Authorization & User Groups

Similar Messages

• Assign Authorization in User Groups

  Dear All
  Please help me , assign authorization User Groups . I go Tcode : SUGR and Tcode : SU 10 but i can't assign authorization in User Group , please help me step by step
  Regard , Thanks
    Lannguyen

  I think only way to do it through SU10.
  -Pinkle

• What is the Advantage of creation of user group through SUGR?

  Hello Masters,
  As per audit requirement I have maintained user groups for different sets of users through SUGR, but I am not getting except differenciating users (based on group), is there any other advantage? Can we assign role to a user group instead of assigning to list of users  or can we do any mass changes to an user group by giving only user group name.
  Regards,
  Nilutpal.

  Dear Neels,
  Apart from maintaining user group for Differnciation purpose you can also take the advantage on the following sectors:
  1. Follow the http://help.sap.com/saphelp_nw04/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm link . From this you will come to know the use of user group in the authorisation area.
  2. User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team. 
  3. The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc... 
  In case any issue, please feel free to reply.
  Regards,
  Nilutpal.

• How many ways we can create authorization for user groups in sap query reports

  Hi Gurus, I am getting a problem when I am assigning users to user group in sap query report .The users other than created in user groups are also able to add &change  the users .So please suggest me how to restrict users outside of the user group.
  Please send me if u have any suggestions and useful threads.
  Thank You,
  Suneel Kumar.

  I don't think it can be done. According to the link below 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
  http://help.sap.com/saphelp_46c/helpdata/en/d2/cb3f89455611d189710000e8322d00/content.htm
  Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
  Use AUTHORITY-CHECK to restrict access to the database based on user.
  Press F1 on AUTHORITY-CHECK to find out how to use it in the code

• No provisioning of User Group for authorization field in user master

  We are implementing CUP 5.3 workflows. Both in manual proviosing and automated provisioning based on User Defaults the user group gets only provisioned to the Groups tab in SU01. The field User Group for authorization on the Logon data tab remains empty (field CLASS from system table USLOGOND, filling CLASS field in table USR02).
  In User defaults both under user default as on the user group tab the user groups have been defined. In manual provisioning the correct list of user groups get displayed for selection.
  Under field mapping in the Application field I only find User Group in user master maintenance, but not User group for authorization. However I would assume I do not need to use field mapping, as I want to automate this provisioning based on user defaults.
  Am I missing a configuration setting here? If so, where can I set it?
  I would assume the provisioning of this field is possible. RAR reports the user group also based on the User group for auhtorization and not from the Groups tab.

  S.Pados,
  I can assure you that what I said in my last response does provision the User Group For Authorization Check on the Logon Data tab; in fact, I was having the opposite issue where the Group tab was not being provisioned; however, I am ruunning AE 5.2 and you said you are running 5.3; maybe something did change or got lost in the releases; it probably is good to see what SAP has to say about this; I would hate to lose this capapbility when I upgrade to AE 5.3
  As far as using the custom field for multiple applications, would that field not be usable for any of the applications you would select in the request form?; if you are using the same table names in the different SAP systems (selectable by the application field on the request) would the drop down selections be whatever the table has defined for that system? I may not be understanding something here so I am just asking;
  It would be great to have a Group field automatically filled in by another selection to avoid the user involvement; I agree with you there; because of our concerns on users entering the AE request, our shop has decided to continue with the users submitting the request through normal email and the security administrators perform the AE entering; this way we have a better idea on something like the GROUP field; we have an option to include the original email as an attachment for justification of the request
  Sorry I could not be of more help
  Jerry
  Ryerson,Inc.

• Authorization Schemes, User Groups

  Hi Folks,
  I wish to create an authorization scheme and to do so with one of the user groups I defined in
  Home>Administration>Manage Application Express Users
  How can I set the authorization scheme to achieve this?
  Thanks for any and all help

  Are you looking for apex_util.current_user_in_group
  Create a new authorization scheme... PL/SQL function reuturning boolean
  begin
  if apex_util.current_user_in_group('MyGroup')
  then
  return TRUE;
  else
  return FALSE;
  end if;
  end;Reference:http://apex.oracle.com/i/doc/AEAPI/apex_util014.htm
  Regards,
  Shijesh

• Structural authorization : role, profile, user group

  Dear All,
  I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
  I am mainly concerned with roles and profiles, What exactly is role and what is profile.
  Pl give me practical example....
  Regards,
  Kumar

  Hi kumar,
  Roles: It is divided in to single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
  Profile: It is based on the authorization object. Unless untill, you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key,..
  User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
  Good Luck
  Om
  Reward it, if u feel helpful.

• Restrict user group authorization on reporting

  Hi all;
  I've problem restriction of user groups on monitoring reports.
  By using RSSM transaction I gave only one user group to reach the reports but I still see the other groups on report.
  Thanks.
  Korel.

  Hi Chris,
  There is no standard report available for this purpose. However all this information is stored in table UME_STRINGS.
  You can write your own SQL queries to generate such reports. However please note that this table is not normalized, and it's a master UME table. You should use it strictly for READ ONLY purpose.
  For a sample code you which i wrote some time back, you might refer:
  http://forums.sdn.sap.com/thread.jspa?threadID=2088099&messageID=10859334#10859334
  Thanks
  Prashant

• User Group for Authorization Check

  I created a user group called SYSTEM and assigned all our companies system accounts to it. Two examples of additional SYSTEM accounts I added to the SYSTEM user group are: DDIC & SAPBATCH. I did not register this group or apply any special conditions. Since doing so, several system accounts constantly become locked.
  Is it safe to delete the SYSTEM user group?
  Please assist...

  Hi
  Did you create it on SAP Service Marketplace?
  thanks and regards Martin

• Populating the user group instead of the group ID in MFA

  Hello all,
  I am trying to Populate the user group instead of the group ID in MFA. I want to use this to create authorization permissions, after authentication. I am running into the problem of not getting any info after authentication in the attribute dump.  Are
  there settings that I can change in order to Populate the attribute dump? are there settings that I can change to get all of the groups that each user is in?
  Thanks,
  Levi Williams
  IT professonial
  Intern

  Hi Levi Williams,
  Thanks for posting here!
  Refer to the solution in this  thread link:
  https://social.msdn.microsoft.com/Forums/en-US/df060757-8190-4083-a162-0876cd4b8d15/group-based-radius-return-attributes?forum=windowsazureactiveauthentication
  Additional reference:
  http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
  Hope this helps!
  Regards,
  Sadiqh

• Unable to assign the user in user group through SQ03

  Hi All,
  When I tried to assign a  user to one user group from SQ03 the tick mark is disables can't assign the user.
  This is happening only to one of the employee only. Others i can mark tick.
  Please advice.
  Imran

  Hi
  Please check if the user has authorization to that query....
  For example if the user is a PA administrator & you are trying to assign this user to a user group which is Time Management ( Time Infosets), then the tick will be disabled.
  This case was encountered in our firm too.
  Please check & revert.
  Regards,
  Megha

• Move a query to from one user group to another user group

  Hi,
  it's possible to move a query (SQ01) from one user group to another user group ??
  Thank you.

  Hi,
  You can copy queries only if you have the authorization to make changes. Within your current user group, you can copy all queries. However, queries of other user groups can only be copied if the InfoSet used to define the query is assigned to both user groups.
  To copy a query, proceed as follows:
  1. Choose the name of the query you want to copy on the initial screen.
  If you do not know the name, use the directory functions to display the query directories and then choose a query to copy from there.
  2. Choose Copy.
  3. Enter the name and the user group of the query that you want to copy in the dialog box. Furthermore, you must enter a name for the copied query. The system proposes values for this.
  4. Choose Continue.
  This takes you to the initial screen. The query is added and appears in the query directory. You can now continue.
  Regards,
  Amit

• ISE / Active Directory: issue to get users group

  Hello,
  We have a strange issue:
  - ISE 1.2 patch 8
  - no WLC, autonomous AP
  In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
  We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
  In one more rules to grant authentication from APs to register in WDS: user in local database.
  In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
  (so 3 rules), and one more to authorise the internal base for WDS.
  We have something strange:
  - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
  Exemple:
  1- OK:
  Authentication Details
  Source Timestamp
  2014-05-15 11:43:19.064
  Received Timestamp
  2014-05-15 11:43:19.065
  Policy Server
  radius
  Event
  5200 Authentication succeeded 
  All the GROUPS of user are seen:
  false
  AD ExternalGroups
  xx/users/admexch
  AD ExternalGroups
  xx/users/glkdp
  AD ExternalGroups
  x/users/gl revue écriture
  AD ExternalGroups
  xx/users/pcanywhere
  AD ExternalGroups
  xx/users/wifidata
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa informatique
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa entreprises et cités
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa campus
  AD ExternalGroups
  xx/users/aiga_creches
  AD ExternalGroups
  xx/users/admins du domaine
  AD ExternalGroups
  xx/users/utilisa. du domaine
  AD ExternalGroups
  xx/users/groupe de réplication dont le mot de passe rodc est refusé
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange view-only administrators
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange public folder administrators
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/administrateurs
  AD ExternalGroups
  xx/builtin/utilisateurs
  AD ExternalGroups
  xx/builtin/opérateurs de compte
  AD ExternalGroups
  xx/builtin/opérateurs de serveur
  AD ExternalGroups
  xx/builtin/utilisateurs du bureau à distance
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  RADIUS Username
  xx\cennelin
  Device IP Address
  172.25.2.87
  Called-Station-ID
  00:3A:98:A5:3E:20
  CiscoAVPair
  ssid=CAMPUS
  ssid
  campus 
  2- NO OK later:
  Authentication Details
  Source Timestamp
  2014-05-15 16:17:35.69
  Received Timestamp
  2014-05-15 16:17:35.69
  Policy Server
  radius
  Event
  5434 Endpoint conducted several failed authentications of the same scenario
  Failure Reason
  15039 Rejected per authorization profile
  Resolution
  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
  Root cause
  Selected Authorization Profile contains ACCESS_REJECT attribute 
  Only 3 Groups of the user are seen:
  Other Attributes
  ConfigVersionId
  5
  Device Port
  1645
  DestinationPort
  1812
  RadiusPacketType
  AccessRequest
  UserName
  host/xxxxxxxxxxxx
  Protocol
  Radius
  NAS-IP-Address
  172.25.2.80
  NAS-Port
  51517
  Framed-MTU
  1400
  State
  37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
  cisco-nas-port
  51517
  IsEndpointInRejectMode
  false
  AcsSessionID
  radius/189518899/49890
  DetailedInfo
  Authentication succeed
  SelectedAuthenticationIdentityStores
  AD1
  ADDomain
  xxxxxxxxxxx
  AuthorizationPolicyMatchedRule
  Default
  CPMSessionID
  b0140a6f0000C2E15374CC7F
  EndPointMACAddress
  00-xxxxxxxxxxxx
  ISEPolicySetName
  Default
  AllowedProtocolMatchedRule
  MDP-PC-PEAP
  IdentitySelectionMatchedRule
  Default
  HostIdentityGroup
  Endpoint Identity Groups:Profiled:Workstation
  Model Name
  Cisco
  Location
  Location#All Locations#Site-MDP
  Device Type
  Device Type#All Device Types#Cisco-Bornes
  IdentityAccessRestricted
  false
  AD ExternalGroups
  xx/users/ordinateurs du domaine
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  Called-Station-ID
  54:75:D0:DC:5B:7C
  CiscoAVPair
  ssid=CAMPUS 
  If you have an idea, thanks so much,
  Regards,

  To configure debug logs via the Cisco ISE user interface, complete the following steps
  :Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
  You can use the Filter button to search for a specific node, particularly if the node list is large.
  www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

• Custom user/group properties

  Hi,
  Is there a possibility to extend the standard user/group properties (CQ5 Security)? I would like to add some more properties then the standard name, mail, about,....
  I've tried to extend the dialog by cutomizing the UserProperties.js Dialog. The Problem is that cq5 doesent save the newly added propertes. There is a save function using the folowing service.
                  url = CQ.HTTP.externalize("/bin/security/authorizables/POST");
                  url = CQ.HTTP.addParameter(url, "Authorizable", frm.findField("id").getValue());
  It posts the parameter but it doesent get saved.
  Is there a way to make it work?

  I have used a kind of a workaround. Just created a new tab for the user/group properties and registered it in the UserAdmin.js . The Tab is implemented similar to the CQ.security.UserProperties and has a similar save handler.
  I'm getting the stored Properties the following way:
          private static final String PREFERENCES_NODE_PATH = "/preferences";
          preferencesNode = currentSession.getNode(group.getPath() + PREFERENCES_NODE_PATH);
          if (preferencesNode.hasProperty(preferenceName)) {
              preferenceValue = preferencesNode.getProperty(preferenceName);
  I know it's not the most elegant solution but the fastest I have found.

• How to set different default interactive reports for different user groups?

  I'm probably overlooking an obvious solution, but how do I set different default interactive report for different user groups?
  For the same interactive report, I want one set of users to see a default where the default filter is based on column X. However, another group of users doesn't have authorization to see that column so I need to set the default filter to something else for them.
  Thanks

  You can set a filter on a report in a URL - would that help? I think with apex 4.x you can also link to a saved default report or alternative report...