Authorization in WEB UI

Similar Messages

• How can I authenticate and authorize with Web Service on ESB ?

  Hello,
  I want to authenticate and authorize client with Web Service published
  by HTTP/SOAP BC.
  Simply if it is an Web Service as J2EE application, I will use
  Basic Authentication with JAX-RPC and Realm.
  But I think that Web Service published by HTTP/SOAP BC is not belong
  to J2EE Application. Threre is no place to describe security role mapping
  (like web.xml).
  JBI 1.0 the section "5.5.1.1.3 Normalized Message Properties" comments
  JAAS Subject is given in the NM Properties. Really in this package
  com.sun.jbi.internal.security.*
  implements JAAS autentication and authorization (at JaasAuthenticator).
  But I can't see how to configure my Service to use this.
  How can I authenticate and authorize with Web Service on ESB ?
  I referred to the resources.
  Mutual Authentication for Web Services: A Live Example
  http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
  XML and Web Services Security
  http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
  JAAS Authentication Tutorial
  http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
  Thanks,
  Takurou
  - environment ---------------------------------------------
  OpenESB : Project Open ESB Starter Kit
  AppServer : Sun Java Systems Application Server 9.0 PE
  OS : Windows XP
  I don't assume to use SSL (if It's necessary I will try).
  User information is stored in a LDAP Server.
  -----------------------------------------------------------

  Hello,
  I read this resource.
  SecurityDesign
  http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
  Then I think [non-ssl and ssl/tls and so on] securing by basic authentication is ongoing feature at this time.
  But I can't see well why this page comments 'HTTP over SSL, TLS'.
  HTTP/SOAP Binding Component Overview
  http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
  Does BC support only "SSL server authentication" ?
  Doesn't BC support "SSL client authentication" by username/password ?
  Thanks,
  Takurou

• TACACS Authorization of Web Interface on Aironet 1200 AP

  I have the Aironet 1200 AP setup to authenticate and perform authorization for the CLI via TACACS. That is working fine.
  However, the web interface is failing "ip http authentication". (Slight caveat - it works for a local user in the local AP DB - it does not work when it goes to CiscoSecure ACS to authenticate/authorize).
  I can get to some pages (prompt and pass authentication), but certain pages (e.g. Services>>SNMP) where configuration steps are taken cause a second prompt is presented, username and password is provided, and it fails.
  This is only evident from the output of a "debug ip http authentication"
  What do I need to configure in ACS to make this work?
  Relevant portion of config:
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local
  no ip http server
  ip http authentication aaa
  ip http secure-server
  Sep 7 13:40:59.885: HTTP AAA picking up console Login-Authentication List name: default
  Sep 7 13:40:59.885: HTTP AAA picking up console Exec-Authorization List name: default
  Sep 7 13:40:59.909: HTTP: Authentication failed for level 15
  Sep 7 13:41:06.757: HTTP AAA picking up console Login-Authentication List name: default
  Sep 7 13:41:06.757: HTTP AAA picking up console Exec-Authorization List name: default
  Sep 7 13:41:06.780: HTTP: Authentication failed for level 15
  This document appears to describe a scenario similar to mine, but is for http - not HTTPS:
  Local Authentication for HTTP Server Users
  http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac-win
  Any ideas what I may be missing here?
  Thanks,
  Jeff

  I found the answer was to use a more specific "ip http authentication" statement. Specifically,it required the following:
  CiscoSecure ACS:
  Group Settings
  Shell (exec)
  Priv Level = 15
  On the AP:
  had to enable:
  ip http authentication aaa login-authentication AP_Web (Named Method List)

• Check user role/authorization during Web report run-time?

  Hello again,
  I ran into a problem. I need to check <b>user's authorization during webtemplate execution (run-time)</b>. I want to have a possibility to allow in one web template extra functionality (through template menu) to key users. Normal users, who are running same report, should not have this extra menu visible.
  Is it possible to check user authorizations or roles during web-template run-time?
  Thank you!
  Vitaliy

  Hi Harinam,
  From my logic your are right.
  The restriction is in two new roles (Requestor and Approver role).
  But ->
  If I assign my approver role the selection possiblities of the request types during the AR creation is restricted and the AR search function does not work.
  If I assign my requestor role the restriction of the request type is not there, but the AR search function works again. :-(
  If I assign the original approver role of sap I have the same behavoiur for the AR search.
  Both new roles are a 1:1 copy of the SAP standard roles - > Exception, ristriction on request type 'Execption Approval' is not displ.
  I have execute ST01 now. If I try to open the log, the system syst "No records that correspond to these search criteria".
  But I have found something else.
  The problem appears only if I search for Process ID "Access Request Approval Workflow".
  If I select other Process ID such as "Control Assignment Approval Workflow" or "Fire Fighter Log Report Review Workflow", everything works fine.
  Very strange!
  BR
  Melanie

• Authorization in Web reports

  Hi ,
  I amfacing a authorization problem when executing the query in web.plz consider the senario below
  there are 2 seperate roles ,one for web and other for bex version
  we are having an authorization object for one characteristics. We are restricting this with auth variable in the query.I have created a particular role wih restriction on certain values on authorization obj.If I am executing the web version with this role alone then i am get an authorization error.If I am executing the web with * auuth for the auth obj then it is getting executed without auth error.
  Can some body help me and explain how authorizatio works in case of web reports.There is also a precalculation job scheduled

  Hi,
  Sorry for the confusion in the earlier mail.plz read the below mail
  My requirement is to have user specific precalculation of webtempletes.ie different users should see values for which they are authorized to when they login with their id in Web.(after precalculation job is executed)
  I checked precalculate user -specificaly flag in the reporting agent setting and executed the precalculation job. But when I logon with any id added in the reporting agent setting it is showing the " Requested document not found".
  Can somebody help me in solving this ? Thanks

• Authorization for Web report

  Hello Experts,
  One of my user wants to see a report in the web and wants an authorization for the same. When he is trying to execute the query in the WEB he is facing the follwoing error.
  User SCANESIN has no RFC authorization for function group SDIFRUNTIME.
  What steps do i need to follow to resolve this issue.
  Regards,

  Hi,
  You can solve this problem with the help of your basis person.
  Go to the role of that use using RSECADMIN. Find the authorisation object S_RFC. Include SDIFRUNTIME in
  'Name of RFC to be protected' field. Activate the role.
  Regards
  Githen

• Authorization about Web Dynpro ABAP

  Dear all:
               I have some problem withs the authorization about the web dynpro for abap.Please give me some advices.
  For example: In my web dynpro abap,i have two tabs,one is "upload",anthor is "preview".Now there are two users,
  in this example ,i  assume user A and user B.If user A have the authorization of "Upload",and the user B have "Preview".
  Now how can i solve the problem ?  If i do not want to use the  code to implement it , is there any solution for it ? Thank  you ~
  Best wishes !

  Hi,
  There are many ways to achieve this, but without code changes I guess this would be the easiest route:
  Create 2 application configurations: one with Upload button Hidden and other with Preview Button Hidden.
  Now to run you application you have 2 URL's by vritue of 2 application configurations.
  Give the appropriate URL to required set of people.
  Learn more about [App Configuration Here|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/media/uuid/af5e19e7-0b01-0010-37af-bc816f9a240c]
  Hope this helps.
  Regards
  Manas Dua

• Authorization in web services

  Hi all,
  I'm trying to understand security in web services and i've been
  studiying web services security blue prints in glassfish. But all the
  samples work with authentication and message security (stock
  samples).
  My question is how to implement the authorization part in
  web services, is there some way/sample to authorizing a
  specified role to execute some web service? I'm interested
  in a declarative way.
  I haven't found any way to specify this except in EJB
  security-constraints part. Maybe web services are just the entry
  point and relays authorization and real work to underlaying
  EJBs. Is that the right thing to do?
  thanx

  Please provide me with a reply as this is an urgent situation.
  Thanks in advance,
  Geet

• Authorization and Web Services

  Hello guys,
  I've posted this question on the Identity Management forum, but since I had no answer I'm trying here (since this forum takes question about OWSM).
  I'm taking part in a mission to advise how to protect Web Services with OWSM.
  The authorization to execute a Web Service will be provisioned by the IAM Suite (OIM/OAM/OID etc)
  But before getting into the technical details I'm hoping to find a Best Practices guide for approaches on how to determine/map WHO is authorized to execute which Web Service.
  Since SOA promotes an heterogeneous environment where a Web Service can (and should) be reused by other process, and even other Web Services, I don't see clearly what drives this rules.
  For example, the authorization rules should be based on :
  a) User vs Web Services ?
  b) User Role vs Web Services ?
  c) Apps (or Business Process) vs Web Services ?
  d) All users are authorized to execute all Web Services as long as they are authenticated ?
  e) Something else?
  Thanks for an insight or any direction to papers about this subject.
  Adriano.
  Edited by: user11994311 on 1 oct. 2012 01:08

  You can find more information under this blog.
  https://blogs.oracle.com/owsm/
  I would recommand to go through what OWSM can provide then you can decide what you want.
  https://blogs.oracle.com/owsm/entry/owsm_concepts_11g
  Thanks,
  Vijay

• Roles & Authorizations for Web Reports...

  Hello Experts,
  We are newly implementing Web Reports in our organization. I need your great thoughts regarding implementing Authorizations for users to access the reports.
  We are using a report menu page that contain links to all the reports. The page opens by clicking on a link on the portal. The individual reports are basically accessed from this page by clicking on the corresponding button (links a URL ).
  I wonder if there is any way to look into the menu page (XHTML code of that web page/application) when ever the users click on the reports link and disable those buttons that the users are not allowed to access depending on the roles users are assigned to. Otherwise is there any better way to do it.
  And also how to call a function from web applications.
  This is a kind of urgent issue any quick ideas would be greatly appreciated.

  I apologize for the difficulty in reading this  I will repost.
  We have had no training or received any documenation on WAD.  The below was created from internet research.  Hence there may be WAD functionality that would allow easier maintenance, however; this is what we use.
  With our dashboard, I have a web template that contains hyperlinks for our reports.  I will call this HeaderTemplate1.  For each web page I have report templates.  These report templates have the HeaderTemplate1 mentioned above as well as the report tables, charts, text elements, tabs, etc.
  The JavaScript logic for accessing the urls of the specific report templates is contained within our HeaderTemplate1.
  Below is how our setup was tested.  Keep in mind, this was only for testing basic functionality.  If this is something we use I will most likely create a master data table that houses the user ID and an attribute for the header type.  Thus, any report menu changes can be altered quickly without changing the javascript of each report template.  Also this will accomodate the few thousand users we have.
  To add the functionality of different 'menus', I created another header template with the same hyperlinks of HeadertTemplate1 with the exception of one or two hyperlinks.  This, HeaderTemplate2, was added to each report template just below HeaderTemplate1.  Note that both HeaderTemplate1 and HeaderTemplate2 were set as visible on each report template.
  Also, on each report template I added a text element.  The 'List of Text Elements'property was set as such; Element Type = General Text Sympol,  Element ID = SYUSER.  This Text Element was linked to a query  or view from BEx via the dataprovider.  On the HTML side, I surrounded this Text Element with
  <Font ID="UserID",,,textelement....</Font>
  Each Report template has this javascript function, fnRepOnLoad, which is triggered at the OnLoad event.
  [<SCRIPT language = "JAVASCRIPT">                       
    function fnRepOnLoad()
      var user_ID=document.getElementById("UserID").innerHTML;
      if (user_ID=='USER123')
        document.all["HEADTMPLT1"].style.visibility = 'hidden';
        document.all["HEADTMPLT1"].style.position = 'absolute';
      else         
        document.all["HEADTMPLT2"].style.visibility = 'hidden';
        document.all["HEADTMPLT2"].style.position = 'absolute';
  </script>
  The function results as this.  If the user is USER123, HeaderTemplate1 is hidden, leaving only HeaderTemplate2 visible.  Otherwise HeaderTemplate2 is invisible leaving on HeaderTemplate1 visible.
  We do not use buttons as our global leaders prefer hyperlinks but buttons can be enabled or disabled similarly.
  As mentioned before, if this method is implemented, I will create a reportable master data table.  Create a customer exit variable to retrieve the header template required for the user.  This header template variable value will then be pulled by a text element on each report template.  The script function will act as follows.  If many report headers are necessary I may use a case statement.
  Var User_template=document.getElementById("UserTmplt").innerHTML;
  If UserTmplt = HeaderTemplate1
  -->  make all header templates other than HeaderTemplate1 invisible
  else
  -->  make all header templates other than HeaderTemplate2 invisible
  etc...
  I hope this helps.  Please keep me posted with your solution.  I am very interested to learn what others are doing.
  Best Regards,
  Larry

• Authorization for web shop users

  Hi Experts,
  How can we Control the users at webshop level?. Can anybody explain me the step by step process to set up authorization group for web shops.
  Regards,
  S Reddy

  Hello,
  In each web shop there is an authorization group.  If left blank, any user can enter the web shop.  If it is populated with a value, only users with special authorization can enter the web shop.
  The authorization set is:  CRM_ISA_SP
  You maintain a value for the authorization object in role maintenance and assign it to your web show (as described above).
  You also to a user to control the user access to a particular web shop.
  The way it works is the system checks any user attempting to enter the shop.  If the user has the authorization object value assigned to it, the user can enter the shop. Otherwise, he is denied access.
  I hope this helps.
  Deb

• Authorization on web interface urls

  Hi there.
  Is it possible to restrict user access to certain web interface urls?  i.e. we want to distribute the 'URL BSP APPLICATION' for various input templates to end users.
  We have played around with the authorization object r_webitf but it doesn't seem to do what we want.
  Thanks.

  Hi,
  Once you have the URL BSP Application, you can set authorizations for it in txn SICF.
  An entry would be there for this service (the application you have created) under /default_host/sap/bc/bsp/sap/ node.
  You can change the properties of this node in SICF, assign your authorization value in 'SAP Authoriz' field in the 'Service data' tab. Once you assign a value here (say 'abc'), users authorization will be verified for authorization object s_icf for this value (ie 'abc' in this case). You can now setup your authorizations as you wish. Users will get an error if they do not have authorization for this service.
  cheers,

• Authorization for Web applications

  Hi, friends,
  We have already developed some Web applications and we stored the user id and encrypted password in the database using JCE. We can handle authentication by ourselves. But we want to set up authorization on these Web applications, for example setting up authorization on a certain Web directory holding a bunch of JSPs. How can we do that ?
  Thanks
  John

  Hi John
  We am writing a basic J2EE framework where we have pluggable Authentication modules using Kerberos etc. I was jus curious as to what your Authentication system uses and how its done.
  Gracias
  Ram
  I will add some of my comments on authorization as soon as the document is complete.

• Authorization for Web Application Designer

  Hello,
  I'm trying to grant authorizations for the WAD without having to grant SAP_ALL and SAP_NEW. What authorizationobjects do i have to use?
  We're working on a BW7.0 (SP12) system.
  Kind regards.
  Joost Kruk

  hi Joost,
  take a look
  http://help.sap.com/saphelp_nw70/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
  Business Explorer - BEx Web Templates (NW 7.0+)/S_RS_BTMP
  Authorizations for working with BEx Web templates
  Business Explorer – BEx reusable Web items (NW 7.0+)/S_RS_BITM
  Authorizations for working with BEx Web items
  BEx Broadcasting authorization for scheduling/S_RS_BCS
  Authorization for registering broadcast settings for execution.
  Business Explorer – BEx texts (maintenance)/S_RS_BEXTX
  Authorizations for the maintenance of BEx texts
  hope this helps.

• Web Reporting Authorizations for Web Application Designer

  Hi,
  any information on authorizations in context with the Web Application Designer would be appreciated. I know the data access is regulated the normal class RS and RSR authorization objects. Any way to secure and regulate access to the Web items in the WAD?
  thanks,
  Michael

  Hi Michael,
  Security settings are the standard ones (RS/RSR) as you mention plus limiting access to Web templates using roles.
  I do not know any mean to limit access at the web item level; you can define security restrictions on the underlying queries though.
  Best regards,
  LauQ

• Problem - acs command authorization and web access control

  Hi, I'm trying to add the control of some aironet 1310 bridges with a ACS 3.2 (tacacs+). I wanted to be able to do telnet command authorization restrictions trough shell command authorization sets and be able to give similar restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser as "write memory quiet" and few other ones, but for it to work, I must give them limited users the privilege level 15 and by having the tacacs server authorizing the commands, it work for both, http and telnet. Where my problem begin is when I loose the connection with the ACS server, the user being already authenticated as level 15 user, the device become open to all commands; there is no more restriction applied by the ACS. Do anybody now a workaround.

  It is already at local, that is just that the user already have a level 15 access and I used to control the commands through level settings before. So when I try it, my user that is localy level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still controlling the command set, it would be ok but as soon as I try to access a page that is not permitted other way than by the view level (i think it's level 1... or 0), I get a username password prompt with that line on the top of it:"level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
  and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
  configure
  permit terminal
  exit
  permit Unmatched Args
  interface
  permit Dot11Radio0
  no
  permit shutdown
  permit cca
  ping
  permit Unmatched Args
  show
  permit Unmatched Args
  shutdown
  permit Unmatched Args
  telnet
  permit Unmatched Args
  write
  permit memory quiet
  Thanks for the help !