Function to see if a user has data dba role

Similar Messages

• How to check if a user has a particular role in sql server

  Is it possible to check to see if a user has a particular role in sql server? For instance, I need to check to see if the user logging in has wite ability to the database. Thanks in advance.

  To answer your question from a Java-perspective, since this is a Java-forum: No.
  The JDBC 3.0 specification does not state that the driver has to implement a user credential mechanism.
  However, the DriverManager will throw an SQLException if user credentials are not met at all and the Connection should throw you a SQLException when trying to create or execute a statement that you are not alowed to do.

• See if a user has a record open

  Hi all,
  We have been caught out by two users editting the same form (BP/Quote etc) and of course losing the actions of one user as it isn't until they ty and update the form that they are told that it cannot be done due to another user.
  Is it possible to see if a user has opened the form or has it in edit mode - at which ever point SAP locks the record so it can't be updated by anothe user?
  We don't mind if its just a query that updates a search define that updates a UDF, as long as we can see that the record is open already - or is there an easy way we are not aware of?
  Any help is much appreciated.
  Kind Regards,
  Matthew

  Matthew,
  I understand that this can be frustrating at times but the whole purpose of a multi-user environment is the possiblity for multiple users to use the system at the same time.  Transaction are no different as there could be different departments accessing the same transaction but it is the way SQL works that two people cannot edit the same transaction.
  The first user who updates the transaction change the current values and the data on the screen of other user has already changed and thats why you get the message " Another user modified table ..."
  Unfortunately there is nothing you could do about it for now.
  Regards
  Suda

• How to see, if some user has done multiple login at the same time

  Hi,
  i'm looking for a tcode to see, if some user has done multiple login in a date-range.
  Regards, Dieter

  It is also dependent on your license type, as it is populated at logon - prior to any Z-coding option - which will cause a lockout if attempted an access that way.
  I recently found a cool way to detect DB triggers and updates - very obscure...
  However I also "move around" during support in projects and don't always want to kick myself out. I guess SAP can "work-it-out" from the various fields of the table to map the user behaviour.
  Personally I dont believe that all of such information is appropriate for public domain, as all the SAP_ALLers out there combined with the types of authentication options are not always responsible with the information either.
  Thankfully, SAP has added a "salt" to the password hashes now. They offer RZ11 login/password_downwards_compatibility as a workaround...
  Take a look in your system!
  Cheers,
  Julius

• Check if a user has a specific role

  Hello,
  Is it possible to check if a user has a specific role in MII 12.0?
  For example if the user has the role "xmii Developers" I would do something more in a transaction than if the user doesn't have this role.
  Thank you for your help.
  Regards,
  Matthias

  Hi Matthias Pröller ,
  Are u finding difficulty to trace which role user is assigned to? If so, then u can refer Abesh's Blog.
  OR
  If you are writing Transaction to get user list based on Role , then u can do following
  Create XML query.
  Configure above XML Query in Transaction, in links map (XML Query) URL like given below
  "https://Server:Port/XMII/Illuminator?service=admin&Mode=UserList&Content-Type=text/xml&group=XMII Administrators&IllumLoginName=loginId&IllumLoginPassword=pwd"
  Regards,
  Padma
  Edited by: Rao on Mar 31, 2009 11:52 AM

• How do I test to see if a user has access on a site?

  I am completely new to PowerShell, but I have a requirement to build a PowerShell script that will run against a site, a set of sites or a web application. How do I add a check within my script to test if a user has rights on the site they are running it
  on or not? Am clueless on how to test if the user has rights to a site....I basically am trying to test, then let them know that they do not have access on a site or not. 
  How can I get this done? Please help.

  I now have this code which I think should do the trick, but I am getting an exception when i step through it. The $serverContext variable is always null. Does anyone know why I am getting this?
  write-host "Please enter the url of the site collection"
  $url = read-host
  write-host "Please enter the username of the user"
  $userName = read-host
  $site = New-Object Microsoft.SharePoint.SPSite($url)
  $serverContext = [Microsoft.Office.Server.ServerContext]::GetContext($site)
  $userProfileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($serverContext)
  $userProfile = $userProfileManager.GetUserProfile($userName)
  $userLogin = $userProfile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value.ToString()
  $webs = $site.AllWebs
  foreach ($web in $webs)
  $permissionInfo = $web.GetUserEffectivePermissionInfo($userLogin)
  $roles = $permissionInfo.RoleAssignments
  write-host "Now checking the permissions of the user " $userLogin " " "in the site " $web.Url
  for ($i = 0; $i -lt $roles.Count; $i++)
  $bRoles = $roles[$i].RoleDefinitionBindings
  foreach ($roleDefinition in $bRoles)
  if ($roles[$i].Member.ToString().Contains('\'))
  write-host "The User " $userLogin " has direct permissions " $roleDefinition.Name
  else
  write-host "The User " $userLogin " has permissions " $roleDefinition.Name " given via " $roles[$i].Member.ToString()
  Thanks for the help.
   

• Checking if a user has a role (FGAC)

  Hi!
  I am implementing Fine Grained Access Control on a table and in my policy function I do not want to restrict the amount of result data on a select if the current user has a certain role (otherwise I want to).
  My idea was to check USER_ROLE_PRIVS/ROLE_ROLE_PRIVS for the role, but the stored procedure runs with definer-rights, so that won't help.
  Running the procedure with invoker-rights won't help either, since not the current user is the invoker of the policy function but the DB system (user sys?).
  And finally, the definer of the policy function does not have DBA privs, so I can't select the DBA_* views to check if the current user has the role.
  Is there another way to check if the current user that is known inside the policy function by the USER variable has a certain role?
  Thanks for your help!
  Marcus

  Hi Frank,
  thanks for your answer!
  Frank Kulash wrote:
  Policy functions are run by the user who queries or tries to do DML on the table.I don't see that this is happening. Here's my test case:CREATE OR REPLACE FUNCTION CU_is_member_of
  (v_role IN VARCHAR2) RETURN NUMBER
  AUTHID CURRENT_USER
  is
  v_res VARCHAR2(255);
  begin
  SELECT COUNT(*)
  INTO v_res
  FROM
  (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
  UNION
  select GRANTED_ROLE from role_role_privs)
  WHERE UPPER(GRANTED_ROLE)=UPPER(v_role);
  RETURN to_number(v_res);
  end;
  CREATE OR REPLACE FUNCTION POLIFUNC_PARTTYPES_WRITE
  (p_schemaname IN varchar2, p_tablename IN varchar2)
  RETURN VARCHAR2
  IS
  BEGIN
  IF USER=p_schemaname
  THEN RETURN '';
  ELSE
  BEGIN
  if SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES')=1
  THEN RETURN ''; -- *****
  ELSE
  BEGIN
  RETURN '1=0';
  END;
  end if;
  end;
  END IF;
  END;
  CALL SYS.DBMS_RLS.ADD_POLICY('SYSWM_TOOL', 'TBL_PARTTYPES', 'POL_PARTTYPES', 'SYSWM_TOOL', 'POLIFUNC_PARTTYPES_WRITE', 'select'); --TODO: SELECT->UPDATE,INSERT,DELETE
  If the policy function is run by the user who queries, then I would expect that a user who has the role querying table TBL_PARTTYPES would see all entries since he would run into the line marked with *****.
  SQL> select SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES') FROM DUAL;
  SYSWM_TOOL.CU_IS_MEMBER_OF('#ACT#WMT_MANAGE_PARTTYPES')
  1
  SQL> SELECT COUNT(*)
  2 FROM
  3 (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
  4 UNION
  5 select GRANTED_ROLE from role_role_privs)
  6 WHERE UPPER(GRANTED_ROLE)=UPPER('#ACT#WMT_MANAGE_PARTTYPES');
  COUNT(*)
  1
  So, the current user has the role and the stored function CU_IS_MEMBER_OF works correctly. However:
  SQL> select count(*) from syswm_tool.tbl_parttypes;
  COUNT(*)
  0
  What am I missing here?
  Marcus

• How to check if the user has only the display authority of a message

  hi,
  How to check if the user has only the display authority of a message but does not have the change authority for a certain message?
  Best regards,

  hi blake
  though i am an application consultant and for authorisation u need to have help of BASIS person if u r not the one but still i can guide u regarding the same,
  Basically Authorization Management 
  Use
  You can use the following authorization objects to control the authorizations for maintaining business partner data:
  •        Authorization objects for the Business Partner:
  •             B_BUPA_GRP
  •             B_BUPA_ATT
  •             B_BUPA_FDG
  •             B_BUPA_RLT•       
  Authorization objects for relationships:
  •             B_BUPR_BZT
  •             B_BUPR_FDG
  In addition, you can assign an authorization group to a business partner in the dialog. The authorization group controls which users may maintain data for this business partner.
  You can also define authorizations for fields and field groups using the Business Data Toolset (BDT). Depending on the settings you have made, the system carries out the relevant authorization checks.
  In the dialog in the SAP GUI, you can display an overview of the authorizations assigned to you by pressing the button Settings.
  For more information on authorization management, see the Implementation Guide (IMG) of the Business Partner, as well as in the Developer’s Handbook for the BDT under  Authorizations.
  IntegrationAuthorization management for the Business Partner forms part of the  SAP authorization concept.
  Prerequisites
  You have made the necessary settings in Customizing of the Business Partner under Basic Settings--> -Address Management.
  Moving over
  AS ABAP Authorization Concept 
  The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.
  To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
  Authorization Checks 
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
  •        Starting SAP transactions (authorization object S_TCODE)
  •        Starting reports (authorization object S_PROGRAM)
  •        Calling RFC function modules (authorization object S_RFC)
  •        Table maintenance with generic tools (S_TABU_DIS)
  Checking at Program Level with AUTHORITY-CHECK
  Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
  AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
  Starting SAP Transactions
  When a user starts a transaction, the system performs the following checks:
  •        The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
  •        The system then checks whether the user has authorization to start the transaction.
  The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
  •             The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
  •             If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, table TSTCA).
  If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
  •        The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.
  The check is not performed in the following cases:
  You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
  This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
  •             You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
  •             So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).
  All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
  Starting Report Classes
  You can perform additional authorization checks by assigning reports to authorization classes (using report RSCSAUTH). You can, for example, assign all PA* reports to an authorization class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the appropriate authorization to execute reports in this class.
  We do not deliver any predefined report classes. You must decide yourself which reports you want to protect in this way. You can also enter the authorization classes for reports with the maintenance functions for report trees. This method provides a hierarchical approach for assigning authorizations for reports. You can, for example, assign an authorization class to a report node, meaning that all reports at this node automatically belong to this class. This means that you have a more transparent overview of the authorization classes to which the various reports are transported.
  You must consider the following:
  •     •         After you have assigned reports to authorization classes or have changed assignments, you may have to adjust objects in your authorization concept (such as roles (activity groups), profiles, or user master records).
  •     •         There are certain system reports that you cannot assign to any authorization class. These include:
  •     •         RSRZLLG0
  •     •         STARTMEN (as of SAP R/3 4.0)
  •     •         Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001, ZXUSRU01).
  •     •         Authorization assignments for reports are overwritten during an upgrade. After an upgrade, you must therefore restore your customer-specific report authorizations.
  Calling RFC Function Modules
  When RFC function modules are called by an RFC client program or another system, an authorization check is performed for the authorization object S_RFC in the called system. This check uses the name of the function group to which the function module belongs. You can deactivate this check with parameter auth/rfc_authority_check.
  Checking Assignment of Authorization Groups to Tables
  You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
  You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
  please See also:
  •        SAP Notes 7642, 20534, 23342, 33154, and 67766
  guess this info will help you,there is one graphic which actually explain the hierarchy of authorisation,i will find some time out to let u know more info about the authorisation
  but if u sit with ur BASIS guy then u can learn lot of things in PFCG
  i guess u r a basis guy,then its not a problem
  best regards
  ashish

• SUIM and USR02-ERDAT donu00B4t match in user creation date

  Hello,
  My question is in 4.6B version. As my understanding, table-column USR02-ERDAT shows that date when a user is created. Also in SUIM (thru modification of documents) you can see when a user has been created so I would expect that both entries show the same date.
  In most users this is true but I´ve found several (more that 4-5) that boths dates are very different
  USER1----USER02-ERDAT--SUIM
  user1----
  9.4.2007----
  28.11.2007
  user2----
  21.12.2000----
  11.12.2007
  user3----
  14.1.2003----
  28.1.2008
  The question is: is this behaviour normal?  If so, which data is correct
  Thanks in advanced,
  Félix

  More information related with this behaviour:
  The information that looks right is the one that comes from SUIM. The reason of trusting in SUIM (more than in USR02) is because if we check the date where the same user has been created in other non SAP systems (like active directory) then it matchs with SUIM date and not with USR02 date.
  From my point of view this is even more strange since USR02 us the table where the information resides while SUIM is just a bunch of reports
  Sincerely,
            Félix

• How to find out if a user has no more resource accounts?

  I want to check to see if a user has no more resource accounts tied to it. The only resource account left is Lighthouse and nothing else.
  Do you know how I do this?
  Thanks

  I was able to find disabled users using the below code. Does anyone know how I can find users who have only Lighthouse account and nothing else? I want to add this to the search criteria.
  <Action id='0' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='queryObjectNames'/>
  <Argument name='type' value='User'/>
  <Argument name='single' value='false'/>
  <Argument name='attributes'>
  <map>
  <s>lhdis</s>
  <s>true</s>
  </map>
  </Argument>
  </Action>

• How to check if a user has a deferred task or not?

  Right now, I use getView and then check for the deferred task as below
  1)
  <Action id='0' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='getView'/>
  <Argument name='type' value='User'/>
  <Argument name='id' value='$(accountId)'/>
  </Action>
  2)
  <Transition to='Add Deferred Task'>
  <isnull>
  <ref>view.accounts[Lighthouse].properties.tasks[Task Name]</ref>
  </isnull>
  </Transition>
  Is there a quicker way to combine both steps 1 and 2 into one step?

  Here's my code
  <Action id='0' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='queryObjectNames'/>
  <Argument name='type' value='User'/>
  <Argument name='single' value='true'/>
  <Argument name='attributes'>
  <map>
  <s>accountId</s>
  <ref>accountId</ref>
  <s>deferredTaskDate</s>
  <s>Task 123</s>
  </map>
  </Argument>
  </Action>
  So I'll pass in 2 parameters, the accountId and a task name. I want to see if this user has that particular task name or not.
  In the WF trace, I see this
  Argument attributes = {accountId=ABC, deferredTaskDate=Task 123}
  queryResult is null because it could not find this user even though user ABC exists in IDM and has a deferred task named Task 123.
  Is my code wrong and how do I use AttributeCondition in the queryObjectNames above?

• Activity to determine if a user has a mailbox.

  Hello,
  I am writing this to see if anybody has been able to figure out how to do what i am trying to accomplish. I am working on a RB that builds user accounts and I have come across a problem i haven't been able to figure out. I have a process where i would like
  to check to see if a user has a mailbox. I thought i could use the get-mailbox activity and filter if the sam account equals what is passed by the process. The problem is that doesnt seem to work and regardless of wether or not the user has an MB it taks the
  route of the get mailbox returns a sucess. Can anybody let me in on what activity you used for this?

  I was trying to figure out the same thing. I asked how our Exchange Admins would do this via PowerShell, and they would do it with
  Get-Mailbox -Identity ACCOUNT
  This would throw an error, if there was no mailbox. Well, it returns the SAM Account Name if the mailbox exists.
  Knowing that, it is easy to accomplish this via Orchestrator:
  Compare Values: Select "Identity" and "SAM Account Name" for comparison.
  If the mailbox exists,  "Comparison result from Compare Values equals true".

• Performance tab not working in Enterprise Manager for user with dba role

  Database: 11g2
  New to Oracle. Don't want share SYS user account among dbas. Tried to create user with dba role to perform all tasks.
  1. Removed DBMS_JOB, DBMS_LOB, UTL_FILE, UTL_HTTP, UTL_SMTP, and UTL_TCP from PUBLIC
  2. Created user dbauser1 with dba role
  3. Log in as dbauser1 in Enterprise Manager
  After click Performance tab, it just went straight to "Database Login" page. No error message.
  Any suggestions or advice will be appreciated.
  piaoma

  Hi Gourav,
  This is the wsdl url:
  http://hostname:8000/sap/bc/srt/wsdl/bndg_E04711310A0E55F1A0E3005056B03D6F/wsdl11/allinone/ws_policy/document?sap-client=450
  Kind Regards,
  Richard

• How to see what are the privilages a USER has

  Hi all,
  How to see the what are the privilages a USER has.
  and
  In Oracle 10g, where the log files were created ?
  Thanks in advance,
  Pal

  Hi,
  You can use the "DBA_SYS_PRIVS" data dictionary view to see a user's system privileges.
  You can use the "DBA_ROLE_PRIVS" data dictionary view to see a user's roles by filtering on the "GRANTEE" column.
  Finally, you can see what direct grants a user has on tables, views, packages, types, procedures, functions, etc. with "DBA_TAB_PRIVS"...
  Hope this helps...

• How to verify that the user has changed table row data before db update

  Hi all,
  Iam using Oracle ADF with EJBs.
  I have a single selection table that displays rows of data returned from a function of my data control.
  The columns of my table are editable so that the user can change the data. The user selects a row, changes the data in one or more columns of the row and saves the data by means of a submit button. The code in the submit button, identifies the row of the corresponding iterator that the user clicked on and updates the data in the database (using the 'mergeEntity' function of the EntityManager)
  Before saving the data, I want to put some logic to check whether the user has actually changed some data to avoid unnecessary updates in the database . But for this I need a technique to detect that the user has indeed changed some data in the table row.
  One technique I have been using so far was to isolate the iterator row of the table and then query the corresponding row in the database table and compare their values.
  Except from dummy, this technique is not efficient if the table contains many rows.
  Moreover, in my case I have observed that on successive updates on the same row , the query on the database returns the new values (user changed values) and not the actual values contained in the database table. This means that when the user updates an iterator row the cached data affect also the results of the SELECT statement from the actual database table!!! Isn't this strange ?
  Can somebody propose me a neat method to detect when the user has changed the the data of an iterator row ?

  Hey Alan,
  The below solution seems overly complicated to me and can not be implemented without a custom screen and/or the use of JavaScript. Also, if your main concern is that a user may accidentally loose all their data because they closed the browser window or the session times out before they hit the save button then this solution does not help you.
  There are a couple of simpler approaches you can take here:
  # If the use of JavaScript is permissible you can hook into the windows 'onUnload' event, and pop-up a message box which gives the user the opportunity to cancel closing the window and save their case if they haven't already.
  # Implement an autosave feature by hooking into one of events provided by web determinations. A simple (but rather naive) way of doing this would be to hook into the OnRenderScreenEvent and call save on the interview session every time the event fires. This guarantees that all the data the user has submitted will aways automatically be saved, thereby removing the need to make sure the user manually saves their data before closing the browser.
  Automatically making Web Determinations close a browser window has to be done using JavaScript. However, doing so means that a) it won't work for people who turn off JavaScript, which is commonly done for accessibility reasons b) you'll likely run afoul of the browser's security mechanism (they generally won't let you close a window that you didn't open and some really don't like you doing that at all).
  Thanks,
  Kristy