BW Security - RSSM hierarchy auths

Hello,
We have created our data security around the organisational unit hierarchy in BW (Tranx RSSM, mapping to 0RGUNIT hierarchy imported from R/3).  This works fine.
Problem is the Organisational Unit structure is maintained in PRD and we have now got the issue where a new org unit assignment is out of sync (number ranges) with DEV.  Therefore when we create the mapping in RSSM and transport it through to PRD it falls over.
PRD is locked down for change and RSSM only has display access. 
Anyone experienced this or can offer a suggestion?
Thanks
Matt

Hi Matt:
When you say "number ranges" I assume you are referring to the actual 0RGUNIT values in hierarchy nodes. 
It seems that the issue is rooted in the fact that (from my interpretation), the hierarchy itself looks different in DEV vs. PRD.  This is not hard to imagine since hierarchies are not transportable.
From what I can tell there is no easy way to go with this one.  Either the hierarchy in DEV must match PRD exactly in its structure and node values, or you will have to maintain hierarchy authorizations in PRD. 
If I have missed something, and there is some technical issue with number range object assignment, then this looks to be in the realm of OSS message.
Best Regards -
Ron, SAP NetWeaver RIG

Similar Messages

  • Strange problem: different hierarchy in InfoObject and RSSM hierarchy auth

    Dear Experts,
     I faced a strange problem: we had defined a hierarchy on InfoObject 0ORGUNIT, for example, Organization unit: 50106592 under company A department AA.
         When we define hierarchy authorization via Tcode:RSSM (we have still not migrated to the new authorization concept), and I search for OU:50106592, it is found under "not assignment".
         I cannot understand why it appears in a different hierarchy; can anyone help me?
    Regards
    Jie

    Hi Sushant,
    I went through the note, but we do not have any variable on the hierarchy. It's a navigational attribute which is restricted on Hierarchy.
    Thank you,
    -Jaimin

  • Hierarchy Auth Object --  Exclusion of nodes possible ?

    Hello BW Experts,
    I am creating an Auth Object for the InfoObject Hierarchy of 0Glaccounts. For a user A, I need to exclude 15 GL accounts. Altogether we have around 2000 GL accounts. What is the recommended procedure to achieve this requirement.
    Procedure I know:
    1) RSSM > create an Auth object with InfoObject 0GLaccount > again enable the 'Authorization Definition From Hierarchies' and press the create button > from the list select all the 1885 0GLaccounts.
    Wondering if there is any other procedure to exclude the 15 0GLaccounts.
    Suggestions appreciated.
    Thanks,
    BWer

    I would like to know as well if exclusion is possible for hierarchy authorization in BI 7.0 (RSEDADMIN)?
    I just read that exclusion in general is not possible for BI 7.0 authorizations. Only IO 0TCAVALID allows exclusion. Exclude (E), special ranges (LE, GT, GE, LT), and the plus pattern work ONLY for this special characteristic!

  • security-role and auth-constraint

    Hi Everybody,
    I want to know the relation between the <role-name> tags defined under <security-role> tag and the <auth-constraint> tag (defined for web-resource-collection).
    Assuming that tomcat is being used, should the <role-name> of <security-role> map to a role defined for tomcat and then the <role-name> of <auth-constraint> map to the <role-name> of <security-role>.
    Or how does it all work ? How are these two <role-name> tags related ?
    Thanks in advance for your time.
    Vikas

    In <security-role> you define the roles; in <auth-constraint> you tell which role is allowed to use the protected resource.

  • BW Security - transport hierarchy in role. What if....

    Hi All
    This Query is related to BW Security .
    The process we follow is that we create a Hierarchy and we transport it to the production system.
    We then create a role and we link the Hierarchy to the object within the role.
    What if there is no Hierarchy structure for the particular customer maintained in dev and it is maintained in Production?
    Is it possible to transport the hierarchy from Dev without its hierarchy structure maintained in Dev?
    Is it possible that, since data is existing in Production, as and when this data sits in the UM of the production server, this automatically picks data from the UM?
    Please advise
    Edited by: Julius Bussche on Feb 16, 2010 9:44 AM
    Subject title improved slightly

    These 3 threads of yours are starting to look like a series of interview questions.
    Please follow up and provide feedback / results of your search, otherwise I will lock them.
    Cheers,
    Julius

  • BPEL to invoke a webservice secured by BASIC auth

    Hi
    I have been trying to write a simple BPEL process to invoke a remote webservice secured by basic authentication. I was able to build the BPEL process and then the composite application that I deployed successfully to glassfish, all within NetBeans IDE. As per the wiki notes: http://wiki.open-esb.java.net/Wiki.jsp?page=HTTPBasicAuthentication, I also added the Policy element to the wsdl for the service that I am trying to invoke as follows:
    <wsdl:service name="PMSDatabase">
        <wsdl:port name="PMSDatabaseSOAP11port_http" binding="ns2:PMSDatabaseSOAP11Binding">
            <soap:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseSOAP12port_http" binding="ns2:PMSDatabaseSOAP12Binding">
            <soap12:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseHttpport" binding="ns2:PMSDatabaseHttpBinding">
            <http:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
            <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
        </wsdl:port>
    </wsdl:service>
    <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingRealmPolicy">
        <mysp:MustSupportBasicAuthentication on="true">
            <mysp:BasicAuthenticationDetail>
                <mysp:WssTokenCompare/>
            </mysp:BasicAuthenticationDetail>
        </mysp:MustSupportBasicAuthentication>
        <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
                <sp:WssUsernameToken10>mcs_user</sp:WssUsernameToken10>
                <sp:WssPassword>${pass_token}</sp:WssPassword>
            </wsp:Policy>
        </mysp:UsernameToken>
    </wsp:Policy>
    When I try to run a testcase, the BPEL process fails during the invoke activity and I get the following error in the output:
    <detailText>BPCOR-6135:A fault was not handled in the process scope; Fault Name is {http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling}systemFault; Fault Data is &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;jbi:message xmlns:sxeh=&quot;http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling&quot; type=&quot;sxeh:faultMessage&quot; version=&quot;1.0&quot; xmlns:jbi=&quot;http://java.sun.com/xml/ns/jbi/wsdl-11-wrapper&quot;&gt;&lt;jbi:part&gt;HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
        URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
        QUERY:
        PATH_INFO:
        Exception detail: request requires HTTP authentication: User mcs_user not found in directory.&lt;/jbi:part&gt;&lt;/jbi:message&gt;. Sending errors for the pending requests in the process scope before terminating the process instance
       Caused by: BPCOR-6131:An Error status was received while doing an invoke (partnerLink=PartnerLink1, portType={http://service.messagecentre.dha.gov.au}PMSDatabasePortType, operation=deletePMSVoidPeriod)
    BPCOR-6129:Line Number is 48
    BPCOR-6130:Activity Name is Invoke1
       Caused by: HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
        URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
        QUERY:
        PATH_INFO:
        Exception detail: request requires HTTP authentication: User mcs_user not found in directory.
       Caused by: request requires HTTP authentication: User mcs_user not found in directory.</detailText>
    Where else do I need to configure the BASIC auth details to get this to work?

    Please post your request to [email protected] for quick response.
    Error states "mcs_user" is invalid user. Please make sure that the user is valid.

  • BI7 Analysis Authorisations - relationship between value & hierarchy auths

    Hi all
    Does anybody know how we can set up the new analysis authorisations to allow a user to use a Query selection for cost centre based upon a hierarchy and yet restrict the cost centre data they can display by value authorisations?

    SDN is the place to discuss technical problems..
    Please avoid such weird post.
    G@urav.

  • Label Security Group Hierarchy

    After reading the LS docs and implementing a test scenario I am a bit puzzled about something that is happening. Possibly I misinterpreted the documentation.
    I have a three level tier of groups. The data all belongs at the third tier as groups L3A, L3B, and L3C (names simplified for this example):
    L1
    ├── L2A
    │   └── L3A
    └── L2B
        ├── L3B
        └── L3C      <- ALL DATA AT THIS LEVEL
    I have set up the group hierarchy so that L3A's parent is L2A, etc. as shown above. All users have the same R/W access.
    The L3 users I created to work with the data at the L3 groups work. The users I created with the L2 group to view the L3 group data work. However, the L1 group user cannot see any of the data at the L3 level. If I set the L1 user to view the L2 groups, it can see the data.
    So, it seems that the data selected by group permissions is only rolling up one level (L3 to L2 but not L3 via L2 to L1). Is this the intended functionality, or is this a bug (Solaris 10.1.0.2.0 64bit)?

    Bump

  • Hierarchy Analysis Authorization does not work after transport

    Hi Gurus,
    I am facing an issue with a hierarchy analysis authorization in the quality system, but the same authorization works perfectly fine in development.
    All hierarchy authorizations work in Quality except for this one. I found one old SAP note describing this as a program error, but this note is not applicable in BW 7.3.
    I have checked the tables RSECVAL and RSECHIER and the authorization is active, so everything looks good. Please advise if anyone has faced this issue after transporting hierarchy auths to other systems.
    Regards,
    Salman

    Salman,
    What I understood from your description is that you have same role+AA in Dev and QA, which provides access in Dev for all the nodes for said hierarchy but in QA, same role+AA provides access to the same hierarchy for all the nodes but one. Try to create a ZTEST analysis authorization in QA itself with access for the problematic hierarchy node and see if it works ? This will rule out the case if there is a difference in hierarchy in DEV & QA.
    Regards,
    Shivraj Singh

  • Injecting message security into Glassfish EJB3.0 Web Service Endpoint

    I need to specify message security in sun-ejb-jar.xml descriptor. According to documentation: https://glassfish.dev.java.net/javaee5/webservices/dispatch_process.html#EJB
    when EJB is deployed, ejb-jar.xml, webservices.xml, and sun-ejb-jar.xml get created. This works. The documentation goes on to say that if an ejb-jar.xml or sun-ejb-jar.xml file is provided in the EJB-JAR, they will be used as starting points when descriptors are generated. This does not seem to work.
    I have tried to create descriptors by hand but was unsuccessful at this as well.
    Is there a way to modify descriptors generated by the application server (following a deploy with no descriptors), so that I can package them with my EJB-JAR? I tried and couldn't get that to work.
    Basically, I need to be able to add message-security-binding and auth realm configs to the sun-ejb-jar.xml, if that is at all possible. Thanks for any help anyone can give.
    Frank

    Well, I managed to get this to sort of work. I am able to deploy my EJB with only a sun-ejb-jar.xml descriptor. The glassfish container generates the webservices.xml and ejb-jar.xml, and updates the sun-ejb-jar.xml file passed in. I now am seeing a new problem.
    Here are the scenarios:
    1) Default security provider:
    Request policy: auth-source="content" auth-recipient="after-content"
    Client signs and then encrypts message, all works fine.
    2) Specify provider and request protection in sun-ejb-jar.xml to be signature
    Request policy: auth-source="content"
    Client signs message
    All works fine.
    3) Specify provider and request protection in sun-ejb-jar.xml to be signature and encrypted. (Should be same as Scenario one).
    Request policy: auth-source="content" auth-recipient="after-content"
    Client signs and then encrypts message.
    The server throws the following exception:
    [#|2007-03-07T17:30:37.895-0700|SEVERE|sun-appserver-pe9.0|javax.enterprise.resource.webservices.jaxws.server.soapmd|_ThreadID=12;_ThreadName=httpWorkerThread-8080-1;_RequestID=eb686a92-f5a7-4a24-a83f-fbffeed3dd4d;|Error in decoding SOAP Message
    Error in decoding SOAP Message
    at com.sun.xml.ws.encoding.soap.server.SOAPXMLDecoder.toInternalMessage(SOAPXMLDecoder.java:89)
    at com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher.toMessageInfo(SOAPMessageDispatcher.java:187)
    at com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher$SoapInvoker.invoke(SOAPMessageDispatcher.java:571)
    at com.sun.xml.ws.protocol.soap.server.SOAPMessageDispatcher.receive(SOAPMessageDispatcher.java:145)
    at com.sun.xml.ws.server.Tie.handle(Tie.java:88)
    at com.sun.enterprise.webservice.Ejb3MessageDispatcher.handlePost(Ejb3MessageDispatcher.java:160)
    at com.sun.enterprise.webservice.Ejb3MessageDispatcher.invoke(Ejb3MessageDispatcher.java:89)
    at com.sun.enterprise.webservice.EjbWebServiceServlet.dispatchToEjbEndpoint(EjbWebServiceServlet.java:178)
    at com.sun.enterprise.webservice.EjbWebServiceServlet.service(EjbWebServiceServlet.java:109)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at com.sun.enterprise.web.AdHocContextValve.invoke(AdHocContextValve.java:100)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:71)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:182)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
    at com.sun.enterprise.web.VirtualServerPipeline.invoke(VirtualServerPipeline.java:120)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:137)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:536)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:939)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:231)
    at com.sun.enterprise.web.connector.grizzly.ProcessorTask.invokeAdapter(ProcessorTask.java:667)
    at com.sun.enterprise.web.connector.grizzly.ProcessorTask.processNonBlocked(ProcessorTask.java:574)
    at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:844)
    at com.sun.enterprise.web.connector.grizzly.ReadTask.executeProcessorTask(ReadTask.java:287)
    at com.sun.enterprise.web.connector.grizzly.ReadTask.doTask(ReadTask.java:212)
    at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:252)
    at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:75)
    Caused by: javax.xml.ws.soap.SOAPFaultException: Cannot find the dispatch method
    at com.sun.xml.ws.encoding.soap.SOAPDecoder.raiseFault(SOAPDecoder.java:674)
    at com.sun.xml.ws.encoding.soap.server.SOAPXMLDecoder.decodeDispatchMethod(SOAPXMLDecoder.java:152)
    at com.sun.xml.ws.encoding.soap.SOAPDecoder.decodeBodyContent(SOAPDecoder.java:337)
    at com.sun.xml.ws.encoding.soap.SOAPDecoder.decodeBody(SOAPDecoder.java:327)
    at com.sun.xml.ws.encoding.soap.SOAPDecoder.decodeEnvelope(SOAPDecoder.java:250)
    at com.sun.xml.ws.encoding.soap.server.SOAPXMLDecoder.toInternalMessage(SOAPXMLDecoder.java:81)
    ... 29 more
    Please note that the client is the same for Scenario 1 and 3, yet the outcome is greatly different.
    Also, I did try manually changing the generated descriptor, rather than passing in sun-ejb-jar.xml. This did not work either, same error.
    Thanks for any help.
    Message was edited by:
    FrankF@Sun

  • SAP Security handover from the Onshore Implementation team Documents

    Dear All,
    We are an Implementation & Support Team and we are getting SAP Security handover from the Onshore Implementation team where in future we ought to continue the Implementation.
    Please could you let me know what other documents we require for handling the complete security landscape for our scenario!
    CRM, BI, BS, SOLMAN, EP and PI
    Please suggest any other documents besides the below or any other specific details with respect to each Module,
    • Enterprise-Wide Role Matrix
    • Role Implementation Framework Prototype
    • User Authorization and Strategy Management Procedures
    • User Role and Authorization Concept Technical Design
    • SAP Security Organization Hierarchy Requirements
    • Transaction to Role Mapping
    • Role to Position Mapping
    • Available authorization policy documents
    • Role matrix with segregation of Duties
    Many Thanks

    What do you have defined for your support?
    Presumably you have quoted a price per call but what do you cover and how do you calculate the charge to your client?
    Please let me know so that I can undercut your quote.
    Damn - forgot to ask who your client was and the contact name.
    Cheers
    David
    Edited by: David Berry on Feb 11, 2011 12:29 AM
    Edited by: David Berry on Feb 11, 2011 12:30 AM

  • Secure AD Bind

    Hi,
    Struggling a bit with a module. I'm trying to do a secure bind to AD with not much success. I can do a simple bind just fine but not secure. I have used this module before in other environments and it has worked flawlessly. In this new environment however I'm stuck and asking for your help. Take a look and tell me if you see something wrong with this bind method:
        import java.io.IOException;
        import java.util.Hashtable;
        import javax.naming.Context;
        import javax.naming.NamingException;
        import javax.naming.directory.DirContext;
        import javax.naming.directory.InitialDirContext;

        /**
         * <p>Basic bind for doing AD queries against a domain. A simple bind assumes no
         * context.</p>
         * @param domain the Domain controller (LDAP URL) you're authenticating against
         * @param username DN for a simple bind; UPN or DOMAIN\user for DIGEST-MD5
         * @param password the account password
         * @param secure true for a DIGEST-MD5 (SASL) bind, false for a simple bind
         * @return DirContext
         */
        public DirContext ldapBind(String domain, String username, String password,
                  boolean secure) throws NamingException, IOException {
             Hashtable<String, Object> env = new Hashtable<>(8);
             String authType = secure ? "DIGEST-MD5" : "simple";
             // Set the context factory & provider URL
             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
             env.put(Context.PROVIDER_URL, domain);
             env.put(Context.SECURITY_AUTHENTICATION, authType);
             // SASL quality of protection: "auth" means authentication only, with no
             // integrity or confidentiality protection on the connection afterwards
             env.put("javax.security.sasl.qop", "auth");
             if (secure) {
                  env.put("javax.security.sasl.strength", "high, medium");
             }
             // Provide a username/password; the SASL path takes the password as bytes
             byte[] pass = password.getBytes();
             Object pword = secure ? pass : password;
             env.put(Context.SECURITY_PRINCIPAL, username);
             env.put(Context.SECURITY_CREDENTIALS, pword);
             env.put(Context.REFERRAL, "follow");
             if (ADUtil.debug) {
                  // env.put("com.sun.jndi.ldap.trace.ber", System.out);
             }
             // Create the initial directory context (this performs the bind)
             DirContext ctx = new InitialDirContext(env);
             return ctx;
        }
    Thanks in advance,
    -Stumped

    adler_steven wrote:
    What do you mean "it doesn't work"?
    Are you getting authentication exceptions? Perhaps LDAP Error 49 with an Active Directory error code of 52e?

    Yes of course. How silly of me not to include the error:
    javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece>

    adler_steven wrote:
    If the same code worked in one environment & not the other, then one has to assume the problem lies with the different environments.
    Are users using the same format for authentication? Remember that you cannot use LDAP Distinguished names (CN=Albert Einstein,OU=Research,DC=Antipodes,DC=Com) to authenticate using Digest-MD5, you can only use NTLM style domain names (ANTIPODES\AlbertE) or User Principal Names ([email protected])

    Yes, I was aware that with *simple* the expected format for username is the distinguishedName and with *DIGEST-MD5* it is userPrincipalName. I have verified both using ADSI from the domain controller.
    The username and password are definitely correct as they are the ones I use to remote desktop to the domain controller.

    adler_steven wrote:
    Also, each user account needs to have their password stored using reversible encryption. (The setting is exposed in the Active Directory Users & Computers snap-in under the Account Tab for each user)

    This I was not aware of, good to know. I looked and this was not checked. I checked it and re-ran the test and am still getting the same error from above. I'm in agreement with you that the problem does lie with the different environments. I just wish I had a way to get a more meaningful error to pass off to my System Admins to take corrective action.
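To give the System Admins the meaningful error the poster asks for, here is an added example (my own code, not from the thread or any library) that parses the Active Directory sub-code out of the LDAP error 49 text and checks the principal format against the bind mechanism before binding, the two points raised in the Secure AD Bind thread above. The class name AdBindDiagnostics and the ldap:// URL form are assumptions.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper (not from the original post): pre-flight checks and readable errors for an AD bind. */
public class AdBindDiagnostics {
    // Well-known Active Directory sub-codes that follow "data" in an LDAP error 49 message.
    private static final Map<String, String> AD_DATA_CODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials (account exists, password wrong)",
        "530", "logon not permitted at this time",
        "531", "logon not permitted from this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");
    private static final Pattern DATA_CODE = Pattern.compile("data ([0-9a-fA-F]+)");

    /** Extracts the AD sub-code ("52e", "0", ...) from an error 49 message, or null if absent. */
    public static String adDataCode(String message) {
        if (message == null) return null;
        var m = DATA_CODE.matcher(message);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    /** Turns the raw AuthenticationException text into a reason an AD admin can act on. */
    public static String explain(String message) {
        String code = adDataCode(message);
        if (code == null) return "bind failed, no AD sub-code in message: " + message;
        if (code.equals("0")) {
            // "data 0" (the thread's own case) names no account state; the usual culprits are the
            // principal format for the mechanism and, for DIGEST-MD5, reversible password storage.
            return "LDAP error 49, AD data 0: no account-state code; check the principal format for "
                 + "the mechanism and the DIGEST-MD5 prerequisites before suspecting the password";
        }
        return "LDAP error 49, AD data " + code + ": " + AD_DATA_CODES.getOrDefault(code, "unknown sub-code");
    }

    // Pre-flight check from the thread: DIGEST-MD5 takes DOMAIN\user or a UPN (user@domain), never a
    // DN; a simple bind takes a DN (AD also accepts the other forms for simple binds).
    public static boolean principalFitsMechanism(String principal, boolean secure) {
        if (principal == null || principal.isBlank()) return false;
        if (!secure) return true;
        boolean looksLikeDn = principal.matches("(?i)^\\s*(cn|uid|ou|dc|o)=.*");
        return !looksLikeDn && (principal.contains("\\") || principal.contains("@"));
    }

    /** Binds with the same mechanism choice as ldapBind, failing fast with a readable reason. */
    public static DirContext bind(String url, String principal, String password, boolean secure)
            throws NamingException {
        if (!principalFitsMechanism(principal, secure)) {
            throw new NamingException("principal '" + principal + "' does not fit "
                + (secure ? "DIGEST-MD5 (use DOMAIN\\user or user@domain)" : "a simple bind"));
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // placeholder form: ldap://dc.example.test:389
        env.put(Context.SECURITY_AUTHENTICATION, secure ? "DIGEST-MD5" : "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, secure ? password.getBytes() : password);
        try {
            return new InitialDirContext(env);
        } catch (AuthenticationException e) {
            NamingException wrapped = new AuthenticationException(explain(e.getMessage()));
            wrapped.setRootCause(e);
            throw wrapped;
        }
    }
}
```

Fed the message quoted above, explain() reports "AD data 0" and points at the mechanism prerequisites rather than the password; a "data 52e" message maps to invalid credentials.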

  • What's the default auth method

    Hi,
    I have a web app with <security-constraint> and <auth-constraint> defined, but it doesn't supply login-config. In this case what's the auth method? Thanks


  • Asset: Security by Book

    Hi All,
    Our implementation has 9 instances (9 BGs) in 9 countries. I've created one asset book in each country,
    the problem is system shows all the asset books in the list of values from any asset responsibility when adding assets or running depreciation.
    That's why I need to secure the asset books, to assign one for each country.
    Best Regards,

    Hi,
    Follow the below steps for set security by book in FA:
    1. Create Organizations with the classification as Asset Organization. You can create a new organization or assign the classification to existing organizations. For the Asset Organisation, provide the Asset Book in the "Other" information. Here you should attach the asset book to which the organization has access.
    Navigation: Setup->Security->Organization->Description
    2. Create Organization Hierarchy - Start from Top to bottom. All Asset organizations, which do not have access to each other's FA Books, should be created at same level.
    Navigation: Setup->Security->Organization->Hierarchy
    3. Create Security Profiles - you have to create security profiles according to the number of responsibilities or asset organizations. In the Security Profiles, select only those asset organizations to which you want the users to have access.
    Navigation: Setup->Security->Security
    4. Run Security List Maintenance Program for security profiles
    5. Attach the Security Profiles in Profile Option FA: Security Profile at the Responsibility Level
    DONE!!!!
    Gajendra

  • Linking secure html link with JSF?

    Hey all,
    I do have a previous post regarding j_security_check and using container based security, but since this problem could be answered without it, checking to see how (j_security_check: http://swforum.sun.com/jive/thread.jspa?threadID=54464&tstart=0).
    I want to be able to e-mail links with pre-populated attributes (identifiers, dates, what have you) but still have the link secure and require auth. But, I do want to automatically go to that linked page after auth. How does one do this with JSF?
    thanks,
    -D

    Hi,
    Please go through the below thread:
    http://swforum.sun.com/jive/thread.jspa?forumID=123&threadID=50520
    Hope this helps.
    Thanks,
    RK.
