Authorization & User Groups
Hi, I am trying to configure an authorization scheme. I am confused by the different syntax used both on here and in the User Guide.
I am wanting to control access based upon groups so I am wanting to use "HTMLDB_UTIL.CURRENT_USER_IN_GROUP" function.
I have set up my "Scheme Type" to be PL/SQL Function Returning Boolean.
In expression one is where I am having my problems ... this is what I have..
DECLARE VAL BOOLEAN;
BEGIN
VAL := not nvl(HTMLDB_UTIL.CURRENT_USER_IN_GROUP('Managers'), false);
END;
and I get ... "ORA-06503: PL/SQL: Function returned without value"
This is the first time I have tried to set up an authorization so I am not sure how to even do it. And based upon other posts on authorization schemes, I found these different syntaxes... Can someone help me out or explain what to do?
return wwv_flow_fnd_user_api.get_user_roles(':APP_USER') is not null; @ Re: Authorization when APP_USER = Develper or WS Administrator
Which way is right and how should I implement this....
TIA !!!
P.S. I used the "not nvl" syntax based upon the findings in this thread by Scott in his very last reply
User Groups
Justin - Try return not nvl(HTMLDB_UTIL.CURRENT_USER_IN_GROUP('Managers'), false);... and be sure you really want the NOT value of that API call.
Scott
Similar Messages
-
Assign Authorization in User Groups
Dear All
Please help me assign authorization User Groups. I go Tcode: SUGR and Tcode: SU10 but I can't assign authorization in User Group, please help me step by step.
Regards, Thanks
Lannguyen
I think the only way to do it is through SU10.
-Pinkle -
What is the Advantage of creation of user group through SUGR?
Hello Masters,
As per audit requirement I have maintained user groups for different sets of users through SUGR, but I am not getting anything except differentiating users (based on group). Is there any other advantage? Can we assign a role to a user group instead of assigning it to a list of users, or can we do any mass changes to a user group by giving only the user group name?
Regards,
Nilutpal.
Dear Neels,
Apart from maintaining user groups for differentiation purposes, you can also take advantage in the following areas:
1. Follow the http://help.sap.com/saphelp_nw04/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm link. From this you will come to know the use of user group in the authorisation area.
2. User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team.
3. The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc...
In case any issue, please feel free to reply.
Regards,
Nilutpal. -
How many ways we can create authorization for user groups in sap query reports
Hi Gurus, I am getting a problem when I am assigning users to a user group in SAP query report. The users other than those created in user groups are also able to add & change the users. So please suggest how to restrict users outside of the user group.
Please send me if you have any suggestions and useful threads.
Thank You,
Suneel Kumar.
I don't think it can be done. According to the link below, 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
http://help.sap.com/saphelp_46c/helpdata/en/d2/cb3f89455611d189710000e8322d00/content.htm
Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
Use AUTHORITY-CHECK to restrict access to the database based on user.
Press F1 on AUTHORITY-CHECK to find out how to use it in the code -
No provisioning of User Group for authorization field in user master
We are implementing CUP 5.3 workflows. Both in manual provisioning and automated provisioning based on User Defaults the user group gets only provisioned to the Groups tab in SU01. The field User Group for authorization on the Logon data tab remains empty (field CLASS from system table USLOGOND, filling CLASS field in table USR02).
In User defaults both under user default as on the user group tab the user groups have been defined. In manual provisioning the correct list of user groups get displayed for selection.
Under field mapping in the Application field I only find User Group in user master maintenance, but not User group for authorization. However I would assume I do not need to use field mapping, as I want to automate this provisioning based on user defaults.
Am I missing a configuration setting here? If so, where can I set it?
I would assume the provisioning of this field is possible. RAR reports the user group also based on the User group for authorization and not from the Groups tab.
S.Pados,
I can assure you that what I said in my last response does provision the User Group For Authorization Check on the Logon Data tab; in fact, I was having the opposite issue where the Group tab was not being provisioned; however, I am running AE 5.2 and you said you are running 5.3; maybe something did change or got lost in the releases; it probably is good to see what SAP has to say about this; I would hate to lose this capability when I upgrade to AE 5.3
As far as using the custom field for multiple applications, would that field not be usable for any of the applications you would select in the request form?; if you are using the same table names in the different SAP systems (selectable by the application field on the request) would the drop down selections be whatever the table has defined for that system? I may not be understanding something here so I am just asking;
It would be great to have a Group field automatically filled in by another selection to avoid the user involvement; I agree with you there; because of our concerns on users entering the AE request, our shop has decided to continue with the users submitting the request through normal email and the security administrators perform the AE entering; this way we have a better idea on something like the GROUP field; we have an option to include the original email as an attachment for justification of the request
Sorry I could not be of more help
Jerry
Ryerson,Inc. -
Authorization Schemes, User Groups
Hi Folks,
I wish to create an authorization scheme and to do so with one of the user groups I defined in
Home>Administration>Manage Application Express Users
How can I set the authorization scheme to achieve this?
Thanks for any and all help
Are you looking for apex_util.current_user_in_group?
Create a new authorization scheme... PL/SQL function returning boolean
begin
    if apex_util.current_user_in_group('MyGroup')
    then
        return TRUE;
    else
        return FALSE;
    end if;
end;
Reference: http://apex.oracle.com/i/doc/AEAPI/apex_util014.htm
Regards,
Shijesh -
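An authorization scheme body that serves both APEX threads above (the ORA-06503 question and this group-membership check), added here as an example and not code from either poster or from Oracle. It denies by default, guards each APEX_UTIL.CURRENT_USER_IN_GROUP call with NVL, and returns on every path; the group names 'Managers' and 'Auditors' are assumptions standing in for groups defined in your workspace.

```plsql
-- Scheme Type: PL/SQL Function Returning Boolean
-- Group names below are placeholders (assumptions), not values from Oracle.
DECLARE
    l_allowed BOOLEAN := FALSE;   -- deny unless a check below succeeds
BEGIN
    -- NVL turns a NULL result into FALSE, so the condition is always a
    -- definite TRUE or FALSE.
    IF NVL(apex_util.current_user_in_group('Managers'), FALSE)
       OR NVL(apex_util.current_user_in_group('Auditors'), FALSE)
    THEN
        l_allowed := TRUE;
    END IF;

    -- Assigning to a variable is not enough: a function body that ends
    -- without reaching a RETURN fails with ORA-06503.
    RETURN l_allowed;
EXCEPTION
    WHEN OTHERS THEN
        RETURN FALSE;             -- fail closed if the membership lookup errors
END;
```

Prefixing the condition with NOT, as in the first thread, turns this into a scheme that admits everyone except members of the listed groups.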
Structural authorization : role, profile, user group
Dear All,
I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
I am mainly concerned with roles and profiles, What exactly is role and what is profile.
Pl give me practical example....
Regards,
Kumar
Hi kumar,
Roles: It is divided into single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
Profile: It is based on the authorization object. Unless and until you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key,..
User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
Good Luck
Om
Reward it, if you feel helpful. -
Restrict user group authorization on reporting
Hi all;
I've problem restriction of user groups on monitoring reports.
By using RSSM transaction I gave only one user group to reach the reports but I still see the other groups on report.
Thanks.
Korel.
Hi Chris,
There is no standard report available for this purpose. However all this information is stored in table UME_STRINGS.
You can write your own SQL queries to generate such reports. However please note that this table is not normalized, and it's a master UME table. You should use it strictly for READ ONLY purpose.
For sample code which I wrote some time back, you might refer to:
http://forums.sdn.sap.com/thread.jspa?threadID=2088099&messageID=10859334#10859334
Thanks
Prashant -
User Group for Authorization Check
I created a user group called SYSTEM and assigned all our company's system accounts to it. Two examples of additional SYSTEM accounts I added to the SYSTEM user group are: DDIC & SAPBATCH. I did not register this group or apply any special conditions. Since doing so, several system accounts constantly become locked.
Is it safe to delete the SYSTEM user group?
Please assist...
Hi
Did you create it on SAP Service Marketplace?
thanks and regards Martin -
Populating the user group instead of the group ID in MFA
Hello all,
I am trying to populate the user group instead of the group ID in MFA. I want to use this to create authorization permissions, after authentication. I am running into the problem of not getting any info after authentication in the attribute dump. Are there settings that I can change in order to populate the attribute dump? Are there settings that I can change to get all of the groups that each user is in?
Thanks,
Levi Williams
IT professional
Intern
Hi Levi Williams,
Thanks for posting here!
Refer to the solution in this thread link:
https://social.msdn.microsoft.com/Forums/en-US/df060757-8190-4083-a162-0876cd4b8d15/group-based-radius-return-attributes?forum=windowsazureactiveauthentication
Additional reference:
http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
Hope this helps!
Regards,
Sadiqh -
Unable to assign the user in user group through SQ03
Hi All,
When I tried to assign a user to one user group from SQ03, the tick mark is disabled and I can't assign the user.
This is happening to only one of the employees. For others I can mark the tick.
Please advise.
Imran
Hi
Please check if the user has authorization to that query....
For example if the user is a PA administrator & you are trying to assign this user to a user group which is Time Management ( Time Infosets), then the tick will be disabled.
This case was encountered in our firm too.
Please check & revert.
Regards,
Megha -
Move a query to from one user group to another user group
Hi,
it's possible to move a query (SQ01) from one user group to another user group ??
Thank you.
Hi,
You can copy queries only if you have the authorization to make changes. Within your current user group, you can copy all queries. However, queries of other user groups can only be copied if the InfoSet used to define the query is assigned to both user groups.
To copy a query, proceed as follows:
1. Choose the name of the query you want to copy on the initial screen.
If you do not know the name, use the directory functions to display the query directories and then choose a query to copy from there.
2. Choose Copy.
3. Enter the name and the user group of the query that you want to copy in the dialog box. Furthermore, you must enter a name for the copied query. The system proposes values for this.
4. Choose Continue.
This takes you to the initial screen. The query is added and appears in the query directory. You can now continue.
Regards,
Amit -
ISE / Active Directory: issue to get users group
Hello,
We have a strange issue:
- ISE 1.2 patch 8
- no WLC, autonomous AP
In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
In one more rules to grant authentication from APs to register in WDS: user in local database.
In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
(so 3 rules), and one more to authorise the internal base for WDS.
We have something strange:
- sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
Example:
1- OK:
Authentication Details
Source Timestamp: 2014-05-15 11:43:19.064
Received Timestamp: 2014-05-15 11:43:19.065
Policy Server: radius
Event: 5200 Authentication succeeded
All the GROUPS of user are seen:
false
AD ExternalGroups: xx/users/admexch
AD ExternalGroups: xx/users/glkdp
AD ExternalGroups: x/users/gl revue écriture
AD ExternalGroups: xx/users/pcanywhere
AD ExternalGroups: xx/users/wifidata
AD ExternalGroups: xx/informatique/campus/destinataires/aa informatique
AD ExternalGroups: xx/informatique/campus/destinataires/aa entreprises et cités
AD ExternalGroups: xx/informatique/campus/destinataires/aa campus
AD ExternalGroups: xx/users/aiga_creches
AD ExternalGroups: xx/users/admins du domaine
AD ExternalGroups: xx/users/utilisa. du domaine
AD ExternalGroups: xx/users/groupe de réplication dont le mot de passe rodc est refusé
AD ExternalGroups: xx/microsoft exchange security groups/exchange view-only administrators
AD ExternalGroups: xx/microsoft exchange security groups/exchange public folder administrators
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/administrateurs
AD ExternalGroups: xx/builtin/utilisateurs
AD ExternalGroups: xx/builtin/opérateurs de compte
AD ExternalGroups: xx/builtin/opérateurs de serveur
AD ExternalGroups: xx/builtin/utilisateurs du bureau à distance
AD ExternalGroups: xx/builtin/accès dcom service de certificats
RADIUS Username: xx\cennelin
Device IP Address: 172.25.2.87
Called-Station-ID: 00:3A:98:A5:3E:20
CiscoAVPair: ssid=CAMPUS
ssid: campus
2- NO OK later:
Authentication Details
Source Timestamp: 2014-05-15 16:17:35.69
Received Timestamp: 2014-05-15 16:17:35.69
Policy Server: radius
Event: 5434 Endpoint conducted several failed authentications of the same scenario
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Only 3 Groups of the user are seen:
Other Attributes
ConfigVersionId: 5
Device Port: 1645
DestinationPort: 1812
RadiusPacketType: AccessRequest
UserName: host/xxxxxxxxxxxx
Protocol: Radius
NAS-IP-Address: 172.25.2.80
NAS-Port: 51517
Framed-MTU: 1400
State: 37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
cisco-nas-port: 51517
IsEndpointInRejectMode: false
AcsSessionID: radius/189518899/49890
DetailedInfo: Authentication succeed
SelectedAuthenticationIdentityStores: AD1
ADDomain: xxxxxxxxxxx
AuthorizationPolicyMatchedRule: Default
CPMSessionID: b0140a6f0000C2E15374CC7F
EndPointMACAddress: 00-xxxxxxxxxxxx
ISEPolicySetName: Default
AllowedProtocolMatchedRule: MDP-PC-PEAP
IdentitySelectionMatchedRule: Default
HostIdentityGroup: Endpoint Identity Groups:Profiled:Workstation
Model Name: Cisco
Location: Location#All Locations#Site-MDP
Device Type: Device Type#All Device Types#Cisco-Bornes
IdentityAccessRestricted: false
AD ExternalGroups: xx/users/ordinateurs du domaine
AD ExternalGroups: xx/users/certsvc_dcom_access
AD ExternalGroups: xx/builtin/accès dcom service de certificats
Called-Station-ID: 54:75:D0:DC:5B:7C
CiscoAVPair: ssid=CAMPUS
If you have an idea, thanks so much,
Regards,
To configure debug logs via the Cisco ISE user interface, complete the following steps:
Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
You can use the Filter button to search for a specific node, particularly if the node list is large.
www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750 -
Custom user/group properties
Hi,
Is there a possibility to extend the standard user/group properties (CQ5 Security)? I would like to add some more properties than the standard name, mail, about,....
I've tried to extend the dialog by customizing the UserProperties.js Dialog. The problem is that CQ5 doesn't save the newly added properties. There is a save function using the following service.
url = CQ.HTTP.externalize("/bin/security/authorizables/POST");
url = CQ.HTTP.addParameter(url, "Authorizable", frm.findField("id").getValue());
It posts the parameter but it doesn't get saved.
Is there a way to make it work?
I have used a kind of a workaround. Just created a new tab for the user/group properties and registered it in the UserAdmin.js . The Tab is implemented similar to the CQ.security.UserProperties and has a similar save handler.
I'm getting the stored Properties the following way:
private static final String PREFERENCES_NODE_PATH = "/preferences";
// The preferences are read from a child node under the group's own path
preferencesNode = currentSession.getNode(group.getPath() + PREFERENCES_NODE_PATH);
if (preferencesNode.hasProperty(preferenceName)) {
    preferenceValue = preferencesNode.getProperty(preferenceName);
}
I know it's not the most elegant solution but the fastest I have found. -
How to set different default interactive reports for different user groups?
I'm probably overlooking an obvious solution, but how do I set different default interactive report for different user groups?
For the same interactive report, I want one set of users to see a default where the default filter is based on column X. However, another group of users doesn't have authorization to see that column so I need to set the default filter to something else for them.
Thanks
You can set a filter on a report in a URL - would that help? I think with apex 4.x you can also link to a saved default report or alternative report...