Authorization Schemes, User Groups

Hi Folks,
I wish to create an authorization scheme and to do so with one of the user groups I defined in
Home>Administration>Manage Application Express Users
How can I set the authorization scheme to achieve this?
Thanks for any and all help

Are you looking for apex_util.current_user_in_group?
Create a new authorization scheme... PL/SQL function returning boolean
begin
    if apex_util.current_user_in_group('MyGroup')
    then
        return TRUE;
    else
        return FALSE;
    end if;
end;
Reference: http://apex.oracle.com/i/doc/AEAPI/apex_util014.htm
Regards,
Shijesh

Similar Messages

  • Assign Authorization in User Groups

    Dear All
    Please help me , assign authorization User Groups . I go Tcode : SUGR and Tcode : SU 10 but i can't assign authorization in User Group , please help me step by step
    Regard , Thanks
      Lannguyen

    I think only way to do it through SU10.
    -Pinkle

  • How many ways we can create authorization for user groups in sap query reports

    Hi Gurus, I am getting a problem when I am assigning users to user group in sap query report .The users other than created in user groups are also able to add &change  the users .So please suggest me how to restrict users outside of the user group.
    Please send me if you have any suggestions and useful threads.
    Thank You,
    Suneel Kumar.

    I don't think it can be done. According to the link below 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
    http://help.sap.com/saphelp_46c/helpdata/en/d2/cb3f89455611d189710000e8322d00/content.htm
    Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
    Use AUTHORITY-CHECK to restrict access to the database based on user.
    Press F1 on AUTHORITY-CHECK to find out how to use it in the code

  • What is the Advantage of creation of user group through SUGR?

    Hello Masters,
    As per audit requirement I have maintained user groups for different sets of users through SUGR, but I am not getting except differentiating users (based on group), is there any other advantage? Can we assign role to a user group instead of assigning to list of users or can we do any mass changes to a user group by giving only user group name.
    Regards,
    Nilutpal.

    Dear Neels,
    Apart from maintaining user group for differentiation purpose you can also take the advantage on the following sectors:
    1. Follow the http://help.sap.com/saphelp_nw04/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm link . From this you will come to know the use of user group in the authorisation area.
    2. User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team. 
    3. The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc... 
    In case any issue, please feel free to reply.
    Regards,
    Nilutpal.

  • List of users with user group

    Hi,
    I wonder why in all existing users lists I know I don't see the user group they are assigned to.
    I have no problem to get the users by user group (su10) but what I need is a list of all users (name,adress,...) + user group they are created in.
    I have tried RSUSR002 without success.
    By the way, what's the difference between "Group for Authorization" and "User Group (General)". My user groups appear in both.
    Thanks in advance to help a security officer rookie.
    Regards,
    Julien

    Hi julien,
    Please have a look at BAPI_USER_GET_DETAIL. It's a function module so execute it using se37.
    i.e., SE37->BAPI_USER_GET_DETAIL->EXECUTE.
    Type the userId in the Username field (In Import Parameters), then execute. Expand LogonData (In export parameters), this would display the usergroup as well.
    Please award points if it is useful.
    Thanks & Regards,
    Santosh

  • Authorization & User Groups

    Hi I am trying to configure an authorization scheme. I am confused at the different syntax used both on here and the User Guide.
    I am wanting to control access based upon groups so I am wanting to use "HTMLDB_UTIL.CURRENT_USER_IN_GROUP" function.
    I have setup my "Scheme Type" to be PL/SQL Function Returning Boolean
    In expression one is where I am having my problems ... this is what I have..
    DECLARE VAL BOOLEAN;
    BEGIN
    VAL := not nvl(HTMLDB_UTIL.CURRENT_USER_IN_GROUP('Managers'), false);
    END;
    and I get ... "ORA-06503: PL/SQL: Function returned without value"
    This is the first time I have tried to set up an authorization so I am not sure how to even do it. And based upon other posts on authorization schemes, I found these different syntaxes... Can someone help me out or explain what to do?
    return wwv_flow_fnd_user_api.get_user_roles(':APP_USER') is not null; @ Re: Authorization when APP_USER = Develper or WS Administrator
    Which way is right and how should I implement this....
    TIA !!!
    P.S. I used the "not nvl" syntax based upon the findings in this thread by Scott in his very last reply
    User Groups

    Justin - Try
    return not nvl(HTMLDB_UTIL.CURRENT_USER_IN_GROUP('Managers'), false);
    ... and be sure you really want the NOT value of that API call.
    Scott

  • Authorization Scheme based on a group in LDAP?

    Hi,
    I would like to write an Authorization Scheme that checks whether a user (authenticated via a Authentication scheme based on LDAP) is a member of a specific group in LDAP, for access control.
    I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
    Thanks!

    I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
    http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
    Very straightforward....
    However, my question now is, how would I tie this in to my authentication scheme?
    One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
    How would I tie these two schemes together?
    Thanks in advance for any help offered....

  • Create Authorization Scheme for LDAP Groups

    I have installed APEX 4.0 in my staging environment and got the LDAPS to finally work. I can now login to the application with my LAN user name and password. The only problem is so can everyone else on the LAN. So I wanted to create an authorization scheme that would only allow a certain group or groups of LDAP users into the application rather than everyone.
    I am at the Create Authorization Scheme page and am kind of stuck. Has anyone done this before and can share some SQL or knowledge?

    hi larosejh
    If you want to do that you must write your own procedures using the dbms_ldap package. I found some code a while back that searches the LDAP. Maybe you can use this to create a function for your authentication.
    DECLARE
        retval       PLS_INTEGER;
        my_session   DBMS_LDAP.session;
        my_attrs     DBMS_LDAP.string_collection;
        my_message   DBMS_LDAP.message;
        my_entry     DBMS_LDAP.message;
        entry_index  PLS_INTEGER;
        my_dn        VARCHAR2(256);
        my_attr_name VARCHAR2(256);
        my_ber_elmt  DBMS_LDAP.ber_element;
        attr_index   PLS_INTEGER;
        i            PLS_INTEGER;
        my_vals      DBMS_LDAP.STRING_COLLECTION;
        ldap_host    VARCHAR2(256);
        ldap_port    VARCHAR2(256);
        ldap_user    VARCHAR2(256);
        ldap_passwd  VARCHAR2(256);
        ldap_base    VARCHAR2(256);
    BEGIN
        retval := -1;
        -- Please customize the following variables as needed
        ldap_host := 'host';
        ldap_port := '389';
        -- In case of update/insert/delete need change ldap_user to other.
        -- ldap_user := 'cn=orcladmin';
        -- ldap_passwd:= 'welcome';
        -- set User and password to NULL for anonymous user.
        ldap_user := 'user';
        ldap_passwd := 'password';
        ldap_base := 'CN=Users,DC=ee,DC=intern';
        -- end of customizable settings
        -- Start output Header--
        DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
        DBMS_OUTPUT.PUT('> DBMS_LDAP Search Example ');
        DBMS_OUTPUT.PUT_LINE('');
        DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Host ',25,' ') || ': ' || ldap_host);
        DBMS_OUTPUT.PUT_LINE(RPAD('> LDAP Port ',25,' ') || ': ' || ldap_port);
        -- Choosing exceptions to be raised by DBMS_LDAP library.
        DBMS_LDAP.USE_EXCEPTION := TRUE;
        my_session := DBMS_LDAP.init(ldap_host,ldap_port);
        DBMS_OUTPUT.PUT_LINE (RPAD('> Ldap session ',25,' ') || ': ' ||
            RAWTOHEX(SUBSTR(my_session,1,8)) ||
            '(returned from init)');
        -- bind to the directory
        retval := DBMS_LDAP.simple_bind_s(my_session,
            ldap_user, ldap_passwd);
        DBMS_OUTPUT.PUT_LINE(RPAD('> simple_bind_s Returns ',25,' ') || ': '
            || TO_CHAR(retval));
        -- issue the search
        my_attrs(1) := 'dn'; -- attribute list to request
        retval := DBMS_LDAP.search_s(my_session, ldap_base,
            DBMS_LDAP.SCOPE_SUBTREE,
            'objectclass=*',
            my_attrs,
            0,
            my_message);
        DBMS_OUTPUT.PUT_LINE(RPAD('> search_s Returns ',25,' ') || ': '
            || TO_CHAR(retval));
        DBMS_OUTPUT.PUT_LINE (RPAD('> LDAP message ',25,' ') || ': ' ||
            RAWTOHEX(SUBSTR(my_message,1,8)) ||
            '(returned from search_s)');
        -- count the number of entries returned
        retval := DBMS_LDAP.count_entries(my_session, my_message);
        DBMS_OUTPUT.PUT_LINE(RPAD('> Number of Entries ',25,' ') || ': '
            || TO_CHAR(retval));
        DBMS_OUTPUT.PUT_LINE('+++++++++++++++++++++++++++++++++++++++++++++++++++');
        -- End output Heading --
        -- get the first entry
        my_entry := DBMS_LDAP.first_entry(my_session, my_message);
        entry_index := 1;
        -- Loop through each of the entries one by one
        while my_entry IS NOT NULL loop
            -- print the current entry
            my_dn := DBMS_LDAP.get_dn(my_session, my_entry);
            -- DBMS_OUTPUT.PUT_LINE (' entry #' || TO_CHAR(entry_index) ||
            -- ' entry ptr: ' || RAWTOHEX(SUBSTR(my_entry,1,8)));
            DBMS_OUTPUT.PUT_LINE (' dn: ' || my_dn);
            my_attr_name := DBMS_LDAP.first_attribute(my_session,my_entry,
                my_ber_elmt);
            attr_index := 1;
            while my_attr_name IS NOT NULL loop
                my_vals := DBMS_LDAP.get_values (my_session, my_entry,
                    my_attr_name);
                if my_vals.COUNT > 0 then
                    FOR i in my_vals.FIRST..my_vals.LAST loop
                        DBMS_OUTPUT.PUT_LINE(' ' || my_attr_name || ' : ' ||
                            SUBSTR(my_vals(i),1,200));
                    end loop;
                end if;
                my_attr_name := DBMS_LDAP.next_attribute(my_session,my_entry,
                    my_ber_elmt);
                attr_index := attr_index+1;
            end loop;
            my_entry := DBMS_LDAP.next_entry(my_session, my_entry);
            DBMS_OUTPUT.PUT_LINE(' --------------------------------------------------- ');
            entry_index := entry_index+1;
        end loop;
        -- unbind from the directory
        retval := DBMS_LDAP.unbind_s(my_session);
        DBMS_OUTPUT.PUT_LINE(RPAD('unbind_res Returns ',25,' ') || ': ' ||
            TO_CHAR(retval));
        -- Start Output Footer --
        DBMS_OUTPUT.PUT_LINE('Directory operation Successful .. exiting');
        -- End Output Footer --
    -- Handle Exceptions
    EXCEPTION
        WHEN OTHERS THEN
            DBMS_OUTPUT.PUT_LINE(' Error code : ' || TO_CHAR(SQLCODE));
            DBMS_OUTPUT.PUT_LINE(' Error Message : ' || SQLERRM);
            DBMS_OUTPUT.PUT_LINE(' Exception encountered .. exiting');
    END;
    /
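The two LDAP threads above both ask how to restrict an LDAP-authenticated application to directory group members. One way to do it with the APEX_LDAP.IS_MEMBER function linked earlier, as an added example that is not code from either thread: the authentication scheme sets :APP_USER, and the authorization scheme passes that name to the membership check. The host, base DNs and group names are placeholders, and the example assumes the directory allows the membership lookup without the user's password, which is not available when an authorization scheme runs.

```sql
-- Added example: body of an authorization scheme of type
-- "PL/SQL Function Returning Boolean".
-- Host, base DNs and group names are placeholders, not values from the thread.
declare
    -- Groups whose members may use the application (placeholder names).
    l_groups sys.odcivarchar2list :=
        sys.odcivarchar2list('APEX_APP_USERS', 'APEX_APP_ADMINS');
begin
    for i in 1 .. l_groups.count loop
        if apex_ldap.is_member(
               p_username   => :APP_USER,   -- set by the LDAP authentication scheme
               p_pass       => null,        -- assumption: lookup allowed without the user's password
               p_auth_base  => 'cn=Users,dc=example,dc=com',
               p_host       => 'ldap.example.com',
               p_port       => 636,
               p_use_ssl    => 'A',         -- SSL with the server certificate checked via the Oracle wallet
               p_group      => l_groups(i),
               p_group_base => 'cn=Groups,dc=example,dc=com')
        then
            return true;
        end if;
    end loop;
    return false;                           -- member of none of the groups
exception
    when others then
        return false;                       -- directory errors deny access instead of granting it
end;
```

Attach the scheme at application level so every page is covered, not only the pages where someone remembered to select it.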

  • Authorization to particular group of users

    Hi
    I have an application with two different groups A_super_user and B_user.
    I question is how to create authorization to my different user groups.
    When my report shows up it shows all records. What I want to achieve is to show only certain rows to B_user group and show all records to A_superuser.
    Can anyone please help me to achieve this functionality to my report.
    Thanks in advance.

    Hi,
    Thanks for your prompt response.
    In that application it only shows how to apply authorization at item level.
    But I want to place the authorization at record level.
    In that app it shows:
    create a authorization scheme and place that scheme by clicking authorization tab on each level of item.
    But how could I achieve it place on the query level.
    Show certain type of records if that user is employee and all records to manager.
    We need to place on query level.
    Ex: If there are 10 records on that report. It should show all records for the manager, but only 6 records to employees
    My situation is something like this.
    Thanks.
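One way to apply the restriction at query level, as an added example that is not part of the original thread: APEX_UTIL.CURRENT_USER_IN_GROUP returns a PL/SQL BOOLEAN, which cannot be used directly in a SQL WHERE clause, so a small wrapper converts it to 'Y'/'N'. The ORDERS table, its columns and the wrapper name in_group_yn are hypothetical; the group names are the ones from the question.

```sql
-- Added example. ORDERS, its columns and in_group_yn are hypothetical names.
create or replace function in_group_yn (p_group in varchar2)
    return varchar2
is
begin
    -- NULL (no APEX session, unknown group) counts as "not a member",
    -- so the row filter fails closed.
    if nvl(apex_util.current_user_in_group(p_group), false) then
        return 'Y';
    end if;
    return 'N';
exception
    when others then
        return 'N';   -- a lookup error hides rows rather than exposing them
end in_group_yn;
/

-- Region source for the report.
-- A_super_user sees every row; B_user sees only rows they created;
-- a user in neither group sees nothing.
-- The scalar subqueries let the database evaluate each group check once
-- per execution instead of once per row.
select o.order_id, o.customer, o.amount, o.created_by
  from orders o
 where (select in_group_yn('A_super_user') from dual) = 'Y'
    or (    (select in_group_yn('B_user') from dual) = 'Y'
        and o.created_by = :APP_USER);
```

Because the filter lives in the query, it also applies to report downloads and any other output generated from the same region source.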

  • IDOC Scenario - User  has no RFC authorization for function group EDIN

    Hi all,
    I'm trying to configure an IDOC scenario from ECC to XI.
    RFC's, ports and destinations already configured. On WE19 I'm creating an IDOC for testing the scenario. The IDOC is sent successfully, and it stops on TRFC Monitor with error "User PIRFCUSER has no RFC authorization for function group EDIN." .
    Some of you knows what authorization is needed? Basis team said the roles are the same at DEV environment, and there this scenario works fine.
    Thanks for your help.
    regards.
    Roberti

    Hi,
    Check with PIRFCUSER user , that is having the right authorization or not ..
    And make sure that this user is present in the system & it should  not locked.
    to check that user is present or not-----goto su01 of the system & check
    Regards
    Seshagiri

  • Authorization scheme for users stored in a database table?

    Hello!
    I'm trying to find out how to make an authorization scheme for database users.
    I first made an authentication scheme for my current application, I named it "Authentication for database accounts", and the scheme type is "Database Accounts".
    A word of explanation:
    I have a table in my database, named "USERS". Inside this table, I have the following columns:
    - USERID (NUMBER)
    - USERNAME (VARCHAR2(50))
    - PASSWORD (VARCHAR2(50))
    - EMAIL (VARCHAR2(200))
    For this question, I'll take an example user. The username is USER and the password is USER. Email and UserID don't matter here, but let's just say the UserID is 1.
    What I want:
    When you go to the application, and you are requested to log in (page 101), then I want a user to be able to log in with the data that has been stored in the USERS table.
    So, on the login page, the user will enter USER as username, and USER as password. The authorization scheme then needs to check whether or not this username and password match the data in the USERS table. If it does, then it must sign the user in with the credentials the user entered (those being USER and USER).
    I also want the UserID to be stored somewhere in the application (if possible, in an application item).
    How do I do this? I've never made an authorization scheme before... I'm not too good with PL/SQL either, but I'm working on that part.
    Any help is greatly appreciated.

    "I'm trying to find out how to make an authorization scheme for database users."
    I think there may be some confusion here. An authorization scheme gives the user access to different parts of an Apex Application. Database users are the users that you use to login to the database, for example with sqlplus.
    From the rest of your post it sounds like you need a custom authentication scheme to validate users against a custom table. For this you need to create a custom authentication scheme and select "use my custom function to authenticate". Exactly how you set up the authentication scheme depends on the version of Apex you are using. But an example of validate user function you could use is given below:
    function validate_login (
        p_username   in   varchar2
      , p_password   in   varchar2) return boolean
    is
        v_result varchar2(1);
    begin
        select null into v_result
          from USERS
         where username = p_username   -- USERNAME column of the USERS table (USERID is the numeric key)
           and password = p_password;
        return true;
    exception
        when no_data_found then return false;
    end validate_login;
    Once the user has successfully logged on the userid will be in the APP_USER apex substitution string.
    "And for Application Express Account Credentials, does this mean an admin must make each new user by hand?"
    If you are using Apex account credentials the user details are stored within the Apex tables. You can create users using the Apex admin application or by using the APEX_UTIL.create_user api.
    Rod West
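The validate_login function in the answer above compares the submitted password with a value stored in plain text in the USERS table. A variant that stores a salted PBKDF2-HMAC-SHA256 hash instead, as an added example that is not Rod West's code: the PASSWORD_SALT and PASSWORD_HASH columns and the pbkdf2_sha256 helper are hypothetical, and the code assumes EXECUTE on DBMS_CRYPTO and a database version that provides DBMS_CRYPTO.HMAC_SH256.

```sql
-- Added example. PASSWORD_SALT RAW(16) and PASSWORD_HASH RAW(32) are
-- hypothetical columns that replace the plain-text PASSWORD column.
create or replace function pbkdf2_sha256 (
    p_password   in varchar2,
    p_salt       in raw,
    p_iterations in pls_integer default 100000)   -- tune to the hardware
    return raw
is
    l_key raw(2000) := utl_i18n.string_to_raw(p_password, 'AL32UTF8');
    l_u   raw(32);
    l_t   raw(32);
begin
    -- First PBKDF2 block only (32 bytes): U1 = HMAC(password, salt || 0x00000001)
    l_u := dbms_crypto.mac(utl_raw.concat(p_salt, hextoraw('00000001')),
                           dbms_crypto.hmac_sh256, l_key);
    l_t := l_u;
    -- U(i) = HMAC(password, U(i-1)); the result is the XOR of all U values
    for i in 2 .. p_iterations loop
        l_u := dbms_crypto.mac(l_u, dbms_crypto.hmac_sh256, l_key);
        l_t := utl_raw.bit_xor(l_t, l_u);
    end loop;
    return l_t;
end pbkdf2_sha256;
/

create or replace function validate_login (
    p_username in varchar2,
    p_password in varchar2) return boolean
is
    l_salt users.password_salt%type;
    l_hash users.password_hash%type;
begin
    -- An empty password is rejected before any hashing is attempted.
    if p_password is null then
        return false;
    end if;
    select password_salt, password_hash
      into l_salt, l_hash
      from users
     where upper(username) = upper(p_username);
    -- Accounts without a stored salt or hash can never log in.
    return l_salt is not null
       and l_hash is not null
       and utl_raw.compare(pbkdf2_sha256(p_password, l_salt), l_hash) = 0;
exception
    when no_data_found or too_many_rows then
        return false;
end validate_login;
/
```

When an account is created or its password changes, generate the salt with dbms_crypto.randombytes(16) and store pbkdf2_sha256(new_password, salt) in PASSWORD_HASH.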

  • Implement an authorization scheme using to check users

    Hello,
    I want to implement an authorization scheme for my application in which I want to
    give access to only three users to view my application. Can anyone help me what would be my pl/sql expression.
    something like :APP_USER in ('R123','Y7654','TY7890')
    can anyone help me with what type of scheme I need to create??
    thanks,
    orton

    Hi,
    I have exactly similar application for my organisation with SSO organisation, but the application need to be accessed only by my TEAM members
    What I did is I created a user table.. that will hold the user detail like email id , etc..
    after that i went to shared component -> Security -> authorization scheme
    Clicked on create button to create new authorization scheme..
    Selected From scratch option .
    Give a name to the authorization scheme.. i named is as VALID USERS
    Scheme type - select Exists SQL Query
    then in expression 1 i entered
    select * from user_table where upper(user_email_id) = upper(:APP_USER)
    and in error message enter ...Unauthorized USER.
    Regards,
    Shijesh

  • User has no authorization for function group SWRS

    Dear SRM Gurus,
    We are facing an issue "User has no authorization for function group SWRS".
    Hope the user has no authorization to access function group SWRS and this function group is saying that workflow substitution.
    Can you any one have any idea what scenario are we using Workflow substitution?
    Is there any Roles need to be assigned?
    I would be appreciating if you could let us know more detail on this.
    Thanks.
    Regards,
    Magesh Basavaraj.

    Hi,
       The authorization object is 'S_WF_SUBST' for substitute role..try to assign this object and check..
    Saravanan

  • User has no authorization for Function group SYST

    Hi,
    We are starting to make customisation to B2B application. I have just created a new project for B2B_XXXX application and deployed it on the server. When I run this custom application, I am not able to login using the same user that is working fine for the standard B2B application.
    Following is the error I am getting
    ERROR 1 - RFC_ERROR_LOGON_FAILURE: User INTUSER05 has no RFC authorization for function group SYST
    ERROR 2-  The application was not able to switch to a stateful connection......
    Strange thing is that the same user works very well for standard B2B.
    Any clue? All I have done is created a CUSTCRMPRJ for B2B ERP (SHRWEB, SHRAPP). Please help.
    Best regards,
    -Tarun
    Edited by: Tarun Bakshi on Nov 10, 2011 7:37 PM

    Hi Shanto,
    The problem is still occurring. Even If I give s_rfc authorisation the order is not being created.
    I compared the source code for b2b and b2b_custom application, I have pasted below the component info
    sap.com      CORE-TOOLS      7.00 SP14 (1000.7.00.14.0.20071210170909)      SAP AG      SAP AG      20080125132852
    sap.com      SAP_JTECHF      7.00 SP14 (1000.7.00.14.0.20071210172424)      SAP AG      SAP AG      20080125132853
    sap.com      BASETABLES      7.00 SP14 (1000.7.00.14.0.20071210170411)      SAP AG      SAP AG      20080125132853
    sap.com      SAP-JEECOR      7.00 SP14 (1000.7.00.14.0.20071210172300)      SAP AG      SAP AG      20080125132852
    sap.com      JLOGVIEW      7.00 SP14 (1000.7.00.14.0.20071210160700)      SAP AG      SAP AG      20080125132853
    sap.com      SAP-JEE      7.00 SP14 (1000.7.00.14.0.20071210172039)      SAP AG      SAP AG      20080125132853
    sap.com      SAP_JTECHS      7.00 SP14 (1000.7.00.14.0.20071210172719)      SAP AG      SAP AG      20080125133813
    sap.com      BI_UDI      7.00 SP14 (1000.7.00.14.0.20071210170522)      SAP AG      SAP AG      20080125133909
    sap.com      BI_MMR      7.00 SP14 (1000.7.00.14.0.20071210170459)      SAP AG      SAP AG      20080125133230
    sap.com      UMEADMIN      7.00 SP14 (1000.7.00.14.0.20071210164800)      SAP AG      MAIN_APL70VAL_C      20080125140341
    sap.com      LM-TOOLS      7.00 SP14 (1000.7.00.14.1.20080124101556)      SAP AG      MAIN_APL70P14_C      20080125134809
    sap.com      SAP-SHRWEB      6.0 SP0 (1000.6.0.0.2.20080129095806)      SAP AG      MAIN_CRM70PAT_C      20110608153828
    sap.com      SAP-SHRAPP      6.0 SP0 (1000.6.0.0.2.20080128172843)      SAP AG      MAIN_CRM70PAT_C      20110608154506
    b2b_custom application has been created by using code from the following SCs that were added to the track
    SAPSHRWEB10_7-20003522.SCA
    SAPSHRAPP10_7-20003520.SCA
    SAPCRMWEB10_7-20003518.SCA
    SAPCRMAPP10_7-20003516.SCA
    SAPCRMDIC10_0-20003519.SCA
    STRUTS01_0-10003646.SCA
    SAPIPCMSA10_0-20003515.SCA
    SAPCRMJAV10_7-20003517.SCA
    SAPSHRJAV10_7-20003521.SCA
    TEALEAF00_0-20001451.SCA
    SAPBUILDT14_0-10003479.SCA
    Any help would be great...

  • UWL  : User J2EE_ADMIN has no RFC authorization for function group SYST

    Dear All,
    When I am trying to register the system in universal Worklist Administration, It gives the following error,
    System <>: Fri Jul 11 18:58:11 IST 2008
    (Connector) :com.sap.netweaver.bc.uwl.connect.ConnectorException:Fri Jul 11 18:58:11 IST 2008
    (Connector) :com.sap.mw.jco.JCO$Exception:User J2EE_ADMIN has no RFC authorization for function group SYST.
    I have tried by giving the role SAP_ALL to J2EE_ADMIN, then also I am getting the same error. Can anybody throw some light on this....
    Helpful tips will be rewarded...
    Sanoj

    Sanoj,
    check these threads
    https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5489621
    https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5267551
    https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5636365
    reward points if helpful
