostname of the client accessing your website, not the hostname of the website that linked to your website.
    For example, when someone using the Comcast ISP goes to a malicious website at example.com that loads images from your website at www.amigoo.net, the dns attribute will be something like "c-1-2-3-4.ca.comcast.net", not "example.com". ACLs are used for authentication and authorization of clients (not the websites those clients chose to visit), and they don't provide the functionality you're looking for.
    If I understand correctly, you want to prevent websites other than amigoo.net from linking to files in your d:/webserver/imat/pics_upload directory. You can achieve this adding the following lines to your obj.conf configuration file:
    <Object ppath="d:/webserver/imat/pics_upload/*">
    <Client referer="*~*amigoo.net">
    PathCheck fn="deny-existence"
    </Client>
    </Object>

  • How can i use the ACL file to control the access from the other website?

    Hello all~
    My Sun one is 6.1 sp3 on Windows 2003 SE, and I am try to use the ACL file to control the access.
    My ACL file is below:
    version 3.0;
    acl "path=my_path_on_HD";
    deny absolute (all)
    (user = "anyone") and
    (dns = "*.my_site.com");
    deny absolute (all)
    (user = "anyone") and
    (dns = "*.other_site.net");
    Once I add the "deny", anyone include my site is decline for vist the path specify in the ACL file. But if remove the "deny", everyone include other one's website can access the file.
    Can anybody tell me how to make it work?

    I think you've misunderstood what the dns attribute is for. The dns attribute returns the hostname of the client accessing your website, not the hostname of the website that linked to your website.
    For example, when someone using the Comcast ISP goes to a malicious website at example.com that loads images from your website at www.amigoo.net, the dns attribute will be something like "c-1-2-3-4.ca.comcast.net", not "example.com". ACLs are used for authentication and authorization of clients (not the websites those clients chose to visit), and they don't provide the functionality you're looking for.
    If I understand correctly, you want to prevent websites other than amigoo.net from linking to files in your d:/webserver/imat/pics_upload directory. You can achieve this adding the following lines to your obj.conf configuration file:
    <Object ppath="d:/webserver/imat/pics_upload/*">
    <Client referer="*~*amigoo.net">
    PathCheck fn="deny-existence"
    </Client>
    </Object>

  • Error while uploading a LOGO into SAP by using SE78

    Hi All
    we are not able to uplaod a LOGO into DEV200 but the same LOGO is successfully uploaded into DEV215. When we tried in DEV200 it is giving the error "ERROR LOADING FILE <PATH>".
    As a Basis/ Security consultant I checked:
    1) Authorizations
    2) Client settings ( in SCC4 ) and System Change Optioin in SE06
    These both are looks fine.
    Can anyone Please help to resolve this issue.
    Thanks and Regards
    Kasi

    Hi,
    Which type of scheduling setting have you configured for WBS scheduling and for n/w. ?
    Also, download calendar from SAP to MSP and then add column 'Task Calendar' in which select the downloaded calendar.
    Check SAP NOTE 579761
    Regards,
    Harsh.
    Edited by: Harsh Saxena on Aug 10, 2011 3:18 PM

  • Source system icons changes when connecting SAP BW to mySAP ERP 2004

    Hi,
    Just an Interesting observation in relation to the creation of source systems in SAP BW to SAP Web AS 6.40 based systems (mySAP ERP 2004, mySAP SRM, etc).
    I thought it would be interesting to share!
    The behavior is logical but can be a surprise for a BW administrator who is not aware of the new internal SAP BW systems within mySAP ERP 2004.
    Scenario:
    The customer was connecting a stand-alone BW system to two new systems with latest and greatest mySAP ERP 2004 (ECC 5.00) and mySAP SRM.
    Observation:
    In the past the SAP R/3 source system would be created with a "SAP R/3 icon" indicating a SAP Source system.
    <b>As of mySAP ERP 2004, the source systems will be created in the SAP BW standalone system with the "SAP BW System icon".</b>
    Note: This is also the same behavior for new releases of mySAP SRM, and other SAP applications that are <u>based on SAP Web AS 6.40 or greater</u>
    Why?:
    The standalone SAP BW system is connecting to a system that contains an internal SAP BW system. The standalone SAP BW system determines that it is possible to extract <u>both</u> from the internal BW System <b>and</b> from the Plug-in extractors. It simply denotes that this source system is a SAP BW system and uses the BW Source system icon. (Remember SAP BW is client independent*!).
    Note: This behavior will still occur even if you do not use the internal SAP BW system within mySAP ERP! It is there whether you use it or not.
    Second Note: You can still use the ERP Content extractors from the mySAP ERP Source System as you did in prior releases.
    Another related observation:
    I would expect that this case will probably be true even if you only use the internal SAP BW.
    Scenario: You use the internal SAP BW in another client in the mySAP ERP system than your ERP processing.
    Result: The connection between the BW client and the ERP client source system(s) (i.e. client 001 for ERP, client 100 for BW), both the 'myself' and ERP client source systems, will show up as BW source systems!
    Source system 001 and source system 100 will be displayed as SAP BW icons because SAP BW is client independent*
    user master and authorizations are client dependent
    I hope this was interesting.
    Cheers,
    Mike.

    Hello,
    I used my user id to login. I recieved a message :
    User already exists in source system  I continue:
    Anothre window pops up : "Check  RFC connection" and it asks
    'RFC connection already exists in source system . Do you want to check, use or cancel source system connection'
    Here I select Use - but i get an error : Error in source system'.
    how can i track down this error.
    Kindly inform.
    Regards,
    Nikekab

  • Change IP after ISE CoA

    I have heard of this issue before, but am not quite sure how to stop it...
    Client connects to switch, switch contacts ISE on the backend. Client gets IP address on VLAN 30 in the meantime. ISE determines client belongs in VLAN 60 and performs CoA. Switch changes VLAN, but client still has an IP address in VLAN 30.
    Anyone have a good way to stop this? The only thing I've heard is to put a pre-auth ACL on the port denying DHCP. But I am having issues even getting that to work.
    Thanks.

    This would actually fit my ultimate intended model, where an auth failure authorizes the client on the Guest VLAN. Is the critical auth VLAN able to be used in closed mode?
    Response: Yes, you can. I was really talking about the usage of the following commands:
    authentication event server dead action reinitialize vlan fail_safe_vlan
    authentication even server dead action authorize vlan fail_safe_vlan
    Those commands are very useful when you need to protect yourself against ISE/Radius outage. However, when you ave a pre-auth ACL and the Radius server is down, there is nothing (no Radius server) left to push a dACL and replace the pre-auth ACL. Thus, even though endpoints are allowed on the critical VLAN, the pre-auth ACL is still there, thus preventing clients from gaining access to the network. With the Cat3850 you can have a critical ACL. With the 3750s running IP Services you can configure an EEM script that can remove the ACL in the event of an ISE outage
    Leaving them all on the same with with SGTs isn't really an option here. The reason why is that many of these machines are machines that do not get updated regularly, so they are vulnerable. We have them in a VRF. Therefore, they need to be in a different VLAN.
    Response: SGT can actually provide layer 2 segmentation too :) SGT/SGA is really the future of TrustSec
    Thank you for rating helpful posts!

Maybe you are looking for

  • IPod not recognized by iTunes 6

    So it looks like a lot of people are having this problem, that after upgrading to iTunes 6, the iPod doesn't connect to iTunes, even though it flashes "do not connect" as it is plugged in. Further the ipod has an error message once unplugged and simp

  • Can I specify more than one para tag for master page mapping?

    Hi, I want to map the same master page to be used by four different tags. Must I create a new row in the mapping table for each or can I separate the tag names by a comma and a space, for example, "Body, Bullet, Heading1, Note"? I tried the latter an

  • After updating to Mavericks, I can no longer navigate to individual folders to save a file. HELP!

    When I wanted to save a file before, I just chose "Save As" and the menu would appear that allowed me to navigate to the folder where I wanted to save the file. If the folder name didn't show up, then I could just double-click (say for example, "Docu

  • DMS document output in SOP report

    Hi all, I want to OUTPUT a DMS document in SOP Report template. But it is not reflecting in my SOP report  though I have fullfilled the prerequisites.Here are my steps that i carried out 1)  I have linked the DMS doc. in a value assignment in user de

  • Rfc to ftp scenario

    Hello, I have a problem here. I am trying to get a simple communicationszenario of xi working. So I chose rfc to file. Furthermore I tried the configuration's wizard. He says at the last step that my receiver communication-channel is not configured p