BW Authorizations in conjunction with R/3 Authorizations
I would like to know what type of authorization checks people are using in BW to ensure users only see the appropriate data. We would want users in BW to only see the information that they see in R/3. At present we have a custom table set up to check the roles assigned to people in R/3; however, we are looking for a new solution for several reasons. If we consider HR Roles for example, we would want BW to check R/3 to see which Org Units, Personnel Areas, and Personnel Subareas the user should have access to. This custom table helps somewhat; however, it only looks at authorization objects in a linear way, so if you have a Personnel Area ABC with authorization to * Personnel Subareas and Personnel Area XYZ with authorization to 0001 Personnel Subarea, the * overwrites the 0001, so the user still has authorization access to all of Personnel Area XYZ instead of just 0001. Does anyone have a solution for ensuring the BW authorization is the same as the R/3 authorization access? In addition to this, we may want to limit by Employee Subgroups, so although the user can see Subarea 0001, we would not want them to see the Subgroup of Executive. This has been worked out on the R/3; we just need assistance in making sure this is recognized on the BW side.
hi,
in case you have no id to access the links mentioned by Deepu, you may try following
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/biw/g-i/how to generate bw authorization profiles from a flat file
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/e1cba990-0201-0010-43ae-af579aee7a73
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f
hope this helps.
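The flattening problem described in the question above, as an added example (not code from the thread and not SAP code): a per-field check is compared with one that evaluates each authorization row as a combination. The field names, the SALARIED/EXECUTIVE subgroup values and the sample records are constructed for illustration.

```python
# Constructed R/3-side grants for one user. Each row is one authorization:
# a (Personnel Area, Personnel Subarea) combination that belongs together.
R3_GRANTS = [
    {"pers_area": "ABC", "pers_subarea": "*"},
    {"pers_area": "XYZ", "pers_subarea": "0001"},
]
DENIED_SUBGROUPS = {"EXECUTIVE"}  # constructed exclusion list

def matches(pattern, value):
    """'*' grants every value; anything else must match exactly."""
    return pattern == "*" or pattern == value

def flatten_per_field(grants):
    """Linear model: pool allowed values per field, losing the area link."""
    flat = {}
    for grant in grants:
        for field, value in grant.items():
            flat.setdefault(field, set()).add(value)
    return flat

def allowed_linear(flat, record):
    """Fields are checked independently, so one '*' applies to every area."""
    return all(any(matches(p, record[f]) for p in pats)
               for f, pats in flat.items())

def allowed_combined(grants, record, denied=DENIED_SUBGROUPS):
    """Visible only if one grant row covers the record and subgroup is allowed."""
    if record["emp_subgroup"] in denied:
        return False
    return any(all(matches(p, record[f]) for f, p in grant.items())
               for grant in grants)

# Constructed HR records as they might be requested in a BW query.
RECORDS = [
    {"pers_area": "ABC", "pers_subarea": "0007", "emp_subgroup": "SALARIED"},
    {"pers_area": "XYZ", "pers_subarea": "0001", "emp_subgroup": "SALARIED"},
    {"pers_area": "XYZ", "pers_subarea": "0002", "emp_subgroup": "SALARIED"},
    {"pers_area": "XYZ", "pers_subarea": "0001", "emp_subgroup": "EXECUTIVE"},
]

def compare(grants=R3_GRANTS, records=RECORDS):
    """Return (linear, combined) decisions per record, in order."""
    flat = flatten_per_field(grants)
    return [(allowed_linear(flat, r), allowed_combined(grants, r))
            for r in records]

if __name__ == "__main__":
    for rec, (lin, comb) in zip(RECORDS, compare()):
        print(rec, "linear:", lin, "combined:", comb)
```

The third and fourth records are the over-grants: the pooled `*` from Personnel Area ABC opens XYZ/0002, and the linear model has no place to carry the Employee Subgroup exclusion.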
Similar Messages
-
An issue with authentication and authorization on ISE 1.2
Hi, I'm new to ISE.
I have an issue with authentication and authorization.
I have ISE 1.2 plus patch 6 installed on VMware.
I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied an authorization profile with DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the one last account.
I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After the ISE reboot, authentication and authorization start to work properly for several hours.
I don't understand: is it a glitch, or did I misconfigure ISE, the switch, or the supplicant?
What should I do to resolve this issue?
Switch configuration:
testISE#sh runn
Building configuration...
Current configuration : 7103 bytes
! Last configuration change at 12:20:15 Tue Apr 15 2014
! NVRAM config last updated at 10:35:02 Tue Apr 15 2014
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname testISE
boot-start-marker
boot-end-marker
no logging console
logging monitor informational
enable secret 5 ************
enable password ********
username radius-test password 0 ********
username admin privilege 15 secret 5 ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 172.16.0.90 server-key ********
aaa session-id common
clock timezone 4 0
system mtu routing 1500
authentication mac-move permit
ip dhcp snooping vlan 1,22
ip dhcp snooping
ip domain-name elauloks
ip device tracking probe use-svi
ip device tracking
epm logging
crypto pki trustpoint TP-self-signed-1888913408
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1888913408
 revocation-check none
 rsakeypair TP-self-signed-1888913408
crypto pki certificate chain TP-self-signed-1888913408
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
ip ssh version 2
interface FastEthernet0/5
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface FastEthernet0/6
 switchport mode access
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 1
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface FastEthernet0/7
interface Vlan1
 ip address 172.16.0.204 255.255.240.0
 no ip route-cache
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
 deny icmp any host 172.16.0.1
 permit ip any any
ip radius source-interface Vlan1
logging origin-id ip
logging source-interface Vlan1
logging host 172.16.0.90 transport udp port 20514
snmp-server community public RO
snmp-server community ciscoro RO
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 172.16.0.90 ciscoro
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-Alex
 address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
 automate-tester username radius-test idle-time 15
 key ******
ntp server 172.16.0.1
ntp server 172.16.0.5
end
Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their gmail accounts. Kept getting error message that username and password invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that did the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.
-
unable to delete Role from User ID in SAP SOLMAN production system but able to from DEV with the same authorization, pls suggest
Hi,
For SU01 role removal, you do not need S_USER_AGR with 02, and as you mentioned both authorizations available in production, if so trace should not show you the S_USER_AGR with 02 with RC=04.
I would recommend doing a role comparison for the user performing the activity, and then checking if you have the S_USER_AGR with 02 in user buffer SU56.
But ideally it should not ask you S_USER_AGR for 02 through SU01, so please take help of abaper to debug it.
Also put trace in non-prd to see if S_USER_AGR is getting checked with 02 for removal through SU01.
BR,
Mangesh -
I am trying to play a song I bought and it is saying I need to authorize my computer to use it with a very old id that I no longer use for apple. How do I get all my music back?
You need to authorize the computer with that specific Apple ID. If that account's inaccessible, delete the song and then purchase it from your current Apple ID, or click here and ask the iTunes Store staff for assistance.
-
Can I authorize two computers with the same iTunes
Yes, you can authorize two computers with the same iTunes account.
-
I got a new Kobo and tried to register it so that I can download books from the public library. When I tried to register my device I received the following message: "You can only authorize this computer with an Adobe ID that hasn't been previously used to authorize any other computer or mobile devices. Please try again."
Please refer to Can't authorize with a previously used Adobe ID
-
How to Control authorization for users with certain status for level 2 WBS Element
Dear All,
Is there any standard way or enhancement available to control authorization for users with certain status for WBS Element i.e. for example
Pre-requisite:
There is only 2 level of project i.e.
Lev_ WBSE_______Description
1___ 7-14.E_______summay outage controller
2___ 7-14.E.2310__ Plant/unit # 2310
2___ 7-14.E.2310__ Plant/unit # 2220
Project Controller (authorization role assigned "Z_PS_OP7_OTGCON_C") have all project level authorization
Plant/Unit Controller (authorization role assigned "Z_PS_OP7_PLNTOTG_C_2310") have only level 2 authorization with enhancement that we did in system by Z table.
User ID_ Plant #
123345_ 2310
122455_ 2220
Issue:
After System Status released and User Status approved the WBS basic date for Plant/Units should be restricted from updating/changing by Plant/Unit Controller level and only project controller should have this authority.
Solution required:
Can any one tell how to control this scenario either by standard or enhancement available to control authorization
BR
Saqib Usman
Hi,
Did you explore SAP Enhancement CNEX0002 Using Transaction CMOD?
Thank you and regards,
Varshal Kachole
-
I have recently changed my apple id and password. When i try to access music that i bought on itunes on an external hard drive, it asks me to authorize my computer with my old apple id? can anyone help?
Please try to sign in at https://appleid.apple.com
Check if your new username/email address is verified
If this works, delete your account on your iPhone (Settings > iCloud)
Sign back in -
I can not authorize my computer with Adobe ID
When I try to authorize my computer with my Adobe ID, an error happened; it said the activation server cannot be connected
Perhaps someone in the Adobe Digital Editions forum? (Adobe Reader has no connection, we don't have much of a clue). Adobe Digital Editions
-
I cant authorize my computer with my apple id what should i do
i downloaded some app with my apple id but i cant install them i authorize my computer with my iphone 5s but every time i sync, it says that you need to authorize your computer and i cant install my apps
Read this:
http://support.apple.com/kb/TS1389 -
TS1389 How do I authorize my computer with iTunes
How do I authorize my computer to download music? I went to the support page which told me to simply "click authorize computer" on the store menu, but unfortunately that doesn't exist. The support page is wrong, so how would I really authorize my computer?
Authorization and Deauthorization
Macs: iTunes Store- About authorization and deauthorization.
Windows: How to Authorize or Deauthorize iTunes | PCWorld.
In iTunes you use the Authorize This Computer or De-authorize This Computer option under the Store menu in iTunes' menubar. For Windows use the ALT-S keys to access it. Or turn on Windows 7 and 8 iTunes menus: iTunes- Turning on iTunes menus in Windows 8 and 7.
More On De-authorizing Computers (contributed by user John Galt)
You can de-authorize individual computers, but only by using those computers. The only other option is to "de-authorize all" from your iTunes account.
1. Open iTunes on a computer
2. From the Store menu, select "View my Account..."
3. Sign in with your Apple ID and password.
4. Under "Computer Authorizations" select "De-authorize All".
5. Authorize each computer you still have, as you may require.
You may only do this once per year.
After you "de-authorize all" your authorized computers, re-authorize each one as required.
If you have de-authorized all computers and need to do it again, but your year has not elapsed, then contact: Apple - Support - iTunes - Contact Us. -
Table for Analysis authorization along with values for authorization fields
Hi,
I am looking for a table that contains the Analysis Authorization name along with values for all the authorization fields within this Analysis Authorization. Individually I can go to PFCG or Rsecadmin, but since I need all the Analysis auth objects, I need to get this info into Excel, so I need a table.
Hi Prashanth
You can check RSECVAL that is appropriate for your requirement please let us know if any further help is needed.
Thanks & Regards
Santosh Varada -
hi, let me know if I authorize my computer with a new app ID, the other apps I purchased with my previous app iD will be deleted?
Drag the entire iTunes library to an external drive.
-
I need to authorize my laptop with the itunes store in order to sync it with my ipad but when I go into the store I cannot find where to do the authorization?
johnbescoby wrote:
Hi Roger, Many thanks I found the authorization section activated it and it was confirmed by itunes. But then I encountered another problem as attempting to sync my computer to my ipad i still received the same notification that it was not authorized so I really would not know how to rectify that so any assistance would be appreciated,
Thanks John
I was under the impression that once you had authorised the computer, transferring purchased and other songs to your iPod/iPad was then straightforward. However it gets more complicated with apps, and as I don't have an iOS device I can't advise. You've actually asked in the forum for questions about these forums, and you would do better to ask in the iPad forum, where people who actually have these toys hang out. -
How do I authorize purchased songs with an obsolete Apple ID
Here's my problem...
I upgraded to Tiger 10.4.3 from 10.3.9 reluctantly using the erase and install option. I did not deauthorize my computer prior to doing this.
I have a lot of purchased songs from iTunes that were purchased using an old Apple ID (I changed my ISP after I purchased these songs...which changed my email address...which, in turn, required me to change my Apple ID). So, now when I try to play one of these songs, iTunes asks for authorization with the old Apple ID. I put in the password for the old Apple ID and it tells me that Apple ID does not exist. I try my current Apple ID and password and it tells me it is the wrong Apple ID. ...Any Thoughts?
Dual 867 mHz G4 Mac OS X (10.4.3)
Tried to authorize the songs with the current Apple ID again and now it seems to have worked. Problem solved
Dual 867 mHz G4 Mac OS X (10.4.3)