Configuring P7.2 to auth against a specific org/suborg

I've installed and configured AM7.1 (in legacy mode) on one machine, and created a suborg/realm that authenticates against an AD machine. I've verified this works by accessing am.machine.com/amserver?org=portal -- it presents me with the default screen of "This server uses AD authentication", and I can login.
On machine 2 I've installed AMSDK and P7.2. When I access portal.machine.com/portal it forwards me to am.machine.com/amserver/UI/login and informs me that it's using LDAP.
I have the DNS aliases in AM defined for portal.machine.com against the portal org. The portal machine is a single-IP, single-named machine.
I cannot for the life of me figure out how to make it auth against org=portal. I've tried installing the dist auth UI (which works on ?org=..., but I can't figure out how to make portal use), I've tried using portal...com/portal?org=portal, with and without module=AD.
The most I can find is in the Desktop/default/LoginProvider folder there is mention of using unix or ldap auth, but nothing about forcing a specific org.
So, summary question: How do I associate a portal instance with a particular AM org/realm ?
Bonus points: How do I link the portal login screen to the distauth UI and still associate with any particular realm?
Thank you so much for any help. I'm about bald at this point.

The virtualHost thing on the gateway is only to allow mapping between a gateway virtual hostname to a specific organisation.
About the portal, adding ?org= to the /portal URL doesn't help. When you connect to the portal and you are not authenticated, the portal forces a browser redirect to the AM login URL. Parameters from the /portal URL are not given to the AM login URL. The only way I see to achieve what you want is to configure the AM login URL somewhere on the portal. It's probably in the AMConfig.properties file.
Vincent

Similar Messages

  • HT203200 Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone el

    Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone else??


  • Check against country-specific edit format

    Hi All,
    Currently for VAT registration number, settings for VAT registration number using transaction code OY17 is as follows,
    Length: 9
    Checking rule : 9 i.e. Check against country-specific edit format
    Now the user wants to enter a registration number with a different format which SAP is not allowing to enter. The length of the number is 9. But it is still not accepting. Country is ES.
    Can anyone let me know the relevance of the checking rule 9 i.e. Check against country-specific edit format. How the system validates the VAT registration number.
    Please help.
    Thanks,
    Aman Goel

    Hi All,
    Does anyone has idea about this?
    Thanks,
    Aman

  • Country specific Org Structure

    Hi,
    I want to maintain the Org Structure based on Country. If I change the UGR and MOL to 07 then the system should display only the Org Structure which belongs to MOL 07, that is Canada.
    Please suggest the configuration settings on the same
    Regards
    Priya .M

    See, I don't think we have this kind of setting in SAP.
    When you enter the org unit you have to choose the specific org unit, right?

  • LSO - Restricting Course Group to specific Org Unit

    Hi,
    We have created a Course Group (Object Type L) that we only want a specific Org Unit to see in the Dynamic Course/Participation menu.
    What would be the best way to restrict this?
    Thanks
    Agent 009

    Try Structural Authorization
    Tables T77UA and T77PR.
    Hope this helps.
    Best Regards

  • Tcode to find the availability of temporary positions for specific org unit

    Hi all,
    What is the tcode to find the availability of temporary positions for specific org. unit??
    Thanks
    Jerry

    PPIS
    this tcode select the orgunit and positions once

  • [Q] Identity Sequence issue causes MAB to auth against AD ??

    We have a strange issue whereby some users have suddenly failed to correctly authenticate against ACS 5.1 - we can't work out why, as nothing has changed, and would greatly appreciate your help.
    We have dot1x configured on our network with MAB fallback. We haven't yet rolled out dot1x to the clients even though the network is set up for this. In the meantime, we are using MAC Authentication Bypass. We do use 802.1x for wireless though.
    I have set up the following Identity Sequence:
    AD1 (this is set up as our AD servers for 802.1X user and machine auth)
    SecurID Server (we dont use this yet either)
    Internal Users (this is just used to authenticate ciscoworks)
    Internal Hosts (this contains the list of allowed MAC addresses)
    Typically what we have seen today is a user initially authenticates successfully by matching the Internal Hosts identity store, but then an hour later, re-authentication fails as the MAC address matches the AD1 id store and subsequently fails due to the MAC address not being present within AD.
    Here is the successful connection entry (all MAC addresses substituted from the originals)...
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Hosts
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24412  User not found in Active Directory
    24559  Searching for user in the RSA identity store.
    24556  User record was not found in the cache.
    24210  Looking up User in Internal Users IDStore - 00-1B-78-00-33-00
    24216  The user is not found in the internal users identity store.
    24209  Looking up Host in Internal Hosts IDStore - 00-1B-78-00-33-00
    24211  Found Host in Internal Hosts IDStore
    22037  Authentication Passed
    22023  Proceed to attribute retrieval
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24412  User not found in Active Directory
    22016  Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Exception Authorization Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - MAB-PC
    11022  Added the dACL specified in the Authorization Profile
    11002  Returned RADIUS Access-Accept
    Here is the failed connection entry....
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24416  User's Groups retrieval from Active Directory succeeded
    22037  Authentication Passed
    22023  Proceed to attribute retrieval
    22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
    22016  Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Exception Authorization Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - DenyAccess
    15039  Selected Authorization Profile is DenyAccess
    11003  Returned RADIUS Access-Reject
    Any help greatly appreciated!

    Hello Paul,
    If a switch is configured for dot1x with MAB fallback as ours is, does the switch still send the MAC address for a dot1x-enabled client as well as the user and host AD credentials even though the MAC address is not required for auth in this case?
    A switchport configured for 802.1x with MAB fallback will first send an EAPOL Start message. An 802.1x-enabled client would be able to provide the appropriate User and Host information and get authenticated via 802.1x. No MAC address will be sent at this point.
    For the same switch and a client with dot1x DISABLED, does the switch forward just the MAC address to ACS?
    Yes, the switch will send the EAPOL Start messages to the 802.1x-disabled client. It will not be able to respond to the switchport request. After the retries the switchport will fall back to MAB and expect the client to send the MAC address to get authenticated.
    If the switch invokes MAB and passes just the MAC address to ACS, does ACS still run the MAC address through the full identity store sequence which starts with AD1, even though dot1x is not running (and therefore AD matching is not relevant)?
    Yes, the ACS will still run the authentication against all the databases specified in the Identity Store Sequence from top to bottom.
    Ultimately, I am trying to decide if
    a) ACS is passing non-dot1x credentials (namely the MAC address) to AD erroneously ---> Do not think this might be the case as it will always pass the credentials to every database in the specified order
    b) if AD is responding (correctly or incorrectly) with a match ---> We know this one is happening.
    c) if AD is rejecting the MAC address but that the rejection message isn't triggering the next iteration in the identity store sequence. ----> Do not think AD is rejecting the MAC address based on:
    24432  Looking up user in Active Directory - 00-1B-78-00-33-00
    24416  User's Groups retrieval from Active Directory succeeded
    At this point I have no suggestions on how to determine if the MAC Address is being properly authenticated on the AD Side
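The difference between the two traces in this thread can be checked mechanically. The following is an added example, not code from either poster or from Cisco: it parses an ACS step trace and flags a MAB host lookup whose match came from Active Directory rather than Internal Hosts. The function names are hypothetical, and the step codes and abridged sample traces are copied from the post.

```python
import re

# Step codes as they appear in the two ACS traces quoted in the post above.
HOST_LOOKUP = "11027"     # Detected Host Lookup UseCase (MAB)
SELECTED_STORE = "15013"  # Selected Identity Store - <name>
AD_MATCH = "24416"        # User's Groups retrieval from Active Directory succeeded
HOST_MATCH = "24211"      # Found Host in Internal Hosts IDStore
AUTH_PASSED = "22037"     # Authentication Passed
OUTCOMES = {"11002": "Access-Accept", "11003": "Access-Reject"}

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")

def parse_steps(trace):
    """Return (code, message) pairs; unnumbered headings such as 'Steps' are skipped."""
    return [m.groups() for m in map(STEP_RE.match, trace.splitlines()) if m]

def classify(trace):
    """Summarise one trace and flag a MAB lookup that was satisfied by AD."""
    info = {"mab": False, "selected_store": None, "matched_in": None,
            "outcome": None, "finding": None}
    authenticated = False  # only matches seen before 22037 decide the store
    for code, msg in parse_steps(trace):
        if code == HOST_LOOKUP:
            info["mab"] = True
        elif code == SELECTED_STORE and " - " in msg:
            info["selected_store"] = msg.split(" - ", 1)[1]
        elif code == AUTH_PASSED:
            authenticated = True
        elif code in OUTCOMES:
            info["outcome"] = OUTCOMES[code]
        elif not authenticated and code == AD_MATCH:
            info["matched_in"] = "Active Directory"
        elif not authenticated and code == HOST_MATCH:
            info["matched_in"] = "Internal Hosts"
    if info["mab"] and info["matched_in"] == "Active Directory":
        info["finding"] = "MAC address matched an Active Directory object during MAB"
    return info

# Abridged copies of the two traces from the post (MAC address as given there).
PASSED_TRACE = """Steps
11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013  Selected Identity Store - Internal Hosts
24211  Found Host in Internal Hosts IDStore
22037  Authentication Passed
15016  Selected Authorization Profile - MAB-PC
11002  Returned RADIUS Access-Accept
"""
FAILED_TRACE = """Steps
11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013  Selected Identity Store - AD1
24432  Looking up user in Active Directory - 00-1B-78-00-33-00
24416  User's Groups retrieval from Active Directory succeeded
22037  Authentication Passed
15016  Selected Authorization Profile - DenyAccess
11003  Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    for name, trace in (("passed", PASSED_TRACE), ("failed", FAILED_TRACE)):
        print(name, classify(trace))
```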

  • Authenticating Device Admin users against AD specific groups

    Hi,
    I am using ACS 5.3. What I am after is setting user authentication against existence of the user in a specific AD group, not just being a member in any AD. What is happening now is that users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.
    Any idea how I can bind the authentication against a specific group in AD, not just using AD1 as the identity source?
    Thanks

    Hi Mike,
    Can you please define what you exactly mean by authentication and authorization?
    The ACS checks the AD for a specific user, whether it is available and whether the credentials are correct. If so, then on the AD you will probably find a successful authentication in the logs, but from the user's perspective, the user does not know whether it is authenticated or not at this stage.
    Now, the ACS knows the credentials are correct and then checks the policy rules that are configured. Depending on the policy rules it will tell the user if it is successfully authenticated or not.
    In the policy, you control success or failure of the authentication of the client depending on the AD group.
    If what I explained above is not what you are looking for please elaborate more about your request so we better understand your concern.
    Regards,
    Rating useful replies is more useful than saying "Thank you"

  • Is Codes creation in QS41 possible against language specific?

    Hi
    When we are looking at the notification catalogue profile, we can maintain it against a specific language. I mean in configuration the translation is possible.
    However, against the same catalogue its codes (damage, activities, objects etc.) can be created with their specific language and there is no translation available.
    Can you tell me how to handle this scenario? Now we want to maintain the codes for IT, FR, ES languages against its profile. Is it required to create each one with QS41?
    Thanks

    HI,
    I don't know your exact requirement
    But to maintain different language for codes in QS41
    Select the codes you need to maintain  Menu --> Edit --> Translation --> select language and enter

  • Configure SMTP to forward mail to a specific domain

    We have migrated all of our e-mail from on premise exchange to Office 365. To support internal applications that send e-mail such as our scanners, we have setup a SMTP relay server using IIS on Windows 2012.
    This is working very well however we have some users that when they do a scan they simply enter their e-mail alias (the part before the @ symbol) since that worked when the scanner was sending to Exchange. However Office 365 does not know how to route these e-mails so they result in a NDR. Since the NDR is not sent to the person creating the scan they do not even know the issue other than they did not receive their scan.
    Is there a way to configure the SMTP service on Windows 2012 to send all e-mail that does not have a domain listed in the e-mail address to a specific domain? For example, if someone were to send their scan to myalias it would be delivered to myalias at mycompany dot com (sorry about spelling it out but it is not letting me post this with a e-mail address in it even if the address is not valid)

    Hi,
    You can try to create a SMTP domain in IIS manager(Default SMTP Virtual Server>Domains>New>domain) and then enable "Allow incoming mail to be relayed to this domain" and "Forward all mail to smart host".
    In addition, for questions related to IIS, you can also ask in IIS forum for professional assistance:
    http://forums.iis.net/
    Best regards,
    Susie

  • Configuring log location for Adobe Document Services specific log

    Hi All,
    Interesting one for you. I am currently helping to resolve a PDF rendering issue which is intermittent. I have sent the default trace logs to SAP, however, there is an additional Adobe-specific log which should be written to /usr/sap/<SID>/SYS/global/AdobeDocumentServices/renderErrorLog/errorFiles. However, my default trace is saying that they are written to the wrong SID and also puts a double // between global and AdobeDocumentServices, which of course is never going to work.
    The system in question is a fully supported system copy of our Production environment, created using SAP sapinst tools.
    If anyone can point me in the right direction to edit/configure the renderErrorLog location I would be most relieved as there does not appear to be anything in the Visual Administrator or Config tool.
    many thanks

    Hi,
    All the form-related services have to be started first: the IIOP on dispatcher and server, all the Document Services *, PDF manipulation and XML form module.
    Then you should be able to register your credential.
    Francois

  • CTS+ Configuration in PI 7.4 for SLD specific data

    Hello Guys,
    I am doing CTS+ configuration for PI System SLD Version 7.4 to transport J2EE as well as SLD-specific data through transports. My CTS server is the Solman System.
    I have created a CTS user in the Solman System and in PI NWA I have defined a destination to point to the Solman System. But I am running into several errors.
    Could anyone please help me with what user authorizations are required for the CTS user in Solman to transfer non-ABAP data and SLD-specific data through transports?
    It's very urgent.

    Did you happen to see this document of a CTS+ configuration for 7.3 (should be fairly the same for 7.4)?   CTS+ Configuration for PI 7.3
    Steps 1.2 and 8.2 have references to roles.

  • How to attach questionnaire to initiative/item against a specific field?

    Hi All,
    How to attach a questionnaire for a specific field for an initiative/item in context to xRPM?
    Regards
    srikanth

    Hi,
      If you have completed the activity 'Define Questionnaires' under SAP xRPM -> Global Customizing -> Process and Service Settings, you should have the questionnaires displayed in the portal. If not, do the following.
    1) Check that you have attached the questionnaire for the correct object type in the 'Define Questionnaires' activity.
    2) In the previous activity, 'Define Services', check that the questionnaire service is linked to an object type correctly.
      If these 2 activities have the correct configuration, then you should be able to see the questionnaires in the drop down.
    Best Regards,
    Prashanth

  • ACS 5.1 - auth against different AD groups from one client?

    Hello,
    ASA has RA vpn's set up with authentication against TACACS ACS 5.1 based on AD group.
    Need to set up access to ASA itself (ssh) based on TACACS as well, to the same ACS box.
    Is it possible to have it against another AD group?
    Right now, when I create a rule, the criteria to select a specific service are based on protocol, client device IP, and a few other conditions, and based on that ACS selects a rule which in turn may be Network Access or Device Access.
    I created two different rules, one is Device Access against Group1 in AD, another is Network Access against Group2 in AD, and whichever one is first in the list is being chosen for VPN access - based on ASA IP and protocol (TACACS).
    Probably workaround would be to enable both RADIUS and TACACS for the ASA and on ACS for this client, and use different protocols for vpn and local device access?
    Is this the way?
    Thank you
    Alexander


  • How to run a SQL based query against a specific collection

    Hello,
    I have used this query to make a custom reports, it works but all machines are mixed up,
    So I am looking for a way to run it against collection group win 8 or win 8.1.
    or if I can add a line to this query so it will also display OS version.
    SELECT     dbo.v_R_System.Name0, dbo.v_GS_ENCRYPTABLE_VOLUME.DriveLetter0, dbo.v_GS_ENCRYPTABLE_VOLUME.ProtectionStatus0
    FROM         dbo.v_GS_ENCRYPTABLE_VOLUME INNER JOIN
                          dbo.v_R_System ON dbo.v_GS_ENCRYPTABLE_VOLUME.ResourceID = dbo.v_R_System.ResourceID
    Thanks in advance
     

    Corrected :
    SELECT dbo.v_R_System.Name0, dbo.v_GS_ENCRYPTABLE_VOLUME.DriveLetter0, dbo.v_GS_ENCRYPTABLE_VOLUME.ProtectionStatus0
    FROM dbo.v_GS_ENCRYPTABLE_VOLUME
    INNER JOIN dbo.v_R_System ON dbo.v_GS_ENCRYPTABLE_VOLUME.ResourceID = dbo.v_R_System.ResourceID
    JOIN v_GS_Operating_System OS on dbo.V_R_System.ResourceID = OS.ResourceID
    WHERE OS.Caption0 like '%Windows 8%'
    I also did it by CollectionID if needed :
    SELECT dbo.v_R_System.Name0, dbo.v_GS_ENCRYPTABLE_VOLUME.DriveLetter0, dbo.v_GS_ENCRYPTABLE_VOLUME.ProtectionStatus0
    FROM dbo.v_GS_ENCRYPTABLE_VOLUME
    INNER JOIN dbo.v_R_System ON dbo.v_GS_ENCRYPTABLE_VOLUME.ResourceID = dbo.v_R_System.ResourceID
    JOIN v_FullCollectionMembership COL on dbo.V_R_System.ResourceID = COL.ResourceID
    WHERE COL.CollectionID like 'Your Collection ID'
    Benoit Lecours | Blog: System Center Dudes
