Delegated User Admin with only UNLOCK USER Permission.

Similar Messages

• Check Delegated user permission with AD Domain and OU levels

  Hi
  We are looking for a way to check all user permissions at domain / OU levels. Is there a script or tool available for this?
  Regards
  LMS

  Hi
  We are looking for a way to check all user permissions at domain / OU levels. Is there a script or tool available for this?
  Regards
  LMS
  You can try this Powershell script:
  $ou = "AD:\OU=Users,DC=contoso,DC=com"
  $group = Get-ADGroup MyGroup
  $sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
  $acl = get-acl $ou
  $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"GenericAll, ","Allow"
  $acl.AddAccessRule($ace)
  set-acl -aclobject $acl $ou
  and you can also look at these given below links:
  http://technet.microsoft.com/en-us/library/cc775585(v=ws.10).aspx
  http://auditingactivedirectory.blogspot.in/2014/08/how-to-view-active-directory-delegated-permissions.html

• Why can I not disable the guest user in the 10.8.2 update? I have never enabled the guest user, but after the update, it was automatically enabled with a "managed" tag. It is not selectable even after entering my admin password to unlock the options.

  Why can I not disable the guest user in the 10.8.2 update? I have never enabled the guest user, but after the update, it was automatically enabled with a "managed" tag. It is not selectable even after entering my admin password to unlock the options. I was able to select the account under "parental controls", but again, could not delete it. Why Apple? Why?!!????

  SOLVED Ok. I actually was able to disable it. I had to actually log in as the guest user to make it accessible in the preference window. Then I disabled it and logged out. Apologies if this was obvious for some people, but I have had some sort of issue with something every update since Snow Leopard.

• Companies & Delegated User Admin

  Hi,
  I'm planning to use Companies so that I can delegate user administration. I see in the help that delegated user admins cannot perform any actions on groups, which I assume includes assigning users to groups (is this correct?). So this means they have to individually assign the all roles to users, which loses all the advantages of having groups. Is there any way of using groups with delegated user admin, or does anyone know if this functionality will be available in the future? As long as you can specify which groups a delegated user admin can assign users to (the same as with roles currently), I don't see why there would be a problem with this.
  Regards
  Jane

  hi,
  You are right by saying delegated user admins cannot perform any operation on groups. In SAP Enterprise Portal , delegated user administrators can assign roles to their company users. They cannot assign roles to groups. They can only assign portal roles for which they have the Role Assigner permission. They do not need to have any Administrator or End User permissions for the role.
  I think you might have gone through this documentation
  http://help.sap.com/saphelp_nw04/helpdata/en/57/6aa430a3a8c1498d4f3eb08c41be95/frameset.htm
  Regards,
  Ganesh N

• Delegated User Search returns first 200 entries only...?

  Hi Folks,
  We are using Delegated user administration.  When I try to perform a search against the user base it doesn't matter what I type in for search criteria it always returns the first 200 entries starting with the letter "a".  It's almost as if it ignores the search criteria I entered.  For example I can enter "W*" in the search field, select user from the drop down and perform a search.  It returns only the first 200 entries starting with "a".
  We are EP6.0 on SP13 for NW04.
  Anyone have any ideas?
  I would greatly appreciate any help.
  Regards,
  -Jon

  hi,
  User Management Properties (sapum.properties)
  The property file sapum.properties contains properties controlling the configuration of SAP User Management Engine. The installer creates the settings in sapum.properties based on input made during the installation process. You can modify this file after installation.
  If you are using User Management Engine with SAP Enterprise Portal, you can edit the properties file in the user management configuration tool.
  The default value is 200 and to change it you have to edit it.
  Regards,
  Ganesh N

• How can i create a new user with only read rights ?

  How can i create a new user with only read rights ?

  You are asking about a Database User I hope.
  You can look into the Oracle 8i Documentation and find various privillages listed.
  In particular, you may find:
  Chapter 27 Privileges, Roles, and Security Policies
  an intresting chapter.
  You may want to do this with the various tools included with 8i - including the
  Oracle DBA Studio - expand the Security node and you can create USERS and ROLES.
  Or use SQL*Plus. To create a
  user / password named John / Smith, you would login to SQL*Plus as System/manager (or other) and type in:
  Create user John identified by Smith;
  Grant CONNECT to John;
  Grant SELECT ANY TABLE to John;
  commit;
  There is much more you can do
  depending on your needs.
  Please read the documentation.
  -John
  null

• How to deliver MM02 to user with only Bin Location editable.

  My user wishes to have access to change only the Bin Location field in MM02. How can we achieve this? or in other words how can we deliver MM02 to user with only the Bin Location field editable.
  My basis guy sees a possibility if we can some how provide the authorization objects of all the fields of MM02.Shall that be a practical approach. if yes, what is the way of finding the authorization objects?
  Regards,
  Alok.

  Hi,
  You can create a transaction variant in SHD0 for MM02.
  [Transaction variants|http://help.sap.com/saphelp_nw70/helpdata/en/7d/f639f8015111d396480000e82de14a/content.htm] simplify transaction flow by:
  -Inserting default values in fields
  -Hiding and changing the ready for input status of fields
  -Hiding and changing the attributes of table control columns
  -Hiding individual menu functions
  -Hiding entire screens
  Transaction variants are actually made up of a series of screen variants. The field values and field attributes for each screen in a transaction variant are stored in screen variants. Each variant is assigned to a transaction. Variants may, however, contain values for screens in multiple transactions, if transaction flow makes this necessary. The transaction the variant is assigned to serves as its initial transaction, whenever you start the variant.
  Both client-specific and cross-client transaction variants exist. Screen variants are always cross-client; they may, however, be assigned to a client-specific transaction.
  A specific namespace has been designated for cross-client transaction variants and screen variants and they are both automatically attached to the Change and Transport System. Client-specific transaction variants can be transported manually.
  Transaction and screen variants may be created for all dialog and reporting transactions. However, there are certain restrictions that apply to their use, depending on how their corresponding transactions have been realized internally.
  Transaction variants may not be created for transactions already containing pre-defined parameters (parameter transactions and variant transactions).
  The following sections contain additional information on how to create and maintain transaction variants:
  Maintenance
  Additional Functions
  Transport
  Regards,
  Srilatha.

• Delegated user admin and export Roles&Groups ?

  Hi experts,
  I'am searching some tips in order to allow my users's delegated user admin group to export UME Roles and Group. however, my users met no problem to assign their roles to themselves
  I'am working on EP 7.0 sp14 and my UME is an abap system
  Can you give me some advice to go out from this issue ?
  Best regards,

  Hi experts,
  I'll try to complete my question:
  I've added Batch action to my delegated user role, but it's not enough to perform export operation.
  I hope if i can find a combination of actions without "Manage ALL" that i can assign to my delegated user role.
  Best regards,

• HT3529 can my daughter send text messages to non iphone users with only an apple id?

  Can you send a text message from ipod touch to non iphone users with only an apple id and no phone number?

  The Apple Messages app will only send Messages to another uses who has the Messages app on their iPod touch, iPad or iPhone. For Messsging an iPod touch or iPad you use the E-mail address they have in Settings>Messages>Send and Receive.  An Phone number will also be listed if they also have an iPhone with iOS 6 using the same Apple ID and yo can use the number.
  You can Message an iPhone by its phone number of the Apple ID email address listed in Settings>Messages>Send and Receive.

• What's a delegated user admin used for?

  We are asked to use delegated use admin but we do not see why we have to use it.
  Could you explain a bit? Thanks!

  Hi Christy,
  Delegating administration is the process of "distributing" the administrative tasks and content in the portal to dedicated administrators. This decentralizing capability allows you to selectively assign the tools, tasks, and content in the portal to individual administrators, based on their area of responsibility. This solves the problem of exposing administrators to the portalu2019s entire set of administration tools and restricted company data, which is common in an environment where the tools and content are centralized and access cannot be controlled.
  Please refer to these links for more info :
  http://help.sap.com/saphelp_nw70/helpdata/EN/f6/26056705fd11d7b84200047582c9f7/content.htm
  http://help.sap.com/saphelp_nw70/helpdata/EN/8e/f0f7415e639c39e10000000a155106/frameset.htm
  Vamshi: Glad to see you back in business mate
  Hope this helps,
  Cheers,
  Sandeep Tudumu

• SUS Supplier - Delegated User Administration

  Hello,
  We are trying to implement SUS Supplier Self registration in SRM 7.0 and we want to give supplier administrators access to perform delegated user administration for their users. When we implement this scenario, the SUS system requires access to SU01 in the backend security role for the supplier to be able to find users and unlock, delete etc. However there is no control in terms on what users they can manage once SU01 is given to them. Have you seen this in the past and is there any control that can be built into it?
  Thanks,
  Varun

  Trilchan,
  Companies are not activated by default that is the reason you are able to see only ume.tpd.companies=0 which means their is no company available in portal. You can add the company codes in a comma seperated list like ume.tpd.companies=A,C,B in this example you have three companies named A,B and C. Its upto your convenient to add no. of companies and name of the company groups based on your business requirement.
  Additional info:
  When you add a company in portal a group shall be created automatically with the name STPD_<CompanyName> example STPD_A where A is company name.
  Refer:
  http://help.sap.com/saphelp_nw04/helpdata/en/3e/9bd6e9a11fd847a1ca1a5f9ac6ad23/content.htm
  Ram

• End user permission ignored

  Hello,
  I have a problem with an end user permission that seems to get ignored: I wanted to demonstrate the usage of the end user permission and assigned a role to a User (for simplicity's sake as an entry point, no worksets, pages etc. involved) and enabled end user permission on the role for that particular user.
  Now when that user logs in he gets to see the according entry in the navigation bar as expected. However if I disable the end user permission, log out and again log in the user, he stills sees the link. The end user permission setting is simply ignored. Can someone shed light onto this, could there be something wrong with the installation)?
  I don't think this is an issue of permission inheritance (the role permissions are set explicitly anyway) or overlapping permissions due to membership in several groups - the user is only member of the single standard  group 'authenticated users'.
  Regards,
  Sebastian
  P.S. What's the use of a role assignment to a user without end user permission anyway (I mean why the option)? What happens if you don't add permissions on a Role for a certain user at all (I tried it, but the effect is the same as described above - end user permission seem to be irrelevant)?

  Hi Robert,
  thanks for your answer and for the link (and I thought I had read everything). I am not so sure however if I really understand the term 'runtime environment' for a user. I thought runtime vs. design-time meant the difference between the content a user sees when he is actually using the portal and the content an administrator has access to in the portal content catalog, i.e. a meta-environment accessible only through certain tools like the permission editor or similar.
  I don't understand what you want to express with "<i>It's used to restrict ... end user runtime environment</i>" and why the "Page Personalization" is an example.
  I realize that for roles the availability for a user is solely defined by the assignment of that role to the user - end user permissions have no effect on this. Confusing, because I tought this availability (i.e. showing links in the toplevel or detailed navigation) was what was meant by 'runtime environment' but I seem to be wrong here.
  The docu says "<i>for roles the end user permission setting does enable you to define which users/groups/roles are able to preview the role content using the portal design-time tools</i>". Again, I am confused, I thought this was exactly the meaning of design-time environment.
  Great if you or someone else could comment on this..
  Regards,
  Sebastian

• How to menage user permission

  Hi all!
  I'm developing a WEB application for menaging the information on the inside of an industry.
  I use struts and JSF.
  The problem is that I've different type of user that can connect to the server. (sell manager, engeneer, custumer, segretary...)
  Every kind of user must have a diffrent level of access.
  Example:the secretary can't access in the "engeneer" zone.
  Another problem is:
  for the same page,the user must see a different level of details.
  Example:in the production page,the engeneer must see all the data,the chemical analist must see only the chemical analisis,and so on...
  how can I structure the DB for managing that?
  And how can I implement it?
  What do you think about creating a level between the DAO to data and the application.
  Every data have a specific permission to be see.
  When a request for see the data comes,I match the required permission with the user permission.
  If the user can't access to data, I throw an exception,that is catch above.
  Anybody knows of any kind of articles on this argument?
  Any advice?
  sorry for my english.

  Can I revoke this permissions once I grant?
  You can use DROP and REVOKE commands to do the opposite.
  USE [msdb]
  GO
  ALTER ROLE [SQLAgentOperatorRole] DROP MEMBER [TestLogin1]
  GO
  USE [msdb]
  GO
  ALTER ROLE [SQLAgentReaderRole] DROP MEMBER [TestLogin1]
  GO
  USE [msdb]
  GO
  ALTER ROLE [SQLAgentUserRole] DROP MEMBER [TestLogin1]
  GO
  use [master]
  GO
  REVOKE ALTER ANY CREDENTIAL TO [TestLogin1] AS [sa]
  GO
  Cheers,
  Vaibhav Chaudhari
  [MCTS],
  [MCP]

• Checking user permission doubt

  Hi everyone,
  I have posted a question yesterday, but I have no right answer. I want to try again, please help me. It is urgent! I thank in advance.
  I am developing a recursive tree in a Web Dynpro App. My tree has some nodes and sub nodes. Under the sub nodes I have documents. These documents are composed of header, footer, address, content and so on, which are loaded in runtime from Backend system. There is possible that thousand documents can be attached to a node. For accessing the documents we need to check the permission of the user. There are users who may read the whole content of a document. There are users who may only read parts of the document. For example, the information about salary of an employee shouldn't be read by every user. How can I check the user permission? Has someone any Suggestion?
  Regards,
  Hairong

  Hi William,
  thank you very much for your answer.
  I haven't worked with ACL. With your answer, I hava read something about ACL. It is used for checking user permissions for accessing portal content.We have no portal now. Our application is standalone application. Do you know what is a connection between reqular UME permission and UME ACL permission?
  By the way, we use UME to store our user profile. We have already tried to check user permission only for UME role of the user. We have also tried to follow the concept like the Web Dynpro tutorial RentCar APP with Actions and permissions. But all these can't resolve our problem really, because we can't create for every document a role or a permisson.
  here, ich want also to thank Atul who had me an answer to my question.
  Best regards,
  Hairong

• Regarding end user permission

  Hi Gurus,
  I have three iviews (v1,v2,v3)assigned to a role(RoleAll) which will be assigned to user. The requirement is: certain user can only see certain iviews.
  my notion is:
  another three roles(role1, role2, role3) created, and set the iviews' end user permission enabed to respective role(v1--->role1, v2>role2, v3--->role3), what I expected is : the user with role RoleAll and role1 will see v1.
  user with role RoleAll, role1 and rol2 will see v1 and v2.
  when I implement  like this, the behavior is not as expected.
  Can anyone body guide me?
  Best regards,
  John

  >
  John Wu wrote:
  > I have three iviews (v1,v2,v3)assigned to a role(RoleAll) which will be assigned to user.
  >The requirement is: certain user can only see certain iviews.
  > my notion is:
  > another three roles(role1, role2, role3) created, and set the iviews' end user permission
  >enabed to respective role(v1--->role1, v2>role2, v3--->role3), what I expected is :
  >the user with role RoleAll and role1 will see v1.
  > user with role RoleAll, role1 and rol2 will see v1 and v2.
  >
  Hello,
  Assign iView 1 to Role1, iView2 to Role2 & iView3 to Role3.
  Assign RoleAll to those users who should see atleast one of these iViews.
  Then Assign Role1 to the users who should see iView1. Similarly assign
  Role2 and Role3 to respective users.
  Now use Role Merging concept. Give same merge IDs to all the roles. For
  the user having  two of these roles (for e.g, RoleAll + Role1), will see
  only one merged role...and one iView.
  refer:
  http://help.sap.com/saphelp_nw70/helpdata/EN/53/89503ede925441e10000000a114084/content.htm
  May be you could give it a shot.
  Regards,
  Anagha