E-recruitment - Role based restrictions on Active Queries - High Priority

Requirement - Do we have an option to restrict the queries in recruiter 'active queries list' (work center) based on roles.
for example: Restricted recriter should not be allowed to view Back ground checks query. and Talent Groups query.
Version - E-rec 604 support pack 5. Webdynpro Interface, seperate front end and back end - candidate Scenerios #3 as per Note 1017866.
Request e-rec Pro's to post the solution, if they have faced this issue in there e-rec implementation exp.
Thanks & Regards,
David.
Edited by: SAPERECSDN1 on Oct 12, 2010 6:25 PM

Hello,
You can check out transaction POWL_QUERYR. Through this you can specify the roles to be assigned to the role. Through transaction POWL_QUERYU you can even specify the roles to be assigned for a specific user. You can copy the specific roles required and assign them to the roles. Any role which is not assigned to specific role will appear to all the roles that have authorization to the workcenter object.
Regards,

Similar Messages

  • Requisition for approval using - Restricted Recruiter role

    Hi,
    We have implemented SAP eRec EHP4. As of EHP3 the restricted recruiter was only able to create requesition in Draft mode and release the requisition for approval.
    We are using WD on SAP EHP4. We have provided SAP_RCF_RES_RECRUITER_ERC_CI_2 role in R3 to one of the user and Recruiter role on the portal. But when I try to create a requisition and try to release it, it gets released instead of going for approval......
    What have we done wrong.....Is there some other way by which the requisition can be sent for approval in EHP4......
    Thanks

    Hi All,
    In the meantime I was testing the BSP application since I had to give a demo to the client.....Here I could run the workflow, but when I launch the recruiter "approval" page it gives me an error
    BSP Exception: Das Objekt default.htm in der URL /sap/bc/bsp/sap/hrrcf_approval/default.htm?objid=90005527&otype=NB&plvar=01&requestdate=20100723&requestedRsncode=01&requestedstatus=1&requester=Mr%2etesttest&SAPWFCBURL=http%3a%2f%2ftcssol%2ehrservicesonline%2ecom%3a8002%2fsap%2fbc%2fwebflow%2fwshandle ist nicht gültig.
    I saw through SE80 there is no page like default.htm how do I resolve this, is this also connected with upgrading our SP level?
    Thanks
    Subbu

  • Conditional activity in Recruiter role

    Dear All,
    I am implementing e-recruitment. The client's requirement is to allow creating a specific activity only if certain condition is met.
    The condition is the response (YES /NO) of a question that candidate filled during the application.
    For Example the question is: Have you ever worked in ABC Company? 
    If candidate says YES or NO during the application wizard its stored in questionnaire table.
    Now on the candidate assignment list during the applicant tracking when recruiter selects this candidate and wants to create a certain activity say "XYZ", system should stop it if candidate response was NO and allow it in case of YES.
    your consideration would be highly appreciated as I really need a solution very urgently.
    Chohan

    Hello Chohan,
    currently there is no option to restrict the creation of an activity in the described way. In fact there is no way at all to have a logical restriction on activity maintenance. There is only an authorization object which allows to restrict the activity maintenance on activity type level.
    SAP is currently working on a concept for allowing dependencies between activities but I am not sure if it will be flexible enough to cover your specific requirement.
    To at least improve the process I can imagine to create the activity automatically in planned status via workflow if it is obligatory. So the recruiter only has to continue the work and not create new ones. You could also use the enhancement concept of the candidate selection list to add a column with the information. Both solutions will not prevent a recruiter from intentionally creating the activity for a candidate for whom he should not create it but the additional service or information can reduce errornous activities.
    Kind Regards
    Roman   

  • POWL: Hiding query from list of active queries in eRec workcenter dashboard

    Hi All,
    We are implementing SAP eRecruitment (EHP4) based on web dynpro ABAP. eRecruitment has work overview page (Recruiter role), which has two iviews (Search and Dashboard). Dashboard iview has two sections: Active Queries (Link Matrix) and Requisitions List. This is configured using POWL_UI_COMP. Query categories are: Requisitions, Postings, Applications, My Tasks and TRM.
    Requisitions categories has 5 queries: My open Requisitions, Open Team Requisitions, Open Application Groups, My Draft Requisitions, and All Requisitions.
    My requirement is to hide 2 of the 5 queries (Open Team Requisitions, Open Application Groups). I have tried activating/deactivating options in POWL_Query(r) transactions. Can you please let me know how to achieve this?
    Thanks,
    Shyam

    HI
    POWL_QUERYR is the required transaction for deactivating a query
    delete the entry for the required transaction there.
    and also Run POWL_D01 report for application id you want to hide.

  • BW Roles based on the department

    Hi,
      My requirment is to creat a roles that restricts data access according to department.
    We had nearly 20 different Detartments and my requirment is to create roles so that users can be granted access according to their department.
    Could you please update me detailed process on how i can create roles.
    I am the DEPARTMENT char as authorisation relevent
    Thanks

    Hello,
    Please see these docs,
    [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
    [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
    [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
    Thanks
    Chandran

  • Role Based FireFighter with GRC 10.0 (CEA)

    Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
    The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

    Good question, and the answer is not pretty.
    In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
    Reporting turns on when the user runs a transaction in the firefighter role.
    If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
    The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
    If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

  • EAM ID based or Role based? Why settle for just one?

    G'Day All,
    I've raised a question in the following blog, however I would like to open it up to other people as well so they might get something out of it and in the process might share their own thoughts on the matter at hand.
    ID-Based Firefighting vs. Role-Based Firefighting
    So this is where I am at this point:
    From what I can gather so far, my understanding of EAM ID/ROLE based is as follows:
    - Id Based: Logs in using own U.ID and through GRAC_SPM accesess FFID from the GRC Server and logs into the system assigned to them (ECC, SRM, CRM etc)
    Only one user at a time can use a FFID.
    Firefighter need not exist in every system assigned to them due to central logon however they need to exist in the GRC system
    Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing)
    Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
    Two Log ins so potential to commit fraud. (1 action using own UserID and 1 action using FFID)
    Could be hard to track and find out when a fraud has been committed so can be a problem with auditors.
          ID Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFIDs assigned to you
          ID Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> You can see  the FFIDs assigned to you
    - Role Based: Logs into the remote system only using U.ID, so everything gets logged against that one ID. 
    Multiple users can use the FFROLE at once.
    Firefighter has to exist in every system assigned to them - so multiple logons.
    Hard to differentiate between FF tasks and normal tasks as no login required  So easy to slip up
    Time consuming to track FF tasks - No Specific log reports. No Reason Codes
         R.Based -> GRAC_SPM : TCode for Centralised FFighting -> You will see FFROLEs
         R.Based -> /n/GRCPI/GRIA_EAM : TCode for DCentralised FFighting -> Not applicable so wont work
    So based on this there are pros and cons in both however according to SAP only one can be used. To me personally,  it makes more sense to get the best of both the worlds right? So here is my question why can’t we just use both?
        . Really critical tasks -> FFID
        . Normal EAM tasks -> FFRole
    Alessandaro from the original post pointed this out:
    "Per design it isn't possible to achieve both types of firefighting at the same time. It's a system limitation and hence to configurable."
    Well this is what I can't seem to get my head around. For a FFID, there is a logon session so it has to be enabled and as far as I can tell there is no way around it.
    However for FFRole, there isn't such limitations/restrictions like starting a separate session. FFRole is just assigned to an end user for him/her to perform those tasks using their own user ID.
    So in what way is it different from any of their other tasks/roles, other than the fact that they've got an Owner/Controller assigned to the FFRole? and
    What is stopping us from using it when ID based is the default?
    If I were to do the following does it mean I can use both ?
        . Config Parameter: 4000 = 1 (GRC System) -> ID Based
        . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
    Please excuse me if my logic is a bit silly, Role Based firefighting is only done on Plug-in systems so the following should work just fine:
       . Config Parameter: 4000 = 2 (Plug-In)  - > Role Based
    However for ID based, it is a Central Logon, so the following is a must:
        . Config Parameter: 4000 = 1 (GRC System) -> ID Based
    Which means both ID/Role based can be used at the same time, which seems to be working just fine on my system. Either way I leave it you experts and I hope you will shed some light on it.
    Cheers
    Leo..

    Gretchen,
    Thank you for thoughts on this.
    Looks like I'm failing to articulate my thoughts properly as the conversation seems to be going in a different direction from what I am after. I'll try once more!
    My query/issue is not in regards to if/what SAP needs to do about this or why there isn't more support from Companies/Organizations and not even, which one is a better option.
    My query is what is stopping us(as in the end users ) from using both ID/Role based at the same time?
    Now before people start referencing SAP documentation and about parameter 4000, humour me with the following scenario please. Again I would like to reiterate that I am still in the learning phase so my logic might be all wrong/misguided, so please do point out to me where I am going wrong in my thought process as I sincerely would like to know why I am the odd one out in regards to this.
    Scenario
    I've created the following:
    FFID
    FFROLE
    Assigned them to, two end users
    John Doe
    Jane Doe
    I set the Configuration Parameters as follows: 
    IMG-> GRC-> AC-> Maintain Configuration Settings -> 4000:1 - ID Based
    IMG-> GRC (Plug-in)-> AC-> Maintain Plug-In Configuration Settings-> 4000:2 - Role Based
    User1
    John Doe logs into his regular backend system (ECCPROD001)-> executes GRAC_SPM-> Enters the GRC system (GRCPROD001)-> Because the parameter is set to ID based in the GRC Box, so he will be able to see the FFID assigned to him-> and will be presented with the logon screen-> Logs in -> Enters the assigned system (lets say CRMPROD001) At this point the firefighting session is under progress
    User2
    Jane Doe logs into her regular backend system (ECCPROD001) -> (can execute GRAC_SPM to check which FF Role has been assigned to her but she can see that in her regular menu, so there is no point) -> Executes the transactions assigned in FFROLEThis is done at the same time while FFID session is in progress
    So all I want to know is if this scenario is possible? if the answer is No, then why not?
    I physically carried out this scenario in my system and I had no problems(unless I am really missing the plot here), which brings me back to my original question: Why settle for just one?
    Again to reiterate I am not getting into the efficacy or merits of this or even if one should use this. Just want to know if it is possible/feasible or not.
    So there you have it. That's the whole enchilada(as they say there in Texas). I tried to word my thoughts as concisely as I can, if there are still any clarifications, more information you or anyone else reading this would like, please do let me know.
    Regards,
    Leo..

  • R12: Role based security : Hiding a button in OAF page for roles

    Hi All,
    We have a requirement where in which, we have to hide a "Create" button in AR customer search form for some roles ... we have implemented UMX - Roles based security in our project and we cant hide it based on user or resp ...
    Any ideas ... Is it feasible with this new featue of RBAC?
    Thanks and Regards,
    Senthil

    Hi Ajay,
    metalink note 2778881.1 is discussing "Page access tracking report".
    but here i want to implement access restrictions to a particular page.
    Regards,
    Naren.

  • Pre-populate adapters behaviour during role based provisioning

    Hi all,
    I have a question about pre-populate adapters behaviour during role based provisioning.
    I'll sortly describe our architecture: we have OIM 11.1.1.3, Active Direcotry connector and obviously Active Directory as target system.
    Our scenario is: assigning a role to a user , OIM should provision two account for this user to the same target system but in two different organizational unit (Active Directory).
    Here some sample information to better understand our request:
    - OIM User userID: userid1
    - Active Directory IT Resource: ADServer1
    - Active Directory Organizational Units: OU1 and OU2
    - Role: Example Role
    - UserID of the account provisioned in OU1: admin.userid1 (in this organizational unit the UserID is composted by a prefix "admin." and the OIM User UserID "user1")
    - UserID of the account provisioned in OU2: user.userid1 (in this organizational unit the UserID is composted by a prefix "user." and the OIM User UserID "user1")
    To achieve this goal, we have created two access policies AP1 and AP2. The first access policy provision the user account in OU1; while the second one in OU2.
    Here some access policies form details:
    ### AP1 ###
    - AD Server: ADServer1
    - Organization Name: OU1
    (other fields are empty)
    ### AP2 ###
    - AD Server: ADServer1
    - Organization Name: OU2
    (other fields are empty)
    Our idea was to develope two pre-populate adapter: one to compose the userID with "admin." prefix and the other one to compose userID with "user." prefix. However this solution cannot work because obviously you can link only one pre-populate adapter to a resource form field.
    Any suggestion to avoid to create a second resource form?
    Thank in advise,
    Daniele

    Hi,
    probably your confusion is caused by my english....anyway....
    I'm trying to generate two userids and in our scenario it's simple map the organizational units. For example userids in organizational units OU1 have "admin." prefix; while organizational units OU2 have "user." prefix.
    Do you suggest to create a pre-populate adapter that use a lookup to set the correct prefix based on organizational unit name?
    Thank you
    Daniele

  • Restricting access to Queries via Search

    Does anyone have any ideas on restricting access to queries from the Bex search. We have folks that are using the search functionality of Bex and are finding queries that we have not been published to a reporting role. We instruct our query writers that when devloping queries, do not publish them to a reporting role until they are finalized and tested. We are finding that folks are using search in Bex and finding these queries that may be in the middle of development and trying ot use them. In other words, we would like to restrict the Bex search to just queries published to reporting roles.

    Hi Diago,
         Our dilema is that restricting access of the search by query name (via the role) requires the query writer, when finished with the development of their query, to do a savas with a different technical name that falls into the role restrictions of the authorization. This then leaves two versions of the query out there until the original gets deleted, if the query writer happens to remember to do that. It would be great to limit the search mechanism to just published queries. What are other folks doing to get around this issue. It seems that everyone would be running into it unless the search could be restricted in such a manner.

  • Duet Enterprise 1.0 SP2 - SAP Role based authantication

    Hi All,
    We have implemented Duet Enterprise 1.0 SP2 in our landscape. Now we try to implement SAP Role based authantication.
    But don't know which role to assign for which authorisation. In my scenario i have created 2 users. For one user i want to have only read access to all lists (Contact, Employee, etc) and for another user i want to have all acess (read, write, modify, delete) on all lists available at sharepoint.
    Can someone help me to tell what roles (template) need to assign for what operation.
    Which roles i do assign to user in SAP that which ristrict users access at Sharepoint.
    Thanks & Regards
    Virender Solanki
    09818316550

    Hi Binson,
    I want to ristrict the crude operation (create, update etc) by giving roles in backend system. i am able to apply restriction at sharepoint end but i don't want that. i want SAP role based security.
    So i want, according to given roles in backend system user is able to do operations at sharepoint.
    Thanks & Regards
    Virender Solanki

  • Role based authorisations in the Integration Directory

    We have built a new PI landscape (Pi 7.11) and worked with our security teams to perfect the various roles. I am now attempting to implement role based authorisations in the ESR & ID so that objects in our QAS and PRD environments can be configured but not deleted or created.I have implemented role based authorsations as per the SAP standard process performing the following actions
    Exchange profile com.sap.aii.ib.util.server.auth.activation was set to true and the Java Stack Restarted.
    I created a role in the ID that allowed editing of any object.
    I assigned the role to my userid in NWA useradmin
    I am unable to edit ANY object in the ID
    When I set the Exchange profile parameter to false I found I was able to edit any object in the ID.
    So its obvious that the Exchange Profile Parameter does make a difference. However, it doesn't appear as if the role I created is being referenced, even though I assigned it to my account in NWA user admin. I looks like I may be missing some exchange profile parameters. I have the following exchange profiles set:
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Repository com.sap.aii.ib.server.acl.enable (boolean) true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.util.server.auth.activation (string) = true
    IntegrationBuilder.IntegrationBuilder.Directory com.sap.aii.ib.server.acl.enable (boolean) true
    Any advice you can offer would be appreciated

    Resolved this issue.
    The documentation is confusing but finally found the answer by referring to the SAP XI 3.0 documentation.

  • Role based reflection security manager?

    Hi,
    I am trying to find out whether there is a possibility to implement a role based Security Manager to control access to reflection operations (such as checkMemberAccess() for example).
    I need to implement an application where using reflection is totally forbidden, except for some very specific parts of the code. Is this possible? If yes, how should I proceed? Is there a concept of identity around the security manager? Should I use ReflectPermission? If yes how?
    I have been doing some reading, but it is still not clear to me. I am looking for a general implementation procedure.
    Thanks.

    Jrm wrote:
    Ok, fair enough regarding storing data on end user PC.
    But I see a contradiction here (or I mis-read you). I understand that SecurityManagers are used for applets to restrict some of their actions. What if people are able to bypass SecurityManagers? What is the point of having them? If a .jar application is started with a SecurityManager, can an end user strip it and replace it with its own security manager (from its own code for example)?First of all, the SecurityManager is provided by the local computer, not the applet. But, the most important point is that the SecurityManager used when running third-party applet code is not trying to protect the third-party code, it is trying to protect the local computer from unknown third-party code. the user is perfectly able to disable the SecurityManager and/or give the third-party code whatever permissions it desires if they decide to trust the code. you are trying to protect your code (+which is the third-party code with respect to the user+) from the user. that is the opposite situation, and does not work.
    I would be happy if I could deliver a .jar application with my customized and 'unremovable' SecurityManager. Is that possible or can one always fiddle the .jar to remove it?
    Because if people can always remove it, it is a permanent open door for man-in-the-middle attacks when code is delivered to end-users, correct? Is there any way to protect .jar from tampering?As i said in my previous post, there is no way to stop this. as a software developer, i'm sure you are aware that you can find "cracked" versions of any commercial software that you are interested in (if you know where to look). what makes you think that your java program is any more "secure" than those other programs?

  • Alter "Active Queries" in POWL

    Hello,
    I am running SRM 7.0 / EP 7.
    Is there a way to alter the "Active Queries" in POWL for a page? For example, under "Strategic Purchasing" -> Strategic
    Soucing, there are 4 lines of Active Queries, i.e.
    RFxs
    Auctions
    Sourcing Templates
    Document Output
    Is there a graceful way of removing a line of queries, e.g. removing Auctions?
    Thanks,

    Hi,
    Please check following transaction. You can delete the query or category.
    POWL_CAT             Maintain POWL categories
    POWL_EASY            Easy-POWL Feeder Builder
    POWL_QUERY           Maintain POWL Query definition
    POWL_QUERYR          Maintain POWL Query role assignment
    POWL_QUERYU          Maintain POWL Query user assignment
    POWL_TYPE            Maintain POWL Type definition
    POWL_TYPER           Maintain POWL Type role assignment
    POWL_TYPEU           Maintain POWL Type user assignment
    Regards,
    Masa

  • JHeadStart Security problem-error page cannot be found- role based security

    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

    Thand you very much for your reply! Unfortunately there is a specific restriction-convention in the project I work in. I am supposed to perform role based security with my own tables and no by the jheadstart’s ones. Could you find out what is my fault with the steps I follow trying to perform the process?
    To remind you my steps I paste the following again:
    JHeadStart Security problem-error page cannot be found- role based security
    Good morning! How are you? I would need some help in a jheadstart 10.1.3.2 security case and I was wondering if you could give me a hand to go on. I create the Model project with tables of oe schema. Then in JHeadStart to perform security I follow the following steps: In ViewController/WEB-INF/web.xml – properties I do the following: login configuration: http basic authentication rfc 7617: realm:jazn.com
    Security roles : I define two roles: customer and administrator , Security Constraints: web_resources: All_pages, Url Patterns: faces/*. Then in Tools/Embedded OC4J Preferences/Global/Authentication JAZN/Realms/jazn.com/users: I define two users c1, password c1 and a1,password a1, roles/member users/ I attribute the roles to the relevant users c1—customer and a1—administrator. Then in application definition editor on service level I define security/use role based authorization=true , authorization type: JAAS and when access denied go to next group=true. On group level e.g.: ProductInformation: Authorization/Authorized Roles Permissions: administrator.On item level : Orders/Items/OrderTotal/Operations/Update Allowed: #{jhsUserRoles['administrator']},Then I generate the pages (run the jag) . The generation is completed successfully but when I run the View Controller project a “the website declined to show this webpage…(page cannot be found)’ is displayed. What should I do? I would appreciate it if you would help me on this issue! Thank you very much.

Maybe you are looking for