Authorization -- Roles
Hi All,
We are moving our application from Oracle Forms to Apex. I am basically a forms developer and I didn't understand the authorization/roles in Apex.
For example, in our database we have 2 roles: app_lookup (privs - insert, update, delete, select) and app_guest (privs - select). And we use database authentication for Forms. If we have 2 end users, Super with role app_lookup and Operator with role app_guest, and I want to implement the database roles, how can it be done in Apex?
End user Super (with all privs) needs to update/delete/insert/select in Apex.
End user Operator (with only the select priv) needs to select particular tables/pages in Apex.
Could someone throw some light on how this can be done in Apex?
thank you
rajesh
"user596620",
You can go to your control panel and give us your real name, or at least something easier than "user596620".
Why do I think Database Authentication is a dying trend?
- LDAP directories were designed from the ground-up to store information like Authentication and Authorization data.
- Almost every technology out there can use LDAP as an Authentication source.
- There are only a few technologies that can use the DB for an authentication source. What if your users don't want to have a separate username / password for their APEX apps than their email account? You're out of luck.
- Databases were never designed as user repositories. It's a square peg in a round hole.
- Mixing data schemas and user accounts in a database is a mess to maintain. It's often difficult to tell them apart. Which ones contain sensitive data, which ones are just users?
- There are only a few attributes that you can store in a database "user". If you want to store phone, email, certificate, etc, you have to create your tables for it.
- If end users have accounts in a database, it's that much easier for them to connect with third-party tools and start poking around.
- There is no concept of delegated administration with a database. How do you give someone the ability to manage all users in a particular group?
- Managing roles and privs for thousands of database user accounts is a nightmare. It's much easier in a web environment to assign select / execute privs to the account used by the web application, vs all of the users accessing the application.
- Onboarding / off-boarding / auditing accounts scattered throughout a bunch of databases is impossible vs creating / deleting / auditing all accounts and groups (roles) in a single LDAP directory.
I'm probably missing a lot of points here, so I may ask someone on the Identity Management side of things to chime in.
Tyler
Similar Messages
-
Can I get a list of users who have a specific authorization role?
Hello,
I'm wondering if there is a BAPI or FM that takes as input a single authorization role and gives me back a list of all users who have that role?
Thx.
Andy Jacobs
hi,
please check the below FM
'PRGN_1001_READ_USER_ASSIGNMENT'
jaffer,
Please reward the helpful answers.
-
Report on Positions directly linked to Authorization roles
Hello All,
Is there a report in SAP which can tell us which positions are assigned to Authorization roles or which Users are directly assigned to Authorization roles rather than through their Positions?
If not a report is there way we can find it out?
Regards,
Ahmad
No Standard report available to show Positions directly linked to Authorization roles
-
How to achieve logical operator on [Authorize(Roles = ] in MVC
For example, I need to make a controller accessible to a user with two roles, "Admin" and "Editor". How can I achieve it?
[Authorize(Roles = "Admins")]
public class SampleController : BaseController
How to do logical operator, such as AND and OR (maybe || and &&)
Thanks!
Hello klouapple,
Please post your question to ASP.NET forum instead of here.
Best regards,
Barry
-
Urgent - create Standard Authorization Roles
Hi experts,
we urgently need to establish some basic roles for our key users and basic users, so they can create/run BeX querys and workbooks as part of the Test User's phase.
Based on several posts in SDN we have seen that a valid role template would be S_RS_RREDE for key users and S_RS_RREPU for normal users.
However, I cannot find those roles either in tx PFCG or in the Business Content.
What am I missing? How can I find those template roles (or any other that can apply)?
Thanks and best regards,
Enric
have you followed these instructions:
For 3.x authorizations:
Roles in BW (Authorization Objects)
for 7.0 authorizations :
/thread/509708 [original link is broken]
here you find a good Authorization Objects Overview:
http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
Use TA PFCG to create a new role. http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6866e07211d2acb80000e829fbfe/frameset.htm
-
Replicating authorization roles via HR replication from ECC 6 to SRM 5.0
Hi,
I'm interested in knowing whether anyone has used the distribution model to copy roles (AG objects) between ECC 6 and SRM 5.0.
Someone said that it's possible so I would like to validate that statement as I don't know whether it is possible and practical.
If you have any knowledge or experience could you please share it?
Regards,
Jerry
Hello Yann,
I was told that it can be done but I don't know enough about the HR replication process to acknowledge or challenge, hence the question.
Are you implying that it's not possible or simply that it's not done?
I had an earlier post regarding assigning roles to positions in SRM Replicating authorization roles via HR replication from ECC 6 to SRM 5.0 that you replied to but never replied to my subsequent question. It can be done because one of my other clients is doing it. We're however unable to get it work at my current client's site. Do you have any experience with this subject?
Regards,
Jerry
-
How to create authorization role for just displaying query prefix Q and X.
Hi Expert,
I hope someone can help me on how to create authorization role for just displaying and executing BEX Queries prefix Q and X. I'm currently using SAP BI 7.1.
Actually, I already created one role called : Z_FORINDO_ONLYDISPLAY_QX
where I only put in the Authorization Component (in the Role Maintenance - Tcode 'pfcg'):
-->Manually Business Information Warehouse
--> Manually Business Explorer - Components
Activity : Display, Execute, Enter, Include, Assign
InfoArea : *
InfoCube : *
Name(ID) of a reporting component : *
Type of a reporting component : Calculated key figure, Restricted key figure, Template structure
--> Manually Business Explorer - Components
Activity : Display, Execute
InfoArea : *
InfoCube : *
Name(ID) of a reporting component : Q* , X*
Type of a reporting component : Query
But the problem is that I can still make changes to those queries (Q* and X*). I can even still run queries with prefix Z. I use the S_RS_RREPU template for query display and execution.
Please assist. Very much appreciate your help. Thanks.
Edited by: nadiyah salleh on Mar 18, 2008 11:22 AM
Question closed. This issue has been resolved.
-
After BI 7.0 Upgrade, Authorization Roles and profiles are not visible
Hi Gurus,
We have an issue where authorization roles and profiles are not visible for all end users with the new BEx Analyzer (BI 7.0) tool. But they can still see these roles with the old BEx Analyzer (BEx 3.5) tool.
As a developer I have SAP_ALL access and I can see all authorization roles in the new BEx Analyzer (BI 7.0).
I verified user access in SU01 and everyone is assigned their roles and they are green.
Do we need to add any new authorization object to fix this issue, please let me know
Thanks and appreciate your help.
Thanks
Ganesh Reddy.
Edited by: Ganesh Reddy on Oct 26, 2009 4:41 PM
Hi Ganesh,
check the behaviour, if you assign
S_USER_AGR
ACT_GROUP = "..name of the assigned role.."
ACTVT = 03 (for "display")
b.rgds,
Bernhard
-
Assign queries to authorization role via PFCG maintenace
Hi,
I would like to assign several queries to existing authorization roles.
Therefore I am using the transaction PFCG > maintain the menu > add "other" SAP BW Query URL and fill in the name as well as object description.
However, the new query will not be shown in the BEx Analyzer in the role folder.
What do I have to administrate that the query will be shown in the role menu (BEx Analyzer)?
Thanks!
Dear Arvind,
thanks for your reply.
As an authorization administrator for SAP BI I do have the authorization for S_USER_AGR already.
I am just testing in our development system.
However, the query will not appear in the BEx Analyzer while selecting "Open Query" and search in "Roles".
As far as I know queries could be provided to authorization roles via BEx Analyzer.
But does no possibility exist to maintain the authorization role via PFCG?
Regards, Christian
-
What authorization-roles for user login (java stack)
Hello SAP-Fans ,
which authorization role needs to be assigned to the users for logging into a java-stack on port 50.000?
We always get the error-message: "Error 403 forbidden, You are not authorized to view the requested resource."
I know this is a beginner's question. Java is completely new to us.
Thanks in advance
Danny Winn
Hi Danny,
Welcome to SDN,
Log on to the portal with the user Administrator, go to User Administration and create a user for yourself by assigning the Super Admin Role.
The portal URL must be http://<host.fqdn>:50XX0/irj/portal where XX is the system number, in this case 00.
You will be able to see all the SAP standard roles at the user admin tab.
regards
Juan
Please reward with points if helpful
-
Transport Release frequency for Authorization Roles
Hi,
At my present customer all system changes are transported via release management. The current frequency of releases is 2 times a year. This includes SAP support packages, customizing, abap AND authorization roles.
Now I would like to establish a different, quicker release 'speed' for authorization roles only (f.i. once a week).
I already motivated my request with many reasons (role changes can be considered as master data changes; the lack of speed leads to insecure 'workarounds'; role management issues are 'redesigned' to user management issues; etc.) but what I am still looking for are reference documents, best practices, audit reports in which the same advice is described.
Could you please help me with my quest?
Thank you!
Kind regards,
Lodewijk
Hi Lodewijk,
I agree that it is useful to define a specific schedule for transporting roles as opposed to the schedule for updating the software; however, I do not have a document describing a best practice. Anyway, the following link may help you to convince the management that you can set up a process including 4-eyes checks on the transports:
[TMS Quality Assurance|http://help.sap.com/saphelp_nw70ehp2/helpdata/en/9c/a544c6c57111d2b438006094b9ea64/frameset.htm]
Using this process you would accept only transports which contain roles (R3TR ACGR...).
Kind regards
Frank
-
Authorizations analysis versus Authorizations roles
Hello All,
I try to understand how to manage BW authorizations in the best way. I'm confused with authorizations analysis we set up in transaction RSECADMIN and authorizations object available in authorizations roles.
I have got some questions :
1-Do we have to use both ? My tests shows that I have to declare a cube within analysis authorization using object 0TCAIPROV and I have also to update role with object S_RS_COMP for RSINFOCUBE.
2-What are the list of all existing analysis authorisation object ?
Thanks for your help
Regards
Catherine
Hi Catherine,
1)
S_RS_COMP gives you the option to only change the object and has nothing to do with reading the data from the infoprovider. This is maintained by the Basis team for the users to create and do the developments in Business Explorer.
So if you want a user to work on a particular infocube only, like using that infocube to create queries etc. in Business Explorer, then you should give the cube name here.
Generally it is kept as *.
You have to maintain the user profile to read the data from the respective cubes.
This has to be done by creating an authorization object (e.g. ZAUTH1) and providing the values for 0TCAIPROV there.
No need to add 0TCAIPROV to the cubes.
Once the authorization object is created you need to assign it to a role and then this role should be assigned to the user.
2)
Some are here
Authorization for Analysis Process RSANPR
Data Warehousing Workbench - Objects S_RS_ADMWB
BI Analysis Authorizations in Role S_RS_AUTH
Business Explorer - BEx Reusable web items (NW 7.0+) S_RS_BITM
Business Explorer - BEx Web Templates (NW 7.0+) S_RS_BTMP
Business Explorer - Components S_RS_COMP
Business Explorer - Components: Enhancements to the Owner S_RS_COMP1
Data Warehousing Workbench - DataSource (Release > BW 3.x) S_RS_DS
Data Warehousing Workbench - Data Transfer Process S_RS_DTP
Data Warehousing Workbench - Hierarchy S_RS_HIER
Data Warehousing Workbench - InfoCube S_RS_ICUBE
Data Warehousing Workbench - InfoObject Catalog S_RS_IOBC
Data Warehousing Workbench - InfoObject S_RS_IOBJ
Data Warehousing Workbench - Maintain Master Data S_RS_IOMAD
Data Warehousing Workbench - InfoSet S_RS_ISET
Data Warehousing Workbench - InfoSource (Release > BW 3.x) S_RS_ISNEW
Data Warehousing Workbench - InfoSource (Flexible Update) S_RS_ISOUR
Data Warehousing Workbench - InfoSource (Direct Update) S_RS_ISRCM
Data Warehousing Workbench - DataStore Object S_RS_ODSO
Data Warehousing Workbench - Open Hub Destination S_RS_OHDST
Data Warehousing Workbench - Process Chains S_RS_PC
Data Warehousing Workbench - Transformation S_RS_TR
You can find these values in the table
RSECVAL.
Thanks
Ajeet
-
How to upload authorization role & profile to PFCG
I have downloaded the authorization role & profile from PFCG at client 100.
How to upload the authorization role & profile to SAP client 200?
check with your basis guys once
generally it will be done by them, check with them once
-
Authorization,roles,profiles
I want to know how authorizations, roles and profiles will be created...
and the hierarchy of the above 3 (authorization, roles, profiles)
can anyone help me in getting the documents
Hi,
The commonly used t-code for the above is
PFCG to create the role. Here we can assign the role to a user also.
You can see the same in SU01 t-code.
In PFCG we create the role and it will ask for a profile name.
Basically it contains the authorization object.
In BW we had the RSSM t-code, now we have RSECADMIN in BI.
RSECADMIN is basically used to create the auth object.
For example: if you want to restrict users to see their
company code data then you need to create an auth object for company code
and give access to users according to their requirement, i.e.
you need to add this auth object to their respective role.
Thanks,
Saveen Kumar
Edited by: saveen kumar on Jan 10, 2011 7:47 AM
-
Required Authorization Role for E-commerce manager
Hi ,
Could you please tell me the required Authorization Role for E-commerce manager and catalog administrator?
Thanks.
Regards,
PV
SAP_CRM_ECO_ISA_WU_B2B_FULL CRM-ECO: ISA Internet User (Full Document Authorization) ISA_B2B_FULL
SAP_CRM_ISA_UA_SUPERUSER Internet Sales User Administration Authorizations Superuser
SAP_CRM_ISA_WEBSHOP_MANAGER Authorizations for the Internet Sales Web shop Manager Webshop Manager
SAP_CRM_ECO_ISA_WU_B2C Internet User for B2C