Custom Authorization on Shared SSRS

How do I setup a report to perform an authorization check? I would like to simply pass the user's ID to a stored procedure to return whether or not the user is authorized to view the report before any report generation activity occurs. If the
result is false, I'd like the SSRS to display the standard "not authorized" message or something similar.
Shared SSRS
I am deploying to a shared SSRS 2008 R2 environment that I do not own, so modifying SSRS configuration files is not an option.
Application Roles
The application I am reporting against has its own role based security which I will need to leverage, so I can not manage security on the actual report item in SSRS.

Create a parameter and populate it with
=User!UserID
This will drop the current windows user: windows_domain\Patrick Hurst into the parameter value. You can then use it as a filter. I used the following to strip it down to just first initial/last name (where @UserControl was my parameter):
left(right(@UserControl,len(@UserControl)-charindex('\',@UserControl)),1)+'%'
and username like '%'+ right(right(@UserControl,len(@UserControl)-charindex('\',@UserControl)),len(right(@UserControl,len(@UserControl)-charindex('\',@UserControl)))-1)

Similar Messages

Catch datetime exception and custom error message in SSRS

I currently working on create report by using SSRS. I have 2 parameters: [Start date] and [End date] to filter data from database and show it on report. I want to validate 2 datetime parameter as describe above. Please tell me a solution to do this.
For example:
When user type the text like: 4/15/2014mmm => System validation thrown a message: [The From Date not correct type]
But in my case, I want to receive a custom error message by myself.(Look like: [Date Invalid!])

Hi Brain,
According to your description, you have a report with two parameters for user to input. Now you want to validate these two parameters and display custom error message when the date is invalid. Right?
In Reporting Service, it doesn’t provide any interference for us to modify the system error message (the text in grey color). That means we can’t modify the system message when error occurs. However we can create a textbox in this report, use custom code
and expression to display the custom error message. But this all based on the report is successfully running. So if error occurs during report processing, all the custom code and expression will not work. In this scenario, we find a workaround for you. We
use custom code to judge if the date is valid, if the users type an invalid date, we return a default value to make sure this report can successfully run. Then we use expression to control the visibility of tablix in this report and create a textbox to show
the custom error message. Your case has been tested in our local environment. Here are steps and screenshots for your reference:
Go to Report Properties. Put the code below into custom code:
Public Shared a As Integer=0
Public Shared Function IsDate(d1 As String,d2 As String) as Integer
        Try
           FormatDateTime(d1)
           FormatDateTime(d2)
        Catch ex As Exception
                   a=1
        End Try
return a
End Function
Create two parameters. One is StartDate, the other is EndDate. Set the data type of these two parameters Text.
Create a filter for StartDate, put the expression below into Value:
=IIF(Code.IsDate(Parameters!StartDate.Value,Parameters!EndDate.Value)=0,CDate(IIF(Code.IsDate(Parameters!StartDate.Value,Parameters!EndDate.Value)=0,Parameters!StartDate.Value,"1/1/2012")),CDate("1/1/2012"))
Create a filter for EndDate, put the expression below into Value:
=IIF(Code.IsDate(Parameters!StartDate.Value,Parameters!EndDate.Value)=0,CDate(IIF(Code.IsDate(Parameters!StartDate.Value,Parameters!EndDate.Value)=0,Parameters!EndDate.Value,"1/1/2013")),CDate("1/1/2013"))
Ps: In step3 and step4, the date(“1/1/2012”, “1/1/2013”) in the expression are the default we set to make sure the report can successfully process. You can set any date existing in your dataset.
Use the expression below to set the visibility of the tablix:
=IIF(Code.IsDate(Parameters!StartDate.Value,Parameters!EndDate.Value)=0,false,true)
Create a textbox, put the expression below into it:
=IIF(Code.IsDate(Parameters!StartDate.Value,Parameters!EndDate.Value)=0,"","Date invalid")
Save and preview. It looks like below:
Reference:
SSRS Calendar and Date Restriction
Errors and Events Reference (Reporting Services)
If you have any question, please feel free to ask.
Best Regards,
Simon Hou

Custom authorization provider for WL7 problem (not getting all parameters from ContextHandler)

I'm implementing a custom authorization provider for WebLogic 7.
In my Access Decision isAccessAllowed method I need to check values of
the parameters passed to an EJB method. Now, if an EJB method I have
two parameters of the same type, for example int, when I get
ContextElement array from ContextHandler and iterate through it to get
names and values of the parameters I get the same value (value of the
first int parameter) from both ContextElement's.
Here is the code:
String [] names = ch.getNames();
for (int i = 0; i < names.length; i++)
String name = names;
System.out.println("name = " + name);//here it gets array of
Strings, which contains two parameter names: "int","int",
which are the types of EJB method parameters
ContextElement[] ces= ch.getValues(names);
for (int j = 0; j < ces.length; j++)
     ContextElement ce = ces[j];
     System.out.println(ce.getName()+ " = " + ce.getValue());
//here if the value of the first int was 2 and the second 0,
it would get 2 from both ContextElements (each of ContextElements will
have name "int"
If I try this with method parameters of different types, for example
int with value 2 and long with value 0, then this code work fine -
first ContextEleement has name int and value 2 and the second has name
long and value 0.
Thanks,
-Oleg Kozlov.

I'm implementing a custom authorization provider for WebLogic 7.
In my Access Decision isAccessAllowed method I need to check values of
the parameters passed to an EJB method. Now, if an EJB method I have
two parameters of the same type, for example int, when I get
ContextElement array from ContextHandler and iterate through it to get
names and values of the parameters I get the same value (value of the
first int parameter) from both ContextElement's.
Here is the code:
String [] names = ch.getNames();
for (int i = 0; i < names.length; i++)
String name = names;
System.out.println("name = " + name);//here it gets array of
Strings, which contains two parameter names: "int","int",
which are the types of EJB method parameters
ContextElement[] ces= ch.getValues(names);
for (int j = 0; j < ces.length; j++)
     ContextElement ce = ces[j];
     System.out.println(ce.getName()+ " = " + ce.getValue());
//here if the value of the first int was 2 and the second 0,
it would get 2 from both ContextElements (each of ContextElements will
have name "int"
If I try this with method parameters of different types, for example
int with value 2 and long with value 0, then this code work fine -
first ContextEleement has name int and value 2 and the second has name
long and value 0.
Thanks,
-Oleg Kozlov.

How to add custom authorization object to a SAP standard transaction

Hi All,
I have a standard tcode IW22 (change PM Notification) and I would lock changing when some users modify the field Functional Location (field TPLNR).
Since this field does not have an authorization object associated, I've tried to solve this problem with the following steps:
- tcode SU20 - creation of new authorization field TPLNR with data element TPLNR
- tcode SU21 - creation of a new auth object in transaction SU21 with name ZPM and field (TPLNR, ACTVT and TCOD)
- tcode SU24 - insert of new authorization field e check indicator (green)
- tcode SU22 - check indicator - check (green)
After this we have created a new role with PFCG and add transaction IW22; the new auth.ZPM was added manually.
We have try to analyze log (ST01 trace) but it seems no check was made in the trace file.
It seems new authorization object was not checked.
My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
Thanks
Maurizio

> My question is: "Is it possible to add a custom authorization object into standard transaction and implementing authorization check without writing abap code in exit or badi ?"
>
No .. not possible. The list of Auth. objects SAP proposed in SU24 for each Stnd. SAP TCodes are basically documentation of the Authority-Checks in the program for that TCode. The extra advantage of SU24 is to set the object status (means the proposal for availability in PFCG) among any of the four check indicators. So that we can provide our own value (customer specific values which are basically defined and separate from sap provided values) and reinforce the authorization concept of the organization.
So you need to provide a Authority-Check for ZPM in the program of IW22 to make sure that the fields you want to be checked are really being checked during execution of the tcode.
Regards,
Dipanjan

How to create and configure a custom authorization service

Anyone has any idea how to create a custom authorization module? Can anyone tell me where can I find a documentation or some example how to do it?
I appreciate any idea.
Regards.

The Access Manager developer guide on the Authentication SPI should be all you need to get started
http://docs.sun.com/app/docs/doc/819-4675/6n6qfk0nf?a=view

HR ABAP Custom Authorization Check

Hi all,
We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
GET PERNR.
I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
Thanks in Advance.

There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
Some special differences are:
- The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
- Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
- Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
Cheers,
Julius
Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

When I try to authorize home sharing in iTunes, I get error message 5506. What is the problem?

When I try to authorize home sharing in iTunes, I get error message 5506.
What is the problem?

Home Sharing
Setting up Home Sharing on your Computer
http://support.apple.com/kb/HT4620?viewlocale=en_US&locale=en_US
Understanding > http://support.apple.com/kb/HT3819
How to > http://support.apple.com/kb/HT2688
Troubleshooting > http://support.apple.com/kb/TS2972

Custom authorization object

Hi all,
I have created a custom authorization object to define a data security based on the Company code field.
These are the steps I did:
- I create a new authorization object containing the Company code field (BUKRS).
- I create a new role with this authorization object, and I have assigned a specific value to the Company code field.
- The role contains also the standard authorization object HR Master data which contains the field: infotype, personnel area...
- I have assigned the new role to a user and I have executed a report, but I had not the expected result.
- I had assigned the custom authorization object to the report transaction through SU24 and SU22, but I had not the expected result.
As expected result I was expecting that the data are filtered based on the Company code I put in the authorization field.
Any idea about the problem?
thx!

Please check that you have followed all of the steps listed here when creating your object:
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm">http://help.sap.com/saphelp_erp2005vp/helpdata/en/9e/74ba3bd14a6a6ae10000000a114084/content.htm</a>
- April

Custom authorization object and check logic

Hi gurus,
we need to apply additional authorization check in our custom reports.
so i created a custom fields & object, and put the statement
      AUTHORITY-CHECK OBJECT 'ZHR_APP01' FOR USER uname
               ID 'ZROLEID' FIELD '03'
               ID 'ZSOBID' FIELD zzdwbm.
in a abap class method centrally, so it could be called by many reports.
but the test show that the sy-subrc always set to 0, even for users without any authorization.
what i missed for adding custom auth check?
for this case, do i need to maintain authorization check indicator in SU24?
what i am confused is that , su24, you have to maintain a transaction , but our authorization check is not for transaction , but for reports and bsp application, how should i maintain su24 for that?
thanks and best regards.
Jun

Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
but still it is taking the P_ORGIN object.

Custom Authorization Object for HR

Hi,
As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
Your help will be appreciated.
Thanks,
Mandeep Virk

Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
but still it is taking the P_ORGIN object.

HR Authorization : Custom Authorization Object for P_ORGIN

Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
but still it is taking the P_ORGIN object

Online Help
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

HR custom authorization issues/BADI to be used for some customization

We can develop custom authorization object in HR and run RPUACG00 to generate include MPAUTCON.Is it possible to include some customizations to the MPAUTCON program to accomplish some of our requirements.
If not can you please suggest me a BADI/User exit which can be used to develop some customization on a specific field, which can be called at the times the HR Master data is being changed/displayed/created.
Thanks in adavnce for the answers.

Hi Kiranm,
the MPPAUTCON program (or MPPAUTZZ in non-contextual mode) is automatically generated by the RPUACG00 report.
But you can modify it to add custom controls.
Best regards.

Customized Authorizations in SAP ISA Frame work

Hi All,
I am using SAP ISA Frame work in my project and displaying customized Authorizations in my Project and i want to add new Authorizations in my Project.
Please let me from where these authorization data is coming whether it is coming from back end or front end.
If it is front end from which file these data is coming.
I am expecting it is coming from some xml file and i would like to know from file name of xml.
regards,
suresh

Hi All,
Any suggestions please
Regards
G.s.naidu

Custom Authorization Policy

Hello Experts,
I need to create new custom Authorization Policies, but seems that I can create or copy only Policy from these Entity Type:
- User Management
- Role Management
- Authenticated Self Service User Management
What about the other entity Type? Why I cannot create an Authorization Policy based (for example) on Entity Type 'Scheduler'??
Thanks in Advance and Best Regards
AT

Open an SR and ask Oracle for the 11gR1 unpublished API.
We automate the creationing of an authz policy when we create a group. We were able to receive the API for 11gR1 with the understading that it was unsupported, and with a very strong business case for needing it.
Hope that help.

Custom Authorizer

I have created a custom Authorizer and RoleMapper for 8.1SP5. I have also implemeted a new a new Security Console Extension (SecurityExtensionV2), replacing the default WL screens. I have everything working except for one small item. When I try to create/edit a Web Application's Security Policy or Scoped Role the default "URL Pattern" screen appears. The text on the screen says that URL Patterns already defined are shown below. They are not. I cannot find any way to replace this screen or any methods in the Policy/Role MBeans that are being called to populate the list. Once I enter something into the input field, the getExtensionForPolicy() or getExtensionForRole() method is called with the correct resourse and url.
Any help would be greatly appreciated.
Joe [email protected]

I have created a custom Authorizer and RoleMapper for 8.1SP5. I have also implemeted a new a new Security Console Extension (SecurityExtensionV2), replacing the default WL screens. I have everything working except for one small item. When I try to create/edit a Web Application's Security Policy or Scoped Role the default "URL Pattern" screen appears. The text on the screen says that URL Patterns already defined are shown below. They are not. I cannot find any way to replace this screen or any methods in the Policy/Role MBeans that are being called to populate the list. Once I enter something into the input field, the getExtensionForPolicy() or getExtensionForRole() method is called with the correct resourse and url.
Any help would be greatly appreciated.
Joe [email protected]

Custom Authorization on Shared SSRS

Similar Messages

Maybe you are looking for