Authorization set up in SAP_MM_PUR_BUYER
Good morning everybody!
I have a requirement from business and I need to prepare some documents for our Basis Team but I'm not familiar with the Authorisation topic and I would be very grateful if you could help me on this.
Business wants 3 groups of buyers assigned to 3 groups of Vendors. These groups should have the PUR role + MIGO and all the other Buyers outside these groups should have just the PUR role.
Buyer group 1 --------> Vendor group A
Buyer group 2 --------> Vendor group B
Buyer group 3 --------> Vendor group C
At the moment the PGr is defined as Person. As far as I understood, the PUR Authorization is on PGr level?
So, how can we organize that? How does the assignment to Vendor work? Which information do I need from Business for Basis Team?
Thank you very much in advance for your help!!!
Paola
Hi,
You have 3 groups of Vendors, so you can create three vendor account groups. Based on the vendor account group for the vendor with the purchasing group, you can restrict the procurement process respectively.
Purchasing group-1(Buyer group 1) --------> vendor account group-A(Vendor group A)
Purchasing group-2(Buyer group 2) --------> vendor account group-B(Vendor group B)
Purchasing group-3(Buyer group 3) --------> vendor account group-C(Vendor group C)
Regards,
Biju K
Similar Messages
-
How to use a macro with AAA Authorization set?
So!
We have ACS version 4.1, and one goal is to start working on authorization sets for groups. I am able to get basic commands to work, but was curious about making a macro work without having to allow all of the commands that are actually contained within the macro itself.
I'm looking into this to promote standardization and minimize configuration issues/inconsistencies on ports across switches in our environment.
The macro I created is used for configuring a port on a switch to change its VLAN. Basically as follows:
macro name T2
Description $DESC
switchport mode access
no cdp enable
switchport access vlan $STATIC
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 25.00
storm-control action trap
switchport nonegotiate
no lldp transmit
no lldp receive
#macro keywords $DESC $STATIC
In ACS I've created a shell command authorization set, and allowed 'macro' with 'permit apply T2' and 'permit trace T2'. This works fine and allows me to use those macro commands. The problem I'm having is that every command in the macro is not allowed in the authorization set, so when I run the macro it fails for each command.
I don't want to allow each individual command in the authorization set as it would then allow jr. admins the ability to make config changes on ports that would be outside of our standard. For example they could get into a port and forget to disable CDP and LLDP, causing inconsistencies across the environment. Is there a way to run these macros without putting all of the commands in the authorization set?
Hello Eric,
Please see the below link for configuring Macro and how you can use them with AAA
http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html -
Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets
Hello All,
I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell command Authorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Configured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Privilege level is checked with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documentation I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624
"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exists in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi -
ACS - Shell Command Authorization Sets
Hi,
I have had a problem where a set of users in two groups in ACS are struggling entering commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
Just to check, the commands are 'clear port-security' and 'clear mac address-table' - I have entered in Command 'clear' and the following attributes;
permit port-security
permit mac address-table
I've also ticked 'Permit unmatched args'
At the same time as this is occurring I have been receiving the following messages from the ACS server via email;
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
Steve
Thanks for your reply!
There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not in configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve -
Cisco ACS command authorization sets
I need help on the following please.
1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
2. Does anyone know where I can read up on command authorizations sets for ACS ??
3. What is the debug command for CatOS to see cli output ?
Many thanks
Rod
Thanks for your info. I have solved my problem -
1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
This let me see what was happening every time I entered a command on CatOS - via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it on privilege mode 1. I then entered this command aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
Problem resolved.
Many thanks. -
Tacacs problem with ACS 4.2 NDG and shell authorization sets
Hi all,
I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.
I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.
Did anyone have a similar problem or is there something that I am doing in a wrong way? Is there another way to achieve such a thing without using NDGs?
Thanks everyone....
Please upgrade to patch 6, there is a bug in patch 5 and you can check the release notes or the readme for more information.
What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
Thanks,
Tarik Admani -
Shell Command Authorization Sets ACS
Hi, I followed this guide step by step http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
but still all my users can use all the commands
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
no ip address
shutdown
clock rate 2000000
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
interface Serial0/2
no ip address
shutdown
clock rate 2000000
interface Serial0/3
no ip address
shutdown
clock rate 2000000
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
tacacs-server host 192.168.20.2 key cisco
control-plane
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
end
I copied the authorization commands from the Cisco forum and followed the steps but nothing; all my users have full access to all commands.
Here's my shared profile
name-------------admin jr
Description---------for jr admin
unmatched commands------- ()permit (x)deny
permit unmatched args()
enable
show -------------------------- permit version<cr>
permit runnig-config<cr>
Then I add this profile to group 2 and then I add my user to group 2.
Then I log in to the router with the user and I can still use ALL the commands. I don't know what I am doing wrong. Any idea?
Can you give me, if you can, a guide to set up authorization with ACS? I can't find any good guide. Jeremy from CBT gives an example but just for authentication. I am lost; I have been battling with this problem since Wednesday without luck.
"you are testing with privilege level 15 or below 15. Because when you are using below 15 level user, first it will check local command authorization set. For example if you want to execute sh runn command with level 5 user, first it will check local command set. If the sh runn command exists in local command set then it will send request to ACS. If it is not in the command set, it won't send request to ACS. That's why you don't see debug. For 15 level users it will directly send request to ACS. Configure command set locally and try it should work.
Correct me if I am wrong."
Regards
Vamsi -
ACS Shell Command Authorization Set + restricted Access
Hi ,
I have tried to Create a restricted Access Shell Command Authorization Set on ACS as told on the Cisco Url
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
After I applied the same on a User Group I found the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict the access only at Interface level. Attached are the config details. Has anyone come across such a scenario? Please check my config and let me know if anything needs to be done specially from my side.
Thanks in Advance
Regards
Vineeth
Hi Jatin ,
First of all, thank you very much. It started working after aaa authorization config-commands
Here I was trying to achieve one specific thing.
I want to stop the following command on ACS: “switchport trunk allowed vlan 103”. I only want to allow “add” after “vlan” and block all the other arguments.
But even after setting the filter on ACS we are still able to execute the command. Is it the case that we cannot control the commands after the sub commands?
Also I am attaching the filter list along with this. Could you have a look at this and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?
Thanks and Regards
Vineeth -
Shell Command Authorization Sets for device using NDGs??
Hello. I have NDGs configured; there is a group called "GR1" with 30 switches.
This group is set up with a Shell Command Authorization set called "Monitoring", in which only show commands, ping and traceroute are allowed.
I want to let users in only 10 switches of the group "GR1" configure certain interfaces and IP addresses, and not in the other switches. Note: The interface number is not the same for each switch; on one it can be Fa0/1, but on others it may be Fa0/3, etc.
I want to retain these 10 switches within the group "GR1". Is it possible to make this configuration?
- Thanks
I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user, group or NDG level. More details are mentioned on the following link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610
AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets. Unless you break up the NDG into more than one NDG.
You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achieve your requirement.
You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands at level 7. All other users would be assigned a lower level (e.g. level 5), so they won't be able to run these commands.
Regards
Farrukh -
Allow some show commands in AAA Authorization Set
I'm working on creating AAA authorization sets for our environment and ran into a question!
I'd like to be able to enable ALL show commands except 'show run'. I would also like to enable 'show run interface'. I've figured out how to enable all show commands and disable show run. The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable. Even if I try to explicitly enable it.
Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?
ACS Version 4.1.
Command set is configured:
Changing it to 'deny running-config' does the exact same thing. It looks like it's seeing the 'show running-config' then stopping on that before anything else. I've tried adding 'permit run interface' in ACS and same thing. Other AAA Authorization set commands work just fine.
On the switch (it's a 2960G-8TC-K) running 12.2(58)SE2.
aaa group server tacacs+ SHS
server 10.10.11.200
aaa authentication login verifyme group TACACS+ local
aaa authorization config-commands
aaa authorization exec verifyme group TACACS+ local
aaa authorization commands 0 default group TACACS+
aaa authorization commands 1 default group TACACS+
aaa authorization commands 15 default group TACACS+
aaa accounting send stop-record authentication failure
aaa accounting exec verifyme start-stop group TACACS+
aaa accounting commands 15 default start-stop group TACACS+
aaa accounting network verifyme start-stop group TACACS+
aaa accounting system default start-stop group TACACS+
aaa session-id common
Debugs!
Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0) -
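Added example, not part of any post on this page: a small Python parser for the debug format shown in the thread above, which rebuilds each command exactly as the switch sent it to the TACACS+ server and pairs it with the server's verdict. The function names and the second, constructed PASS_ADD exchange are assumptions; the response line prints the request id as a signed 32-bit number, so ids are normalized before matching.

```python
import re

# Constructed input: the first exchange is copied from the debug output in the
# post above; the second (user 'ops', id 305419896) is made up so that a
# permitted command is exercised as well.
SAMPLE = """\
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
Jun 21 11:08:02: AAA/AUTHOR/TAC+: (305419896): user=ops
Jun 21 11:08:02: AAA/AUTHOR/TAC+: (305419896): send AV service=shell
Jun 21 11:08:02: AAA/AUTHOR/TAC+: (305419896): send AV cmd=show
Jun 21 11:08:02: AAA/AUTHOR/TAC+: (305419896): send AV cmd-arg=version
Jun 21 11:08:02: AAA/AUTHOR/TAC+: (305419896): send AV cmd-arg=
Jun 21 11:08:02: TAC+: 10.10.11.200 (305419896) AUTHOR/START queued
Jun 21 11:08:02: TAC+: (305419896): received author response status = PASS_ADD
Jun 21 11:08:02: AAA/AUTHOR (305419896): Post authorization status = PASS_ADD
"""

MASK32 = 0xFFFFFFFF  # request ids are 32-bit; some lines print them signed

SENT_USER = re.compile(r"AAA/AUTHOR/TAC\+: \((-?\d+)\): user=(\S+)")
SENT_AV = re.compile(r"AAA/AUTHOR/TAC\+: \((-?\d+)\): send AV (cmd-arg|cmd)=(.*)$")
QUEUED = re.compile(r"TAC\+: (\S+) \((-?\d+)\) AUTHOR/START queued")
STATUS = re.compile(
    r"\((-?\d+)\):? (?:received author response|Post authorization) status = (\w+)"
)


def parse_author_debug(text):
    """Return one record per authorization request, in order of appearance."""
    records = {}

    def rec(raw_id):
        rid = int(raw_id) & MASK32  # -189375029 and 4105592267 are the same id
        return records.setdefault(
            rid,
            {"id": rid, "user": None, "server": None,
             "cmd": None, "args": [], "status": None},
        )

    for line in text.splitlines():
        m = SENT_USER.search(line)
        if m:
            rec(m.group(1))["user"] = m.group(2)
            continue
        m = SENT_AV.search(line)
        if m:
            r, key, value = rec(m.group(1)), m.group(2), m.group(3).strip()
            if key == "cmd":
                r["cmd"] = value
            elif value:  # the empty trailing cmd-arg marks end of command
                r["args"].append(value)
            continue
        m = QUEUED.search(line)
        if m:
            rec(m.group(2))["server"] = m.group(1)
            continue
        m = STATUS.search(line)
        if m:
            rec(m.group(1))["status"] = m.group(2)
    return list(records.values())


def command_line(record):
    """Command as the server saw it: cmd followed by each cmd-arg."""
    return " ".join([record["cmd"] or "?"] + record["args"])


def denied_commands(text):
    """(user, command) pairs the TACACS+ server answered with FAIL."""
    return [(r["user"], command_line(r))
            for r in parse_author_debug(text) if r["status"] == "FAIL"]


if __name__ == "__main__":
    for r in parse_author_debug(SAMPLE):
        print(r["user"], r["server"], r["status"], command_line(r), sep=" | ")
```

The reconstructed string shows that the server receives the fully expanded keywords (`running-config`, not `run`), which is the form any permit or deny argument in the command set has to be written against.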
ACS Shell Command Authorizations Set
I have Cisco ACS Server V4.0
In the shell Command Authorization Set I configure a restrict Access.
In the privilege mode the restriction of the commands works well, but when I enter the config prompt the restriction doesn't work. In this prompt I can enter all commands.
Why is this?
I have the same error with ACS Server 4.2. I can restrict in privilege mode but global config is wide open. Also any command I block in privilege mode can still be executed in global config using the "do" command. How do I block that, or find out what commands the router is sending to the ACS?
-
How to enable "Shell Command Authorization Sets"
Hi there
I use aaa over tacacs to verify users from MS Active Directory.
I configured a new "Shell Command Authorization Set" see the attachment for details.
But this does not work. So I just want to test whether the use of a command is working or not.
You can see in the attached file I tried something with "show" command.
But if I log in I'm still able to use "show aaa servers" for example, although in the "show" command box I put the argument "deny aaa".
Why does this not work?
Thanks for help
bb
Hi BB,
This is what you need on IOS device,
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
On acs bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Rest all seems to be ok.
~JG
Please rate if that helps -
Command Authorization Set Show Run Permissions Only
Hi All,
I am trying to set up aaa authorization using Cisco ACS 4.2 so that my Helpdesk Users have the ability to do show commands only.
I have followed the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
and this doesn't work as intended.
I have followed the document to a tee but when I log in with my test2 user account it gives me user mode access only (> prompt) instead of Priv Exec (# prompt) but with only show command privileges! I guess this is because I am specifying level 1 access but that's what the doc says to do.......
My config is as follows:
Cisco 2811 Router
aaa new-model
aaa authentication login defaut group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
ACS 4.2 Config
Shell Command Authorization Set: Name = ReadOnlyAccess - Unmatched commands set to Deny, with the show command configured in the box below and I have checked the Permit Unmatched Args check box next to it
User: Test2 in UserGroup: ReadOnlyGroup with Enable options - Max Priv for any AAA Client: Level 1, TACACS+ - Shell (exec) box checked and Priv level checked and set to 1
Shell Command Authorisation Set - Assign a Shell Command Authorization Set for any network Device radio button selected specifying ReadOnlyAccess as the Command authorisation set to apply.
Thanks in advance
David
All,
I have resolved this issue by giving my Test2 User account Priv 15 access and then specifying the commands that can be permitted within the command authorisation set applied to all devices, which is the way I thought it should be done in the first place.
Wildcard mask in Shell Command Authorization Set?
Under Shared Profile Components/Shell Command Authorization Sets in ACS, is it possible to enter a wildcard for further arguments.
For example, say you want to permit show cam [+ all arguments], is it possible to configure show, then 'permit cam *' as the argument?
Thanks
Sure. Just tested this on my ACS 3.2 server with the following config:
AAA client:
aaa new-model
aaa authentication login default tacacs
aaa authorization commands 1 default group tacacs
ACS Shell Command Set:
Unmatched Commands = Deny
Command = show
Permit unmatched args = no
args = permit ip *
This then allows me to do "sho ip int brief" and "sho ip http server all" to name a couple, but doesn't allow me to do "sho ver".
Hope that helps. -
Authorizations setting for running the process chain
Hai
I am planning to run the process chain for loading the data into ODS. But I don't have authorization for it.
So what are the authorizations I need to run the process chain in my system? And how can I set all those authorizations for my user ID? I have all authorization rights.
Please let me know
kumar
Hi,
Authorizations for Process Chains
Use
You use authorization checks in process chain maintenance to lock the process chain, and the processes of the chain, against actions by unauthorized users.
· You control whether a user is allowed to perform specific activities.
· You control whether a user is allowed to schedule the processes in a chain.
The authorization check for the processes in a chain runs when the system performs the check. This takes place upon scheduling or during synchronous execution. The check is performed in display mode. The check is performed for each user that schedules the chain; it is not performed for the user who executes the chain. The user who executes the chain is usually the BI background user. The BI background user automatically has the required authorizations for executing all BI process types. In attribute maintenance for the process chain, you can determine the user who is to execute the process chain.
See also: Display/Maintenance of Process Chain Attributes → Execution User.
Features
For the administration processes that are bundled in a process chain, you require authorization for authorization object S_RS_ADMWB.
To work with process chains, you require authorization for authorization object S_RS_PC. You use this authorization object to determine whether process chains can be displayed, changed or executed, and whether logs can be deleted. You can use the name of the process chain as the basis for the restriction, or restrict authorizations to chains using the application components to which they are assigned.
Display/Maintain Process Chain Attributes
Use
You can display technical attributes, display or create documentation for a process chain, and determine the response of process chains during execution.
Features
You can display or maintain the following attributes for a process chain:
Process Chain → Attribute → ...
Information
Description
( Rename)
You can change the name of the process chain.
Display Components
Display components are the evaluation criterion in the process chain maintenance. Assigning the process chains to display components makes it easier to access the chain you want.
To create a new display component, choose Assign Display Components in the input help window and assign a technical name and description for the display component in the Display Grouping dialog box that appears.
Documents
You can create and display documents for a process chain.
For more information, see Documents.
Last Changed By
Displays the technical attributes of the process chain:
· When it was last changed and who by
· When it was last activated and who by
· Object directory entry
Evaluation of Process Status
If you set this indicator, all the incorrect processes in this chain and in the overall status of the run are evaluated as successful; if you have scheduled a successor process upon error or always.
The indicator is relevant when using metachains: Errors in the processes of the subchains can be evaluated as unimportant for the metachain run. The subchain is evaluated as successful, despite errors in such processes of the subchain. If, in the metachain, the successor of the subchain is scheduled upon success, the metachain run continues despite errors in unimportant processes of the subchain.
Mailing and alerting are not affected by this indicator and are still triggered for incorrect processes if they have an upon error successor.
Polling Indicator
With this indicator you can control the response of the main process for distributed processes. Distributed processes, such as the load process, are characterized as having different work processes involved in specific tasks.
With the polling indicator you determine whether the main process needs to be kept until the actual process has ended.
By selecting the indicator:
- A high level of process security is guaranteed, and
- External scheduling tools can be provided with the status of the distributed processes.
However, the system uses more resources; and a background process is required.
Monitoring
With the indicator in the dialog box Remove Chain from Automatic Monitoring?, you can specify that a process chain be removed from the automatic monitoring using CCMS.
By default CCMS switches on the automatic process chain monitoring.
For more information about the CCMS context Process Chains, see the section BW Monitor in CCMS.
Alerting
You can send alerts using alert management when errors occur in a process chain.
For more information, see Send Alerts for Process Chains.
Background Server
You can specify here on which server or server group all of the jobs of a chain are scheduled. If you do not make an entry, the background management distributes the jobs between the available servers.
Processing Client
If you use process chains in a client-dependent application, you can determine here in which client the chain is to be used. You can only display, edit, schedule or execute the chain in this client.
If you do not maintain this attribute, you can display, edit, schedule or execute the process chain in all clients.
Process variants of type General Services that are contained in a process chain with this attribute set will only be displayed in the specified client.
This attribute is transported. You can change it by specifying an import client during import. You must create a destination to the client set here in the target system for the import post processing (transaction RSTPRFC) The chain is activated after import and scheduled, if necessary, in this client.
Execution User
In the standard setting a BI background user executes the process chain (BWREMOTE).
You can change the default setting so that you can see the user that executes the process chain and therefore the processes, in the Job Overview. You can select the current dialog user who schedules the process chain job, or specify a different user.
The setting is transported.
The BI background user has all the necessary authorizations to execute all BI process types. Other users must assign themselves these authorizations so that authorization errors do not occur during processing.
Job Priority
You use this attribute to set the job priority for all of the jobs in a process chain.
Hareesh