Authorizations-Security based on BP relationships

Dear Experts,
In a generic sense, we could control which BPs can be maintained using authorization groups (object B_BUPA_GRP), which is not sufficient for us.
We have a situation: users should be able to view and modify those BPs that are in some relationship with the current user. For example, the user should be able to edit those BPs for which they are contact persons, or something like that.
Can anyone throw some light on this, please?
Thanks
Senthil

You cannot protect Business Partners based on the relationships object. There is no corresponding auth object for relationships.
The best approach would be using auth object 'B_BUPA_GRP' for the authorization group.
In your business scenario, contact persons with the same relationship need to have the same authorization group maintained.
You will find the authorization group field under the Control tab of the BP transaction.
But the problem with this approach is having to define a separate user role and assign it to the user profiles of contact persons with the same relationship. It may lead to creating a lot of user roles, which is not good if you have thousands of BPs.
Usually BPs are protected using auth objects B_BUPA_GRP (authorization group) and B_BUPA_RLT (BP role).
Thanks,
Thirumala.

Similar Messages

  • How to setup the security based on roles in Organization.

    Hi,
    How to setup the security based on roles in Organization.
    For example: a few users are Managers and a few users are Non-Managers. Managers should have access to all work data, including that of Non-Managers, and Non-Managers should have access based on role. How do we set this up? How does the OBI server identify the user role?
    Kindly let me know.
    Regards,
    CHR

    Hi,
    You need to have back-end support to achieve this. In the back end you need to create two groups. You need to know what joins have to be made for which group (which is more important) and also make a session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
    And make a common report. Users logging in with the respective userid will have the userrole and joins assigned in the back end. And they will be viewing the report according to their access.
    Hope this will solve your problem.
    Regards
    MuRam

  • Repost based on Char Relationships help !

    Hi,
    I need help with the above function please. I'm doing this in IP but I think it would be equally relevant in BPS.
    I have 2 derivations
    1. VAT is derived as it's an attribute of contract (so it's a characteristic relationship of type attribute).
    2. Cash date is derived in an exit from Event date and Debtor days (so it's a characteristic relationship of type exit).
    When doing a repost based on characteristic relationships (after changing master data attributes), the VAT derives properly but I get an error on the cash date derivation.
    I'm not sure if it's important, but the VAT flag is actually in the cube whereas Debtor days is simply looked up from contract master and then used to calculate cash date in the exit.
    The characteristic relationship does work properly when simply planning data into the cube, but not on the repost function.
    Any help/ideas would be appreciated.
    Cheers
    sue

    Hi,
    No, it's not possible. If you put CALWEEK as a target in the derivation, the CHECK on the derivation will fail as you cannot derive Generic Time characteristics.
    I overcame the problem, however, by ticking CALWEEK in the Repost with Characteristic Relationships function, i.e. even though the function did not suggest that it could be derived, ticking it did not lead to an error and in this way the function worked.
    Just further FYI, I've found that Exit derivations and Attribute derivations cannot be achieved in a single function; they have to be created separately.
    Regards
    Sue

  • Security based on the position and responsibility of Siebel tables.

    Hi Forum,
    We have a requirement to show some reports based on OLTP tables (Siebel base tables with S_), so we have created a repository and created a few reports in OBIEE.
    Now we want to implement security based on these tables. Siebel users will be accessing these reports, so how do we implement security based on the position and responsibility of Siebel tables?
    Please share any links or docs pertaining to the above-mentioned implementation.
    Thanks

    Could be interference
    AirPort and Bluetooth: Potential sources of wireless interference
    Try:
    - Resetting the BT headset
    - Reset the iOS device. Nothing will be lost
    Reset iOS device: Hold down the On/Off button and the Home button at the same time for at least ten seconds, until the Apple logo appears.
    - Reset network settings: Settings>General>Reset>Reset Network Settings. You will have to rejoin all wifi networks and re-pair all BT devices

  • Authorization check based on personnel sub area

    Dear experts,
    I would like to know if there's a way to do the authorization checking based on personnel subarea? Currently we can perform the authorization check up to Personnel Area only in P_ORGIN.
    Please advise.
    Thanks in advance.
    Regards,
    Yen

    The feature Administrator groups (PINCH) is designed to deal with such a situation.
    Example
    Administrator A is responsible for personnel areas 1 and 2, Administrator B is responsible for the employee subgroups X and Y within personnel area 3, Administrator C is responsible for all other employee subgroups within personnel area 3.

  • Data Security Based on Responsibility

    Hi Gurus,
    We are planning to have a separate Order Management user responsibility for each inventory organization. How do we restrict viewing of the orders created from an organization to the responsibility created for that organization?
    Thanks in advance.
    Hussein

    Hi;
    What is your OS and EBS?
    Please check:
    Index: R12 Inventory User's Guide in a Note [ID 605395.1]
    Chapter 19: R12 Inventory User's Guide in a Note [ID 733873.1]
    Frequently Asked Question About Reporting, Printing, Security/LDAP, Configurations In Store Inventory Management (SIM) [ID 604163.1]
    Multi Organizations setup 13 Define inventory organization security [ID 200556.1]
    How To Enable Security Privileges For System Admin Button In Store Inventory Management (SIM) System? [ID 361925.1]
    Also check:
    http://www.google.com.tr/search?hl=tr&source=hp&q=inventory-setup-organizations-security+&meta=&aq=f&oq=
    http://www.google.com.tr/search?hl=tr&q=oracle%2BData+Security+Based+on+Responsibility&meta=&aq=f&oq=
    Hope it helps
    Regards
    Helios

  • Authorization Scheme based on a group in LDAP?

    Hi,
    I would like to write an Authorization Scheme that checks whether a user (authenticated via an Authentication Scheme based on LDAP) is a member of a specific group in LDAP, for access control.
    I can't seem to find documentation or an example of this. Would appreciate any tips or links to docs and examples....
    Thanks!

    I came across this nice example from the docs for the authorization scheme using the "IS_MEMBER Function".
    http://download.oracle.com/docs/cd/E17556_01/doc/apirefs.40/e15519/apex_ldap.htm#CDEJAAEI
    Very straightforward....
    However, my question now is, how would I tie this in to my authentication scheme?
    One Page Secured by > Authorization scheme (APEX_LDAP.IS_MEMBER) > From a user authenticated by my Authentication Scheme From LDAP directory?
    How would I tie these two schemes together?
    Thanks in advance for any help offered....

  • Authorization check based on item category on sales order (VA01 or VA02)

    I want to be able to restrict authorization of users based on item category. We only want certain users to be able to select a certain item category. I know I'm going to have to check one of the userexits in MV45AFZZ. The issue I'm having is the authorization object.
    The item category is field VBAP-PSTYV.
    What we are doing is having an item category for emergency orders. But this requires more manual steps to associate with the original order. We already have the emergency item categories defined and working (no credit check etc.) so there's no reason not to have them added to the original order. The issue is its use has to be restricted, so when the user selects an alternative item category it checks whether they have the authority.
    Any help would be appreciated

    Hi,
    You can achieve this through authorization objects.
    Transaction
    SU20 - Authorization Fields
    SU21 - Authorization Objects
    Create the field PSTYV in the Authorization Fields.
    Then create the authorization object and include this field along with the standard field ACTVT (which determines what activities can be performed by a certain user, i.e. Create, Change or Display) & user-name.
    In your user exit, you can either use the ABAP command AUTHORITY-CHECK or the function module AUTHORITY_CHECK and pass the values for these fields. The system can perform the test based on these values, and based on the sy-subrc value you can restrict the users that do not have the authorization to select item categories for emergency orders.
    The following link should help you:
    SAP Authorization Concept: http://help.sap.com/saphelp_wp/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm
    Hope that helps you.
    Regards,
    Saurabh
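
    An added example of the check described in the reply above (not code from the thread or from SAP standard): a helper routine to call from the MV45AFZZ user exit used for the item check. Assumptions: `Z_PSTYV` is a hypothetical custom authorization object with fields PSTYV and ACTVT, `ZEM1` is a constructed emergency item category, and message class `zsd` is a placeholder.

    ```abap
    * Added example, not SAP standard code.
    * Z_PSTYV : hypothetical custom authorization object (SU21), fields PSTYV + ACTVT
    * 'ZEM1'  : constructed emergency item category
    * zsd     : placeholder message class
    FORM zz_check_pstyv_auth USING    iv_pstyv   TYPE vbap-pstyv
                                      iv_trtyp   TYPE t180-trtyp
                             CHANGING cv_allowed TYPE abap_bool.

      DATA lv_actvt TYPE activ_auth.

      cv_allowed = abap_true.

      " Only the restricted (emergency) item category needs the extra check.
      IF iv_pstyv <> 'ZEM1'.
        RETURN.
      ENDIF.

      " Map the sales transaction type to the standard ACTVT values.
      CASE iv_trtyp.
        WHEN 'H'.
          lv_actvt = '01'.          " create (VA01)
        WHEN 'V'.
          lv_actvt = '02'.          " change (VA02)
        WHEN OTHERS.
          RETURN.                   " display mode: nothing can be selected
      ENDCASE.

      " AUTHORITY-CHECK evaluates the authorizations of the logged-on user,
      " so no user name is passed here.
      AUTHORITY-CHECK OBJECT 'Z_PSTYV'
        ID 'PSTYV' FIELD iv_pstyv
        ID 'ACTVT' FIELD lv_actvt.

      " Any non-zero return code is treated as "not authorized" (fail closed).
      IF sy-subrc <> 0.
        cv_allowed = abap_false.
        MESSAGE e000(zsd) WITH iv_pstyv.
      ENDIF.

    ENDFORM.
    ```

    Roles that should be able to use the emergency category then carry an authorization for the object with PSTYV = ZEM1 and the required ACTVT values; all other users fail the check.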

  • Authorization control based on responsible persons

    Hi Experts
    My project structure is operated by several users.
    To have control over each WBS (based on responsible person) I have set up authorization control for auth object C_PRPS_VNR.
    I have achieved control on WBS elements.
    However, the activities and network are still editable.
    Please suggest the auth control for the wbs and resp NWAs based on resp person.
    warm regards
    ramSiva

    Hi Ram Siva,
    If you are using an individual Network header for each WBS element, you can use the MRP controller field in the assignment tab page of the Network header for this authorisation. You can create the same number of MRP controllers as Persons responsible and control the authorisation.

  • Business Rules Security based on work flow

    Hello,
    How can we enable security on Business Rules, based on the workflow?
    For example, we have a Business rule that is attached to one input form, which opens a window for entering run time prompts for entering new asset details, and after entering he saves and the planning unit is promoted to the next level,
    but on the input form the Business rule is still visible, whereby he can enter the details though the planning unit is promoted.
    Is there any way to have access to the Business rule disabled/hidden once the planning unit is promoted?
    Thanks,
    murali.

    There is currently no out-of-the-box integration between workflow and business rule security.
    This thread may help with some alternatives:
    Workflow Problem
    - Jake

  • CRM 2015 - How to limit Field Level Security based on unit/subunit ?

    Hello,
    I have a problem with field level security. 
    I have entity entityX, and then have set of financial fields on this entityX.
    These fields are under field level security profile named "Financials".
    Next, I have a team which can read/write those fields. This team "Team1" is in business unit called "Subunit1".
    "Team1" has a role "ReadWholeOrganization", which enables it to read entityX from complete organization.
    "Team1" also has a role "WriteOwnOrganization", which enables users from this team to read and change entityX in his unit and sub-units.
    How can I prevent "Team1" users from seeing financial data for entityX, if entityX is owned by users outside the "Team1" users' unit?
    In other words, I want "Team1" users to see all entityX entities based on the "ReadWholeOrganization" role, but I don't want them to see financial data for the complete organization. I want "Team1" to see financial data only for their unit and subunits.
    How can I solve this?
    Extracting financial fields in another entity is out of the question.

    Write JavaScript to hide the fields if you need to hide them just from the form. Here is a sample to assist. However, this way they will still see the fields in Advanced Find.
    Hope this helps.
    Minal Dahiya
    blog : http://minaldahiya.blogspot.com.au/

  • Authorization decision based on property of accessed resource?

    Hi everyone!
    Is it possible to base the decision of a policy service in AM based on a property of the accessed resource? I can specify the method and the resource name, but can I also specify a property of the resource, maybe using some plugin for AM? For example a doctor should only be allowed access to a patient's file if it's his patient, and the patient has a property naming the doctor in charge.
    And another question: How can I take things such as time into account of an authorization decision? I don't want to code this in the application. The application should only ask: May $Subject access $Resource using $Method? Everything else (time, role of subject etc) should be definable on the PDP.
    Thanks for comments!
    Chris
    PS Actually I'd need a PDP which can handle policies as powerful as those definable using XACML combined with the authentication capabilities of AM.

    Found it! First, of course, there are conditions which already cover simple cases. For more elaborate authorization one can add new conditions by extending a Java interface, as described here:
    http://docs.sun.com/app/docs/doc/819-4675/6n6qfk0o3?a=view
    By writing a new XML document you can add a new policy service with arbitrary methods. The process is described in the manual or here:
    http://developers.sun.com/identity/reference/techart/secureapps.html

  • Port Security based on Device Type

    Hi all:
    We need to know whether there is any feature or software that allows blocking switch ports by type of device.
    For instance, we have some switches for IP phones and we do not want to have PCs connected to those ports.
    We know that it can be done using MACs, but, as phones can be moved easily, it implies constant changes on port security.
    Thanks
    Regards

    Apologies if I have not understood the original question, however, can you use port security (max MAC / sticky MAC) to ensure only devices that are currently connected are successful? Other violations will result in the port being shut down.
    You may want to investigate some 802.1x device authentication:
    http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
    HTH
    Steve

  • Security based on condition

    I am trying to keep a group of users from accessing some members of the measures dimension if the value of another measure is equal to one. I couldn't find a way to create a filter with a condition. Is there any other way to do this? Thanks!

    Hi,
    The way to authorize like you are doing is not a way I would recommend, as it's not very dynamic. You don't say whether you are using a repository like an Active Domain, but in general you would always check whether the user that is authenticated is a member of a specific group rather than keeping a list of users in a compare filter. You want to avoid having very specific logic in the gateway configurations as much as possible, otherwise you will have to redeploy every time you want to add or remove users etc.
    If you are using an active directory you can use the filter "Retrieve from Directory Server" after a successful authentication to retrieve attributes of that user, normally memberOf, which will give you all the groups the specific user is a member of, and on that data you would do an authorization check.
    If you are using the built-in User repository there is a "Check Group Membership" filter that can be used instead.
    Cheers,
    Stefan

  • Application express security based on table values

    If, for example, 100 customers use an application built with Application Express, how can I restrict rows on their forms and reports?
    Each customer is allowed to see only their own articles (using the same table; condition on custno)

    Use Oracle VPD (Virtual Private Database) simply put. I currently use it in our applications.
    Do a search on OTN, Oracle's main website, and also Google; between all three you will see how to implement it. It isn't bad; if you need further help let me know.
    http://www.oracle.com/technology/deploy/security/database-security/virtual-private-database/index.html
    Justin
