CUP question - Possible to restrict available roles based on the requester?

Hello all,
One of our customers wants to put restrictions on the access requester in the CUP module: meaning that some requesters should only be able to request roles assigned to functional area 'Procurement', while other requesters should only be able to request roles that are assigned to all functional areas except for 'Procurement'.
Do you know if this is possible or do you see an alternative solution?
Thanks in advance,

There is no real way to restrict people from doing that, but you could use the business process in role attributes to ensure that, if they select the correct business process, only roles listed under a particular business process are listed when being searched.
You could make the business process field mandatory on the main screen, and then that gets carried over when searching for roles; obviously, that can always be changed by the user.
regards,
Chinmaya

Similar Messages

  • Is it possible to restrict control flow based on the exceptions?

    Hello,
    I am doing a program in which, if any exception occurs, the program shouldn't continue. It should stop execution, come out of the program and display the exception message.
    Example:
    In the code below, I have one divide method and one add method. If the divide method throws an exception, the add method should not be executed.
    How to do this?
    public class Testcatch {
        private int a=0;
        private int b=3;
        private int c=0;
        private int d=0;
        public int divide(int x) {
            try {
                a=x;
                System.out.println("a="+a);
                d=6/a;
            } catch(Exception e) {
                // the exception is handled here, so the caller carries on
                System.out.println("Error= "+e);
            }
            return d;
        }
        public int add() {
            c=a+b;
            System.out.println("b="+b);
            return c;
        }
        public static void main(String args[]) {
            Testcatch tc=new Testcatch();
            System.out.println("Divided value c= "+tc.divide(0));
            System.out.println("Added Value d= "+tc.add());
        }
    }
    Please help. Thanks for taking time,
    Regards,
    Ashvini

    Simple, make the divide() method not handle the exception by itself.
    public class Testcatch {
        private int a=0;
        private int b=3;
        private int c=0;
        private int d=0;
        // no try/catch here: the exception propagates to the caller
        public int divide(int x) throws Exception {
            a=x;
            System.out.println("a="+a);
            d=6/a;
            return d;
        }
        public int add() {
            c=a+b;
            System.out.println("b="+b);
            return c;
        }
        public static void main(String args[]) {
            try {
                Testcatch tc=new Testcatch();
                System.out.println("Divided value c= "+tc.divide(0));
                // not reached when divide() throws
                System.out.println("Added Value d= "+tc.add());
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

  • How to see the data records for a dso based upon the request id?

    Hi all,
    How to see the data records based upon the request id on the dso.
    I need to see the data for a dso based upon the request id 444493 loaded from another dso through repair full update.
    thanks

    Hi,
    Step 1: select your request from DSO request tb
    Step 2: Select your DSO just above your contents/requests/reconstruction tabs
    Step 3: Click contents(Spectacles symbol) in the top area of your screen
    Step 4: Select the required fields
    Regards,
    Suman

  • Any ideas on restricting userID Role Assigment within the SAP Security Team

    Hello,
    I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignments for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
    Thanks in advance for your help!
    John

    Hi John,
    There can be a manual control in place, and an individual should not assign role/s to himself / herself.
    Otherwise, security team members can be assigned to a specific group (let's say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security. There should be a dedicated power user to assign the role/s to the security team members, and this can be audited (SM20 log for manual super user / FireFighter log for FireFighter user).
    Thanks
    Prasanna

  • How to check Role based on the User ID

    Hi All,
    Based on the User ID, how to check the role of the particular person [ex Employee / Manager etc]? In the HR module, in which table are the details present?
    Thanks.
    Regards
    Tina

    Hi Tina,
    Use FM: HR_GETEMPLOYEEDATA_FROMUSER
    This will give you all info related to User ID.
    In parameter EMPLOYEESUBGROUP, you will get position of this employee.
    Hope this helps.
    Regds,
    Akshay Bhawgat
    Note: Some points would be nice if it helps.
    Message was edited by: Akshay Bhagwat

  • Restrict Org details based on the User in Business partner creation..

    Hi Gurus,
    I have to assign Sales Org, DIV, Distribution Channel to the Business Partner in Sales Area data. When I try, the system shows the entire Org structure. But I want the Org structure to be displayed based on the user logon. Assume that I am assigned to Shanghai and creating a Business partner for Shanghai; the system should not show Beijing or other Org Units since I belong to Shanghai. How to address this scenario through standard customization?
    Is it a common problem in CRM WebUI (6.0 and 7.0)?
    My Org Structure:
    Global
      China
         Shanghai
         Beijing
         Nanjing
    Thanks in Advance....

    Hi Denis,
    Thanks for your reply. I believe Org determination rule is applicable for Transaction types, not for Account Creation. I want to get Sales area data based on login user. It shows complete Sales Area (Sales Org ID, Distribution Channel, Division) when I create an Account. Assume that you are an employee and assigned to New York; when you create a New Customer in New York, the system should not show Boston, Washington Sales areas... Please throw some light on this...
    Thanks in Advance.,

  • Picking files based on the requested URL

    Hi Experts
    I have a requirement where I need to pick image files from SAP DMS server based on the URL requested.
    The scenario :
    Third-party sends a URL  corresponding to a particular image in DMS as request and PI needs to Pick the image
    file and send it as response.
    Do we need BPM? How to set up the sender file adapter source directory, as the file name/directory to be picked is dynamic in nature and there is no specific pattern? We need to pick the exact file based on the unique URL.
    Can we do this requirement in a synchronous interface by using HTTP or SOAP attachments for image? What about
    the performance impact as we have img files here.
    Regards,
    Srinivas
    Edited by: Srinivas on Sep 27, 2010 11:36 AM

    Third-party sends a URL corresponding to a particular image in DMS as request and PI needs to Pick the image
    file and send it as response.
    BPM would be required....We had a similar requirement wherein a URL was given at runtime to PI....then PI had to call the location and get back the details and we used SOAP for this (SYNC Call to the URL using SOAP channel from the BPM).
    Can we do this requirement in a synchronous interface by using HTTP or SOAP attachments for image?
    Not sure how the attachment will function inside a BPM....in my case I got the details as part of the message...even it was an image but it was stored as a base64 encoded message.
    Regards,
    Abhishek.

  • BW Roles based on the department

    Hi,
    My requirement is to create roles that restrict data access according to department.
    We have nearly 20 different departments and my requirement is to create roles so that users can be granted access according to their department.
    Could you please update me with the detailed process on how I can create roles.
    I am the DEPARTMENT char as authorisation relevant
    Thanks

    Hello,
    Please see these docs,
    [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
    [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
    [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
    Thanks
    Chandran

  • Role based on the username

    Hi Experts ,
    Could someone kindly tell me how to find the role assigned to a username.
    Appreciate your response,
    Chaitanya.

    Function Modules:
    SO_CHECK_USER_ROLE
    GET_R3_ROLES
    ALM_ME_GET_USER_BY_ROLES
    UHC_GET_USER_ROLE
    Check the above function modules name.
    Regards,
    Gurpreet

  • Is there a possibility to know mobile device from which the request comes?

    Hi Experts,
    I am developing a mobile UI and I have the following requirement.
    Mobile user launches my application with the help of a URL. I need to know what is the name of the mobile
    device from which user is launching the application. For eg. i need to know if he is using blackberry, nokia etc.
    Is there any way to find this?
    Thanks,
    Satish Challa

    You can get this info from the User-Agent header that most web browsers include in their HTTP headers. Here is some more info in the case of BlackBerry.
    http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/348583/800878/800733/How_To_-_Retrieve_information_about_the_BlackBerry_Browser.html?nodeid=1033750&vernum=0
    cheers
    ed

  • How to Restrict Search based on the Roles for External crawled sites

    I have a situation where the search results have to be restricted based on role
    When External sites are crawled, how can we restrict the search results based on roles,
    I know that we can restrict the search to a group or set of groups that can contain many users but if the group have different roles and if that group has given access to a web repository search, how can we restrict the document/search access based on roles for the same group?
    For example, an Index that has an external site as data source and the permissions were set for a group and that group has 2 roles, let's say "Admin" and "user", and the external site has some documents; when searched, the documents should come up only for the "Admin" role during search, but should not come up for the "user" role
    Is it possible to achieve this? Is there a solution?
    Any advices are greatly appreciated and awarded
    Thanks,
    kk

    Is it possible to restrict on role based?
    Any suggestions are appreciated
    Thanks
    KK

  • EAM ID based or Role based? Why settle for just one?

    G'Day All,
    I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.
    ID-Based Firefighting vs. Role-Based Firefighting
    So this is where I am at this point:
    From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
    - ID Based: Logs in using own U.ID and through GRAC_SPM accesses FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc)
    Only one user at a time can use a FFID.
    Firefighter need not exist in every system assigned to them due to central logon however they need to exist in the GRC system
    Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing)
    Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
    Two Log ins so potential to commit fraud. (1 action using own UserID and 1 action using FFID)
    Could be hard to track and find out when a fraud has been committed so can be a problem with auditors.
    ID Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFIDs assigned to you
    ID Based -> /n/GRCPI/GRIA_EAM : TCode for Decentralised FFighting -> You can see the FFIDs assigned to you
    - Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID. 
    Multiple users can use the FFROLE at once.
    Firefighter has to exist in every system assigned to them - so multiple logons.
    Hard to differentiate between FF tasks and normal tasks as no login required. So easy to slip up
    Time consuming to track FF tasks - No Specific log reports. No Reason Codes
    R.Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFROLEs
    R.Based -> /n/GRCPI/GRIA_EAM : TCode for Decentralised FFighting -> Not applicable so won't work
    So based on this there are pros and cons in both however according to SAP only one can be used. To me personally,  it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?
        . Really critical tasks -> FFID
        . Normal EAM tasks -> FFRole
    Alessandaro from the original post pointed this out:
    "Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
    Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.
    However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
    So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
    What is stopping us from using it when ID based is the default?
    If I were to do the following does it mean I can use both ?
        . Config Parameter: 4000 = 1 (GRC System) -> ID Based
        . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
    Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:
       . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
    However for ID based, it is a Central Logon, so the following is a must:
        . Config Parameter: 4000 = 1 (GRC System) -> ID Based
    Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way, I leave it to you experts and I hope you will shed some light on it.
    Cheers
    Leo..

    Gretchen,
    Thank you for thoughts on this.
    Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
    My query/issue is not in regards to if/what SAP needs to do about this or why there isn't more support from Companies/Organizations and not even, which one is a better option.
    My query is what is stopping us(as in the end users ) from using both ID/Role based at the same time?
    Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
    Scenario
    I've created the following:
    FFID
    FFROLE
    Assigned them to, two end users
    John Doe
    Jane Doe
    I set the Configuration Parameters as follows: 
    IMG-> GRC-> AC-> Maintain Configuration Settings -> 4000:1 - ID Based
    IMG-> GRC (Plug-in)-> AC-> Maintain Plug-In Configuration Settings-> 4000:2 - Role Based
    User1
    John Doe logs into his regular backend system (ECCPROD001) -> executes GRAC_SPM -> Enters the GRC system (GRCPROD001) -> Because the parameter is set to ID based in the GRC Box, he will be able to see the FFID assigned to him -> and will be presented with the logon screen -> Logs in -> Enters the assigned system (let's say CRMPROD001). At this point the firefighting session is under progress
    User2
    Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLE. This is done at the same time while FFID session is in progress
    So all I want to know is if this scenario is possible? if the answer is No, then why not?
    I physically carried out this scenario in my system and I had no problems(unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
    Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
    So there you have it. That's the whole enchilada(as they say there in Texas). I tried to word my thoughts as concisely as I can, if there are still any clarifications, more information you or anyone else reading this would like, please do let me know.
    Regards,
    Leo..

  • Role based reflection security manager?

    Hi,
    I am trying to find out whether there is a possibility to implement a role based Security Manager to control access to reflection operations (such as checkMemberAccess() for example).
    I need to implement an application where using reflection is totally forbidden, except for some very specific parts of the code. Is this possible? If yes, how should I proceed? Is there a concept of identity around the security manager? Should I use ReflectPermission? If yes how?
    I have been doing some reading, but it is still not clear to me. I am looking for a general implementation procedure.
    Thanks.

    Jrm wrote:
    Ok, fair enough regarding storing data on end user PC.
    But I see a contradiction here (or I misread you). I understand that SecurityManagers are used for applets to restrict some of their actions. What if people are able to bypass SecurityManagers? What is the point of having them? If a .jar application is started with a SecurityManager, can an end user strip it and replace it with its own security manager (from its own code for example)?

    First of all, the SecurityManager is provided by the local computer, not the applet. But the most important point is that the SecurityManager used when running third-party applet code is not trying to protect the third-party code; it is trying to protect the local computer from unknown third-party code. The user is perfectly able to disable the SecurityManager and/or give the third-party code whatever permissions it desires if they decide to trust the code. You are trying to protect your code (which is the third-party code with respect to the user) from the user. That is the opposite situation, and does not work.

    I would be happy if I could deliver a .jar application with my customized and 'unremovable' SecurityManager. Is that possible or can one always fiddle the .jar to remove it?
    Because if people can always remove it, it is a permanent open door for man-in-the-middle attacks when code is delivered to end-users, correct? Is there any way to protect .jar from tampering?

    As I said in my previous post, there is no way to stop this. As a software developer, I'm sure you are aware that you can find "cracked" versions of any commercial software that you are interested in (if you know where to look). What makes you think that your Java program is any more "secure" than those other programs?

  • Restrict available languages in portal

    Hello forum,
    We operate EP 60_SP14 and want to restrict the available languages in the portal.
    In the logon screen, the language is detected based on the client browser setting; we can do without this 'automatic' detection and prefer to have a localized logon page that is displayed in the default locale/language.
    Is there a possibility to restrict available languages/locales by a method such as to set the default locale (Re: Change default English Locale)
    Additionally, if we could provide our users with the possibility to choose which language they want to log on with this would be a plus. We have set ume.logon.locale=TRUE (in UME properties) so that a language selection box is displayed on the logon screen, but this box contains all the languages.
    Is there a possibility to restrict this list (in the logon screen) such as you can do within the portal (http://help.sap.com/saphelp_nw04/helpdata/en/49/e607426338da6fe10000000a1550b0/frameset.htm)?
    Thanks for your hints!
    Kind regards,
    Walter

    Hello Detlev,
    We need to provide access to the portal in two languages only; our default language is dutch (nl) and we want to provide users with the possibility to switch to english.
    Therefore, I would like to switch off the automatic language detection and not use any setting the browser sends, but rather just use 'nl' as the language in which the logon screen is displayed (we can and will accept the fact that the logon screen is only in Dutch).
    Instead of translating the logon-screen however, I think that forcing the language to 'nl' is a more neat solution. For example, is there a possibility to set the portalapp.xml property <property name="ForcedRequestLanguage" value="nl"/> for the logon screen somewhere?
    Would we not be able to force the language into dutch then removing the language bundles could be a solution. Can you direct me to instructions on how to do this neatly? I guess that just removing the language bundles will still leave me with all the languages selectable in the combobox at the logon screen.
    Finally, setting the ume.logon.locale option seems to work; the combobox from the logon screen allows us to select a language without problems. Instead of manually editing the code, I want to restrict languages in this box to Dutch and English.
    Thanks so far!
    Kind regards,
    Walter

  • Is it possible to lock the structure Tab in Solar02 based on the users

    Hi,
    In Solar02 transaction of solution manager , under configuration node - > structure Tab , it is possible to change the structure . Is it possible to restrict this authorisation based on login users.
    Best Regards,
    Saravana.

    Hi
    You can't restrict users as you required
    because if they have change access they can very well proceed.
    Moreover if you hide it will be hidden for all users from solar_project_admin...project tab
    Regards
    Prakhar
    Edited by: Prakhar Saxena on Sep 24, 2010 12:12 PM
