Best practice for assigning permissions

Good morning,
I am trying to redo permissions on our shared folders, and want to incorporate some sort of best practice and be security conscious.
In the current environment permissions are assigned directly to the folder, and it is usually Domain Users :(.
I have a multi-domain environment, and I want to know what is the best way to handle permissions. So, for instance, I have a folder called
\\ITserver01\ITtest; what kind of naming scheme do you give it? I was thinking about maybe ITserver01_ITtest_RW as an example...
Also, do I have to create a domain local R/W and R/O group and a universal group R/W and R/O, since I cannot place users directly in the domain local group?
Chad

Best practices (especially in naming schemes) depend a bit on the corporate culture and standard procedures. However, we put users in domain local groups based on their role. Those groups would be made a member of a domain group that is used to grant access to local resources, and then those resource-access domain groups are made members of local groups on the server.
For example, if I have a server 'test', then there is a domain group called 'test administrators', and that group is then a member of the local Administrators group of the test server. And one of the members of the 'test administrators' group would be the 'site domain admins' group.
For your example, ITserver01_ITtest_RW would be a domain local group. You would not put users in it directly, but user groups. Users are in groups like 'Site helpdesk admins' or whatever, something that defines their role in the organization.
And then you would put 'Site helpdesk admins' as a member in the ITserver01_ITtest_RW group.
Does that make sense?
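The pattern the reply describes (accounts go into role groups, role groups go into per-resource domain local groups, and only the resource groups appear on the ACL) for the \\ITserver01\ITtest case, as an added PowerShell example. This is not code from either poster. The OU paths, the share's local path, the role group name and the descriptions are assumptions; it needs the ActiveDirectory (RSAT) module and an account that can create groups and change the folder's ACL.

```powershell
# Added example for the ITserver01\ITtest case in the thread; not code from the
# original posters. ASSUMPTIONS: OU paths, the share's local path and the role
# group name below are placeholders; the ActiveDirectory (RSAT) module is
# available; you run this as an account that can create groups and edit the ACL.
Import-Module ActiveDirectory

$roleOu     = 'OU=Role Groups,DC=corp,DC=example,DC=com'      # assumed
$resourceOu = 'OU=Resource Groups,DC=corp,DC=example,DC=com'  # assumed
$sharePath  = 'D:\Shares\ITtest'                              # assumed local path of \\ITserver01\ITtest

# 1. Role group (global scope) holds the people. A global group can be nested
#    into a domain local group in any trusted domain of the forest, which covers
#    the multi-domain case without a universal group per share.
$role = New-ADGroup -Name 'Site helpdesk admins' -GroupScope Global -GroupCategory Security `
    -Path $roleOu -Description 'Role: site help desk staff' -PassThru

# 2. Resource groups (domain local scope), named <server>_<share>_<access> so
#    anyone reading the ACL knows which group grants what.
$rw = New-ADGroup -Name 'ITserver01_ITtest_RW' -GroupScope DomainLocal -GroupCategory Security `
    -Path $resourceOu -Description 'Modify on \\ITserver01\ITtest' -PassThru
$ro = New-ADGroup -Name 'ITserver01_ITtest_RO' -GroupScope DomainLocal -GroupCategory Security `
    -Path $resourceOu -Description 'Read on \\ITserver01\ITtest' -PassThru

# 3. Nest the role into the resource group. User accounts never go into $rw or $ro.
Add-ADGroupMember -Identity $rw -Members $role

# 4. ACL the folder with the resource groups (by SID, so it works before the new
#    names have replicated everywhere) and drop the direct Domain Users grant.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $sharePath
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $rw.SID, 'Modify', $inherit, $none, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ro.SID, 'ReadAndExecute', $inherit, $none, 'Allow')))
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like '*\Domain Users' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path $sharePath -AclObject $acl

# 5. Check: every explicit ACE on the share should name a resource group, SYSTEM
#    or the local Administrators group; anything else is a direct grant to chase.
function Get-DirectGrants {
    param([string]$Path)
    $ok = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object { $ok -notcontains $_.IdentityReference.Value -and
                       $_.IdentityReference.Value -notmatch '_(RW|RO)$' }
}
Get-DirectGrants -Path $sharePath | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Two caveats when applying this to an existing tree like the one in the question: the script only removes a Domain Users entry that is set directly on the folder, so an entry inherited from a parent has to be fixed at the parent (or inheritance broken with the ACL's SetAccessRuleProtection method) before the folder is actually locked down; and the NTFS ACL is only half of the picture, the SMB share permission still has to be at least as permissive as the NTFS grant you intend (a common arrangement is a broad share permission with NTFS doing the real filtering, which this example assumes).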

Similar Messages

  • SAP Best Practice for Document Type./Item category/Acc assignment cat.

    What is the best practice for the document type and item category?
    I want to use NB - item category - B and K (blanket PO), D (service) and T (text).
    Does SAP recommend using FO only for the blanket purchase order?
    We want to use service contracts (with / without service entry sheet) for all our services.
    We want to buy assets for our office equipment.
    Which is the best one to use, NB or FO?
    Please give me any OSS notes or references for this.
    Thanks
    Nick

    Thank you very much for your response. 
    I hope I can provide some clarity on how the accounting needs to be handled per FERC regulations. The G/L balance on the utility that is selling the assets will be in the following accounts (standard accounts across all FERC-regulated utilities):
    101 - Acquisition Value for the assets
    108 - Accumulated Depreciation Value for the assets
    For an example, there is Debit $60,000,000 in FERC Account 101 and a credit $30,000,000 in FERC Account 108.  When the purchase occurs, the net book value for the asset will be on our G/L in FERC Account 102.  Once we have FERC Approval to acquire the plant assets, we will need to enter the Acquisition Value and associated Accumulated Depreciation onto our G/L to FERC Account 101 and FERC Account 108 respectively with an offset to FERC Account 102.
    The method that I came up with is to purchase the NBV of the assets to a clearing account.  I then set up account assignments that will track the Acquisition Value and respective Accumulated Depreciation for each asset that is being purchased.  I load the respective asset values using t-code AS91 and then make an entry to the 2 respective accounts with the offset against the clearing account using t-code OASV.  Once my company receives FERC approval, I will transfer the asset to new assets that has the account assignments for FERC Account 101 and FERC Account 108 using t-code ABUMN or FB01.

  • Best-practice for Catalog Views ? :|

    Hello community,
    A best practice question:
    The situation: I have several product categories (110), several items in those categories (4000) and 300 end-users. I would like to know which is the best practice for segmenting the catalog. I mean, some users should only see categories 10, 20 & 30, other users only category 80, etc. The problem is how can I implement this?
    My first idea is:
    1. Create 110 Procurement Catalogs (1 for every prod.category).   Each catalog should contain only its product category.
    2. Assign in my Org Model, in a user-level all the "catalogs" that the user should access.
    Do you have any idea in order to improve this ?
    Saludos desde Mexico,
    Diego

    Hi,
    Your way of doing it will work, but you'll get maintenance issues (too many catalogs, and a catalog link to maintain for each user).
    The other way is to build your views in CCM, and assign these views to the users, either on the roles (PFCG) or on the user (SU01). The problem is that with CCM 1.0 this is limited, because you'll have to assign the items one by one to each view (no dynamic or mass processes); it has been enhanced in CCM 2.0.
    My advice:
    -Challenge your customer about views, and try to limit the number of views, with for example strategic and non-strategic
    -With CCM 1.0 stick to the procurement catalogs, or implement BAdIs to assign items to the views (I experienced it, it works, but is quite difficult), but with a limited number of views
    Good luck.
    Vadim

  • Best practices for office 365 SHARED CALENDAR for whole school / organization

    hi
    we need guidance on best practice for setting up a SHARED CALENDAR on the Office 365 Exchange server for an entire organization (school) of 150 staff.
    Requirements
    + all staff should have read only / reviewer permissions on the calendar
    + a handful of staff should have editor permissions on the calendar
    + the calendar should synchronise custom categories and colors
    Current Solution
    at the moment we have found that a shared mailbox is the best solution because;
    - all users can add the shared mailbox in Outlook 2010 as an additional mailbox as read only
    - all the categories & colors for the calendar are automatically synchronised because the color categories are stored within this mailbox.
    - you can edit calendar permissions in Outlook to allow some users as "editor" of the calendar.
    Problem with Current Solution
    the problem however is that the users also need to access this...

    Hi Aleksei,
    I think Inactive mailboxes in Exchange Online is the feature that you want. This feature makes it possible for you to preserve (store and archive) the contents of deleted mailboxes indefinitely.
    A mailbox becomes inactive when an In-Place Hold or a
    Litigation Hold is placed on the mailbox before the corresponding Office 365 user account is deleted.
    But I'm afraid that it might be impossible to "easily share certain folders or even whole mailbox with people in the company". As can be seen from the articles below, this only allows administrators, compliance officers, or records managers to use the In-Place eDiscovery feature in Exchange Online to access and search the contents of an inactive mailbox:
    http://technet.microsoft.com/en-us/library/dn144876(v=exchg.150).aspx
    http://blogs.technet.com/b/exchange/archive/2013/03/21/preserve-mailbox-data-for-ediscovery-using-inactive-mailboxes-in-exchange-online.aspx
    Anyway, this is the forum to discuss questions and feedback for Microsoft Office client. For more details about your question, I would suggest you post in the dedicated forum of
    Exchange Online, where you can get more experienced responses:
    https://social.technet.microsoft.com/Forums/msonline/en-US/home?forum=onlineservicesexchange
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    Regards,
    Ethan Hua
    TechNet Community Support

  • Best practice for managing a Windows 7 deployment with both 32-bit and 64-bit?

    What is the best practice for creating and organizing deployment shares in MDT for a Windows 7 deployment that has mostly 32-bit computers, but a few 64-bit computers as well? Is it better to create a single deployment share for Windows 7 and include both
    versions, or is it better to create two separate deployment shares? And what about 32-bit and 64-bit versions of applications?
    I'm currently leaning towards creating two separate deployment shares, just so that I don't have to keep typing (x86) and (x64) for every application I import, as well as making it easier when choosing applications in the Lite Touch installation. But I know
    each deployment share has the option to create both an x86 and x64 boot image, so that's why I am confused. 

    Supporting two task sequences is way easier than supporting two shares. Two shares means two boot media, or maintaining a method of directing the user to one or the other. Everything needs to be imported or configured twice. Not to mention doubling storage space. MDT is designed to have multiple task sequences, why wouldn't you use them?
    Supporting multiple task sequences can be a pain, but not bad once you get a system. Supporting app installs intelligently is a large part of that. We have one folder per app install, with a wrapper vbscript that handles OS detection. If there are separate binaries, they are placed in x86 and x64 subfolders. Everything runs from one folder via the same command, "cscript install.vbs". So, import once, assign once, and forget it. It's the same install package we use for Altiris, and we'll be using a PowerShell version of it when we fully migrate to SCCM.
    Others handle x86 and x64 apps separately, and use the MDT app details to select what platform the app is meant for. I've done that, but we have a template for the vbscript wrapper and it's a standard process, so I believe it's easier. YMMV.
    Once you get your apps into MDT, create bundles. Core build bundle, core deploy bundle, laptop deploy bundle, etcetera. Now you don't have to assign twenty apps to both task sequences, just one bundle. When you replace one app in the bundle, all TSes are updated automatically. It's kind of the same mentality as Active Directory. Users, groups and resources = apps, bundles and task sequences.
    If you have separate build and deploy shares in your lab, great. If not, separate your apps into build and deploy folders in your lab MDT share. Use a selection profile to upload only your deploy side to production. In fact I separate everything (except drivers) into build and deploy folders on my lab server. Don't mix build and deploy, and don't mix lab/QA and production. I also keep a "Retired" folder. When I replace an app, TS, OS, etcetera, I move it to the retired folder and append "RETIRED - " to the front of it so I can instantly spot it if it happens to show up somewhere it shouldn't.
    To me, the biggest "weakness" of MDT is its flexibility. There's literally a dozen different ways to do everything, and there are no fences to keep you on the path. If you don't create some sort of organization for yourself, it's very easy to get lost as things get complicated. Tossing everything into one giant bucket will have you pulling your hair out.
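The "one folder per app, x86 and x64 subfolders, same command every time" wrapper the reply describes, written as an added PowerShell example rather than the author's vbscript (which is not on the page). The folder layout, the payload file name and the silent switches are assumptions; it sticks to PowerShell 2.0 syntax because that is what ships on Windows 7. The optional signature check is the one addition a practitioner would want before a wrapper that will execute whatever binary it finds in a share.

```powershell
# Added example, not the reply author's vbscript: a per-app install wrapper that
# selects the x86 or x64 payload from subfolders beside the script and can refuse
# unsigned installers. ASSUMPTIONS: the folder layout described in the reply
# (x86\ and x64\ subfolders, or a single payload in the app folder), a placeholder
# installer name and silent switches; PowerShell 2.0 syntax only.
param(
    [string]$Installer = 'setup.msi',      # assumed payload file name
    [string]$Arguments = '/qn /norestart', # assumed silent switches
    [switch]$RequireSignature              # fail if the payload is not Authenticode-signed
)

function Get-OsArchitecture {
    # Read the OS architecture, not the process one: a 32-bit task sequence
    # engine on 64-bit Windows still has PROCESSOR_ARCHITEW6432 set to AMD64.
    if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64' -or $env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'x64' } else { 'x86' }
}

function Get-InstallerPath {
    param([string]$Root, [string]$FileName, [string]$Arch)
    foreach ($dir in @((Join-Path $Root $Arch), $Root)) {   # arch-specific first, then flat
        $candidate = Join-Path $dir $FileName
        if (Test-Path $candidate) { return $candidate }
    }
    throw "No $Arch installer named $FileName under $Root"
}

function Invoke-Installer {
    param([string]$Path, [string]$Args)
    if ($Path -like '*.msi') {
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$Path`" $Args" -Wait -PassThru
    } else {
        $proc = Start-Process -FilePath $Path -ArgumentList $Args -Wait -PassThru
    }
    $proc.ExitCode
}

$root = Split-Path -Parent $MyInvocation.MyCommand.Path
$path = Get-InstallerPath -Root $root -FileName $Installer -Arch (Get-OsArchitecture)

if ($RequireSignature) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Error "Refusing unsigned or tampered payload $path (status: $($sig.Status))"
        exit 1
    }
}

$code = Invoke-Installer -Path $path -Args $Arguments
# MDT's default application success codes are 0 and 3010 (success, reboot required).
if (@(0, 3010) -notcontains $code) { Write-Error "Install of $path failed with exit code $code" }
exit $code
```

Import the app once in MDT with a command line such as `powershell.exe -ExecutionPolicy Bypass -File install.ps1` and the wrapper does the platform selection; the exit code is passed through unchanged so MDT's own success-code handling still applies.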

  • Best Practice for SRST deployment at a remote site

    What is the best practice for a SRST deployment at a remote site? Should a separate router such as a 3800 series be deployed for telephony in addition to another router to be deployed for Data? Is there a need for 2 different devices?

    Hi Brian,
    This is typically done all on one ISR router at the remote site :) There are two flavors of SRST. Here is the feature comparison;
    SRST Fallback
    This feature enables routers to provide call-handling support for Cisco Unified IP phones if they lose connection to remote primary, secondary, or tertiary Cisco Unified Communications Manager installations or if the WAN connection is down. When Cisco Unified SRST functionality is provided by Cisco Unified CME, provisioning of phones is automatic and most Cisco Unified CME features are available to the phones during periods of fallback, including hunt-groups, call park and access to Cisco Unity voice messaging services using SCCP protocol. The benefit is that Cisco Unified Communications Manager users will gain access to more features during fallback without any additional licensing costs.
    Comparison of Cisco Unified SRST and
    Cisco Unified CME in SRST Fallback Mode
    Cisco Unified CME in SRST Fallback Mode
    • First supported with Cisco Unified CME 4.0: Cisco IOS Software 12.4(9)T
    • IP phones re-home to Cisco Unified CME if Cisco Unified Communications Manager fails. CME in SRST allows IP phones to access some advanced Cisco Unified CME telephony features not supported in traditional SRST
    • Support for up to 240 phones
    • No support for Cisco VG248 48-Port Analog Phone Gateway registration during fallback
    • Lack of support for alias command
    • Support for Cisco Unity® unified messaging at remote sites (Distributed Exchange or Domino)
    • Support for features such as Pickup Groups, Hunt Groups, Basic Automatic Call Distributor (BACD), Call Park, softkey templates, and paging
    • Support for Cisco IP Communicator 2.0 with Cisco Unified Video Advantage 2.0 on same computer
    • No support for secure voice in SRST mode
    • More complex configuration required
    • Support for digital signal processor (DSP)-based hardware conferencing
    • E-911 support with per-phone emergency response location (ERL) assignment for IP phones (Cisco Unified CME 4.1 only)
    Cisco Unified SRST
    • Supported since Cisco Unified SRST 2.0 with Cisco IOS Software 12.2(8)T5
    • IP phones re-home to SRST router if Cisco Unified Communications Manager fails. SRST allows IP phones to have basic telephony features
    • Support for up to 720 phones
    • Support for Cisco VG248 registration during fallback
    • Support for alias command
    • Lack of support for features such as Pickup Groups, Hunt Groups, Call Park, and BACD
    • No support for Cisco IP Communicator 2.0 with Cisco Unified Video Advantage 2.0
    • Support for secure voice during SRST fallback
    • Simple, one-time configuration for SRST fallback service
    • No per-phone emergency response location (ERL) assignment for SCCP Phones (E911 is a new feature supported in SRST 4.1)
    http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps2169/prod_qas0900aecd8028d113.html
    These SRST hardware-based restrictions are very similar to the number of phones supported with CME. Here is the actual breakdown;
    Cisco 880 SRST Series Integrated Services Router: up to 4 phones
    Cisco 1861 Integrated Services Router: up to 8 phones
    Cisco 2801 Integrated Services Router: up to 25 phones
    Cisco 2811 Integrated Services Router: up to 35 phones
    Cisco 2821 Integrated Services Router: up to 50 phones
    Cisco 2851 Integrated Services Router: up to 100 phones
    Cisco 3825 Integrated Services Router: up to 350 phones
    Cisco Catalyst® 6500 Series Communications Media Module (CMM): up to 480 phones
    Cisco 3845 Integrated Services Router: up to 730 phones
    *The number of phones supported by SRST has been changed to multiples of 5 starting with Cisco IOS Software Release 12.4(15)T3.
    From this excellent doc;
    http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/vcallcon/ps2169/data_sheet_c78-485221.html
    Hope this helps!
    Rob

  • Best practice for install oracle 11g r2 on Windows Server 2008 r2

    Dear all,
    May I know what is the best practice for installing Oracle 11g R2 on Windows Server 2008 R2? Should I create a special Windows account for the Oracle database installation? What permissions should I grant on the folders where Oracle is installed and where the database-related files are located (datafiles, controlfiles, etc.)?
    Just grant Full for Administrators and System and remove permissions for all other accounts?
    Also, how should I configure Windows Firewall to allow clients to connect to the database?
    Thanks for your help.

    Hi Christian,
    Check this on MOS
    *RAC Assurance Support Team: RAC Starter Kit and Best Practices (Windows) [ID 811271.1]*
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=811271.1
    DOC Modified: 14-DEC-2010
    Regards,
    Levi Pereira

  • Best Practice to Assign Network

    Hi Experts,
    I have a question - what is the best practice to assign networks? Is it header assignment or activity assignment?
    I have a requirement which asks for WBS-level cost and revenue posting during settlement. I followed the standard design of having a 1st level WBS and assigned a network to that. I also have 2nd level WBSs linked to the 1st level WBS, which have the activities. Does this suffice for the settlement requirement?
    Thanks
    Rajesh

    Hi,
    The asked question needs more clarifications.
    A header-assigned network is used in assembly processing, i.e. when the project is generated automatically from a sales order. In that case each sales order line item will have one network assigned to it. Otherwise there is the activity-assigned network, which acts as an intermediary between the WBS and the activity.
    Regarding the project profile: if you assign the network to the project definition then there will be only one network in the project structure; if to the WBS element, then each WBS will have one network.
    Further, you have also mentioned settlement?? That question needs more elaboration.
    regards
    sameer

  • Best Practice for Deleted AD Users

    In our environment, we are not using AD groups. Users are being added individually. We are running User Profile Service but I am aware that when a user is deleted in AD, they stay in the content database in the UserInfo table so that some metadata can be
    retained (created by/modified by/etc).
    What are best practices for whether or not to get rid of them from the content database(s)?
    What do some of you consultants/admins out there do about this? It was brought up as a concern to me that they are still being seen in some list permissions/people picker, etc.
    Thank you!

    Personally I would keep them to maintain metadata consistency (Created By etc as you say). I've not had it raised as a concern anywhere I've worked.
    However, there are heaps of resources online to delete such users (even in bulk via Powershell). As such, I am unaware of cases of deleting them causing major problems.
    w: http://www.the-north.com/sharepoint | t: @JMcAllisterCH | YouTube: http://www.youtube.com/user/JamieMcAllisterMVP
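A report that shows which users a site collection still lists after their AD account is gone, as an added PowerShell example that is not from either poster. It only reports; the reply above argues for keeping the entries, and this gives the data for that decision. It assumes the SharePoint Management Shell on a farm server with the ActiveDirectory module, a single AD domain (SAM account names are only unique per domain), and a placeholder site URL.

```powershell
# Added example, not from the original thread: list the users a site collection
# still knows about whose AD account no longer exists. Report only; nothing is
# removed. ASSUMPTIONS: SharePoint Management Shell on a farm server with the
# ActiveDirectory module, a single AD domain, and a placeholder site URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl = 'http://intranet.corp.example.com'   # assumed

function Get-OrphanedSPUsers {
    param([string]$Url)
    $builtin = @('SHAREPOINT', 'NT AUTHORITY', 'BUILTIN')   # never AD accounts
    foreach ($user in Get-SPUser -Web $Url) {
        if ($user.IsDomainGroup) { continue }               # only individual accounts here
        # Claims logins look like "i:0#.w|CORP\jdoe", classic ones like "CORP\jdoe";
        # take the part after the last pipe and require the DOMAIN\name shape.
        $login = ($user.UserLogin -split '\|')[-1]
        if ($login -notmatch '^([^\\]+)\\([^\\]+)$') { continue }
        $domain = $Matches[1]
        $sam    = $Matches[2]
        if ($builtin -contains $domain) { continue }
        # A disabled account still exists and is not an orphan; only a missing one is.
        $ad = Get-ADUser -Filter { SamAccountName -eq $sam }
        if (-not $ad) {
            New-Object PSObject -Property @{
                Login       = $user.UserLogin
                DisplayName = $user.DisplayName
                SPUserId    = $user.ID
            }
        }
    }
}

Get-OrphanedSPUsers -Url $siteUrl | Sort-Object Login | Format-Table Login, DisplayName, SPUserId -AutoSize
```

The returned SPUserId is what Remove-SPUser would take if a site owner later decides to purge an entry; leaving that step out of the script keeps the report safe to run against production.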

  • Best practice for partitioning 300 GB disk

    Hi,
    I would like to seek advice on how I should partition a 300 GB disk on Solaris 8.x, and what the optimal size for each of the partitions would be.
    The system will be used internally for running web/application servers and database servers.
    Thanks in advance for your help.

    There is no "best practice" regardless of what others might say. It depends entirely on how you plan on using and maintaining the system. I have run into too many situations where fine-grained file system sizing bit the admins in the backside. For example, I've run into some that assumed that /var is only going to be for logging and printing, so they made it nice and small. What they didn't realize is that patch and package information is also stored in /var. So, when they attempted to install the R&S cluster, they couldn't because they couldn't put the patch info into /var.
    I've also run into other problems where a temp/export file system was mounted on a root-level directory. They made the assumption that "Oh, well, it's root. It can be tiny since /usr and /opt have their own partitions." The file system didn't mount properly, so any scratch files that were created in that directory went to the root file system and filled it up.
    You can never have a file system that's too big, but you can always have a file system that's too small.
    I will recommend the following, however:
    * /var is the most volatile directory and should be on its own several GB partition to account for patches, packages, and logs.
    * You should have another partition as big as your system RAM and assign that partition as a system/core dump for system crashes.
    * /usr or whatever file system it's on must be big enough to assume that it will be loaded with FOSS/Sunfreeware tools, even if at this point you have no plans on installing them. I try to make mine 5-6 GB or more.
    * If this is a single-disk system, do not use any kind of parallel access structure, like what Oracle prefers, as it will most likely degrade system performance. Single disks can only make single I/O calls, obviously.
    Again, there is no "best practice" for this. It's all based on what you plan on doing with it, what applications you plan on using, and how you plan on using it. There is nothing that anyone here can tell you that will be 100% applicable to your situation.

  • Best practice for the Update of SAP GRC CC Rule Set

    Hi GRC experts,
    We have in a CC production system a SoD matrix that we would like to modify extensively, basically by activating many permissions.
    Which is the best practice for accomplishing our goal?
    Many thanks in advance. Best regards,
      Imanol

    Hi Simon and Amir
    My name is Connie and I work at the Accenture GRC practice (and am a colleague of Imanol's). I have been reading this thread and I would like to ask you a question that is related to this topic. We have a case where there is a Global Rule Set "Logic System" and we may also require creating a Specific Rule Set. Is there a document (from SAP or from best practices) that indicates the potential impact (regarding risk analysis, system performance, process execution time, etc.) caused by implementing both types of rule set in a production environment? Are there any special considerations to be aware of? Have you ever implemented this type of scenario?
    I would really appreciate your help and if you could point me to specific documentation could be of great assistance. Thanks in advance and best regards,
    Connie

  • Best practice for dealing with Recordsets

    Hi all,
    I'm wondering what is best practice for dealing with data retrieved via JDBC as RecordSets without involving third-party products such as Hibernate etc. I've been told NOT to use RecordSets throughout my applications since they take up resources and are expensive. I'm wondering which collection type is best to convert RecordSets into. The apps I'm building are web-based using JSPs as the presentation layer, beans and servlets.
    Many thanks
    Erik

    There is no requirement that DAOs have a direct mapping to database tables. One of the advantages of the DAO pattern is that the business layer isn't directly aware of the persistence layer. If the joined data is used in the business code as if it were an unnormalized table, then you might want to provide a DAO for the joined data. If the joined data provides a subsidiary object within some particular object, you might add the access method to the DAO for the outer object.
    eg:
    In a user permissioning system where:
    1 user has many userRoles
    1 role has many userRoles
    1 role has many rolePermissions
    1 permission has many rolePermissions
    ie. there is a many to many relationship between users and roles, and between roles and permissions.
    The administrator needs to be able to add and delete permissions for roles and roles for users, so the CRUD for the rolePermissions table is probably most useful in the RoleDAO, and the CRUD for the userRoles table in the UserDAO. DAOs can also call each other.
    During operation the system needs to be able to get all permissions for a user at login, so the UserDAO should provide a readPermissions method that does a rather complex join across the user, userRole, rolePermission and permission tables.
    Note that if the system I just described were done with LDAP, a hierarchical database or an object database, the userRoles and rolePermissions tables wouldn't even exist; these are RDBMS artifacts, since relational databases don't understand many-to-many relationships. This is a good reason to avoid providing DAOs that give access to those tables.

  • Best practice for bi backup

    Hi,
    Who can suggest me the best practice for backup/restore of entire bi dashboard reports, permissions and etc?
    Ed,

    Hi,
    If you want to move the entire set of dashboards, reports and permissions,
    zip the *<OracleBIData>Web/catalog* folder and move it to the new environment. In the new environment unzip this catalog and in instanceconfig.xml mention the path for this new catalog.
    If you want to move only a few dashboards or reports, do it with Catalog Manager.
    Thank you.

  • Best practice for standard security role

    Hi, I'd like to know which is the best practice for standard role use. Some people tell me that a standard role should never be used, that a copy must be made and the users assigned to the copy, but then, why should SAP bother creating the standard role?

    They are provided as a template for you, and you can copy them into a different namespace and make changes there before generating the profiles and authorizations.
    Why you should use a copy of them is because SAP will also update them sometimes. If transactions change in the standard menus with SPs and upgrades, then you will find them in transaction SU25.
    If you do a search on "standard AND roles" in the SDN then you will also find more detailed infos and opinions on the use of them.
    Cheers,
    Julius

  • Best Practices for Service Entry Sheet Approval

    Hi All
    I'd just like to get some opinions on best practices for external service management - particularly the approval process for the Service Entry Sheet.
    We have a 2-step approval process using workflow:
    1. Entry Sheet created (blocked)
    2. Workflow to requisition creator to verify/unblock the Entry Sheet
    3. Workflow to cost object owner to approve the Entry Sheet.
    For high-volume users (e.g. capital projects) this is a cumbersome process - we are looking to streamline but still maintain control.
    What do other leaders do in this area? To me mass release seems to lack control, but perhaps by using a good release strategy we could provide a middle ground?
    Any ideas or experiences would be greatly appreciated.
    thanks
    AC.

    Hi,
    You can have the purchasing group (OME4) as department and link the cost center to the department (KS02). Use the user exit for service entry sheet release and have two characteristics for service entry sheet release, one for value (CESSR-LWERT) and another for department (CESSR-USRC1). Have one release class for service entry sheet release and then add the value characteristic (CESSR-LWERT) and the department characteristic (CESSR-USRC1). Now you can design release strategies for service entry sheets based on department and value, so that the SES will be created and then released by users with the release code based on the department and value assigned to them.
    Regards,
    Biju K
