E-recruitment - Role based restrictions on Active Queries - High Priority
Requirement - Do we have an option to restrict the queries in the recruiter 'active queries list' (work center) based on roles?
For example: a restricted recruiter should not be allowed to view the Background Checks query and the Talent Groups query.
Version - E-rec 604 support pack 5. Webdynpro interface, separate front end and back end - candidate scenario #3 as per Note 1017866.
Request e-rec pros to post the solution, if they have faced this issue in their e-rec implementation exp.
Thanks & Regards,
David.
Edited by: SAPERECSDN1 on Oct 12, 2010 6:25 PM
Hello,
You can check out transaction POWL_QUERYR. Through this you can specify the roles to be assigned to the role. Through transaction POWL_QUERYU you can even specify the roles to be assigned for a specific user. You can copy the specific roles required and assign them to the roles. Any role which is not assigned to specific role will appear to all the roles that have authorization to the workcenter object.
Regards,
Similar Messages
-
Requisition for approval using - Restricted Recruiter role
Hi,
We have implemented SAP eRec EHP4. As of EHP3 the restricted recruiter was only able to create a requisition in Draft mode and release the requisition for approval.
We are using WD on SAP EHP4. We have provided the SAP_RCF_RES_RECRUITER_ERC_CI_2 role in R3 to one of the users and the Recruiter role on the portal. But when I try to create a requisition and try to release it, it gets released instead of going for approval...
What have we done wrong? Is there some other way by which the requisition can be sent for approval in EHP4?
Thanks
Hi All,
In the meantime I was testing the BSP application since I had to give a demo to the client.....Here I could run the workflow, but when I launch the recruiter "approval" page it gives me an error
BSP Exception: Das Objekt default.htm in der URL /sap/bc/bsp/sap/hrrcf_approval/default.htm?objid=90005527&otype=NB&plvar=01&requestdate=20100723&requestedRsncode=01&requestedstatus=1&requester=Mr%2etesttest&SAPWFCBURL=http%3a%2f%2ftcssol%2ehrservicesonline%2ecom%3a8002%2fsap%2fbc%2fwebflow%2fwshandle ist nicht gültig.
I saw through SE80 that there is no page like default.htm. How do I resolve this? Is this also connected with upgrading our SP level?
Thanks
Subbu
-
Conditional activity in Recruiter role
Dear All,
I am implementing e-recruitment. The client's requirement is to allow creating a specific activity only if certain condition is met.
The condition is the response (YES /NO) of a question that candidate filled during the application.
For Example the question is: Have you ever worked in ABC Company?
If the candidate says YES or NO during the application wizard, it's stored in the questionnaire table.
Now on the candidate assignment list during the applicant tracking, when the recruiter selects this candidate and wants to create a certain activity, say "XYZ", the system should stop it if the candidate's response was NO and allow it in case of YES.
Your consideration would be highly appreciated as I really need a solution very urgently.
Chohan
Hello Chohan,
currently there is no option to restrict the creation of an activity in the described way. In fact there is no way at all to have a logical restriction on activity maintenance. There is only an authorization object which allows to restrict the activity maintenance on activity type level.
SAP is currently working on a concept for allowing dependencies between activities but I am not sure if it will be flexible enough to cover your specific requirement.
To at least improve the process I can imagine to create the activity automatically in planned status via workflow if it is obligatory. So the recruiter only has to continue the work and not create new ones. You could also use the enhancement concept of the candidate selection list to add a column with the information. Both solutions will not prevent a recruiter from intentionally creating the activity for a candidate for whom he should not create it, but the additional service or information can reduce erroneous activities.
Kind Regards
Roman
-
POWL: Hiding query from list of active queries in eRec workcenter dashboard
Hi All,
We are implementing SAP eRecruitment (EHP4) based on web dynpro ABAP. eRecruitment has work overview page (Recruiter role), which has two iviews (Search and Dashboard). Dashboard iview has two sections: Active Queries (Link Matrix) and Requisitions List. This is configured using POWL_UI_COMP. Query categories are: Requisitions, Postings, Applications, My Tasks and TRM.
Requisitions categories has 5 queries: My open Requisitions, Open Team Requisitions, Open Application Groups, My Draft Requisitions, and All Requisitions.
My requirement is to hide 2 of the 5 queries (Open Team Requisitions, Open Application Groups). I have tried activating/deactivating options in POWL_Query(r) transactions. Can you please let me know how to achieve this?
Thanks,
Shyam
Hi,
POWL_QUERYR is the required transaction for deactivating a query.
Delete the entry for the required transaction there,
and also run the POWL_D01 report for the application ID you want to hide.
-
BW Roles based on the department
Hi,
My requirement is to create roles that restrict data access according to department.
We have nearly 20 different departments and my requirement is to create roles so that users can be granted access according to their department.
Could you please update me with the detailed process on how I can create roles.
I am the DEPARTMENT char as authorisation relevant
Thanks
Hello,
Please see these docs,
[Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
[An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
[Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
Thanks
Chandran
-
Role Based FireFighter with GRC 10.0 (CEA)
Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?
Good question, and the answer is not pretty.
In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
Reporting turns on when the user runs a transaction in the firefighter role.
If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
The reports only track firefighter role usage. So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application. In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.
-
EAM ID based or Role based? Why settle for just one?
G'Day All,
I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.
ID-Based Firefighting vs. Role-Based Firefighting
So this is where I am at this point:
From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
- ID Based: Logs in using own U.ID and through GRAC_SPM accesses FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc)
Only one user at a time can use a FFID.
Firefighter need not exist in every system assigned to them due to central logon however they need to exist in the GRC system
Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing)
Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
Two Log ins so potential to commit fraud. (1 action using own UserID and 1 action using FFID)
Could be hard to track and find out when a fraud has been committed so can be a problem with auditors.
ID Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFIDs assigned to you
ID Based -> /n/GRCPI/GRIA_EAM : TCode for Decentralised FFighting -> You can see the FFIDs assigned to you
- Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID.
Multiple users can use the FFROLE at once.
Firefighter has to exist in every system assigned to them - so multiple logons.
Hard to differentiate between FF tasks and normal tasks as no login required, so easy to slip up
Time consuming to track FF tasks - No Specific log reports. No Reason Codes
R.Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFROLEs
R.Based -> /n/GRCPI/GRIA_EAM : TCode for Decentralised FFighting -> Not applicable so won't work
So based on this there are pros and cons in both however according to SAP only one can be used. To me personally, it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?
. Really critical tasks -> FFID
. Normal EAM tasks -> FFRole
Alessandaro from the original post pointed this out:
"Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.
However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
What is stopping us from using it when ID based is the default?
If I were to do the following does it mean I can use both ?
. Config Parameter: 4000 = 1 (GRC System) -> ID Based
. Config Parameter: 4000 = 2 (Plug-In) - > Role Based
Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:
. Config Parameter: 4000 = 2 (Plug-In) - > Role Based
However for ID based, it is a Central Logon, so the following is a must:
. Config Parameter: 4000 = 1 (GRC System) -> ID Based
Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way I leave it to you experts and I hope you will shed some light on it.
Cheers
Leo..
Gretchen,
Thank you for your thoughts on this.
Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
My query/issue is not in regards to if/what SAP needs to do about this or why there isn't more support from Companies/Organizations and not even, which one is a better option.
My query is what is stopping us (as in the end users) from using both ID/Role based at the same time?
Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
Scenario
I've created the following:
FFID
FFROLE
Assigned them to, two end users
John Doe
Jane Doe
I set the Configuration Parameters as follows:
IMG-> GRC-> AC-> Maintain Configuration Settings -> 4000:1 - ID Based
IMG-> GRC (Plug-in)-> AC-> Maintain Plug-In Configuration Settings-> 4000:2 - Role Based
User1
John Doe logs into his regular backend system (ECCPROD001) -> executes GRAC_SPM -> Enters the GRC system (GRCPROD001) -> Because the parameter is set to ID based in the GRC Box, he will be able to see the FFID assigned to him -> and will be presented with the logon screen -> Logs in -> Enters the assigned system (let's say CRMPROD001)
At this point the firefighting session is under progress
User2
Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLE
This is done at the same time while FFID session is in progress
So all I want to know is if this scenario is possible? if the answer is No, then why not?
I physically carried out this scenario in my system and I had no problems (unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
So there you have it. That's the whole enchilada (as they say there in Texas). I tried to word my thoughts as concisely as I can. If there are still any clarifications or more information you or anyone else reading this would like, please do let me know.
Regards,
Leo..
-
R12: Role based security : Hiding a button in OAF page for roles
Hi All,
We have a requirement in which we have to hide a "Create" button in the AR customer search form for some roles ... we have implemented UMX - Roles based security in our project and we can't hide it based on user or resp ...
Any ideas ... Is it feasible with this new feature of RBAC?
Thanks and Regards,
Senthil
Hi Ajay,
Metalink note 2778881.1 is discussing "Page access tracking report".
But here I want to implement access restrictions to a particular page.
Regards,
Naren.
-
Pre-populate adapters behaviour during role based provisioning
Hi all,
I have a question about pre-populate adapters behaviour during role based provisioning.
I'll shortly describe our architecture: we have OIM 11.1.1.3, the Active Directory connector and obviously Active Directory as target system.
Our scenario is: when assigning a role to a user, OIM should provision two accounts for this user to the same target system but in two different organizational units (Active Directory).
Here some sample information to better understand our request:
- OIM User userID: userid1
- Active Directory IT Resource: ADServer1
- Active Directory Organizational Units: OU1 and OU2
- Role: Example Role
- UserID of the account provisioned in OU1: admin.userid1 (in this organizational unit the UserID is composed of a prefix "admin." and the OIM User UserID "user1")
- UserID of the account provisioned in OU2: user.userid1 (in this organizational unit the UserID is composed of a prefix "user." and the OIM User UserID "user1")
To achieve this goal, we have created two access policies AP1 and AP2. The first access policy provisions the user account in OU1, while the second one does so in OU2.
Here some access policies form details:
### AP1 ###
- AD Server: ADServer1
- Organization Name: OU1
(other fields are empty)
### AP2 ###
- AD Server: ADServer1
- Organization Name: OU2
(other fields are empty)
Our idea was to develop two pre-populate adapters: one to compose the userID with the "admin." prefix and the other one to compose the userID with the "user." prefix. However this solution cannot work because obviously you can link only one pre-populate adapter to a resource form field.
Any suggestion to avoid creating a second resource form?
Thanks in advance,
Daniele
Hi,
probably your confusion is caused by my English....anyway....
I'm trying to generate two userids and in our scenario it's simple to map the organizational units. For example userids in organizational unit OU1 have the "admin." prefix, while those in organizational unit OU2 have the "user." prefix.
Do you suggest creating a pre-populate adapter that uses a lookup to set the correct prefix based on organizational unit name?
Thank you
Daniele
-
Restricting access to Queries via Search
Does anyone have any ideas on restricting access to queries from the Bex search? We have folks that are using the search functionality of Bex and are finding queries that have not been published to a reporting role. We instruct our query writers that when developing queries, do not publish them to a reporting role until they are finalized and tested. We are finding that folks are using search in Bex and finding these queries that may be in the middle of development and trying to use them. In other words, we would like to restrict the Bex search to just queries published to reporting roles.
Hi Diago,
Our dilemma is that restricting access of the search by query name (via the role) requires the query writer, when finished with the development of their query, to do a save as with a different technical name that falls into the role restrictions of the authorization. This then leaves two versions of the query out there until the original gets deleted, if the query writer happens to remember to do that. It would be great to limit the search mechanism to just published queries. What are other folks doing to get around this issue? It seems that everyone would be running into it unless the search could be restricted in such a manner.
-
Duet Enterprise 1.0 SP2 - SAP Role based authentication
Hi All,
We have implemented Duet Enterprise 1.0 SP2 in our landscape. Now we are trying to implement SAP Role based authentication.
But we don't know which role to assign for which authorisation. In my scenario I have created 2 users. For one user I want to have only read access to all lists (Contact, Employee, etc) and for another user I want to have all access (read, write, modify, delete) on all lists available at SharePoint.
Can someone help me by telling what roles (template) need to be assigned for what operation?
Which roles do I assign to the user in SAP that restrict the user's access at SharePoint?
Thanks & Regards
Virender Solanki
09818316550
Hi Binson,
I want to restrict the CRUD operations (create, update etc) by giving roles in the backend system. I am able to apply restrictions at the SharePoint end but I don't want that. I want SAP role based security.
So I want that, according to the given roles in the backend system, the user is able to do operations at SharePoint.
Thanks & Regards
Virender Solanki
-
Role based authorisations in the Integration Directory
We have built a new PI landscape (Pi 7.11) and worked with our security teams to perfect the various roles. I am now attempting to implement role based authorisations in the ESR & ID so that objects in our QAS and PRD environments can be configured but not deleted or created. I have implemented role based authorisations as per the SAP standard process, performing the following actions:
Exchange profile com.sap.aii.ib.util.server.auth.activation was set to true and the Java Stack Restarted.
I created a role in the ID that allowed editing of any object.
I assigned the role to my userid in NWA useradmin
I am unable to edit ANY object in the ID
When I set the Exchange profile parameter to false I found I was able to edit any object in the ID.
So it's obvious that the Exchange Profile Parameter does make a difference. However, it doesn't appear as if the role I created is being referenced, even though I assigned it to my account in NWA user admin. It looks like I may be missing some exchange profile parameters. I have the following exchange profiles set:
IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.util.server.auth.activation (string) = true
IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.ib.server.acl.enable (boolean) true
IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.util.server.auth.activation (string) = true
IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.ib.server.acl.enable (boolean) true
Any advice you can offer would be appreciated
Resolved this issue.
The documentation is confusing but finally found the answer by referring to the SAP XI 3.0 documentation.
-
Role based reflection security manager?
Hi,
I am trying to find out whether there is a possibility to implement a role based Security Manager to control access to reflection operations (such as checkMemberAccess() for example).
I need to implement an application where using reflection is totally forbidden, except for some very specific parts of the code. Is this possible? If yes, how should I proceed? Is there a concept of identity around the security manager? Should I use ReflectPermission? If yes how?
I have been doing some reading, but it is still not clear to me. I am looking for a general implementation procedure.
Thanks.
Jrm wrote:
Ok, fair enough regarding storing data on end user PC.
But I see a contradiction here (or I mis-read you). I understand that SecurityManagers are used for applets to restrict some of their actions. What if people are able to bypass SecurityManagers? What is the point of having them? If a .jar application is started with a SecurityManager, can an end user strip it and replace it with its own security manager (from its own code for example)?
First of all, the SecurityManager is provided by the local computer, not the applet. But, the most important point is that the SecurityManager used when running third-party applet code is not trying to protect the third-party code, it is trying to protect the local computer from unknown third-party code. The user is perfectly able to disable the SecurityManager and/or give the third-party code whatever permissions it desires if they decide to trust the code. You are trying to protect your code (which is the third-party code with respect to the user) from the user. That is the opposite situation, and does not work.
I would be happy if I could deliver a .jar application with my customized and 'unremovable' SecurityManager. Is that possible or can one always fiddle the .jar to remove it?
Because if people can always remove it, it is a permanent open door for man-in-the-middle attacks when code is delivered to end-users, correct? Is there any way to protect .jar from tampering?
As I said in my previous post, there is no way to stop this. As a software developer, I'm sure you are aware that you can find "cracked" versions of any commercial software that you are interested in (if you know where to look). What makes you think that your Java program is any more "secure" than those other programs?
-
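For the question in the SecurityManager thread above about confining reflection to specific parts of the code, one approach is a SecurityManager subclass that answers the ReflectPermission("suppressAccessChecks") check by caller class. This is an added example, not code from the thread; all class names are hypothetical and it assumes JDK 8 to 17, where System.setSecurityManager() is still permitted by default.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// Added example, not code from the thread. All class names are hypothetical.
// Assumes JDK 8-17, where System.setSecurityManager() is still permitted by default.
public class ReflectionGateDemo {

    // Constructed target object with a private field.
    static final class Account {
        private final String pin = "0000";
    }

    /** Allows setAccessible(true) only when an allow-listed class is on the call stack. */
    static final class ReflectionGuard extends SecurityManager {
        private final String allowedCaller;

        ReflectionGuard(String allowedCaller) {
            this.allowedCaller = allowedCaller;
        }

        @Override
        public void checkPermission(Permission perm) {
            // Nobody may replace or remove this guard once it is installed.
            if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("security manager is locked");
            }
            boolean suppress = perm instanceof ReflectPermission
                    && "suppressAccessChecks".equals(perm.getName());
            if (!suppress) {
                return; // demo simplification: every other permission is granted
            }
            // Any-frame match: weaker than AccessController, which requires every
            // frame to hold the permission. Allow-listed code must not call back
            // into untrusted code while it is on the stack.
            for (Class<?> frame : getClassContext()) {
                if (frame.getName().equals(allowedCaller)) {
                    return;
                }
            }
            throw new SecurityException("reflection denied outside " + allowedCaller);
        }
    }

    // The one component that is allowed to use reflection.
    static final class Serializer {
        static String read(Object target, String field) throws Exception {
            Field f = target.getClass().getDeclaredField(field);
            f.setAccessible(true); // triggers ReflectPermission("suppressAccessChecks")
            return String.valueOf(f.get(target));
        }
    }

    // Stands in for all other application code.
    static final class Plugin {
        static String read(Object target, String field) throws Exception {
            Field f = target.getClass().getDeclaredField(field);
            f.setAccessible(true); // same call, but no allow-listed frame on the stack
            return String.valueOf(f.get(target));
        }
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new ReflectionGuard(Serializer.class.getName()));
        Account account = new Account();
        System.out.println("Serializer: " + Serializer.read(account, "pin"));
        try {
            Plugin.read(account, "pin");
            System.out.println("Plugin: allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("Plugin: " + e.getMessage());
        }
    }
}
```

As the reply in the thread points out, a guard like this only constrains code inside a JVM whose launcher installs it; a user who controls the launch can leave it out.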
Alter "Active Queries" in POWL
Hello,
I am running SRM 7.0 / EP 7.
Is there a way to alter the "Active Queries" in POWL for a page? For example, under "Strategic Purchasing" -> Strategic Sourcing, there are 4 lines of Active Queries, i.e.
RFxs
Auctions
Sourcing Templates
Document Output
Is there a graceful way of removing a line of queries, e.g. removing Auctions?
Thanks,
Hi,
Please check following transaction. You can delete the query or category.
POWL_CAT Maintain POWL categories
POWL_EASY Easy-POWL Feeder Builder
POWL_QUERY Maintain POWL Query definition
POWL_QUERYR Maintain POWL Query role assignment
POWL_QUERYU Maintain POWL Query user assignment
POWL_TYPE Maintain POWL Type definition
POWL_TYPER Maintain POWL Type role assignment
POWL_TYPEU Maintain POWL Type user assignment
Regards,
Masa
-
JHeadStart Security problem-error page cannot be found- role based security
Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
Security roles: I define two roles: customer and administrator, Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1, password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true, authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator. On item level: Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']}. Then I generate the pages (run the jag). The generation is completed successfully but when I run the View Controller project a "the website declined to show this webpage…(page cannot be found)" is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.
Thank you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and not by the jheadstart's ones. Could you find out what is my fault with the steps I follow trying to perform the process?
To remind you my steps I paste the following again:
JHeadStart Security problem-error page cannot be found- role based security
Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
Security roles: I define two roles: customer and administrator, Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1, password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true, authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator. On item level: Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']}. Then I generate the pages (run the jag). The generation is completed successfully but when I run the View Controller project a "the website declined to show this webpage…(page cannot be found)" is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.