Authorization Schemes, User Groups
Hi Folks,
I wish to create an authorization scheme and to do so with one of the user groups I defined in
Home>Administration>Manage Application Express Users
How can I set the authorization scheme to achieve this?
Thanks for any and all help
Are you looking for apex_util.current_user_in_group
Create a new authorization scheme... PL/SQL function returning boolean
begin
if apex_util.current_user_in_group('MyGroup')
then
return TRUE;
else
return FALSE;
end if;
end;
Reference: http://apex.oracle.com/i/doc/AEAPI/apex_util014.htm
Regards,
Shijesh
Similar Messages
-
Assign Authorization in User Groups
Dear All
Please help me assign authorization to User Groups. I go to Tcode SUGR and Tcode SU10, but I can't assign authorization in User Group. Please help me step by step.
Regards, Thanks
Lannguyen
I think the only way to do it is through SU10.
-Pinkle -
How many ways we can create authorization for user groups in sap query reports
Hi Gurus, I am getting a problem when I am assigning users to user group in sap query report .The users other than created in user groups are also able to add &change the users .So please suggest me how to restrict users outside of the user group.
Please send me if u have any suggestions and useful threads.
Thank You,
Suneel Kumar.
I don't think it can be done. According to the link below 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
http://help.sap.com/saphelp_46c/helpdata/en/d2/cb3f89455611d189710000e8322d00/content.htm
Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
Use AUTHORITY-CHECK to restrict access to the database based on user.
Press F1 on AUTHORITY-CHECK to find out how to use it in the code -
What is the Advantage of creation of user group through SUGR?
Hello Masters,
As per audit requirement I have maintained user groups for different sets of users through SUGR, but I am not getting anything except differentiating users (based on group). Is there any other advantage? Can we assign a role to a user group instead of assigning it to a list of users, or can we do any mass changes to a user group by giving only the user group name?
Regards,
Nilutpal.
Dear Neels,
Apart from maintaining user groups for differentiation purposes, you can also take advantage in the following sectors:
1. Follow the http://help.sap.com/saphelp_nw04/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm link . From this you will come to know the use of user group in the authorisation area.
2. User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team.
3. The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc...
In case any issue, please feel free to reply.
Regards,
Nilutpal. -
Hi,
I wonder why in all existing users lists I know I don't see the user group they are assigned to.
I have no problem to get the users by user group (su10) but what I need is a list of all users (name,adress,...) + user group they are created in.
I have tried RSUSR002 without success.
By the way, what's the difference between "Group for Authorization" and "User Group (General)". My user groups appear in both.
Thanks in advance to help a security officer rookie.
Regards,
Julien
Hi julien,
Please have a look at BAPI_USER_GET_DETAIL. It's a function module, so execute it using se37.
i.e., SE37->BAPI_USER_GET_DETAIL->EXECUTE.
Type the userId in the Username field (in Import Parameters), then execute. Expand LogonData (in export parameters); this would display the usergroup as well.
Please award points if it is useful.
Thanks & Regards,
Santosh -
Hi I am trying to configure an authorization scheme. I am confused at the different syntax used both on here and the User Guide.
I am wanting to control access based upon groups so I am wanting to use "HTMLDB_UTIL.CURRENT_USER_IN_GROUP" function.
I have setup my "Scheme Type" to be PL/SQL Function Returning Boolean
In expression one is where I am having my problems ... this is what I have..
DECLARE VAL BOOLEAN;
BEGIN
VAL := not nvl(HTMLDB_UTIL.CURRENT_USER_IN_GROUP('Managers'), false);
END;
and I get ... "ORA-06503: PL/SQL: Function returned without value"
This is the first time I have tried to set up an authorization so I am not sure how to even do it. And based upon other posts on authorization schemes, I found these different syntaxes... Can someone help me out or explain what to do?
return wwv_flow_fnd_user_api.get_user_roles(':APP_USER') is not null; @ Re: Authorization when APP_USER = Develper or WS Administrator
Which way is right and how should I implement this....
TIA !!!
P.S. I used the "not nvl" syntax based upon the findings in this thread by Scott in his very last reply
User Groups
Justin - Try return not nvl(HTMLDB_UTIL.CURRENT_USER_IN_GROUP('Managers'), false);... and be sure you really want the NOT value of that API call.
Scott -
Authorization Scheme based on a group in LDAP?
Hi,
I would like to write an Authorization Scheme that checks whether a user (authenticated via a Authentication scheme based on LDAP) is a member of a specific group in LDAP, for access control.
I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
Thanks!
I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
Very straightforward....
However, my question now is, how would I tie this in to my authentication scheme?
One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
How would I tie these two schemes together?
Thanks in advance for any help offered.... -
Create Authorization Scheme for LDAP Groups
I have installed APEX 4.0 in my staging environment and got the LDAPS to finally work. I can now login to the application with my LAN user name and password. The only problem is so can everyone else on the LAN. So I wanted to create an authorization scheme that would only allow a certain group or groups of LDAP users into the application rather than everyone.
I am at the Create Authorization Scheme page and am kind of stuck. Has anyone done this before and can share some SQL or knowledge?
hi larosejh
If you want to do that you must write your own procedures using the dbms_ldap package. I found some code a while back that searches the LDAP. Maybe you can use this to create a function for your authentication.
DECLARE
retval PLS_INTEGER;
my_session DBMS_LDAP.session;
my_attrs DBMS_LDAP.string_collection;
my_message DBMS_LDAP.message;
my_entry DBMS_LDAP.message;
entry_index PLS_INTEGER;
my_dn VARCHAR2(256);
my_attr_name VARCHAR2(256);
my_ber_elmt DBMS_LDAP.ber_element;
attr_index PLS_INTEGER;
i PLS_INTEGER;
my_vals DBMS_LDAP.STRING_COLLECTION ;
ldap_host VARCHAR2(256);
ldap_port VARCHAR2(256);
ldap_user VARCHAR2(256);
ldap_passwd VARCHAR2(256);
ldap_base VARCHAR2(256);
BEGIN
retval := -1;
-- Please customize the following variables as needed
ldap_host := 'host';
ldap_port := '389';
-- In case of update/insert/delete need change ldap_user to other.
-- ldap_user := 'cn=orcladmin';
-- ldap_passwd:= 'welcome';
-- set User and password to NULL for anonymous user.
ldap_user := 'user';
ldap_passwd:= 'password';
ldap_base := 'CN=Users,DC=ee,DC=intern';
-- end of customizable settings
-- Start output Header--
DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
DBMS_OUTPUT.PUT('> DBMS_LDAP Search Example ');
DBMS_OUTPUT.PUT_LINE('');
DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Host ',25,' ') || ': ' || ldap_host);
DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Port ',25,' ') || ': ' || ldap_port);
-- Choosing exceptions to be raised by DBMS_LDAP library.
DBMS_LDAP.USE_EXCEPTION := TRUE;
my_session := DBMS_LDAP.init(ldap_host,ldap_port);
DBMS_OUTPUT.PUT_LINE (RPAD('> Ldap session ',25,' ') || ': ' ||
RAWTOHEX(SUBSTR(my_session,1,8)) ||
'(returned from init)');
-- bind to the directory
retval := DBMS_LDAP.simple_bind_s(my_session,
ldap_user, ldap_passwd);
DBMS_OUTPUT.PUT_LINE(RPAD('> simple_bind_s Returns ',25,' ') || ': '
|| TO_CHAR(retval));
-- issue the search
my_attrs(1) := 'dn'; -- retrieve all attributes
retval := DBMS_LDAP.search_s(my_session, ldap_base,
DBMS_LDAP.SCOPE_SUBTREE,
'objectclass=*',
my_attrs,
0,
my_message);
DBMS_OUTPUT.PUT_LINE(RPAD('> search_s Returns ',25,' ') || ': '
|| TO_CHAR(retval));
DBMS_OUTPUT.PUT_LINE (RPAD('> LDAP message ',25,' ') || ': ' ||
RAWTOHEX(SUBSTR(my_message,1,8)) ||
'(returned from search_s)');
-- count the number of entries returned
retval := DBMS_LDAP.count_entries(my_session, my_message);
DBMS_OUTPUT.PUT_LINE(RPAD('> Number of Entries ',25,' ') || ': '
|| TO_CHAR(retval));
DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
-- End output Heading --
-- get the first entry
my_entry := DBMS_LDAP.first_entry(my_session, my_message);
entry_index := 1;
-- Loop through each of the entries one by one
while my_entry IS NOT NULL loop
-- print the current entry
my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
-- DBMS_OUTPUT.PUT_LINE (' entry #' || TO_CHAR(entry_index) ||
-- ' entry ptr: ' || RAWTOHEX(SUBSTR(my_entry,1,8)));
DBMS_OUTPUT.PUT_LINE (' dn: ' || my_dn);
my_attr_name := DBMS_LDAP.first_attribute(my_session,my_entry,
my_ber_elmt);
attr_index := 1;
while my_attr_name IS NOT NULL loop
my_vals := DBMS_LDAP.get_values (my_session, my_entry,
my_attr_name);
if my_vals.COUNT > 0 then
FOR i in my_vals.FIRST..my_vals.LAST loop
DBMS_OUTPUT.PUT_LINE(' ' || my_attr_name || ' : ' ||
SUBSTR(my_vals(i),1,200));
end loop;
end if;
my_attr_name := DBMS_LDAP.next_attribute(my_session,my_entry,
my_ber_elmt);
attr_index := attr_index+1;
end loop;
my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
DBMS_OUTPUT.PUT_LINE(' --------------------------------------------------- ');
entry_index := entry_index+1;
end loop;
-- unbind from the directory
retval := DBMS_LDAP.unbind_s(my_session);
DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||
TO_CHAR(retval));
-- Start Output Footer --
DBMS_OUTPUT.PUT_LINE('Directory operation Successful .. exiting');
-- Start Output Footer --
-- Handle Exceptions
EXCEPTION
WHEN OTHERS THEN
DBMS_OUTPUT.PUT_LINE(' Error code : ' || TO_CHAR(SQLCODE));
DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
END;
/ -
Authorization to particular group of users
Hi
I have an application with two different groups A_super_user and B_user.
My question is how to create authorization for my different user groups.
When my report shows up it shows all records. What I want to achieve is to show only certain rows to B_user group and show all records to A_superuser.
Can anyone please help me to achieve this functionality to my report.
Thanks in advance.
Hi,
Thanks for your prompt response.
In that application it only shows how to apply authorization at item level.
But I want to place the authorization at record level.
In that app it shows:
create a authorization scheme and place that scheme by clicking authorization tab on each level of item.
But how could I achieve it place on the query level.
Show certain type of records if that user is employee and all records to manager.
We need to place on query level.
Ex: If there are 10 records on that report. It should show all records for the manager, but only 6 records to employees
My situation is something like this.
Thanks. -
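One way to get the row-level behaviour asked about above, as an added example that is not part of the original thread. REPORT_ROWS, its OWNER_USERNAME column and the names in_group_yn and report_rows_v are hypothetical; the group name is the one given in the question.

```sql
-- Added example, not from the thread. REPORT_ROWS and OWNER_USERNAME are
-- hypothetical names; 'A_super_user' is the group named in the question.

-- APEX_UTIL.CURRENT_USER_IN_GROUP returns a PL/SQL BOOLEAN, which a SQL
-- statement cannot test directly, so expose it as 'Y'/'N'.
create or replace function in_group_yn (p_group in varchar2)
    return varchar2
is
begin
    -- A NULL or FALSE result yields 'N', so the check fails closed.
    return case
               when apex_util.current_user_in_group(p_group) then 'Y'
               else 'N'
           end;
end in_group_yn;
/

-- Put the rule in a view so every report built on it gets the same filter,
-- instead of repeating the predicate in each region source.
create or replace view report_rows_v as
select r.*
  from report_rows r
 where r.owner_username = v('APP_USER')                       -- own rows
    or (select in_group_yn('A_super_user') from dual) = 'Y';  -- all rows
```

The report region then selects from report_rows_v; the scalar subquery lets the database evaluate the group check once per query rather than once per row.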
IDOC Scenario - User has no RFC authorization for function group EDIN
Hi all,
I'm trying to configure an IDOC scenario from ECC to XI.
RFC's, ports and destinations already configured. On WE19 I'm creating an IDOC for testing the scenario. The IDOC is sent successfully, and it stops on TRFC Monitor with error "User PIRFCUSER has no RFC authorization for function group EDIN." .
Some of you knows what authorization is needed? Basis team said the roles are the same at DEV environment, and there this scenario works fine.
Thanks for your help.
regards.
Roberti
Hi,
Check with PIRFCUSER user , that is having the right authorization or not ..
And make sure that this user is present in the system & it should not locked.
to check that user is present or not-----goto su01 of the system & check
Regards
Seshagiri -
Authorization scheme for users stored in a database table?
Hello!
I'm trying to find out how to make an authorization scheme for database users.
I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
A word of explanation:
I have a table in my database, named "USERS". Inside this table, I have the following columns:
- USERID (NUMBER)
- USERNAME (VARCHAR2(50))
- PASSWORD (VARCHAR2(50))
- EMAIL (VARCHAR2(200))
For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
What I want:
When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
I also want the UserID to be stored somewhere in the application (if possible, in an application item).
How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
Any help is greatly appreciated.
I'm trying to find out how to make an authorization scheme for database users.
I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to login to the database, for example with sqlplus.
From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select use my custom function to authenticate. Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of validate user function you could use is given below:
function validate_login (
    p_username in varchar2
  , p_password in varchar2) return boolean
is
    v_result varchar2(1);
begin
    -- USERNAME is the login-name column of the USERS table described in the
    -- question (USERID is a NUMBER)
    select null into v_result
      from USERS
     where username = p_username
       and password = p_password;
    return true;
exception
    -- no row matched the username/password pair
    when no_data_found then return false;
end validate_login;
Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
And for Application Express Account Credentials, does this mean an admin must make each new user by hand?
If you are using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
Rod West -
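The USERS table in the question keeps PASSWORD as readable text and the function above compares it directly. A variant that stores a salted PBKDF2-HMAC-SHA256 hash instead, as an added example that is not Rod West's code: the PW_SALT, PW_ITER and PW_HASH columns, the names pbkdf2_sha256 and set_password, and the iteration count are assumptions, and it needs Oracle 12c or later with EXECUTE on DBMS_CRYPTO.

```sql
-- Added example. Assumed columns on USERS in place of PASSWORD:
--   PW_SALT RAW(16), PW_ITER NUMBER, PW_HASH RAW(32)

-- First 32-byte block of PBKDF2 with HMAC-SHA256 as the PRF.
create or replace function pbkdf2_sha256 (
    p_password in varchar2,
    p_salt     in raw,
    p_iter     in number
) return raw
is
    l_key raw(32767) := utl_raw.cast_to_raw(p_password);
    l_u   raw(32);
    l_t   raw(32);
begin
    -- U1 = HMAC(password, salt || INT_32_BE(1))
    l_u := dbms_crypto.mac(utl_raw.concat(p_salt, hextoraw('00000001')),
                           dbms_crypto.hmac_sh256, l_key);
    l_t := l_u;
    -- Ui = HMAC(password, U(i-1)); the result is U1 xor U2 xor ... xor Uc
    for i in 2 .. p_iter loop
        l_u := dbms_crypto.mac(l_u, dbms_crypto.hmac_sh256, l_key);
        l_t := utl_raw.bit_xor(l_t, l_u);
    end loop;
    return l_t;
end pbkdf2_sha256;
/

-- Store a new password: fresh random salt per user, never the password itself.
create or replace procedure set_password (
    p_username in varchar2,
    p_password in varchar2
)
is
    l_salt raw(16) := dbms_crypto.randombytes(16);
    l_iter constant number := 100000;  -- constructed value; tune to the server
    l_hash raw(32);
begin
    l_hash := pbkdf2_sha256(p_password, l_salt, l_iter);
    update users
       set pw_salt = l_salt, pw_iter = l_iter, pw_hash = l_hash
     where username = p_username;
end set_password;
/

-- Same signature as the function in the answer, so it can be used as the
-- custom authentication function.
create or replace function validate_login (
    p_username in varchar2,
    p_password in varchar2
) return boolean
is
    l_salt raw(16);
    l_iter number;
    l_hash raw(32);
begin
    if p_password is null then
        return false;  -- an empty key cannot be passed to DBMS_CRYPTO.MAC
    end if;
    select pw_salt, pw_iter, pw_hash
      into l_salt, l_iter, l_hash
      from users
     where username = p_username;
    -- UTL_RAW.COMPARE returns 0 when the two values are identical
    return utl_raw.compare(pbkdf2_sha256(p_password, l_salt, l_iter), l_hash) = 0;
exception
    when no_data_found then return false;
end validate_login;
/
```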
Implement an authorization scheme using to check users
Hello,
I want to implement an authorization scheme for my application in which I want to
give access to only three users to view my application. Can anyone help me with what my PL/SQL expression would be?
something like :APP_USER in ('R123','Y7654','TY7890')
can anyone help me with what type of scheme I need to create??
thanks,
orton
Hi,
I have exactly similar application for my organisation with SSO organisation, but the application need to be accessed only by my TEAM members
What I did is I created a user table.. that will hold the user detail like email id, etc..
after that i went to shared component -> Security -> authorization scheme
Clicked on create button to create new authorization scheme..
Selected From scratch option .
Give a name to the authorization scheme.. i named is as VALID USERS
Scheme type - select Exists SQL Query
then in expression 1 i entered
select * from user_table where upper(user_email_id) = upper(:APP_USER)
and in error message enter ...Unauthorized USER.
Regards,
Shijesh -
User has no authorization for function group SWRS
Dear SRM Gurus,
We are facing an issue "User has no authorization for function group SWRS".
Hope the user has no authorization to access function group SWRS and this function group is saying that workflow substitution.
Can you any one have any idea what scenario are we using Workflow substitution?
Is there any Roles need to be assigned?
I would be appreciating if you could let us know more detail on this.
Thanks.
Regards,
Magesh Basavaraj.
Hi,
The authorization object is 'S_WF_SUBST' for substitute role..try to assign this object and check..
Saravanan -
User has no authorization for Function group SYST
Hi,
We are starting to make customisation to B2B application. I have just created a new project for B2B_XXXX application and deployed it on the server. When I run this custom application, I am not able to login using the same user that is working fine for the standard B2B application.
Following is the error I am getting
ERROR 1 - RFC_ERROR_LOGON_FAILURE: User INTUSER05 has no RFC authorization for function group SYST
ERROR 2- The application was not able to switch to a stateful connection......
Strange thing is that the same user works very well for standard B2B.
Any clue? All I have done is created a CUSTCRMPRJ for B2B ERP (SHRWEB, SHRAPP). Please help.
Best regards,
-Tarun
Edited by: Tarun Bakshi on Nov 10, 2011 7:37 PM
Hi Shanto,
The problem is still occurring. Even if I give s_rfc authorisation the order is not being created.
I compared the source code for b2b and b2b_custom application, I have pasted below the component info
sap.com CORE-TOOLS 7.00 SP14 (1000.7.00.14.0.20071210170909) SAP AG SAP AG 20080125132852
sap.com SAP_JTECHF 7.00 SP14 (1000.7.00.14.0.20071210172424) SAP AG SAP AG 20080125132853
sap.com BASETABLES 7.00 SP14 (1000.7.00.14.0.20071210170411) SAP AG SAP AG 20080125132853
sap.com SAP-JEECOR 7.00 SP14 (1000.7.00.14.0.20071210172300) SAP AG SAP AG 20080125132852
sap.com JLOGVIEW 7.00 SP14 (1000.7.00.14.0.20071210160700) SAP AG SAP AG 20080125132853
sap.com SAP-JEE 7.00 SP14 (1000.7.00.14.0.20071210172039) SAP AG SAP AG 20080125132853
sap.com SAP_JTECHS 7.00 SP14 (1000.7.00.14.0.20071210172719) SAP AG SAP AG 20080125133813
sap.com BI_UDI 7.00 SP14 (1000.7.00.14.0.20071210170522) SAP AG SAP AG 20080125133909
sap.com BI_MMR 7.00 SP14 (1000.7.00.14.0.20071210170459) SAP AG SAP AG 20080125133230
sap.com UMEADMIN 7.00 SP14 (1000.7.00.14.0.20071210164800) SAP AG MAIN_APL70VAL_C 20080125140341
sap.com LM-TOOLS 7.00 SP14 (1000.7.00.14.1.20080124101556) SAP AG MAIN_APL70P14_C 20080125134809
sap.com SAP-SHRWEB 6.0 SP0 (1000.6.0.0.2.20080129095806) SAP AG MAIN_CRM70PAT_C 20110608153828
sap.com SAP-SHRAPP 6.0 SP0 (1000.6.0.0.2.20080128172843) SAP AG MAIN_CRM70PAT_C 20110608154506
b2b_custom application has been created by using code from the following SCs that were added to the track
SAPSHRWEB10_7-20003522.SCA
SAPSHRAPP10_7-20003520.SCA
SAPCRMWEB10_7-20003518.SCA
SAPCRMAPP10_7-20003516.SCA
SAPCRMDIC10_0-20003519.SCA
STRUTS01_0-10003646.SCA
SAPIPCMSA10_0-20003515.SCA
SAPCRMJAV10_7-20003517.SCA
SAPSHRJAV10_7-20003521.SCA
TEALEAF00_0-20001451.SCA
SAPBUILDT14_0-10003479.SCA
Any help would be great... -
UWL : User J2EE_ADMIN has no RFC authorization for function group SYST
Dear All,
When I am trying to register the system in universal Worklist Administration, It gives the following error,
System <>: Fri Jul 11 18:58:11 IST 2008
(Connector) :com.sap.netweaver.bc.uwl.connect.ConnectorException:Fri Jul 11 18:58:11 IST 2008
(Connector) :com.sap.mw.jco.JCO$Exception:User J2EE_ADMIN has no RFC authorization for function group SYST.
I have tried by giving the role SAP_ALL to J2EE_ADMIN, then also I am getting the same error. Can anybody throw some light on this....
Helpful tips will be rewarded...
Sanoj
Sanoj,
check these threads
https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5489621
https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5267551
https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5636365
reward points if helpful