Customizing Authorization for Controlling

Hello, Experts,
I need to create a role with authorization for SPRO but only for the Controling branch.
How do I do it ?
Thank you !
Rami Kleiman - HP

Hi,
DSK- How do create configuration project ?
Anil - Can you be more specific ? PFCG is transaction for creating roles.
When I add SPRO to the role, it DOES NOT add all the authorization for
the SPRO options.
Thank you,
Rami

Similar Messages

Custom authorization for MDB in WLS 7.0

Hi,
Does anyone know how to authorize MDB using a Custom Authorization
Provider while the Weblogic Container registers the MDB as a listener
to JMS queue? My Custom Authorization Provider uses an oracle database
to store user roles and access control lists to allow a certain role
to access specific weblogic resources.
Any assistance is highly appreciated.
Thanks
Siva

The main reason is that JMS topics do not work well with HTTP clients. A topic cannot
initiate an HTTP call to the subscriber, so we have to store the message in memory
outside of JMS waiting for the subscriber to call us. Reliability is lost (if anyone
cared). The lifecycle of the outbound message is controled by the HTTP session timeout
(yuck!). This did not look like a solid feature that we should support.
If you like it, you can implement it yourself. I would recommend using JAX-RPC
handlers for that.
Thanks,
-ruslan
Michael Poulin wrote:
The deprication note is in "Creating JMS-Implemented WebLogic Web Services, section
Overview of JMS ...

Custom buttons for control 3d PDF Animate

I am currently using the 3d PDF Animate program distributed by Tetra4d to animate some 3d models that I imported into a pdf. The only actions that the default buttons provide are Play, PlayAll, Pause, Preivous, Next, First, and Last. I am trying to create a button that would play specidic steps without having to hit next or previous to get to it, but nothing I try seems to work. I have no experience in java or javascript so i am basicly just trying to piece things together based on what I see, but as I said, nothing is working. If anybody has any experience in the program, I would sure appreciate some input.

There are two ways to animate the contents of a 3D annotation - either the keyframe data is stored within the 3D model itself (as a timeline) or JavaScript is used to move each element based on a ticker loop. In both cases there must be a JavaScript controller function attached to the 3D annotation in order for control buttons to work, and when that code is added by a commercial plugin it is usually obfuscated so it cannot be modified.
Aside from inspecting the internal structure of the file, you can tell where the animation comes from by how the inbuilt controls work. Open the properties of the 3D annotation in Acrobat Pro, go to the 3D tab and 'Clear' the embedded script (don't save the file!). Re-activate the 3D scene, and look at the popup toolbar. If there's an embedded timeline, the play/scrub controller on the 3D toolbar will work. If it doesn't, the animation is script-controlled.
With embedded timelines there is usually only one animation (which covers all steps), and the various buttons assigned by the plugin simply refer to start/stop times within that animation - the 'play all' button simply tells the script to ignore all the intermediate markers. If you wanted to play a particular step, you would have to work out the time (in seconds) that the step begins and ends, then add your own code to play through only that range. However, given the code already attached to the annotation cannot be edited or removed without breaking everything, and a 3D annotation cannot have more than one attached script, the only option to make even a minor change would be to write it all again from scratch. That's the disadvantage of using tools like this - they make one thing very easy, but in doing so make it next-to-impossible to change the end result.

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

Importing custom pics for controls?

Hello all,
After poking around in the NI Example Finder I found a VI that verifies that I can modify the interface with custom pics and such... I found it under "Building User Interfaces / Customizing Controls / Using Custom Controls.VI" I'm trying to find out how they changed the pictures for the sliders and such, but each interface simply has "Custom pics were imported for the...." in the properties folder.
...ok, HOW did they import the custom pics? Maybe I'm making this too hard. Is there a bitmap image of the slider or knob that that I can modify? I've done a search in the Knowledge Base, searched on here, searched on LAVA... I'm probably making this too hard, but if someone in the know will point me in the right direction I'd really appreciate it!
Thanks!
Chad

Yair's Nugget may be helpful.
ben
Ben Rayner
I am currently active on.. MainStream Preppers
Rayner's Ridge is under construction

HR custom authorization issues/BADI to be used for some customization

We can develop custom authorization object in HR and run RPUACG00 to generate include MPAUTCON.Is it possible to include some customizations to the MPAUTCON program to accomplish some of our requirements.
If not can you please suggest me a BADI/User exit which can be used to develop some customization on a specific field, which can be called at the times the HR Master data is being changed/displayed/created.
Thanks in adavnce for the answers.

Hi Kiranm,
the MPPAUTCON program (or MPPAUTZZ in non-contextual mode) is automatically generated by the RPUACG00 report.
But you can modify it to add custom controls.
Best regards.

Custom authorization provider for WL7 problem (not getting all parameters from ContextHandler)

I'm implementing a custom authorization provider for WebLogic 7.
In my Access Decision isAccessAllowed method I need to check values of
the parameters passed to an EJB method. Now, if an EJB method I have
two parameters of the same type, for example int, when I get
ContextElement array from ContextHandler and iterate through it to get
names and values of the parameters I get the same value (value of the
first int parameter) from both ContextElement's.
Here is the code:
String [] names = ch.getNames();
for (int i = 0; i < names.length; i++)
String name = names;
System.out.println("name = " + name);//here it gets array of
Strings, which contains two parameter names: "int","int",
which are the types of EJB method parameters
ContextElement[] ces= ch.getValues(names);
for (int j = 0; j < ces.length; j++)
 ContextElement ce = ces[j];
 System.out.println(ce.getName()+ " = " + ce.getValue());
//here if the value of the first int was 2 and the second 0,
it would get 2 from both ContextElements (each of ContextElements will
have name "int"
If I try this with method parameters of different types, for example
int with value 2 and long with value 0, then this code work fine -
first ContextEleement has name int and value 2 and the second has name
long and value 0.
Thanks,
-Oleg Kozlov.

I'm implementing a custom authorization provider for WebLogic 7.
In my Access Decision isAccessAllowed method I need to check values of
the parameters passed to an EJB method. Now, if an EJB method I have
two parameters of the same type, for example int, when I get
ContextElement array from ContextHandler and iterate through it to get
names and values of the parameters I get the same value (value of the
first int parameter) from both ContextElement's.
Here is the code:
String [] names = ch.getNames();
for (int i = 0; i < names.length; i++)
String name = names;
System.out.println("name = " + name);//here it gets array of
Strings, which contains two parameter names: "int","int",
which are the types of EJB method parameters
ContextElement[] ces= ch.getValues(names);
for (int j = 0; j < ces.length; j++)
 ContextElement ce = ces[j];
 System.out.println(ce.getName()+ " = " + ce.getValue());
//here if the value of the first int was 2 and the second 0,
it would get 2 from both ContextElements (each of ContextElements will
have name "int"
If I try this with method parameters of different types, for example
int with value 2 and long with value 0, then this code work fine -
first ContextEleement has name int and value 2 and the second has name
long and value 0.
Thanks,
-Oleg Kozlov.

How to Control authorization for users with certain status for level 2 WBS Element

Dear All,
Is there any standard way or enhancement available to control authorization for users with certain status for WBS Element i.e. for example
Pre-requisite:
There is only 2 level of project i.e.
Lev_ WBSE_______Description
1___ 7-14.E_______summay outage controller
2___ 7-14.E.2310__ Plant/unit # 2310
2___ 7-14.E.2310__ Plant/unit # 2220
Project Controller (authorization role assigned "Z_PS_OP7_OTGCON_C") have all project level authorization
Plant/Unit Controller (authorization role assigned "Z_PS_OP7_PLNTOTG_C_2310") have only level 2 authorization with enhancement that we did in system by Z table.
User ID_ Plant #
123345_ 2310
122455_ 2220
Issue:
After System Status released and User Status approved the WBS basic date for Plant/Units should be restricted from updating/changing by Plant/Unit Controller level and only project controller should have this authority.
Solution required:
Can any one tell how to control this scenario either by standard or enhancement available to control authorization
BR
Saqib Usman

Hi,
Did you explore SAP Enhancement CNEX0002 Using Transaction CMOD?
Thank you and regards,
Varshal Kachole
The SCN Rules of Engagement

Custom Authorization Object for HR

Hi,
As per our Company's internal needs I have created a Custom Authorization Object for HR named ZP_ORGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction & do a trace on it, the object ZP_ORGIN is never checked (for a user having this object in his/her User Master). Only P_ORGIN object is checked instead.
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked.
Your help will be appreciated.
Thanks,
Mandeep Virk

Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
I believe I'll have to write some ABAP code e.g. AUTHORITY-CHECK OBJECT 'ZP_ORGIN' etc. Can anybody tell which User Exit or Field Exit I'll have to put the AUTHORITY-CHECK code in, so that my new custom authorization object is alwayz checked
but still it is taking the P_ORGIN object.

HR Authorization : Custom Authorization Object for P_ORGIN

Hi,
I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
We've ran the report RPUACG00 also which is mentioned in this thread.
We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
but still it is taking the P_ORGIN object

Online Help
<a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

Amount Authorization for Customer

I want to Enter Customer invoice While creating Invoice Following Message Display
No Amount Authorization for vendor/customer in co. code?
Pls Reply

Hi,
Go to -
img - fa u2013 arap u2013 business transaction u2013 incoming payment u2013 manual incoming payment u2013 define tolerance (customers)
Define Tolerance Groups for Employees and Assign User/Tolerance Groups
Regards
udayakumar.k

No authorization for changing Customer Centrally- Idoc in Error Status 51

Hi Experts,
We are implementing MDM for one of the client.
The client runs a modification scenario in MDM for Customer Master.
He modifies a customer record in MDM and this record is transfered from MDM to ECC via PI through Idocs.
We are using standard Idocs for Customer Master which is DEBMDM
There are 2 Idoc's generated in ECC by PI from DEBMDM as DEBMAS and ADRMAS.
ADRMAS Idoc is succesfull in ECC and the corresponding record is modified.
Now the issue is that the corresponding DEBMAS Idoc goes into Error 51.
The Error details is as below:
                                                                                No authorization for changing vendor Centrally
Message no. F2326
System Response
You cannot access the requested data.
Procedure for System Administration
If necessary, include an entry in the user's authorization profile for
    the authorization object and parameters specified below.
Authorization object:
o   F_KNA1_APP
Parameters:
o   Activity: 02
    o   Application authorization : *
We gave the respective authorization object to the RFC User ID used in PI RFC created to connect to ECC.
Also we have given the user id Tcode authorization like XD01/02/03.
But this error still persists.
Request to throw some light on this.
Cheers
Dhwani

Check these threads
[Re: IDOC STATUS - 51 " IDOC HAS TEST STATUS|IDOC STATUS - 51 " IDOC HAS TEST STATUS";
[Error Inbound IDoc - Status 51|Error Inbound IDoc - Status 51;
thanks
G. Lakshmipathi

Custom fields for FV50 table control

Hello,
The customer has a requirement to add 3 text fields to the table control in Transaction FV50. These fields are currently not available in the table control at all (I checked the Table settings Administrator). Further, no Screen/Transaction Variant has been implemented either to prevent these fields from being displayed. Which is why I'd like to find a way to add these custom fields to this table control. These fields are the text descrptions for the numeric fields Cost Center, Fund and Business Area.
I've read many posts on this forum regarding potential solutions including the link below which details the SAP std solution. Only problem is this approach adds these fields to the data dictionary tables underlying the screen. The customer says about 1 million records are being generated a month so they would rather not have all that extra data at the line item level.
Custom column for FB60
If anybody has done this sort of thing via a user exit I'd much appreciate your input.
Thanks,
Tarun

Hi Rob,
Yes, I checked IMG configuration and found that Txn OXK3 allows us to extend the underlying tables and customize the generic fields in the table control. However, the client has nearly 1 million postings to table BSEG each month and I'm guessing this approach will entail adding the custom fields to table BSEG, which won't work for them. I haven't actually tried this approach because the SAP documentation has some dire warnings about proceeding. But if you have any insight as to whether this can be achieved without extending BSEG (possibly just extend VBSEGS??) that would be very valuable.
Thanks,
Tarun

Authorization for FBL5n specific customer

Hi all,
I have a scenario where we want to restrict sales person to view specific customer. We maintain sales person and customer number relation in a Z table.
Please advise how I can restrict?

Hello Ravi
You can restrict access to master records in order to prevent unauthorized changes from being made. Depending on how you organize your master data, you can assign authorizations for maintaining this data. For example, one user may have authorization to maintain all master data, while another may have authorization to maintain only accounting master data.
You can also assign different authorizations for different types of processing. All users could have authorization to display master records, while only a limited group of users may be able to create and change master data.
Authorizations are specified during system configuration and assigned to each user in his or her user master record. If you have any other questions on this subject, you should contact your system administrator. The Implementation Guide (IMG) for Financial Accounting explains how to set up authorizations.
Suresh

Is it worth it to make custom icons for a custom control/indicator?

I was making custom icons (well not very custom, but still at least somet ext) for controls and indicators, when I realized that the only times you see them are when you open the control, itself, ot if you hover over it in the project with context help on.
So the question is:
Is it worth it to create a custom icon for each custom control you make, if it will be seen only rarely? (The exception being a cluster, since, in the later versions of LabVIEW, you can actually represent your cluster on the BD as the icon you made for it, so it definitely IS worth it to make an icon for it.)
Thanks!
Bill
(Mid-Level minion.)
My support system ensures that I don't look totally incompetent.
Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.
Solved!
Go to Solution.

Hooovahh wrote:
I'd like to add another time that you see the control's icon, is when it is a type def cluster, and you have it as a constant on the block diagram. Then double click the border to shrink the cluster. It will shrink to the size of the control's icon.
I also hardly ever make a control icon. Only when it is on the palette in a reuse package.
Yeah,t hat's what I meant in my original post, although you CAN represent a cluster constant on the BD as an icon - but it's just the little thing on the bottom of the typdef'd cluster because it obviously has no actual icon.
Bill
(Mid-Level minion.)
My support system ensures that I don't look totally incompetent.
Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.

Customizing Authorization for Controlling

Similar Messages

Maybe you are looking for