Configuration for authorization

Hi,
Here is my ACS setup:
1. We have two NDG groups under the Network Configuration tab:
one group is for common network devices like routers and switches,
and the other group has special devices like VPN routers and internet routers.
Coming to user details:
2. We have two different types of user groups:
one has full access to both NDG groups;
the other has read-only access to both NDG groups.
Now my problem is that I have to provide read/write access to some of the users
who are in the read-only access group, and that too only for the special devices NDG group, not the common network NDG group.
I mean such a user has to get full access to one NDG and read-only access to the other.
Can someone help me with this?

What about setting up a 3rd group called power users (or whatever you want to call it), then allow the 'special' users full access to both device groups but limit their command access to the read-only group, using command shell auth, as suggested by JG.
You can actually set up some ACS groups where read-only users get level 15 access to devices but can only perform 'show' related commands even though they have enable access. You have the ability to do a 'deny' against 'conf t' attempts.
Also, you can use Network Device restrictions if you don't want them to access particular devices at all.
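
The layout suggested in the reply above, written out as a small model that can be checked before it is built in ACS. This is an added example, not ACS code or an export of its configuration; the group, NDG, device and command-set names are hypothetical, and the word-prefix matching is a simplification rather than the ACS matching engine.

```python
"""Toy model of per-NDG command authorization (added example, not ACS code).

Group, NDG, device and command-set names are hypothetical. Matching is a
simplified first-match on command words that also accepts IOS-style
abbreviations ("conf t" for "configure terminal").
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandSet:
    name: str
    rules: tuple = ()          # ordered (action, "command words") pairs
    unmatched: str = "deny"    # action when no rule matches

    def decide(self, command: str) -> str:
        typed = command.lower().split()
        if not typed:
            return "deny"
        for action, pattern in self.rules:
            wanted = pattern.split()
            # A typed word matches when it abbreviates the rule word.
            if len(typed) >= len(wanted) and all(
                w.startswith(t) for t, w in zip(typed, wanted)
            ):
                return action
        return self.unmatched


# Level-15 session, but only 'show' style commands; 'conf t' is denied first.
SHOW_ONLY = CommandSet(
    "show-only",
    rules=(("deny", "configure"), ("permit", "show"), ("permit", "exit")),
)
FULL = CommandSet("full", unmatched="permit")

# Constructed inventory: device name -> NDG.
DEVICE_NDG = {"core-sw1": "common", "vpn-rtr1": "special"}

# User group -> NDG -> command set. 'power-users' is the third group.
GROUP_POLICY = {
    "full-access": {"common": FULL, "special": FULL},
    "read-only": {"common": SHOW_ONLY, "special": SHOW_ONLY},
    "power-users": {"common": SHOW_ONLY, "special": FULL},
}


def authorize(group: str, device: str, command: str) -> str:
    """Return 'permit' or 'deny'; unknown group or device fails closed."""
    ndg = DEVICE_NDG.get(device)
    command_set = GROUP_POLICY.get(group, {}).get(ndg)
    if command_set is None:
        return "deny"
    return command_set.decide(command)


def writable_ndgs(group: str) -> set:
    """NDGs on which the group may enter configuration mode."""
    return {
        ndg
        for ndg, command_set in GROUP_POLICY.get(group, {}).items()
        if command_set.decide("configure terminal") == "permit"
    }


if __name__ == "__main__":
    for group in GROUP_POLICY:
        print(group, sorted(writable_ndgs(group)))
```

Running `writable_ndgs` over every group gives a quick review of which groups can change configuration on which NDG.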

Similar Messages

  • Configuring Cisco ISE for Authorization with External Radius Server attribute

    Hi,
    I'm trying to integrate an external radius server with Cisco ISE.
    I created an External Identity Store>Radius Token Server.
    I created an Identity Store sequence with just one identity store, the one created above.
    And I was able to authenticate successfully.
    But when it comes to authorization.
    I observed we just have one tab named Authorization while creating Radius Token server.
    And it always refers to ACS:attribute_name.
    If I want to define an IETF RADIUS attribute (let's say Class, with attribute ID 25), how could I do it?
    In Cisco ACS we have a direct entry option in the authorization tab where we can define the RADIUS (IETF) attribute within Radius Token Server creation (within Radius Token Server > Directory attribute tab).
    However I try to define the IETF attribute here (class, IETF:Class), I am not able to authorize with this attribute value.
    I tried with just one single authorization rule that it could hit, but observed it going to the default (as none of the rules defined matches the condition).
    Can anyone guide me on how we can define an IETF RADIUS attribute for authorization within Cisco ISE, and what policy we could set for it to work as authorization?
    Thanks in advance
    Senthil K

    These are the steps for Creating and Editing RADIUS Vendors.
    To create and edit a RADIUS vendor, complete the following steps:
    Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
    The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
    Step 2 Click Create to create a new RADIUS vendor or click the radio button next to the RADIUS vendor that you want to edit and click Edit.
    Step 3 Enter the following information:
    • Name—(Required) Name of the RADIUS vendor.
    • Description—An optional description for the vendor.
    • Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the vendor.
    • Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
    • Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
    Step 4 Click Submit to save the RADIUS vendor.
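
What the two field-length settings in Step 3 control, shown as a parser for the value of a RADIUS Vendor-Specific attribute (type 26). This is an added example, not ISE code; the sample bytes are constructed, vendor ID 99999 is a placeholder, and for the wider type fields the length byte is assumed to follow the RFC 2865 convention of counting the type and length fields themselves.

```python
"""Parse a RADIUS Vendor-Specific attribute value (added example)."""


def parse_vsa(value: bytes, type_len: int = 1, size_len: int = 1):
    """Return (vendor_id, [(vendor_type, data), ...]).

    type_len / size_len correspond to the 'Vendor Attribute Type Field
    Length' and 'Vendor Attribute Size Field Length' settings.
    """
    if type_len not in (1, 2, 4):
        raise ValueError("type field length must be 1, 2 or 4")
    if size_len not in (0, 1):
        raise ValueError("size field length must be 0 or 1")
    if len(value) < 4:
        raise ValueError("truncated Vendor-Id")

    vendor_id = int.from_bytes(value[:4], "big")
    body = value[4:]
    header = type_len + size_len
    subattrs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < header:
            raise ValueError("truncated sub-attribute header")
        vendor_type = int.from_bytes(body[pos:pos + type_len], "big")
        if size_len == 0:
            # No length field: the data runs to the end of the attribute.
            end = len(body)
        else:
            vendor_length = body[pos + type_len]
            # The length covers the type and length fields plus the data.
            if vendor_length < header or pos + vendor_length > len(body):
                raise ValueError("bad sub-attribute length")
            end = pos + vendor_length
        subattrs.append((vendor_type, body[pos + header:end]))
        pos = end
    return vendor_id, subattrs


def build_sub(vendor_type: int, data: bytes, type_len: int, size_len: int) -> bytes:
    """Encode one sub-attribute with the given field widths."""
    out = vendor_type.to_bytes(type_len, "big")
    if size_len:
        out += bytes([type_len + size_len + len(data)])
    return out + data


# Constructed sample 1: Cisco (IANA enterprise number 9), sub-type 1
# (cisco-avpair), default 1-byte type and 1-byte length.
CISCO_SAMPLE = (9).to_bytes(4, "big") + build_sub(1, b"shell:priv-lvl=15", 1, 1)

# Constructed sample 2: placeholder vendor 99999 using a 4-byte type and no
# length field.
WIDE_SAMPLE = (99999).to_bytes(4, "big") + build_sub(0x9001, b"readonly", 4, 0)

if __name__ == "__main__":
    print(parse_vsa(CISCO_SAMPLE))
    print(parse_vsa(WIDE_SAMPLE, type_len=4, size_len=0))
```

Parsing the first sample with the wrong widths (for instance a 2-byte type) raises `ValueError`, which is the failure a mismatched vendor definition produces: the attribute is present but cannot be read.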

  • No provisioning of User Group for authorization field in user master

    We are implementing CUP 5.3 workflows. Both in manual provisioning and automated provisioning based on User Defaults the user group gets only provisioned to the Groups tab in SU01. The field User Group for authorization on the Logon data tab remains empty (field CLASS from system table USLOGOND, filling CLASS field in table USR02).
    In User defaults both under user default as on the user group tab the user groups have been defined. In manual provisioning the correct list of user groups get displayed for selection.
    Under field mapping in the Application field I only find User Group in user master maintenance, but not User group for authorization. However I would assume I do not need to use field mapping, as I want to automate this provisioning based on user defaults.
    Am I missing a configuration setting here? If so, where can I set it?
    I would assume the provisioning of this field is possible. RAR reports the user group also based on the User group for authorization and not from the Groups tab.

    S.Pados,
    I can assure you that what I said in my last response does provision the User Group For Authorization Check on the Logon Data tab; in fact, I was having the opposite issue where the Group tab was not being provisioned; however, I am running AE 5.2 and you said you are running 5.3; maybe something did change or got lost in the releases; it probably is good to see what SAP has to say about this; I would hate to lose this capability when I upgrade to AE 5.3.
    As far as using the custom field for multiple applications, would that field not be usable for any of the applications you would select in the request form?; if you are using the same table names in the different SAP systems (selectable by the application field on the request) would the drop down selections be whatever the table has defined for that system? I may not be understanding something here so I am just asking;
    It would be great to have a Group field automatically filled in by another selection to avoid the user involvement; I agree with you there; because of our concerns on users entering the AE request, our shop has decided to continue with the users submitting the request through normal email and the security administrators perform the AE entering; this way we have a better idea on something like the GROUP field; we have an option to include the original email as an attachment for justification of the request
    Sorry I could not be of more help
    Jerry
    Ryerson,Inc.

  • Finding Objects for Authorizations

    Dear PM Experts,
    When we request the basis guy to restrict Authorizations for users we need to provide the objects for each transaction code with the restricted values. (ex-if I'm allowing only order type PM05 in IW31 T-Code for a particular role I need to specify the particular object from the T-Code IW31 and request to allow only PM05 for the particular role).
    But the problem is I'm doing it for the first time and I'm not in a position to identify/find the objects of each T-Code. Can anyone help me out by providing guidance? Is there a particular T-Code to get the objects of T-Codes?
    Cheers
    Deepal

    hi
    for PM here are the authorization objects
    /MRSS/PB1           Multiresource Planning: Organizational Units
    /MRSS/PB2           Multiresource Planning: Orders
    I_AER                    Follow-Up Order Creation
    I_ALM_ME              Mobile Asset Management
    I_AUART                 PM: Order Type
    I_BEGRP                PM: Authorization Group
    I_BETRVORG          PM: Business Operation
    I_CCM_ACT            Configuration Control authorization object
    I_CCM_STRC          Structure gap maintenance authority
    I_CONFLICT            WCM: Checks for Lockout/Tagout
    I_FCODE                WCM: Function Codes (e.g. Operational Cycle)
    I_ILOA                   Change location- and accounting data in the order
    I_INGRP                PM: Maintenance Planner Group
    I_IWERK                PM: Maintenance Planning Plant
    I_KOSTL                PM: Cost Centers
    I_MASS                 PM: Mass Data Change
    I_QMEL                 PM/QM: Notification Types
    I_ROUT                 PM: Task List
    I_ROUT1                PM: Task Lists by PM Planning Plant, Work Scheduler, Status
    I_SOGEN              PM: Permit
    I_SWERK             PM: Maintenance Plant
    I_TCODE              PM: Transaction Code
    I_VAL                  WCM: Valuation of Applications
    I_VORG_MEL        PM/QM: Business Operation for Notifications
    I_VORG_MP          PM: Business Operation for Maintenance Planning
    I_VORG_ORD       PM: Business Operation for Orders
    I_WCUSE            WCM: Use of WCM Object
    regards
    thyagarajan

  • The backend of system SAP_R3_UWL is not configured for optimized delta pull

    Hi All,
    I used the below to configure the Enabling Delta Pull Mechanism in UWL.
    http://help.sap.com/saphelp_nw04s/helpdata/en/eb/101fa0a53244deb955f6f91929e400/frameset.htm
    uwl_service user created and assigned role SAP_BC_UWL_SERVICE with the help of Note 873932 - Additional note on authorization of uwl_service user. But still I am having the below error:
    The backend of system SAP_R3_UWL is not configured for optimized delta pull
    Thanks,
    Anumit

    Hi Sean,
    I have done everything that is mentioned in the Help.
    Thanks,
    Anumit

  • Reg : Initial configuration for SLD

    Hi all,
    In the NetWeaver administration portal we have an option for deploy and change. When we click on that we have some options for initial configuration. Now the doubt that I have is that we have installed the NetWeaver Java stack on a server. We have configured a local SLD on that. We want to connect to a separate ECC 6.0 system. That system doesn't have an SLD configured for it, so we want to bring that system into our SLD. I have configured NWA_01, i.e. configuration for local SLD, and NWA_03, i.e. create a connection to the SLD and Setting required authorizations for SLD (CIM client settings), in the NetWeaver administrator portal. Do I need to configure only these, or anything else other than this? One more thing is that when I enter the NetWeaver administrator portal I am getting these error messages.
    System Landscape Directory is not accessible
    Only local system can be administered
    Any pointers regarding this.Thanx in advance .

    Hi there,
    The java stack is installed as standalone or ABAP+Java?
    You need to maintain SLD server details in RZ70 on ECC server and test if data is sent successfully. Check for RFCs SLD_UC/SLC_NUC in ECC.
    Also, check if SLD server is running.
    regards, Sean.

  • Related to h/w and s/w configuration for SAP B1

    Hi,
    Please tell me the exact hardware and software configuration for SAP B1,
    because I am going to implement on a blade server, so is it possible?
    Please reply with the configuration.
    regards 
    sandip

    Hi,
    If you are authorized to sign in to the Service partner portal you can download the sizing guide through the following link. You need an S-user ID (given to partners).
    You can download the sizing guide for B1 version 2005 X version from the Document resource center.
    https://websmp103.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000706510&_SCENARIO=01100035870000000183&_ADDINC=011000358700001192682007E&
    Regards,
    Venkatesan G.

  • Difference between Reauthentication action of Common Task for Authorization Profile

    Hi guys,
    Would you mind helping me to choose reauthentication action for Authorization Profile?
    At Cisco ISE User Guide got "Reauthentication—To choose, select the check box and enter a value in seconds for maintaining connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting this to the RADIUS-Request value maintains connectivity during the reauthentication process."
    Then, what is the "default" behaviour? What is the difference between the default action and the RADIUS-Request action?
    On the other hand, could someone explain in detail the sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and Central Web Authentication (CWA)? I read a lot of papers, but still don't get it. Is it possible to configure MAB to fail in Authentication Policy with Wire_MAB?
    Appreciate all your help!!!

    Hasan Saeed Khan wrote:
    Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
    I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.
    On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
    It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
    Create role
    Add transactions to menu
    Edit profile, org levels & authorization data.
    Hit 'save'.
    Accept proposed profile name.
    Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
    And this leaves me with a role with a yellow traffic light on the authorization tab and the profile status is: "Current version not generated"
    So it should be possible to maintain roles and profiles separately.

  • SAP DMS - How to do an external DMS configuration for the existing system ?

    Hi All.
    Greetings.
    Request help and understanding.
    Am new to the world of SAP. And request SOME clarity for understanding of DMS.
    We are wanting to put an external DMS server and wish to configure for the same.
    So that the load on the production SAP R/3 database is reduced.
    We are now wanting to test the same on Dev environment.
    From SDN Link :
    I understand that :
    DMS basically has a content server. which stores documents.
    That can be accessed through Web, SAP R/3 Gui , SAP Portal.
    I have gone thro various links and the following links i have found to be informative and helpful :
    http://help.sap.com/saphelp_erp60_sp/helpdata/en/c1/1c31a243c711d1893e0000e8323c4f/frameset.htm
    http://wiki.sdn.sap.com/wiki/display/PLM/DMS+Customizing
    http://help.sap.com/saphelp_nw70/helpdata/en/59/fba637fcf7dc39e10000009b38f8cf/frameset.htm
    However, would like to know the following because am not getting the clarity :
    1) Is there any supported platform / compatibility guide for DMS ?
    if yes, can someone send me the link?
    2) We have oracle 11g as our for SAP R/3 backend.
    Windows 2003 server 64 bit system.
    When i check the system status on the dev server of sap.
    It says: ECC 6.0 Rel 7.00 update 20 (hope I am reading it correctly)
    After much search on the SMP site,
    we finally discovered and downloaded the DMS software for unicode and / 64 bit.
    Which we saw under the maintenance components separately seen for DMS 7.0
    Now for this DMS content server which we would like to make it external for storage of documents -
    do we need to have a separate database for this purpose as a repository.
    If i run a setup of DMS - will that automatically install any default repository for this or
    will it allow me to choose any other repository for the same ?
    Can anyone advise on this.
    Because this link says content server is based on Instance of MAXDB : http://help.sap.com/saphelp_nw70/helpdata/en/59/fba637fcf7dc39e10000009b38f8cf/frameset.htm
    3) I read some thing like this on some of the SDN links :
    P40 - Integration of DMS
    P62 - R&D Document Management and Workflow
    P71 - Document management
    What are they referring to.
    4) We would be accessing these thro web, gui, customised portal.
    This content server configuration is a bit confusing.
    5) Is SNC configuration required to be done for the separate DMS server setup.
    If yes, how to do that ? any configuration link for that please ?
    Can anyone advise on the things to do.
    Steps to do.
    What all are the pre-requisites to check, before we start the set up of DMS.
    Can anyone help me understand this whole thing regarding the DMS installation and configuration.
    Step-wise.. from the start to end.
    Because it gives me a lot of uneasiness without having everything in place before we could say we could start the whole process of configuration / installation.
    Many thanks for your help in advance.
    Wishing you a happy and relaxed weekend.
    Kind regards
    Indu

    Thanks christoph & pradeep kumar.
    Did some more research and at least have come to understand that:
    DMS server installation has content server which works only with MAXDB.
    So my understanding is correct.
    And what we see as Easy DMS is a client installation.
    which probably i would look at at a later stage.
    Found this link to be a little more informative :
    http://www.sapfans.com/forums/viewtopic.php?f=12&t=330558
    I really wish. That life were to be so easy. To call a consultant and finish it off
    Wishful thinking
    thanks and cheers
    indu

  • How to have Multiple Configurations for a Flex Application

    Hi All,
    I've seen this question asked in various forms multiple times, but never answered: How do you set up a FLEX configuration to have different configurations for development (local), test server, staging server, beta server, and production server? I cannot imagine that Adobe has not accounted for this, something that is very standard in most development teams. Zend Framework has a very elegant solution for this: in the configuration file you define all aspects that can be configured, as well as the various environments (development, staging, beta, live, etc.). Then, in the bootstrap file you specify which environment you want to work in, and you're all set.
    How can something like this be achieved in FLEX?
    Many thanks!
    -Mike

    Maybe my setup is unconventional, I doubt it, though:
    1) SVN repo stores FLEX and PHP codebases in separate projects.
    2) Developer gets code from repo, and runs on local machine. -> need to configure FLEX to point to local PHP code here for Remote Objects.
    3) Developer then publishes Flex app to staging server. -> need to configure FLEX to point to staging PHP code here.
    4) Flex app then gets published to live server. -> need to configure FLEX to point to live PHP code here.
    Now, using ANT, the scenario would look like this:
    1) SVN repo stores FLEX and PHP codebases in separate projects.
    2) Developer gets code from repo, and runs on local machine. -> need to configure FLEX to point to local PHP code here for Remote Objects.
    3) Code is good and developer checks it back into SVN.
    4) ANT extracts latest build from SVN and builds it, then publishes to staging server. -> need to configure FLEX to point to staging PHP code.
    I am using PHPUnderControl as my build server for PHP.
    I am also unclear as to how my goal could be achieved using ANT?
    Thanks!
    Mike

  • I've authorized my iPhone on a Mac but when I go to play videos it asks for authorization again, only to tell me that I have authorized too many computers. Help!

    So I used my work Mac to authorize my iPhone so I can play music, but now that I want to play a movie it asks for authorization. I've already authorized that account! I don't understand why it's asking for authorization again when I want to play a movie. Plus, I can't access the iTunes store from my work computer, so I'm stuck until I go home to deauthorize my other computers. Why is this happening?

    Authorization does not apply to iPhones. Authorization is for computers.
    About iTunes Store authorization and deauthorization

  • ASA 5505 configured for WebVPN connecting to Citrix Web Interface

    ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
    I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which I added as a bookmark to the Citrix server, http:// 172.30.40.5). I enter Citrix and then, for example, I want to open Outlook, but it cannot open (when I want to open some application, no application opens). There is no alarm on the ASA. How do I solve this issue?
    thanks.

    Teymur,
    Can you confirm that after disabling the SSL/TLS on the Citrix server (secure connectivity) you are getting exactly the same error? It is possible that it is generating a different error.
    The bug where we have seen the existing error was CSCtf06303 but that has been fixed in 8.4.1. Can you confirm the exact version of code you are running on the ASA?
    If you have confirmed the above two notes it may be advantageous to open a TAC case as we may need to do some additional live troubleshooting.
    Thanks
    -Jay

  • Financial Reporting Studio 11.1.2.1 PDF not Configured for Web Server

    I have installed EPM 11.1.2.1, and HFM, Planning, Essbase, Financial Reporting are all working fine except when I do a report preview in the Workspace an error is received that PDF has not been configured for this Web Server.
    I have uninstalled PDF and Financial Reporting then re-installed them but I am still getting the same error. Also, when I tried to view a report from Workspace in Financial Reporting Studio, I received the following error:
    error number 400 Error Description:Form already displayed; can't show modally. Function: ShowMsg. Module:GblMethods.
    Your help would be gracefully appreciated.

    You should review all installation guides, readmes, and the certification matrix before performing a Hyperion Installation and/or Upgrade.
    Version 9.0 of Ghostscript is not supported, install ghostscript 8.6.3 - 32-bit.
    From the 11.1.2.1 Certification Matrix: "Either: --Adobe Acrobat Distiller Server 8.0 or 6.0 --GPL Ghostscript 8.63; AFPL Ghostscript 8.54 or 8.51; or GNU Ghostscript 7.0.6"     
    From the 11.1.2.1 Installation Guide Page 110: "Ensure that a supported 32-bit version of Ghostscript is installed."
    See http://www.oracle.com/technetwork/middleware/bi-foundation/oracle-hyperion-epm-system-certific-131801.xls
    http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_install_11121.pdf
    Regards,
    John A. Booth
    http://www.metavero.com

  • Want to use an iPod photo configurated for Mac on a PC

    I want to use my old iPod photo (configurated for Mac) on a PC (but do not need to keep my songs and photos). Is this possible? If so, what do I do?
    iMac G5   Mac OS X (10.4.8)   iPod 5th generation 60 GB

    If your iPod is formatted for Mac it won't run natively on a PC because the Windows OS does not support the HFS Plus file system and therefore will not see the drive. Macs can read Windows drives, so you could restore and format the iPod on a PC; this would also mean any future software updates would have to be done on Windows. This will erase your drive so you need to have your songs and photos backed up. Alternatively there are third-party programs that will allow you to use a Mac-formatted iPod on Windows; this one, for instance, gets good reviews and has the functionality to let you copy content from the iPod to the PC. Not sure if it does photos but have a look: XPlay 2
    You can read another user's experience of using XPlay at this link: iPod on Mac and Windows

  • HT1349 how can I change an email for authorization, the email address we used years back, is no longer a valid email address

    how can I change an email for authorization, the email address we used years back, is no longer a valid email address

    SfromW wrote: ... how can I change an email for authorization, the email address we used years back, is no longer a valid email address
    How to change account here: http://support.apple.com/kb/PH1641
    If you need more help, start here: http://www.apple.com/support/itunes/
    SfromW wrote: ... we can't remember the password from the old email address (for authorization)...
    Help Retrieving and changing passwords here: http://support.apple.com/kb/HT1911
    If you need more help, from iTunes for Windows, click  iTunes > iTunes Store > Support
    SfromW wrote: ... apple should make it easier to transfer authorization authority....I would think anyways.
    You might want to rethink your thoughts about making transferring authority easier.  Making it too easy would certainly degrade your account's security.  If you still believe it should be easier, you can send feedback directly to Apple via http://www.apple.com/feedback/itunesapp.html
    You will not get a response, but you can be certain that the responsible Apple people will see your input for consideration in FaceTime product development.
    As a new user, please understand that you are NOT directly addressing Apple here.  For more info about Apple discussions, start here: http://discussions.apple.com/static/apple/tutorial/etiquette.html 
    Message was edited by: EZ Jim
    Mac OSX 10.7.4
