Authorization in WEB UI
Hello, Guru!
I want to create company which generate lead. When I go to create Campaign (in role SAP_CRM_UIU_MKT_PROFESSIONAL) I see the next error:
Cannot display view MKTPRJ_COMMCHNL/OVEFChannels of UI Component MKTPRJ_COMMCHNL
An exception has occurred Exception Class CX_BSP_DLC_CONFIG_GENERAL_ERR - Error creating configuration model
Method: CL_BSP_DLC_VIEW_DESCRIPTOR=>LOAD_APPL_MODEL
Source Text Row: 27
When I add role Z_OBT I don't see this error and I see the communication channel.
How can I search for the authorization key which resolves this error?
Vladimir,
To localize your problem, read this document:
How To Guide: PFCG Roles and Authorization Concept
http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00515e75-f1d0-2c10-bebb-e5675f470ee6
Denis.
Similar Messages
-
How can I authenticate and authorize with Web Service on ESB ?
Hello,
I want to authenticate and authorize client with Web Service published
by HTTP/SOAP BC.
Simply if it is an Web Service as J2EE application, I will use
Basic Authentication with JAX-RPC and Realm.
But I think that Web Service published by HTTP/SOAP BC is not belong
to J2EE Application. There is no place to describe security role mapping
(like web.xml).
JBI 1.0 the section "5.5.1.1.3 Normalized Message Properties" comments
JAAS Subject is given in the NM Properties. Really in this package
com.sun.jbi.internal.security.*
implements JAAS authentication and authorization (at JaasAuthenticator).
But I can't see how to configure my Service to use this.
How can I authenticate and authorize with Web Service on ESB ?
I referred to the resources.
Mutual Authentication for Web Services: A Live Example
http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
XML and Web Services Security
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
JAAS Authentication Tutorial
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
Thanks,
Takurou
- environment ---------------------------------------------
OpenESB : Project Open ESB Starter Kit
AppServer : Sun Java Systems Application Server 9.0 PE
OS : Windows XP
I don't assume to use SSL (if It's necessary I will try).
User information is stored in a LDAP Server.
-----------------------------------------------------------
Hello,
I read this resource.
SecurityDesign
http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
Then I think [non-ssl and ssl/tls and so on] securing by basic authentication is ongoing feature at this time.
But I can't see well why this page comments 'HTTP over SSL, TLS'.
HTTP/SOAP Binding Component Overview
http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
Does BC support only "SSL server authentication" ?
Doesn't BC support "SSL client authentication" by username/password ?
Thanks,
Takurou -
TACACS Authorization of Web Interface on Aironet 1200 AP
I have the Aironet 1200 AP setup to authenticate and perform authorization for the CLI via TACACS. That is working fine.
However, the web interface is failing "ip http authentication". (Slight caveat - it works for a local user in the local AP DB - it does not work when it goes to CiscoSecure ACS to authenticate/authorize).
I can get to some pages (prompt and pass authentication), but certain pages (e.g. Services>>SNMP) where configuration steps are taken cause a second prompt to be presented; username and password are provided, and it fails.
This is only evident from the output of a "debug ip http authentication"
What do I need to configure in ACS to make this work?
Relevant portion of config:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
no ip http server
ip http authentication aaa
ip http secure-server
Sep 7 13:40:59.885: HTTP AAA picking up console Login-Authentication List name: default
Sep 7 13:40:59.885: HTTP AAA picking up console Exec-Authorization List name: default
Sep 7 13:40:59.909: HTTP: Authentication failed for level 15
Sep 7 13:41:06.757: HTTP AAA picking up console Login-Authentication List name: default
Sep 7 13:41:06.757: HTTP AAA picking up console Exec-Authorization List name: default
Sep 7 13:41:06.780: HTTP: Authentication failed for level 15
This document appears to describe a scenario similar to mine, but is for http - not HTTPS:
Local Authentication for HTTP Server Users
http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac-win
Any ideas what I may be missing here?
Thanks,
Jeff
I found the answer was to use a more specific "ip http authentication" statement. Specifically, it required the following:
CiscoSecure ACS:
Group Settings
Shell (exec)
Priv Level = 15
On the AP:
had to enable:
ip http authentication aaa login-authentication AP_Web (Named Method List) -
Check user role/authorization during Web report run-time?
Hello again,
I ran into a problem. I need to check user's authorization during webtemplate execution (run-time). I want to have a possibility to allow in one web template extra functionality (through template menu) to key users. Normal users, who are running same report, should not have this extra menu visible.
Is it possible to check user authorizations or roles during web-template run-time?
Thank you!
Vitaliy
Hi Harinam,
From my logic you are right.
The restriction is in two new roles (Requestor and Approver role).
But ->
If I assign my approver role, the selection possibilities of the request types during the AR creation are restricted and the AR search function does not work.
If I assign my requestor role, the restriction of the request type is not there, but the AR search function works again. :-(
If I assign the original approver role of SAP, I have the same behaviour for the AR search.
Both new roles are a 1:1 copy of the SAP standard roles -> Exception: restriction on request type 'Exception Approval' is not displ.
I have executed ST01 now. If I try to open the log, the system says "No records that correspond to these search criteria".
But I have found something else.
The problem appears only if I search for Process ID "Access Request Approval Workflow".
If I select other Process ID such as "Control Assignment Approval Workflow" or "Fire Fighter Log Report Review Workflow", everything works fine.
Very strange!
BR
Melanie -
Hi ,
I am facing an authorization problem when executing the query in web. Plz consider the scenario below:
There are 2 separate roles, one for web and the other for the BEx version.
We have an authorization object for one characteristic. We are restricting this with an auth variable in the query. I have created a particular role with restriction on certain values on the authorization object. If I execute the web version with this role alone, then I get an authorization error. If I execute the web version with * auth for the auth object, then it is executed without auth error.
Can somebody help me and explain how authorization works in case of web reports? There is also a precalculation job scheduled.
Hi,
Sorry for the confusion in the earlier mail. Plz read the below mail.
My requirement is to have user-specific precalculation of web templates, i.e. different users should see the values for which they are authorized when they log in with their ID in Web (after the precalculation job is executed).
I checked the "precalculate user-specifically" flag in the reporting agent setting and executed the precalculation job. But when I log on with any ID added in the reporting agent setting, it shows "Requested document not found".
Can somebody help me in solving this ? Thanks -
Hello Experts,
One of my users wants to see a report in the web and wants an authorization for the same. When he is trying to execute the query in the WEB he is facing the following error.
User SCANESIN has no RFC authorization for function group SDIFRUNTIME.
What steps do I need to follow to resolve this issue?
Regards,
Hi,
You can solve this problem with the help of your basis person.
Go to the role of that user using RSECADMIN. Find the authorisation object S_RFC. Include SDIFRUNTIME in the
'Name of RFC to be protected' field. Activate the role.
Regards
Githen -
Authorization about Web Dynpro ABAP
Dear all:
I have some problems with the authorization for Web Dynpro for ABAP. Please give me some advice.
For example: in my Web Dynpro ABAP, I have two tabs, one is "upload", another is "preview". Now there are two users;
in this example, I assume user A and user B. If user A has the authorization for "Upload", and user B has "Preview".
Now how can I solve the problem? If I do not want to use code to implement it, is there any solution for it? Thank you ~
Best wishes !
Hi,
There are many ways to achieve this, but without code changes I guess this would be the easiest route:
Create 2 application configurations: one with the Upload button hidden and the other with the Preview button hidden.
Now to run your application you have 2 URLs by virtue of the 2 application configurations.
Give the appropriate URL to the required set of people.
Learn more about App Configuration here:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/media/uuid/af5e19e7-0b01-0010-37af-bc816f9a240c
Hope this helps.
Regards
Manas Dua -
Hi all,
I'm trying to understand security in web services and i've been
studiying web services security blue prints in glassfish. But all the
samples work with authentication and message security (stock
samples).
My question is how to implement the authorization part in
web services, is there some way/sample to authorizing a
specified role to execute some web service? I'm interested
in a declarative way.
I haven't found any way to specify this except in EJB
security-constraints part. Maybe web services are just the entry
point and relays authorization and real work to underlaying
EJBs. Is that the right thing to do?
thanx
Please provide me with a reply as this is an urgent situation.
Thanks in advance,
Geet -
Authorization and Web Services
Hello guys,
I've posted this question on the Identity Management forum, but since I had no answer I'm trying here (since this forum takes question about OWSM).
I'm taking part in a mission to advise how to protect Web Services with OWSM.
The authorization to execute a Web Service will be provisioned by the IAM Suite (OIM/OAM/OID etc)
But before getting into the technical details I'm hoping to find a Best Practices guide for approaches on how to determine/map WHO is authorized to execute which Web Service.
Since SOA promotes an heterogeneous environment where a Web Service can (and should) be reused by other process, and even other Web Services, I don't see clearly what drives this rules.
For example, the authorization rules should be based on :
a) User vs Web Services ?
b) User Role vs Web Services ?
c) Apps (or Business Process) vs Web Services ?
d) All users are authorized to execute all Web Services as long as they are authenticated ?
e) Something else?
Thanks for an insight or any direction to papers about this subject.
Adriano.
Edited by: user11994311 on 1 oct. 2012 01:08
You can find more information under this blog.
https://blogs.oracle.com/owsm/
I would recommend going through what OWSM can provide, then you can decide what you want.
https://blogs.oracle.com/owsm/entry/owsm_concepts_11g
Thanks,
Vijay -
Roles & Authorizations for Web Reports...
Hello Experts,
We are newly implementing Web Reports in our organization. I need your great thoughts regarding implementing Authorizations for users to access the reports.
We are using a report menu page that contain links to all the reports. The page opens by clicking on a link on the portal. The individual reports are basically accessed from this page by clicking on the corresponding button (links a URL ).
I wonder if there is any way to look into the menu page (XHTML code of that web page/application) whenever the users click on the reports link and disable those buttons that the users are not allowed to access depending on the roles the users are assigned to. Otherwise, is there any better way to do it?
And also how to call a function from web applications.
This is a kind of urgent issue, any quick ideas would be greatly appreciated.
I apologize for the difficulty in reading this, I will repost.
We have had no training or received any documentation on WAD. The below was created from internet research. Hence there may be WAD functionality that would allow easier maintenance; however, this is what we use.
With our dashboard, I have a web template that contains hyperlinks for our reports. I will call this HeaderTemplate1. For each web page I have report templates. These report templates have the HeaderTemplate1 mentioned above as well as the report tables, charts, text elements, tabs, etc.
The JavaScript logic for accessing the urls of the specific report templates is contained within our HeaderTemplate1.
Below is how our setup was tested. Keep in mind, this was only for testing basic functionality. If this is something we use I will most likely create a master data table that houses the user ID and an attribute for the header type. Thus, any report menu changes can be altered quickly without changing the JavaScript of each report template. Also this will accommodate the few thousand users we have.
To add the functionality of different 'menus', I created another header template with the same hyperlinks as HeaderTemplate1 with the exception of one or two hyperlinks. This, HeaderTemplate2, was added to each report template just below HeaderTemplate1. Note that both HeaderTemplate1 and HeaderTemplate2 were set as visible on each report template.
Also, on each report template I added a text element. The 'List of Text Elements' property was set as such: Element Type = General Text Symbol, Element ID = SYUSER. This Text Element was linked to a query or view from BEx via the dataprovider. On the HTML side, I surrounded this Text Element with
<Font ID="UserID",,,textelement....</Font>
Each Report template has this javascript function, fnRepOnLoad, which is triggered at the OnLoad event.
<script language="JavaScript">
// Triggered at the OnLoad event: leaves one header template visible per user.
function fnRepOnLoad() {
  // User ID rendered by the SYUSER text element
  var user_ID = document.getElementById("UserID").innerHTML;
  if (user_ID == 'USER123') {
    // USER123 sees HeaderTemplate2, so hide HeaderTemplate1
    document.all["HEADTMPLT1"].style.visibility = 'hidden';
    document.all["HEADTMPLT1"].style.position = 'absolute';
  } else {
    // Everyone else sees HeaderTemplate1, so hide HeaderTemplate2
    document.all["HEADTMPLT2"].style.visibility = 'hidden';
    document.all["HEADTMPLT2"].style.position = 'absolute';
  }
}
</script>
The function results as this. If the user is USER123, HeaderTemplate1 is hidden, leaving only HeaderTemplate2 visible. Otherwise HeaderTemplate2 is invisible, leaving only HeaderTemplate1 visible.
We do not use buttons as our global leaders prefer hyperlinks but buttons can be enabled or disabled similarly.
As mentioned before, if this method is implemented, I will create a reportable master data table. Create a customer exit variable to retrieve the header template required for the user. This header template variable value will then be pulled by a text element on each report template. The script function will act as follows. If many report headers are necessary I may use a case statement.
Var User_template=document.getElementById("UserTmplt").innerHTML;
If UserTmplt = HeaderTemplate1
--> make all header templates other than HeaderTemplate1 invisible
else
--> make all header templates other than HeaderTemplate2 invisible
etc...
I hope this helps. Please keep me posted with your solution. I am very interested to learn what others are doing.
Best Regards,
Larry -
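The table-driven variant sketched at the end of the post above, as an added example that is not part of the original post: it takes the header name from the "UserTmplt" text element and hides every other known header, falling back to a default when the value is not a known header. It assumes the text element's value equals the id of the header to show; the helper names and the stand-in document object are hypothetical. Hiding a header only changes what the page shows, so the report templates behind the links still need their own role-based restriction on the server.

```javascript
// Added example. The ids HEADTMPLT1, HEADTMPLT2 and UserTmplt come from the post;
// all function names and the fallback choice are assumptions for illustration.
const HEADER_IDS = ["HEADTMPLT1", "HEADTMPLT2"];
const DEFAULT_HEADER = "HEADTMPLT1"; // assumption: same default as the post's else-branch

// Normalize the text element's value; accept it only if it names a known header.
function resolveHeader(rawValue, knownIds = HEADER_IDS, fallback = DEFAULT_HEADER) {
  const value = String(rawValue == null ? "" : rawValue).trim().toUpperCase();
  return knownIds.includes(value) ? value : fallback;
}

// Hide every known header except the chosen one and report what was hidden.
function applyHeader(doc, rawValue, knownIds = HEADER_IDS) {
  const chosen = resolveHeader(rawValue, knownIds);
  const hidden = [];
  for (const id of knownIds) {
    const el = doc.getElementById(id);
    if (!el || id === chosen) continue;
    el.style.visibility = "hidden";
    el.style.position = "absolute";
    hidden.push(id);
  }
  return { chosen, hidden };
}

// OnLoad handler. In a browser: window.onload = () => fnRepOnLoad(document);
function fnRepOnLoad(doc) {
  const src = doc.getElementById("UserTmplt");
  return applyHeader(doc, src ? src.innerHTML : "");
}

// Minimal stand-in for `document`, so the logic can be run outside a browser.
function makeFakeDocument(ids, userTmpltValue) {
  const nodes = { UserTmplt: { innerHTML: userTmpltValue, style: {} } };
  for (const id of ids) nodes[id] = { innerHTML: "", style: {} };
  return { getElementById: (id) => nodes[id] || null };
}

// Constructed sample run: a user whose master data row names HEADTMPLT2.
const demoDoc = makeFakeDocument(HEADER_IDS, " HeadTmplt2 ");
console.log(fnRepOnLoad(demoDoc));
```
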
Authorization for web shop users
Hi Experts,
How can we control the users at webshop level? Can anybody explain to me the step-by-step process to set up an authorization group for web shops?
Regards,
S Reddy
Hello,
In each web shop there is an authorization group. If left blank, any user can enter the web shop. If it is populated with a value, only users with special authorization can enter the web shop.
The authorization set is: CRM_ISA_SP
You maintain a value for the authorization object in role maintenance and assign it to your web shop (as described above).
You also assign it to a user to control the user access to a particular web shop.
The way it works is the system checks any user attempting to enter the shop. If the user has the authorization object value assigned to it, the user can enter the shop. Otherwise, he is denied access.
I hope this helps.
Deb -
Authorization on web interface urls
Hi there.
Is it possible to restrict user access to certain web interface urls? i.e. we want to distribute the 'URL BSP APPLICATION' for various input templates to end users.
We have played around with the authorization object r_webitf but it doesn't seem to do what we want.
Thanks.
Hi,
Once you have the URL BSP Application, you can set authorizations for it in txn SICF.
An entry would be there for this service (the application you have created) under /default_host/sap/bc/bsp/sap/ node.
You can change the properties of this node in SICF, assign your authorization value in 'SAP Authoriz' field in the 'Service data' tab. Once you assign a value here (say 'abc'), users authorization will be verified for authorization object s_icf for this value (ie 'abc' in this case). You can now setup your authorizations as you wish. Users will get an error if they do not have authorization for this service.
cheers, -
Authorization for Web applications
Hi, friends,
We have already developed some Web applications and we stored the user id and encrypted password in the database using JCE. We can handle authentication by ourselves. But we want to set up authorization on these Web applications, for example setting up authorization on a certain Web directory holding a bunch of JSPs. How can we do that ?
Thanks
John
Hi John
We are writing a basic J2EE framework where we have pluggable Authentication modules using Kerberos etc. I was just curious as to what your Authentication system uses and how it's done.
Gracias
Ram
I will add some of my comments on authorization as soon as the document is complete. -
Authorization for Web Application Designer
Hello,
I'm trying to grant authorizations for the WAD without having to grant SAP_ALL and SAP_NEW. What authorization objects do I have to use?
We're working on a BW7.0 (SP12) system.
Kind regards.
Joost Kruk
hi Joost,
take a look
http://help.sap.com/saphelp_nw70/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
Business Explorer - BEx Web Templates (NW 7.0+)/S_RS_BTMP
Authorizations for working with BEx Web templates
Business Explorer BEx reusable Web items (NW 7.0+)/S_RS_BITM
Authorizations for working with BEx Web items
BEx Broadcasting authorization for scheduling/S_RS_BCS
Authorization for registering broadcast settings for execution.
Business Explorer BEx texts (maintenance)/S_RS_BEXTX
Authorizations for the maintenance of BEx texts
hope this helps. -
Web Reporting Authorizations for Web Application Designer
Hi,
any information on authorizations in context with the Web Application Designer would be appreciated. I know the data access is regulated the normal class RS and RSR authorization objects. Any way to secure and regulate access to the Web items in the WAD?
thanks,
Michael
Hi Michael,
Security settings are the standard ones (RS/RSR) as you mention plus limiting access to Web templates using roles.
I do not know any means to limit access at the web item level; you can define security restrictions on the underlying queries though.
Best regards,
LauQ -
Problem - acs command authorization and web access control
Hi, I'm trying to add the control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and be able to give similarly restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser, such as "write memory quiet" and a few other ones, but for it to work I must give the limited users privilege level 15, and by having the TACACS server authorize the commands, it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: the user being already authenticated as a level 15 user, the device becomes open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?
It is already at local, it is just that the user already has level 15 access and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 while still controlling the command set, it would be OK, but as soon as I try to access a page that is not permitted other than by the view level (I think it's level 1... or 0), I get a username/password prompt with this line at the top of it: "level_15_or_view_access", and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 AAA config
and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
configure
  permit terminal
exit
  permit Unmatched Args
interface
  permit Dot11Radio0
no
  permit shutdown
  permit cca
ping
  permit Unmatched Args
show
  permit Unmatched Args
shutdown
  permit Unmatched Args
telnet
  permit Unmatched Args
write
  permit memory quiet
Thanks for the help !