BW Security roles based on query

Hello All,
If a User 1 needs to have access to ZQUERY_1 restricted by a company code AB11 and need to have full access (without restriction to AB11) to a different query ZQUERY_2.
Similarly if a User 2 needs to have access to ZQUERY_1 restricted by a company code AB22 and need to have full access (without restriction to AB22) to a different query ZQUERY_2.
ZQUERY_2 has company code as one of the characteristics.
This is what I canu2019t do (I think):
1)     Create an authorization object Z_RS_AB11 through T Code RSECADMIN to include the company code AB11. And then create a role with ZQUERY_1 and ZQUERY_2 as the only query that the role will give access to. Using RSU01, insert the authorization object Z_RS_AB11 (for the Company Code AB11) and assign it to User 1.
This wonu2019t work, because with restriction to User 1u2019s profile on, User 1 would not be able to run ZQUERY_2 for all company codes.
Or
2)     Create a role where the authorization object S_RS_AUTH includes only company code AB11.
This wonu2019t work either because User 1 would not be able to run ZQUERY_2 for all company codes due to restriction in the role to company code AB11.
What are the possible solutions? Any thoughts...

These queries are based on many Cubes/DSOs. 0COMP_CODE are in both the queries. We are not using 0COMPANY in any of the queries. Restricting access on a single InfoObject would not allow the users to view the other query where there should be no restriction.
A Potential Solution (not sure if it could work though):
Possible solution:
Create role 1 for ZQUERY_1 and include AB11 in S_RS_AUTH.
Create role 2 for ZQUERY_2 and include 0BI_ALL in S_RS_AUTH.
Create role 3 for ZQUERY_1 and include AB22 in S_RS_AUTH
Assign user 1, role 1 and role 2
Assign user 2, role 2 and role 3
Any thoughts on this...

Similar Messages

  • BPMON Alert Inbox - role based custom query

    Hello experts,
    I have a requirement from my customer in BPMON alert inbox to build a custom queries and distribute them to end-users based on security access or other kind of assignment.
    Say for example, we have a monitoring object "purchase requisition" defined for all company codes (regions).
    We do not want region A to see BPMON alerts for region B.
    So far what I have found is:
    1) the alert inbox shows all alerts to everyone who has access to BPO work center, cannot find an authorization object to restrict this.
    BPM_DETAIL kind of supposed to do the trick, but it only checks the authorizations when "Detail info" button hit - way pass the initial alerts list.
    We want to restrict the alerts visibility even before they come to hit the "Detail" button.
    2) Query to view alerts: seems that STANDARD query is available to everyone, and the standard query shows ALL alerts. The Filter would work, and we can create a new query to see only partial alert list, but this query is not "custom" but actually "user-specific", i.e. only person who created it can see it.
    We want the ADMIN person to create queries centrally for all regions, and be able to assign those queries to the regional people, so that they can only see the query that contain data pertaining to the region.
    And by the way - the "standard" query should be only assigned to ADMIN (not to everyone).
    Is it possible to achieve ?
    Appreciate any comments.
    Thank you
    Elena

    yes, you're correct. Basically "Associate assigned security roles with specific security scopes and collections" is required when you've more than one security role. However, do you think it's worth a try  "login
    into console with respective administrative user and check the required access."
    Also would that be possible to paste the screenshots of security scope properties of administrative users? That would also give some more idea. 
    I've noted down some of the issues in the following link ( I don't think nothing is directly related to your issue but it may give some clues) http://anoopcnair.com/2013/02/18/configmgr-sccm-2012-sp1-rba-implementation-gotchas-and-troubleshooting-tips/
    Anoop C Nair (My Blog www.AnoopCNair.com)
    - Twitter @anoopmannur -
    FaceBook Forum For SCCM

  • Identify role based on query

    Hi
    I have 1 query, how can i identify what is role name assigned my query, how can i cross chec.

    hi,
    check this link.
    Re: Roles??????
    hope this will help you.
    Edited by: Ramakrishna Gattikoppula on Aug 18, 2009 10:29 AM

  • What is the mean of using Portal with Role Based security as entry point

    Hi Experts we have requirement of integration of Portal and MDM
    I am completely new to the MDM. So please give me some idea , what is the meanin for following points.
    1) Using the Portal with Role Based security as entry point for capacity and Routing Maintaince(These two are some modules).
    2) Additionally , Portal should have capability to enter in to the MDM for future master data maintence. Feeds of data will need to be come from  SAP 4.6c
    Please give me the clarity of what is the meanin of second point
    Regards
    Vijay

    Hi
    It requires the entire land scape like EP server and MDM server both should be configured in SLD.
    Your requirement is maintaing and updating the MDM data with Enterprise portal.We have some Business Packages to install in Portal inorder to access the functionality of MDM.
    Portal gives you a secure role based functionality of MDM through Single sign on (login into the portal access any application) to their end users.
    Please go through this link
    http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
    You need to develope some custom applications which should be integrated into the portal to access MDM Server master data
    The estimation involves as per your requirement clearly
    Its depends upon the Landscape settings, Requirement complexity,Identify how many number of custom applications need to be developed
    Regards
    Kalyan

  • Role based oracle adf security and filtering data

    while oracle adf security looks great its only role based... does anyone know of any resources describing an architecture where this is used in addition to filtering of data based on say, organization?
    it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...

    Hi,
    it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...
    ADF Security is a JAAS based security implementation to protect resources (like entities). It is nota security provider like OPSS or OID which you can use for user provisioning and self service (if you code against the IDM APIs). ADF Security only checks for whether a user is authenticated and if the user has the permission to perform a task.
    However, you can use groovy to access the security context from Groovy, which allows you to add the authenticated username to a query - for example to filter recrds out that match the username in one of its attributes.
    For example, you could create a ViewCriteria that for example filters the query by a specific attribute. Say that managers can see data starting from department 10 whereas employees can see data starting from department 100. The ViewCriteria would reference a bind variable with the following default setting
    adf.context.securityContext.isUserInRole('manager')? 10 : 100
    Frank

  • Reseeding cache for users with role based security

    I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

    I have created an ibot with the following:
    General - Normal Priority, Personalized (recipient's data visibility)
    Conditional Request - example_report
    Schedule - some schedule
    Recipients - Me(administrator) and User1
    Destinations - Oracle BI Server cache
    when the ibot runs 2 cache entries are created (for the 2 recipients).
    I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
    After the ibot runs:
    When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
    On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
    The User1 has a data level security.
    Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
    Thanks for your inputs.

  • CRM 2011: Can you control which form is used based not security roles, but on a field value?

    I see that you can control which form is used based on security roles, but can you control it based on other field values?  I'd like a new record to use a different form until a given status is updated.  I have a status of draft and active. So
    it would be nice if I could use form1 for those in draft, form2 for those that are active.  But I only see where you can control that via the security roles.
    I can code all of this via JavaScript, but having the ability to use two separate forms would be nice.  Is that even possible.
    Best regards,
    Jon Gregory Rothlander

    Hello,
    Recheck following article - http://gonzaloruizcrm.blogspot.com/2014/11/avoiding-form-reload-when-switching-crm.html
    Dynamics CRM MVP/ Technical Evangelist at SlickData LLC
    My blog

  • Error in Role Based security using weblogic 9

    Hi All,
    Currently I am working with Weblogic Server 9. I am trying to use role based security. Below is the entries for web.xml.
    <security-constraint>
         <web-resource-collection>
              <web-resource-name>Success</web-resource-name>
              <url-pattern>/form.jsp</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
              <role-name>admin</role-name>
         </auth-constraint>
         <user-data-constraint>
    <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
         <role-name>admin</role-name>
    </security-role>
    When I am calling form.jsp from the browser it is asking for the username and password, but after giving the username and password it is showing the followig error:
    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    So can any one provide me the solution for the above problem.
    Thanks in advance.
    By,
    Sandip Pradhan

    Here is a blog post for the backend (WebLogic Admin GUI) http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-role.html and a blog post for the web.xml in your project http://disaak.blogspot.com/2009/11/migrating-to-weblogic-configure-ear.html.

  • R12: Role based security : Hiding a button in OAF page for roles

    Hi All,
    We have a requirement where in which, we have to hide a "Create" button in AR customer search form for some roles ... we have implemented UMX - Roles based security in our project and we cant hide it based on user or resp ...
    Any ideas ... Is it feasible with this new featue of RBAC?
    Thanks and Regards,
    Senthil

    Hi Ajay,
    metalink note 2778881.1 is discussing "Page access tracking report".
    but here i want to implement access restrictions to a particular page.
    Regards,
    Naren.

  • Role-Based Security In SQL Server Reporting Services

    Hi
    I have created Reports,
    Now I need to assign Role-Based Security, ie like some particular clients can access only some particular report.
    http://localhost/reports/Pages/Folder.aspx
    Here in the above link i can see the property tool bar where i need to set the user assignement roles.
    could any one please help me out how to set different login assigned to a set of report.
    Or is there any tutor links for this.
    Thanks a lot.
    Shan

    Create folders under the Home page (the link you have there).  For each folder set group athentication (AD) or harder managed, user account roles for the folders and the reports under the folder.
    If you set security at that home level you will not be able to control what reports they see or can't see.  You'll need to go all the way to the folder/report level.
    It's also not best practice to deploy reports directly to the home level.  Not best practice in it creating a very hard to manage security level.  Think of the levels in security as such to SQL Server.  Set the connect to sql level, database level and then down to the objects in them.  Same priciples apply to SSRS.
    Here is a cast going through some security settings as well http://technet.microsoft.com/en-us/sqlserver/dd391734.aspx fro creating your roles and utilizing them
    Ted Krueger Blog on lessthandot.com @onpnt on twitter

  • RBAC / Role Based Security Set Up in R12

    We are working with a 3rd party consulting organization to implement Role Based Access Control in E-Business Suite R12. We have approximately 50 users and with 35 responsibilities today and are currently in the process of designing our role based security set up. In advance of this the consulting company has provided us with effort estimates to cutover from the current responsibility structure to RBAC. We are told this must be done while all users are off the system. The dowtime impact to the business is very high, expecially considering our small user base.
    With RBAC cutover downtime estimates such as these I can't understand how any company larger than ours could go live with it?
    Does anyone have previous Role Based Access Control implementation experience in EBS R11i or R12 and could provide some insight on their experience and recommendations, best practice for cutover to mitigate impacts to the business as we cannot accept the 90 hours of downtime outlined by the consulting company below?
    Disable users old assignments:
    *12.00 hours*
    Disable Responsibilities targeted for the elimination:
    *12.00 hours*
    Disable Responsibilities targeted for the elimination:
    *16.00 hours*
    Setup OUM options and profiles:
    *6.00 hours*
    Setup Roles and Hierarchies:
    *14.00 hours*
    Grant Permissions:
    *12.00 hours*
    Setup Functional Security and disable the obsolete responsibilities:
    *12.00 hours*
    Setup Data Security and disable the obsolete data accesses:
    *6.00 hours*
    Total *90 hours*
    Note - all activities must be performed sequentially*
    Any advice or experiences you could share would be extremely valuable for us. Thank you for taking the time advance to review & respond.

    On Srini`s comments "Creating Roles.. will have to be done manually "... I would like to know will the same approach be followed for PRODUCTION instance also. Say if we need to create 35 responsibilities and 50 roles so should this be done manually in PRODUCTION.
    I have not worked on this but I know that in my previous company this was done using scripts. Need to find more on this.

  • Weblogic security & EJB role based access

    How does (or not) weblogic security tie into the EJB notion of role based
    control ? Can we create a 'custom' security mechanism for EJB (which
    basically uses the EJB facilities but extends it within the application) by
    using custom weblogic realms ?
    Thanks
    Raju

    Thanks !
    "Terry" <[email protected]> wrote in message
    news:[email protected]...
    comments inline
    r <[email protected]> wrote in message
    news:[email protected]...
    >>
    Here are some more specific questions around an 'example' scenario:
    The application has an entity bean 'Account' that can be accessed by the
    roles 'Bank Employee' and 'Customer'
    'Bank Employee' can execute the 'getBalance()' and 'placeOnHold()'
    methods on the 'Account' bean
    'Customer' can execute the 'withdraw()', 'deposit()', and'getBalance()'
    methods on the 'Account' bean
    These permissions are set up through the deployment descriptor by
    mapping
    the 'Bank Employee' and 'Customer' roles
    to the particular bean methods that the role should be given access to.
    1. How does weblogic provide the facility to map the EJB deployment
    descriptor
    <security-role> to a particular weblogic principal (user orgroup)
    Or, should I say, how do I map the user or group to a
    deployment-descriptor defined role?In the deployment tool, once in the jar select the 'Security' item,create
    an application role (in your case it is probably best to create 2 security
    roles - the bank employee role refering to the bank employee group (usethe
    'in role' checkboxes, and the customer role refering to the customergroup -
    there may at some point be use for an allUsers role, which includes both
    groups, maybe not. What I am saying is that a role is made of a one ormore
    of Principals - in our case groups)
    In the Account Bean select the method permissions item, and create amethod
    permission perm-0, select the perm-0 item that has just popped up in the
    left hand window, tick the box for placeOnHold(), and the boxes for<remote>
    and <home> one level deeper than this in the tree (as an aside, I have
    absolutely no idea why there would be a 'home' box here, ho hum). Selectthe
    'bank employee' 'can invoke' tickbox
    Create perm-1, and do what you did above for 'withdraw()' and 'deposit()'
    methods, and the 'customer' tickbox
    I believe the documents say you would have to set up another permission to
    allow both groups access to the getBalance method, but in practive Ihaven't
    found this the case.
    The documentation for this is at
    http://www.weblogic.com/docs51/classdocs/API_ejb/EJB_deploy.html#1102211
    (or
    search for 'Deploying EJBs with DeployerTool'
    2. Are there any administrative tools provided by weblogic to do
    this
    mapping ?The deployer tool. Otherwise I think it's the acse of writing your own xml
    files
    3. How much effort & complexity is involved in creating a custom
    realm
    Hmmm, depends - you could have the RDBMSRealm that is provided in'examples'
    in half an hour or so (there is a problem with one of the RDBMSUser's
    methods - getUserType or something like that - the solution can be foundin
    the newsgroups if you search), the same is probably true of the LDAPRealm,
    NTRealm etc (although I have never used these).
    Which one you choose depends on what equipment you have available,although
    I would say that the RDBMSRealm canuse a lot of optimisation
    Thanks,Welcome
    Raju
    "Terry" <[email protected]> wrote in message
    news:[email protected]...
    The Principals (i.e. groups and users) from your custom realm are used
    to
    define application roles for the EJBs, but, as far as I am aware youcannot
    use a custom implementation for the ACLs for EJBs
    terry
    r <[email protected]> wrote in message
    news:[email protected]...
    How does (or not) weblogic security tie into the EJB notion of rolebased
    control ? Can we create a 'custom' security mechanism for EJB (which
    basically uses the EJB facilities but extends it within the
    application)
    by
    using custom weblogic realms ?
    Thanks
    Raju

  • SDK C# - query Security Role Properties like Views, Tasks etc

    Hi,
    i have a Problem with getting information from the securityroles in SCSM. In C# i cant get the views, Tasks, templates etc. which are in the security roles. Can anybody give me a hint how i can query this configuration in c#.
    Thank you in advance.

    So the "real need" is that your security roles are confusing and not well defined, so to address this, you'd like to make or find a tool that tells you quickly roles a given user is in, then you could go about troubleshooting
    the security issue.
    I'd like to offer an alternative: fix your security roles.
    a ideal* service manager implementation has 3 security roles.
    Administrators, who can see and manage everything,  
    Analysts, who can work incidents complete activities and shepherd things through the process, but can't really change how the system operates
    Everyone Else, who get
    implied permissions and not much else.
    Sometimes those roles are broken out into different responsibility groups, which are queue filtered, but typically those are the three classes of people in service manager.
    Those roles groups should be applied to the departmental or job groups that correspond to the people who do this job, i.e. you work in the helpdesk, therefore you get helpdesk rights in SCSM.
    If you are going to stray from this ideal, you should have a good reason for it.
    *note: ideal is not "most" or even "a good", ideal is exactly what it sounds like, an ideal goal state that isn't restricted to practical needs. Practical business needs are going to modify this ideal, but it isn't going
    to change the goal, just how close you can get.

  • Role based reflection security manager?

    Hi,
    I am trying to find out whether there is a possibility to implement a role based Security Manager to control access to reflection operations (such as checkMemberAccess() for example).
    I need to implement an application where using reflection is totally forbidden, except for some very specific parts of the code. Is this possible? If yes, how should I proceed? Is there a concept of identity around the security manager? Should I use ReflectPermission? If yes how?
    I have been doing some reading, but it is still not clear to me. I am looking for a general implementation procedure.
    Thanks.

    Jrm wrote:
    Ok, fair enough regarding storing data on end user PC.
    But I see a contradiction here (or I mis-read you). I understand that SecurityManagers are used for applets to restrict some of their actions. What if people are able to bypass SecurityManagers? What is the point of having them? If a .jar application is started with a SecurityManager, can an end user strip it and replace it with its own security manager (from its own code for example)?First of all, the SecurityManager is provided by the local computer, not the applet. But, the most important point is that the SecurityManager used when running third-party applet code is not trying to protect the third-party code, it is trying to protect the local computer from unknown third-party code. the user is perfectly able to disable the SecurityManager and/or give the third-party code whatever permissions it desires if they decide to trust the code. you are trying to protect your code (+which is the third-party code with respect to the user+) from the user. that is the opposite situation, and does not work.
    I would be happy if I could deliver a .jar application with my customized and 'unremovable' SecurityManager. Is that possible or can one always fiddle the .jar to remove it?
    Because if people can always remove it, it is a permanent open door for man-in-the-middle attacks when code is delivered to end-users, correct? Is there any way to protect .jar from tampering?As i said in my previous post, there is no way to stop this. as a software developer, i'm sure you are aware that you can find "cracked" versions of any commercial software that you are interested in (if you know where to look). what makes you think that your java program is any more "secure" than those other programs?

  • JHeadStart Security problem-error page cannot be found- role based security

    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

    Thand you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and no by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
    To remind you my steps I paste the following again:
    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

Maybe you are looking for

  • Read only query help

    Hello, I have read-only access to a database and I'm trying to perform a count on a decoded statement. I cannot update, merge, create views, or delete at all. example: vdh.vin as VIN, mcs.vehicle.veh_manuf_year@OCP5 as YEAR, mcs.veh_make.veh_make_des

  • InDesign CS5 suddenly slower...

    In Design CS5 has been running intermittently very slow recently. It will run normally for a while; then in the middle of a simple operation like copying a small piece of text, everything stalls and I get the pinwheel of death for an undetermined amo

  • Lately when I try to access Google 'Shoping' search it comes up for a second and then I get this: (function(){})();(function(){})();

    Can't access Google 'shopping' search. It pulls up for a quick second then gets replaced by this prompt: (function(){})();(function(){})();

  • Duplicate item does not validate it

    Hello when I use F3 key to duplicate a lookup item (has invisible foreign key item) the duplicated item does not fire When-Validate-Item trigger to brings it invisible foreign key, How to solve this problem?

  • Delay playing sounds

    I have a 24" iMac6,1 If no sound has been played in the last 30 seconds or so then there's about one second delay before a sound can be played. This is bad enough but the delay also holds up whatever app is causing the sound. This is really annoying.