Dimension administration by end-users
Dear colleagues,
I am designing a BPC solution for Headcount planning. End users should be able to change properties for the employee dimension. This would be done by approx. 40 users (Fund Centre managers). Is this possible to be done within BPC administration, and what are the challenges and risks? Has anyone done it with so many users? As far as I know it is not possible to customize or limit the dimensions which can be changed by a user. So it would be very risky that someone changes a property which he should not.
Thank you!
Kind regards
Ivan
Hi Ivan,
If the user activity will be limited to member property change (not creating new members) then the risk is moderate. It can be done by modified code of Master Data on the Fly http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/2020b522-cdb9-2e10-a1b1-873309454fce?QuickLink=index&…
Using this BAdI you can add the required restrictions. You will need to change the code to allow update of properties only.
Vadim
Similar Messages
-
Background Administration Setup - End Users
Hello
We want to put in some restrictions from Transaction SM37 to our end-users
We only want end-users to have access to display, delete, release their OWN jobs and not have access to the other users from SM37
From the Roles in PFCG that have access to SM37 I have done the following:
Deactivated S_BTCH_ADM (I don't want them to have access to Manage Background Administration)
Deactivated S_BTCH_NAM (I only want the user to view himself and not other users with entry * or username)
S_BTCH_JOB (Gave the values RELE, DEL, List, Prot) I excluded Show so that they do not have access to display others' jobs
With the above done I can still view the other end users background jobs.
Any idea on how I can setup correct security measures for SM37?
Thanks & Regards
Marlon
As far as I am aware, unless you want to modify SM37 then you should use SMX to restrict users to displaying (and managing) only their jobs.
If you leave S_BTCH_ADM, S_BTCH_JOB & S_BTCH_NAM blank, users will still be able to see all the batch jobs but only manage their own.
The screens are very similar between SM37 & SMX so your users shouldn't have too much trouble (though nothing would surprise me...)
-
Administrator and End user Permission
Hello Everybody,
How is Administrator permission different from End user permission? I cannot see any major changes if I assign or revoke those.
2. If I have assigned role assigner permission to a user who does not have User administrator or any other administrator rights, how is he able to assign a role to another user?
I have read on help.sap.com, but unable to understand.
regards
Santosh
Hi Santhosh,
1. The name itself tells us the difference.
"Administrator" ->
There are 3 types of Admin here:
a) "Content Admin" (he is the one who can create iView / Role ..)
b) "User Admin" (he is the one who can create users and assign roles to the users)
c) "System Admin" (he can change the system properties, like layout, sys alias etc.)
and the End User is the one who doesn't have any of the Admin roles. A default user may contain only EU_ROLE.
2.
If you are a developer you must have Content Admin,
and the basis guys must have User Admin and Sys Admin.
Hope it helps.
Regds,
J
-
User Administration for End User
Hello Everyone,
I need an end user to be able to insert other users only in the user group where he is administrator.
Does somebody know how to do this?
Thanks.
Lucas,
As far as I know, there is no possibility to differentiate users in a group.
This means that if you can't differentiate users belonging to a group, you will not be able to identify whether he is administrator of the group or not. So it will not be possible to assign him a specific role that will allow him to populate users in that group only.
For your information, you can use the role "pcd:portal_content/administrator/user_admin/delegated_user_admin_role" to allow a user to:
- create other users
- grant roles for which they have the "Role Assignment" permissions
- but not to populate groups (which could lead to a security problem, i.e. you can make yourself a member of the Administrators group, and so have the SuperAdmin role)
Hope this helps
Vincent
-
How to Use the same iview for both KM End User and the KM Administrator
Hi friends,
*This is my scenario:* How to use the same iView for both KM End User and the KM Administrator but with different Context Menu options.
I followed these steps but I'm getting the same context menu for both KM End User and the KM Administrator.
Assign the role Content Administrator to the user km_admin. This is needed so that km_admin can change the presentation settings for the KM Folder "Reports_kmFolder".
Now, log in with user km_admin. Navigate to the KM Folder reports_kmFolder through Content Administration -> Km Content. Click on the Details link of the folder reports_kmFolder.
Go to Settings -> Presentation. Click on the tab "Settings for You" -> click on button "Select Profile".
Select the radio button corresponding to "layout Set", and choose "ConsumerExplorer" from the dropdown.
Click "OK".
Select both the check boxes corresponding to Items Affected as shown above, and click "Save".
Now, remove the "Super Administrator" role from the user km_admin and log in with this user.
How to resolve this?
Regards,
Prasad.
Hello Prasad,
Most likely the user km_admin still has system principal roles assigned, even though you removed the Super Admin role, you should check that this user doesn't have any other admin roles, otherwise it will be considered a System Principal user and will therefore still have access to all content. For more information see http://help.sap.com/saphelp_nw70/helpdata/en/19/56f28fbd4e11d5993b00508b6b8b11/frameset.htm
Try creating a new user with just read access to the content and you should see that it will not be able to make any changes etc.
Regards,
Lorcan.
-
Our Helpdesk staff performs the basic functions of add/remove phones and add/remove users from CUCM. We've just upgraded from CM 4.2 to CUCM 8.5(1). We are using the integrated CUCM LDAP and not AD integration. My Helpdesk users are able to use the User/Phone Add option to create a new phone and a new CUCM End User. They are able to edit all the necessary properties of the phone and line settings. But with their current group/role memberships they are unable to change attributes of users or to be able to delete them. The only Role I can see to add them to that allows changes to End Users is Standard CCMADMIN Administration and the only User Group is Standard CCM Super Users. Both of those give far more rights than I would like Helpdesk staff to have. Am I missing something obvious to allow them to perform End User management? Has anyone else encountered this? Below are the groups/roles my Helpdesk staff are currently part of. Any help would be appreciated.
Bryan
I've added the users on our Helpdesk to the following Groups:
Standard CCM Admin Users
Standard CCM End Users
Standard CCM Phone Administration
Standard CTI Enabled
Standard RealtimeAndTraceCollection
Which automatically adds them to the following Roles:
Standard CCM Admin Users
Standard CCM End Users
Standard CCM Phone Management
Standard CCMADMIN Read Only
Standard CCMUSER Administration
Standard CTI Enabled
Standard CUReporting
Standard RealtimeAndTraceCollection
Bryan,
If I remember correctly, there isn't a pre-canned role that will allow for End User administration. I don't know why.
Your best bet is to create a custom Role and User Group. This way, you can give your Helpdesk exactly the access they need. The descriptions for the Role permissions are pretty self-explanatory, so it should be pretty easy to accomplish.
Steps:
1) create new role
2) assign permissions to the new role
3) create a new User Group
4) assign the new Role to the new User Group
5) assign the new User Group to the End/Application User accounts for the helpdesk.
This maybe helpful: http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/admin/8_5_1/ccmsys/a02mla.html#wp1062944
HTH
Adam
-
End User's mailing list administration
Hi,
I have a customer who has just migrated from iMS 5 to newest JES05Q4. Everything seems to be OK except one thing: In iMS 5 end users were able to use Delegated Admin to manage their mailing lists. In 05Q4, Delegated Admin does not allow end users to login. Is this a configuration issue, or is that function removed from the newest Delegated Admin? What is the recommended way for web-based mailing list manipulations?
Yeah, that's gone from the current DA. We're hoping to get better stuff into JES5, due out sometime around the end of the year.
-
Administrator's notifications to end users.
Hello,
we do not have portal, but would like to know is there any simple solution to include admin's notifications to end users on the page of the transaction bbpglobal.
I would like to have it on the left side of the page, under the long descriptions of the transactions.
TIA
Gordan
Hello Gordan,
With transaction SM02, you can define system messages. They can appear in the first screen after logon if you define it in the logon configuration of service bbpstart.
Is that what you are looking for?
Rgds,
Pierre
-
Jabber for Mac - End User unable to Cut & Paste Images in IM
Full disclosure: I am an END USER, not an IT admin or anything like that. Not sure if this is the proper forum to ask this question but figured it was worth a shot...
Running OSX 10.9.1 and Jabber 9.2.1.
I am unable to copy-and-paste images into IM conversations with co-workers.
My "cachedPresenceConfigStore.xml" file shows:
"<im_cutandpaste_enabled>TRUE</im_cutandpaste_enabled>"
and
"<screen_capture_enabled>TRUE</screen_capture_enabled>"
...yet these functions seem to be missing from the IM client. As far as I know our organization's service-side policy allows for sending images over IM (confirmed this using the jabber client on a windows machine).
Am I just "doing it wrong" somehow? Is there some special method I need to use to be able to paste images into an IM conversation?
Any help or direction is appreciated.
Thank you,
Jason
It appears they disabled it server-side as the button (a paperclip) normally appears to the right of the emoticon button. While the jabber-config.xml file can block specific file extensions, it cannot disable the feature entirely. This is done within the Service Parameters of the server, which only an admin can see.
Procedure
Step 1 Choose Cisco Unified CM IM and Presence Administration > System > Service Parameters.
Step 2 From the Server menu, choose an IM and Presence node.
Step 3 In the Service Parameter Configuration window, choose Cisco XCP Router as the service.
Step 4 From the Enable file transfer drop-down list, click On or Off.
Step 5 Click Save.
Step 6 Restart the Cisco XCP Router Service on every node in the cluster. For more information, see Restart Cisco XCP Router service, on page 43.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/im_presence/deployment/9_1_1/CUP0_BK_D5B4C107_00_deployment-guide-for-imp-91.html
-
How can end users execute rules files ?
There is a need to have Hyperion Planning end users kick off a rules file in EAS. Obviously we can not give end users access to EAS to execute a SQL based rules file. Our Admin is now executing the same rules files 20 times a day. What is the best way for the end user to execute a rules file themselves or load data to Essbase from a SQL source ?
Thanks
Thanks for the suggestions. The first reply of using the MaxL script to call the load rule is what you would do if you were an administrator. My problem is that this solution is for end users and they would somehow need to use a Remote Desktop Protocol to log into a server and call a batch file that contained the MaxL script to load data.
The second reply seems a little bit more elegant in that the end users could theoretically kick off a data load by executing a BR that calls an ODI Package. This way, the users don't have to leave the Planning Application to load data.
We do use ERPi and therefore we do have ODI, but I'm new to ODI and it would take me a while to piece together all the moving pieces to make this work. I guess the first reply is my path of least resistance so I'm going to give it a try. I'm more perplexed however, in that we can't be the only company out there that has a need for the end users to execute a load rule at their own discretion. Are there any more suggestions out there?
Thanks Gurus.
-
Acrobat Pro XI problem+Accept End User License Agreement when opening a PDF inside IE
Hi folks, this issue has been challenging.
Acrobat Pro CC install
W7 X64
Deployment went ok after the code was worked out, but.....
We use Desire to Learn content management system at the community college where I maintain the student computers at. When running D2L and a PDF has been embedded in some course material, I am getting the message below and the PDF won't open.
“Before proceeding you must first launch Adobe Acrobat and accept the End User License Agreement" .
The only fix so far is to run up Acrobat Pro and run the program once. Fine and dandy, but we are looking at 700+ machines to clear in this fashion. The other part of this scenario is that we also utilize Respondus Lockdown Browser to invigilate exams through D2L. Because of the "lock down" features, the student can't even get back to the desktop to run Acrobat and clear the message.
I have tried a number of GPO entries to no avail. As well, disabled the IE PDF viewer add-on. I ran Procmon with no results either.
I have been scouring the Googlemachine and building on the GPO below to get around the issue with no results. I am hoping someone with a sharper eye than I can spot something or point me in the correct direction.
Thanks eh.
GPLabs-Acrobat Reader default .PDF file open
Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Adobe Acrobat XI/Preferences/General
Policy Setting Comment
Show messages when I launch Acrobat Disabled
Adobe Reader XI/Preferences/General
Policy Setting Comment
Show messages when I launch Reader Disabled
Adobe Reader XI/Preferences/Startup
Policy Setting Comment
Enable Protected Mode at startup Disabled
Preferences
Windows Settings
Registry
ELUA=1 (Order: 1)
General
Action Update
Properties
Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Adobe\Acrobat Reader\11.0\AdobeViewer
Value name ELUA=1
Value type REG_DWORD
Value data 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
EULAAcceptedForBrowser (Order: 2)
General
Action Update
Properties
Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Adobe\Adobe Acrobat\11.0\AdobeViewer
Value name EULAAcceptedForBrowser
Value type REG_DWORD
Value data 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
ELUA=1 (Order: 3)
General
Action Update
Properties
Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Adobe\Acrobat Reader\10.0\AdobeViewer
Value name ELUA=1
Value type REG_DWORD
Value data 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
EULAAcceptedForBrowser (Order: 4)
General
Action Update
Properties
Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Adobe\Adobe Acrobat\10.0\AdobeViewer
Value name EULAAcceptedForBrowser
Value type REG_DWORD
Value data 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
bBrowserIntegration (Order: 5)
General
Action Update
Properties
Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Adobe\Acrobat Reader\11.0\Originals
Value name bBrowserIntegration
Value type REG_SZ
Value data 00000000
Common
Options
Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
bBrowserIntegration (Order: 6)
General
Action Update
Properties
Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Adobe\Acrobat Acrobat\11.0\Originals
Value name bBrowserIntegration
Value type REG_SZ
Value data 00000000
Common
Options
Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
bBrowserIntegration (Order: 7)
General
Action Update
Properties
Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Adobe\Acrobat Reader\10.0\Originals
Value name bBrowserIntegration
Value type REG_SZ
Value data 00000000
Common
Options
Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
User Configuration (Enabled)
Preferences
Windows Settings
Registry
ELUA (Order: 1)
General
Action Update
Properties
Hive HKEY_CURRENT_USER
Key path Software\Adobe\Acrobat Reader\11.0\AdobeViewer
Value name ELUA
Value type REG_DWORD
Value data 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item No
Run in logged-on user's security context (user policy option) No
Remove this item when it is no longer applied No
Apply once and do not reapply No
ELUA (Order: 2)
General
Action Update
Properties
Hive HKEY_CURRENT_USER
Key path Software\Adobe\Acrobat Reader\10.0\AdobeViewer
Value name ELUA
Value type REG_DWORD
Value data 0x1 (1)
Common
Options
Stop processing items on this extension if an error occurs on this item No
Run in logged-on user's security context (user policy option) No
Remove this item when it is no longer applied No
Apply once and do not reapply No
.pdf (Order: 3)
General
Action Update
Properties
Hive HKEY_CURRENT_USER
Key path software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
Common
Options
Stop processing items on this extension if an error occurs on this item No
Run in logged-on user's security context (user policy option) No
Remove this item when it is no longer applied No
Apply once and do not reapply No
OpenWithList] (Order: 4)
General
Action Update
Properties
Hive HKEY_CURRENT_USER
Key path Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PDF\OpenWithList]
Value name (Default)
Value type REG_SZ
Value data "AcroRd32.exe"
Common
Options
Stop processing items on this extension if an error occurs on this item No
Run in logged-on user's security context (user policy option) No
Remove this item when it is no longer applied No
Apply once and do not reapply No
Control Panel Settings
Folder Options
Open With (Extension: pdf, Program: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe)
pdf (Order: 1)
General
Action Update
Properties
File Extension pdf
Associated Program C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
Set as default Enabled
Common
Options
Stop processing items on this extension if an error occurs on this item No
Run in logged-on user's security context (user policy option) Yes
Remove this item when it is no longer applied No
Apply once and do not reapply No
Open With (Extension: pdf, Program: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe)
pdf (Order: 2)
General
Action Update
Properties
File Extension pdf
Associated Program C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
Set as default Enabled
Common
Options
Stop processing items on this extension if an error occurs on this item No
Run in logged-on user's security context (user policy option) Yes
Remove this item when it is no longer applied No
Apply once and do not reapply No
Hi technobyte,
Try using APTEE to do EULA suppression and check.
You might want to refer the docs:
Creative Cloud Help | Using Adobe Provisioning Toolkit Enterprise Edition
4 Installation Workflows — Enterprise Administration Guide
Regards,
Rave
-
Training To End User on AA , AP.
Hi,
I need to give the training to end users on AA & AP next week.
Can anyone help me with how I should start, and from which topic,
or send me any material for training end users? What type of questions
will we get from them, and how do I answer & manage them?
Please help me, very urgent.
I will assign points.
Prabodh wrote:
You should always state the Apex version. And this case, because this is related to authentication, the Authentication scheme you are using.
Assuming that you are using the Apex Built-in Auth scheme, you can achieve this by using User Groups feature and the APEX_UTIL.CURRENT_USER_IN_GROUP API.
Here are the high level steps:
a. Apex Builder > Administration > Manage Users and Groups
b. Create 2 users UAT1 and UAT2
c. Create 2 Groups UAT1Group and UAT2 Group
d. Assign UAT1 user to UAT1Group and UAT2 to UAT2Group
e. On the Home page of both the applications create a "Before Page Header" Branch that goes back to the Login Page. Make this branch conditional.
This does not work, because in APEX you can go into any page after login bypassing the home page (like this http://apex.oracle.com/pls/apex/f?p=46417:9 where 9 is not home page)
So this branch will not run.
f. In "A" application you want only UAT1 to access , so use PL/SQL Expression type of condition in the above created branch that has the following code
return NOT APEX_UTIL.CURRENT_USER_IN_GROUP('UAT1Group')
So the user UAT1 will return False and the branch will not execute, but for others it will return True and send the user to Login page, which is access denied.
Similarly, make the branch in B application condition for UAT2Group.
Regards,
-
How to hide the columns at the end user level thru personalization
Hi all
How can I hide the columns that are displayed on the portal? Is there any personalize option for the end user? Any right click or something?
I am looking at hiding columns not while developing the iViews / Pages, but in the browser as the end user.
I can hide whatever columns I want while creating the iViews for MDM data, but we can't provide the content administrator role to the end user for hiding whatever columns they want. They want to hide the columns through a personalization option at the end user level.
Can you please let me know whether we are able to hide the columns at the end user level through personalization? Is it possible with standard iViews?
Regards
Sunil
Hi Sunil,
I understood your requirement properly and it seems valid. I tried this at my end but I didn't get the solution. The field list is not visible in the Personalize option. I don't think it is possible with MDM standard iViews.
I was thinking an alternative is if we somehow manage to give the permissions to the end user only on the Result Set iView, but if it would be possible it will not be a good design.
Let's wait for some inputs from others.
Regards,
Jitesh Talreja
-
Impossible to login to an application like end user
I try to develop an application with Oracle Application Express together with Oracle XE.
Oracle XE is installed on a different computer.
I'm working to a different computer that is a client. Also the application is already (partial) created some users with different rights are also created (developers, end users and workspace administrator). When I try to connect like end user, I get this message you have below:
Logout (link to logout of application)
Access denied by Application security check (message)
Return to application. (link to return to application)
What is wrong that I cannot connect like end user?
Hi Paul,
This is the setting at this moment for my application. I also tried to set a different security check for every page and then tried to connect to that page only.
Also I have some end users that must connect to my application as end users. The answer is the same.
I tried to set up the authorisation schema properly using database users (I've created some users in my XE database with the same name and same password). Also, I get the same answer.
I'll try step by step all possible combinations for the security check, because there is no logical answer in my mind at this moment with all these security schemas. See here what they are saying in the help files:
Application Express Authentication checks the user name and password against the Oracle Application Express account repository.
It is a nonsense answer that I get from the application, because a developer account is working very well.
Best regards to you,
Daniel
-
Hello,
I have a problem with an end user permission that seems to get ignored: I wanted to demonstrate the usage of the end user permission and assigned a role to a User (for simplicity's sake as an entry point, no worksets, pages etc. involved) and enabled end user permission on the role for that particular user.
Now when that user logs in he gets to see the according entry in the navigation bar as expected. However if I disable the end user permission, log out and again log in the user, he still sees the link. The end user permission setting is simply ignored. Can someone shed light onto this? Could there be something wrong with the installation?
I don't think this is an issue of permission inheritance (the role permissions are set explicitly anyway) or overlapping permissions due to membership in several groups - the user is only member of the single standard group 'authenticated users'.
Regards,
Sebastian
P.S. What's the use of a role assignment to a user without end user permission anyway (I mean why the option)? What happens if you don't add permissions on a Role for a certain user at all (I tried it, but the effect is the same as described above - end user permission seems to be irrelevant)?
Hi Robert,
thanks for your answer and for the link (and I thought I had read everything). I am not so sure however if I really understand the term 'runtime environment' for a user. I thought runtime vs. design-time meant the difference between the content a user sees when he is actually using the portal and the content an administrator has access to in the portal content catalog, i.e. a meta-environment accessible only through certain tools like the permission editor or similar.
I don't understand what you want to express with "It's used to restrict ... end user runtime environment" and why the "Page Personalization" is an example.
I realize that for roles the availability for a user is solely defined by the assignment of that role to the user - end user permissions have no effect on this. Confusing, because I thought this availability (i.e. showing links in the toplevel or detailed navigation) was what was meant by 'runtime environment' but I seem to be wrong here.
The docu says "for roles the end user permission setting does enable you to define which users/groups/roles are able to preview the role content using the portal design-time tools". Again, I am confused, I thought this was exactly the meaning of design-time environment.
Great if you or someone else could comment on this.
Regards,
Sebastian