Authorization in which user receive rights to see specific node in Orgunit

Similar Messages

• Which user type to user for RFC receiver channel

  Hi Forum,
  I m developing XI scenarios which include RFC receiver chhanel (in IB: Integration Directory), to call a function moule in a R/3,
  which kind of user should i use for this purpose, i mean to say,
  which user type:
                  SYSTEM
                  Dialog
                  Communication
                  System
                  Reference
  and what should be the roles of that user,
  which type of the user doesnt gets locked, on wrong attempts

  Hi,
  Generally S_RFC and S_SERVICE authorizations  are nedded while calling RFC module from R3. Also check for role S_RFC_ADM
  The backend should have the authorization to execute the RFC on the backend.
  You can test the module in R3 and create a role using PFCG assign the tcode - SU53 (authorization check) and also assign the S_RFC and S_SERVICE to role.
  Refer
  RFC Logon user authorizations
  Question on service userid - for RFC call
  End User Authorizations and Roles
  Calling R3 RFC via http
  For RFC different authorization object is requried. You can ask your basis team to add the relevant authorization object in a new role and then add the new role to any existing service user or better create a new system user and add the role.
  Thanks
  swarup

• Regarding where can I check logs to see which user ID

  Hi,
  In RSA1, if some one deletes the source system, where can I check logs to see which user ID did it and when.
  Thanks
  Vasu.

  Transaction RSA1 "BW Administrator Workbench"
  Users need an authorization for object S_RS_ADMWB with field RSADMWBOBJ = "SOURCESYS".
  Source systemes are stored in table RSDS. Table change log is not active (see transaction SE13) but as far as I can read the source code some critical events are logend in the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/3a/c8263712c79958e10000009b38f936/frameset.htm">Application Log</a>. View the entries for object LSYS_DELETE_<logsys> with message 618(RSAR) using transaction SLG1 .
  Kind regards
  Frank

• How to know that User having Authorizations to which Tcodes?

  Hi,
  This is regarding Security.
  How can I Find that an User  having  the authorization to which  transations?
  SUIM will show me the all transation where the user having  authorizations.
  But my requirment is, say  i will enter 10 T-Codes, then the program should check these T-Codes  against with SUIM and show me the  result  of these 10 T-Codes which the user having the permission.
  Is there any standard program to do this? or I need to write a custom program?
  Points will be awarded for solution.
  Thanks All
  Siva

  I dont think there is any way through which you can give a list of t-codes and the system will come up with whether the user has authorization to exexute some or all of them or not.
  The best way as per me is to goto suim-> transactions->executable for users.
  Give the user name and download the list of transactions in an excel file . And finally apply v-lookup with your list of tcodes.

• Regarding where can I check logs to see which user ID did it and when

  Hi,
  In RSA1, if some one deletes the source system, where can I check logs to see which user ID did it and when.
  Please help me..
  Thanks.

  Hi,
  Check if there is any job in sm37 with DEL ans user as *. Perhaps you may get some clue.
  Bye
  Dinesh

• Is it possible to see list history (e.g: which user removed column from list)

  Hello there,
  I know it is possible to see version history of items and pages, but what about the lists itself?
  For example:
  Is it possible to see which user added/removed a column from a list?
  Is it possible to see which user changed a certain view from a list?
  Thanks in advance!

  There's an auditing event fired when a user modifies content types or columns in a list. To make use of this you'll need to enable auditing if it's not already enabled.
  I'm not sure about the view and I'm having trouble trying to find information about it because most of the documentation talks about VIEWing the audit reports. :)
  Jason Warren
  @jaspnwarren
  jasonwarren.ca
  habaneroconsulting.com/Insights

• Please tell me SQL to see, what tables are locked by which user

  could you please tell me the query
  so that I can see, what tables are locked by which user in a databse
  Thanks

  The only way you can ensure that only one transaction touches the data at any one time is to use a select .. for update nowait statement to select the rows to be updated.
  Try this::
  Where I select the data i want to update in a cursor Incase the row is locked due to any reason it will throw me an error as shown below;
  SQL>DECLARE
    2   cursor c
    3   is
    4   select * from emp
    5   where empno = 10
    6   for update nowait;
    7  BEGIN
    8 
    9   for rec in c
  10    Loop
  11     update emp set ename ='J' where empno = 10;
  12    End Loop;
  13   
  14  DBMS_OUTPUT.PUT_LINE('Record Updated');
  15 
  16  EXCEPTION
  17 
  18  WHEN OTHERS THEN
  19 
  20  DBMS_OUTPUT.PUT_LINE(sqlcode || sqlerrm);
  21 
  22  END ;
  23  /
  -54ORA-00054: resource busy and acquire with NOWAIT specified
  PL/SQL procedure successfully completed.Edited by: J99 on Jul 28, 2009 4:57 PM

• Saprouter service on windows -  which user rights are required?

  Hi,
  We have the saprouter service running in a windows 2003 server, this service is started by a user account named 'saprouter' which has its password set to never expires.
  Due to security concerns, our IT Security Deparment have ask us to apply all the following restrictions to the 'saprouter' user:
     1) 'Logon locally' user right is disabled
     2) Userid is not a member of the Administrators group
     3) Deny access to the user rights: 'Access this computer from network' and      'Logon through Terminal Services'
  As per our security policy, non-expiring passwords are allowed only for users that can meet all the conditions listed above.
  The questions are ¿Which user rights should be granted to the user account that starts the saprouter service? ¿Could we apply the conditions listed above without impact the saprouter service?
  Thank you for your kind attention.
  Sokram

  following permissions are required to set SAPRouter working :
  1. password never expires
  2. user never change the password
  3. should be member of administrator
  4. profile --> home folder :c:\user\sap\saprouter (path of instllables)
  5. end disconnected session : never , active session limit : never , idle session limit : never
  check if you can apply above points for your users
  Regards,

• Which user has which authorizations

  Hi all,
  I need to know which user has which authorizations.
  In which tables can I find these data?
  Thanks.
  deniz.

  Hi,
      Check this .
  USR01 contains the runtime data of the user master records
  USR02 is the table containing logon information such as the password
  USR03 includes the users' address information
  USR04 contains users' authorizations
  USR05 is the users' parameter ID table
  USR09 contains user menus
  USR10 is the table for user authorization profiles
  USR11 contains the descriptive texts for profiles
  USR12 is the user master authorization values table
  USR13 contains the descriptive short texts for authorizations
  USR14 contains the logon language versions per user
  USR30 includes additional information for user menus
  USH02, USH04, USH10 and USH12 contains Users and profile and
  authorization change history data.
  Tables related with authorizations objects and authorization fields are as follows:
  TOBJ is the authorization objects table containing the authorization
  fields for each.
  TACT contains the list of standard activities authorization fields
  in the system.
  TACTZ is the table which defines the relationship between the
  authorization objects and the activities in those objects containing
  the Activity authorization field.
  TSTC is the transaction code table where authorization objects
  and values can be defined.

• How to find out which user has the permission to execute startsap ?

  Hi All
  How do I find out which user has the permission to execute the startsap and stopsap? Do I control the permission on those script using windows standard authorization? For example: only allow certain user have the read and write permission?
  Thank you.!
  Vincent Lo

  Well to me this is really weird question..
  <b>noone un-authorized should have access to OS on your system</b>
  If this is valid you do not need to solve problems who can and who cannot start/stop SAP, because if you want to prevent some users from shutting down the SAP you have really hard job to do - there are many ways how to kill the SAP (for example killing relevant process from task manager, killing of database, messing with services etc.) - yes, this is harmful way of stopping SAP, but we are talking about attack, right? I would contact some Windows specialist to help you disable all the ways how to harm the running SAP. But still after that - there are many files that can be modified/deleted so SAP will crash after restart - you need to protect them too, etc.
  In case you take the first assumption as granted (and you really limit access to this server) you do not need to worry who can stop or start SAP - at the other hand it may be handy to be able to start/stop SAP from other users - for this you can run the stop/start script "under different user".
  But to answer the question - to me this is question just of access control (but really never tried that myself):
  <a href="http://technet2.microsoft.com/WindowsServer/en/library/c6413717-511e-42bd-bd81-82431afe4b2a1033.mspx">Permit or restrict access to a snap-in for a domain</a> (or see other related links down there on this page)
  Please award points for useful answers.
  Thanks

• Users are unable to see their own profile photo although everyone else can see it in Lync 2013 client

  We have Lync 2013, Exchange 2010 and several AD
  servers in mixed mode 2003/2008.
  All user are unable to see their own profile photo
  either in the main Lync window, in the settings or in a chat although other user can see that their photo is there and displaying. The user experiencing the issue can go open Outlook 2013 client and will see their photo displaying correctly in the file menu
  (and elsewhere) here.
  I have confirmed this happens with any new users I set up as well. We have gone through a fair amount of troubleshooting with other Lync photo issues and simple fixes such as deleting the SIP cache folder etc proves to be ineffective.
  Our Cs-ClientPolicy Global is set to websearchonly.
   We have "Replicate this attribute to the Global Catalog" set
  for the ThumbnailPhoto attribute in AD.
  We are also forcing photos from AD only (or no photo) by setting the following:
  "Set-CsClientPolicy -Identity PhotosControl -DisplayPhoto
  PhotosFromADOnly"  
  and finally we are importing the photo in ad using this PS command:
  "Import-RecipientDataProperty -Identity "Test User"
  -Picture -FileData ([Byte[]]$(Get-Content -Path "C:\pictures\testuser.jpg" -Encoding Byte -ReadCount 0))"
  The pictures being uploaded are under 10KB in size.
  I have followed many threads and will provide any information I can to help find the problem. Thank you in advance.
  EDIT: I have also tried the following but with no success: https://knowledge.zomers.eu/misc/Pages/How-to-fix-your-photo-not-showing-up-in-the-Lync-client.aspx

  Hi Jdentremont,
  Lync client gets user photos by first querying the Address Book Web Query (ABWQ) service on the server, which is exposed through the Distribution List Expansion web service. The client receives
  the image file and then copies it to the user's cache to avoid downloading the image each time it needs to be displayed. The attribute values returned from the query are also stored in the cached Address Book Service entry for the user. The Address Book Service
  deletes all cached images every 24 hours, which means that it can take up to 24 hours for new user images to be updated in the cache on the server.
  To troubleshoot your problem, please follow the steps below:
  1.  Navigate to
   “X:\share\1-WebServices-1\ABfiles\000000000\000000000” folder. (ABS file share)
  You should see some photo files in this folder as the following screenshot.
  2. Delete all the files in this folder.
  3. On test PC, delete local cache files.
  %userprofile%\AppData\Local\Microsoft\Office\15.0\Lync\[email protected]
  4. Sign-in Lync with the test account.
  5. Go back to the ABS file share, check if there is any Photo file in the folder.
  Best regards,
  Eric
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Run with User's rights not working as expected

  I have a VBscript that runs the Quest Client Profile Updating Utility for migrating Outlook e-mail profiles to a new Exchange Server.  For this tool to work it must be run using the User's security context when the user is logged onto the computer. 
  What I have found is that the script fails to run because SCCM is running the script with elevated privileges.  The program is set with 'Only when a user is logged on' and a run mode of 'Run with user's rights'.  The advertisement is set to run from
  a distribution point and has two mandatory re-occuring schedules (Logon, and at 6:00 a.m. every day).
  To test what is happening I created a separate Program that has the same program settings but only runs 'Cmd.exe /k echo' for the command line.  If I run this SCCM program as a user who is not a member of the local administrators group
  I can execute privileged programs like regedit.exe.  If I run the Command Prompt from the Start\Accessories folder and try to run Regedit I receive an 'Access denied' message.  It appears SCCM is running with elevated privileges.
  Does SCCM run a program with elevated privileges?  How can I make a program run without elevated privileges.
  thank you for your help.

  Actually I ran into a similar issue today trying to gather info about mapped network drives and found this thread when trying to troubleshoot it.  Here's a summary of what I've done:
  I have an SCCM package set up to run a script to dump the users' mapped drives to a text file.  The program is set to run only if a user is logged on and to run in the logged on user's context.  UAC is enabled.  For users who are members of
  the local Administrators group, the resulting text file was empty, as if no drives were mapped.  Running the script manually (not via SCCM, just double-clicking the script) populated the text file with the expected results.  So the script works correctly. 
  I suspected SCCM was running the package elevated, since drives mapped in the non-elevated context aren't visible to the elevated context.
  To test, I created another package & program that runs a command I know requires elevation (ipconfig /registerdns) and pipes the output to a text file. I configured it in the same way, and for users who are in the local admin group, the text file results
  indicate that the command ran successfully (which means it ran elevated). If I take the user out of the local admin group, making no changes to the package, then run the package again, the text file results say "This command requires elevation."
  So, it appears SCCM is running with the highest elevation level for which the user has rights.  I guess this makes sense, and it's not doing anything the user wouldn't normally have rights to do, but it does cause a problem when a program needs to run
  under the user's non-elevated token.  Any suggestions?
  Thanks,
  Matt

• Which user is used to execute command defined in File Adapter?

  Hello,
  in my receiver file adapter I specified a OS command to be executed after message processing. However this command doesn't get executed. After investigation I figure out that it's because the user that is used to executed the command does not have enough authorization to run the program (It's a unix system).
  So anyone knows which user is used to execute the command? Or anyone know how to go around this security issue with OS command in Unix system?
  Thanks
  Eric

  Hi,
  As Bhavesh replied you earlier the OS command is executed by the user <sid>adm in Unix or SAPService<SID> in windows.
  Do check the note 841704 - XI File & JDBC Adapter: Operating system command.
  From Note 841704
  Also note that the command is run as user "<sid>adm" (Unix) / "SAPService<SID>" (Windows).
  Thanks
  SaNv...

• Jdeveloper JSP-Struts (which is the right way to decalre a DataSource)

  Hello to all..
  I'am developing web application for a car assicuration.
  I would like to know which is the right "connection" (jndi name) to use in my application..
  I have made a JDBC connection to my production databse...
  Then I have made a Data Source from menu (Jdeveloper -> Tools -> Embeded Oc4J -> Current workspace -> Datasources...
  Here I have created a new DataSource from "Autocreate from IDE..."...
  My Question is.. which Class name I must use?
  Default class is: com.evermind.sql.DriverManagerDataSource
  I see that there is also a: oracle.jdbc.pool.OracleConnectionPoolDataSource..
  Which Class I must select? My application is used by many users online..
  Is there any axample on oracle to see how to use JNDI connections (connection pool)..
  I'am using Jdeveloper version: 10.1.2.1.0
  best regards
  Peter

  AFAIK all connections, DataSource ones included are created by calling the DriverManager. A DataSource is a factory for Connection objects (from JavaDocs)
  If you're talking about managing connections then it depends on the application. A DataSource is great for apps that can support many clients or are multi-threaded, but may require a JNDI implementation to get to it.
  If however you have an single threaded app that hits the database in a serial fashion, then DataSource is probably an overkill.
  Dave

• Which user and which procedure takes snapshots for AWR in 10g??

  Hi, all.
  Which user and which procedure takes snapshots for AWR in 10g??
  The snapshot interval is 1 hour.
  I checked dba_scheduler_job, and dba_job.
  However, I was not able to find a job which takes a snapshot.
  On EM, I can see snapshots are being taken per one hour.
  Thanks and Regards.
  Message was edited by:
  user507290

  Dear Shmyg and VAS.
  Thanks for your reply.
  MMON takes a snapshot and stores snapshot information in DBA_HIST_** tables.
  Right??
  Does MMON have something to do with dbconsole and emagent??
  Even when I stopped dbconsole and emagent, snapshots are being taken.
  If so, what does do dbconsole and emagent??
  Thanks and Regards.
  Message was edited by:
  user507290