Groups and Authorization

Hello,
I'm looking for the best way to use groups as a means to authorize. I have set up groups such as 'Group A', 'Group B', and I tried to set up a PL/SQL authorization scheme as follows:
wwv_flow_user_api.current_user_in_group('Group A')
But the PL/SQL failed at runtime although I've been able to get this to work with Conditional Display.
Can you suggest a good way to authorize via user groups?
Regards.

Christoph,
The packages wwv_flow_user_api and wwv_flow_fnd_user_api are not documented but are publicly executable, so you can describe them to discover the entry points and parameters, which should be self-explanatory. Please be aware that we recommend that you do not use the HTML DB account repository (the users table and the associated groups tables) for end users. Those tables and the supporting APIs are primarily for HTML DB internal application users (developers using the Application Builder, etc.) and interim users of HTML DB applications in the development environment. We urge developers of applications that will be deployed to a medium-to-large number of users to design and implement their own user repository/authorization model for the application and also to use an authentication mechanism that uses something other than the built-in HTML DB authentication scheme, e.g., LDAP or Single Sign-On.
Scott
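
As an added illustration of the application-owned repository recommended in the reply above (not code from the thread or from Oracle), here is a minimal group model with a fail-closed membership check that an authorization scheme can call. All table, function and user names are hypothetical, and usernames are assumed to be compared case-insensitively.

```sql
-- Added example: application-owned user/group repository.
-- Every object name below is a hypothetical placeholder.
create table app_users (
  username varchar2(255) primary key
);

create table app_groups (
  group_name varchar2(255) primary key
);

create table app_user_groups (
  username   varchar2(255) not null references app_users (username),
  group_name varchar2(255) not null references app_groups (group_name),
  constraint app_user_groups_pk primary key (username, group_name)
);

-- Constructed sample data.
insert into app_users  (username)   values ('CHRISTOPH');
insert into app_groups (group_name) values ('Group A');
insert into app_groups (group_name) values ('Group B');
insert into app_user_groups (username, group_name)
  values ('CHRISTOPH', 'Group A');
commit;

create or replace function app_user_in_group (
  p_username   in varchar2,
  p_group_name in varchar2
) return boolean
is
  l_count pls_integer;
begin
  -- Fail closed: an unauthenticated session or an empty group name
  -- never matches a membership row.
  if p_username is null or p_group_name is null then
    return false;
  end if;

  -- Membership is decided only by rows in the application's own table;
  -- bind variables keep the group name out of dynamic SQL.
  select count(*)
    into l_count
    from app_user_groups
   where upper(username) = upper(p_username)
     and group_name      = p_group_name;

  return l_count > 0;
end app_user_in_group;
/

-- Authorization scheme of type "PL/SQL Function Returning Boolean".
-- The scheme body must be a complete statement that returns a value:
--
--   return app_user_in_group(:APP_USER, 'Group A');
--
-- Attach the scheme to the application, page, region or button it protects.
```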

Similar Messages

  • Tcode to create activity group and authorization check,

    hi,
      Can anyone tell me the transaction code to create an activity group and authorization check?

    Hi
    I'm not sure about what you want to do, anyway have you tried the trxs SU20 and SU21?
    Max

  • Query Group and Authorization group is different

    Hi,
    In the Authorization screen, it is allowed to authorize up to 20 query groups, whereas in the Query Category window there is only a max of 15 query groups. For a future patch, is it possible to have matched query groups?
    Thanks.
    Regards,
    MH

  • Table showing Authorization group and Package

    Hi
    Is there any table where we can see the list of programs using BOTH selection criteria, Authorization group and package, together?
    Your help and time will be really appreciated.
    Thanks,
    Niki.

    Hi Niki,
    Try se84->Other Objects->Authorization Objects->choose one->Process->Complete list button on application toolbar.
    Regards
    Marcin

  • An issue with authentication and authorization on ISE 1.2

    Hi, I'm new to ISE.
    I have an issue with authentication and authorization.
    I have ISE 1.2 plus patch 6 installed on VMware.
    I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
    On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
    I created authentication and authorization rules with Active Directory as External Identity Source. Also I applied an authorization profile with DACL. I log in on the Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization), but only for several hours. After several hours have passed, authentication and authorization stop working. I can see that ISE is trying to authenticate and authorize users, but ISE always uses only one account for authentication and authorization. Even if I log in under different accounts, ISE continues to use only the one last account.
    I tried to reboot the switch and PC, but it didn't help. Only rebooting ISE helps. After rebooting ISE, authentication and authorization start to work properly for several hours.
    I don't understand: is it a glitch, or have I misconfigured ISE or the switch or the supplicant?
    What should I do to resolve this issue?
    Switch configuration:
     testISE#sh runn
    Building configuration...
    Current configuration : 7103 bytes
    ! Last configuration change at 12:20:15Tue Apr 15 2014
    ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname testISE
    boot-start-marker
    boot-end-marker
    no logging console
    logging monitor informational
    enable secret 5 ************
    enable password ********
    username radius-test password 0 ********
    username admin privilege 15 secret 5 ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 172.16.0.90 server-key ********
    aaa session-id common
    clock timezone 4 0
    system mtu routing 1500
    authentication mac-move permit
    ip dhcp snooping vlan 1,22
    ip dhcp snooping
    ip domain-name elauloks
    ip device tracking probe use-svi
    ip device tracking
    epm logging
    crypto pki trustpoint TP-self-signed-1888913408
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1888913408
     revocation-check none
     rsakeypair TP-self-signed-1888913408
    crypto pki certificate chain TP-self-signed-1888913408
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    ip ssh version 2
    interface FastEthernet0/5
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/6
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 1
     authentication event server alive action reinitialize
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    interface FastEthernet0/7
    interface Vlan1
     ip address 172.16.0.204 255.255.240.0
     no ip route-cache
    ip default-gateway 172.16.0.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     deny   icmp any host 172.16.0.1
     permit ip any any
    ip radius source-interface Vlan1
    logging origin-id ip
    logging source-interface Vlan1
    logging host 172.16.0.90 transport udp port 20514
    snmp-server community public RO
    snmp-server community ciscoro RO
    snmp-server trap-source Vlan1
    snmp-server source-interface informs Vlan1
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 172.16.0.90 ciscoro
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    radius server ISE-Alex
     address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key ******
    ntp server 172.16.0.1
    ntp server 172.16.0.5
    end

    Yes. Tried that (several times), didn't work. 5 people in my office, all with vers. 6.0.1, couldn't access their gmail accounts. Kept getting an error message that the username and password were invalid. Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain, and that did the trick. Think there is an issue with imap.gmail.com and IOS 6.0.1. I'm sure the 5 of us suddenly experiencing this issue aren't the only ones. Apple will figure it out. Thanks.

  • How to restrict sales group and sales office in va01?

    In transaction "va01", I want to restrict "sales group" and "sales office", but there is no
    related authorization object. I created a role named "z1000test001" with va01; there are only "division", "sales organization"
    and "distribution channel" which can be restricted.
    The authorization object with va01 is: V_VBAK_VKO.
    I found another authorization, V_VBKA_VKO, which contains "sales group" and "sales office",
    but this one seems to have no relationship with va01.
    Is there any method to restrict "sales group" and "sales office" in va01?
    Could anybody help me?

    Hello,
    This has been discussed before and there's a solution available.
    Have a look at this thread: Authorization for Sales Office and Sales Group
    Cheers
    Jurjen

  • ISE 1.2: Remove unused Sponsor Group and Identity Group

    Hi
    I started with ISE 1.1.2 and have now upgraded to 1.2.
    There are 1. Sponsor Groups and 2. Identity Groups which are no longer in use, but I am not able to remove them anymore.
    1. One is a special Sponsor group whose sponsor group policy I already removed. Then I go to Administration>Web Portal Management>Sponsor Groups and select the appropriate Group and click delete and ok to confirm, and the following error is displayed:
    com.cisco.cpm.nsf.api.exceptions.NSFEntityDeleteFailed: java.rmi.RemoteException: Failed to execute the Query : DELETE_USERONAPP ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found ; nested exception is: java.sql.SQLIntegrityConstraintViolationException: ORA-02292: integrity constraint (CEPM.EDF_GST_SPGRPID_SUB) violated - child record found
    2. The same happens with one Identity Group. I do not have it active anymore, not in authentication and not in authorization policy. I go to Administration>Identity Management>Groups> and select the group to remove, and click "Delete selected" and confirm with ok, and the following error occurs:
    Cannot delete selected Identity Group(s) because there are resources which are mapped to these or its child identity group(s)
    Is there any reason for any of these issues?
    Many thanks

    Hi ,
    Please open a service request with Cisco. These kinds of issues may happen when the dependencies are deleted from the UI but there is a chance that some of the dependencies may not be deleted completely and are not visible from the UI as well. These kinds of issues can be resolved under Cisco guidance.
    Thanks,
    Naresh

  • Authentication and Authorization question.

    Hi All,
    I require your help in getting my understanding of Authentication and Authorization validated. This is with respect to WebLogic Server and WebLogic Portal.
    Authentication.
    1. The custom authentication provider can authenticate (user and group) against any datastore (LDAP OR DB). The LoginModule is a kind of black box and it can return true/false depending on authentication.
    2. The end result of this process is true/false.
    Authorization.
    1. The custom authorization providers can authorize the authenticated user based on role. All these entities, i.e. (user, group, role), can be either in LDAP OR DB.
    2. The end result of this process is true/false.
    Role mapping.
    1. The custom role mapper can collect all the roles that a user belongs to and returns all roles. This can happen against LDAP OR DB.
    2. The end result is a list of roles for a user.
    Security policy configuration.
    Is it mandatory that a user/group/role should exist in the WebLogic Server LDAP server (OR Portal LDAP server) to create these policies and authorization rules? What I mean is: can the user, group and role exist in an application-specific database and still be used for creating security policies?
    Thanks,
    Prashanth Bhat.

    The Security Providers are useful/can be used for developing a standard j2ee application, which will be deployed as a standard j2ee application.
    The DA means Delegated Administrator, which is the way portal components are restricted to different types of administrators.
    The VE means Visitor Entitlements, which is the way portal components are restricted to end users.
    My question is whether these (DAs and VEs) can also be put in
    our datastore for access rights?
    Thanks,
    Prashanth Bhat.

  • Issue in External Table Authentication and Authorization in OBIEE11G

    Hello Gurus,
    Can anyone help me with how to configure External Table Authentication and Authorization in OBIEE11g through weblogic server, not in the 10g style (through INIT Blocks)?
    I've followed the (Doc ID 1338007.1) document. But when I restart the Managed servers and Admin servers after configuring the SQLAuthenticator, all my services are showing down.
    I already raised the SR (SR 3-6286054151) on this issue. But I still didn't get any reply from them.
    Can anyone help me out on this issue, or can anyone send me the document for "how to configure External Table Authentication and Authorization in OBIEE11g"? A quick response would really be appreciated.
    my mail ID [email protected]
    Thanks,
    Syam.
    Edited by: 942658 on Oct 13, 2012 10:55 AM

    Hi John,
    Thanks for your quick response.
    We configured "ReadOnlySQL Provider" by following Oracle's white paper (Doc ID 1338007.1). Please find below the steps we configured in the weblogic console.
    1. Created the Data Source
    2. In the data source specified the Database driver--> *Oracle's Driver Thin for service connections: Versions:9.0.1 and later.
    3. Defined the connection Properties.
    4. Selected targets as Admin server and bi_server.
    Then Activate changes
    5. Created a new provider by using ReadOnlySQL Authenticator
    6. In the provider specific tab we gave the SQL statements and saved it.
    7. Restarted the Admin and Managed servers.
    After restarting the services, when we open the Enterprise Manager page all the services are shown as Undefined - meaning red.
    Apart from that we followed your suggested link http://askjohnobiee.blogspot.com/2012/09/how-to-oid-authentication-with-groups.html
    For External table authentication do we need to configure BISQLAuthenticator or ReadOnlySQLAuthenticator?
    If we configure BISQLAuthenticator we just import Groups from the database to the Console application. Then how can it authenticate the User?
    Please let me know your ideas on this.
    Thanks,
    Syam

  • Business Service , Service Group  and Provider System for CE 7.2

    Hi
    I need documentation about Business Service , Service Group  and Provider System for CE 7.2.
    Att,
    Marco

    Did you get one? I need too.
    In SAP Help Portal there is a large quantity of documents, such as:
    http://help.sap.com/saphelp_nwce72/helpdata/en/88/a552908d4c44dc99b3ec247069921e/frameset.htm
    But there is so much content and I do not know which part I should start with.
    In the web blog of Ms. Stefanie Bacher:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/50d70a19-45a3-2b10-bba0-807d819daf46?quicklink=index&overridelayout=true
    she has briefly mentioned how to create a service group. But I cannot follow it in my NWDS CE7.1.
    Could anyone give me some tips on how to resolve the authorization problem of consuming web services?
    Thanks and regards
    Rene

  • No provisioning of User Group for authorization field in user master

    We are implementing CUP 5.3 workflows. Both in manual provisioning and automated provisioning based on User Defaults the user group gets only provisioned to the Groups tab in SU01. The field User Group for authorization on the Logon data tab remains empty (field CLASS from system table USLOGOND, filling CLASS field in table USR02).
    In User defaults both under user default and on the user group tab the user groups have been defined. In manual provisioning the correct list of user groups gets displayed for selection.
    Under field mapping in the Application field I only find User Group in user master maintenance, but not User group for authorization. However I would assume I do not need to use field mapping, as I want to automate this provisioning based on user defaults.
    Am I missing a configuration setting here? If so, where can I set it?
    I would assume the provisioning of this field is possible. RAR reports the user group also based on the User group for authorization and not from the Groups tab.

    S.Pados,
    I can assure you that what I said in my last response does provision the User Group For Authorization Check on the Logon Data tab; in fact, I was having the opposite issue where the Group tab was not being provisioned; however, I am running AE 5.2 and you said you are running 5.3; maybe something did change or got lost in the releases; it probably is good to see what SAP has to say about this; I would hate to lose this capability when I upgrade to AE 5.3
    As far as using the custom field for multiple applications, would that field not be usable for any of the applications you would select in the request form?; if you are using the same table names in the different SAP systems (selectable by the application field on the request) would the drop down selections be whatever the table has defined for that system? I may not be understanding something here so I am just asking;
    It would be great to have a Group field automatically filled in by another selection to avoid the user involvement; I agree with you there; because of our concerns on users entering the AE request, our shop has decided to continue with the users submitting the request through normal email and the security administrators perform the AE entering; this way we have a better idea on something like the GROUP field; we have an option to include the original email as an attachment for justification of the request
    Sorry I could not be of more help
    Jerry
    Ryerson,Inc.

  • User Groups and non Developers users

    Hi,
    Two questions.
    1) How do I create user groups?
    I want to divide specific users into specific groups.
    2) I created users that are neither developers nor administrators.
    When I logged on with those users I didn't see any of the applications, why?
    Thanx.

    1. You asked "how do I assign users to that group and later attach the group..." I think your question is not about how to assign users to a group but rather how to attach the group... Use the function wwv_flow_fnd_user_api.user_in_group in an authorization scheme (desc wwv_flow_fnd_user_api). Attach the scheme to a region, button, etc. to control access. Please read about authorization schemes in the user guide and search this forum for "authorization" and "groups" for useful threads.
    2. A user account without development privilege will be useful for authenticating to an application you create. It will not be useful for developing any applications in the Application Builder.
    Scott

  • Talent Group and Support Team

    Hi.
    To my understanding only Talent Management Specialists (TMS) assigned as members of the support team for each  Talent Group shall be able to maintain the Talent Group. This is an important function we need so that TMS can't delete another TMS Talent Group by mistake.
    However in our system any TMS can access and edit/delete any Talent Group regardless if they are assigned as support team member or not.
    Are there any settings we might have missed?
    We are using the SAP standard role (well a z-copy of it).
    /Mauritz

    Hi,
    I have the same requirement as Mauritz, i.e., the Talent Group should only be available for the persons in the Support Team. This applies to both Manager and Talent Management Specialist. So the TMS should only be able to modify and nominate candidates for own Talent Groups and other groups where he/she is assigned as member of the Support Team. The Manager should only be able to nominate candidates in Talent Assessment if the manager is in the support team (ideally, as an alternative, the manager should be able to nominate talent for talent groups created by the talent manager of his/her organization, but I don't expect SAP to provide such a sophisticated option).
    I have tried to use restricted Manager roles, but the manager can in my scenario nominate for talent groups even if the manager is not in the support team. Similar, as TMS, I can edit the Talent Groups created by other TMS, even if I am not in the support group.
    Have any of you found an easy way of restricting access to talent groups without creating a structural authorization profile for each of them? We are implementing this application on a global scale, so it is important to be able to create both local and global talent groups.
    Any input on this matter would be appreciated.

  • Channels and authorizations roles

    Hi all,
    Is it possible to control channel access using groups and role organizations?
    For example: user A accesses web service 1 and ws 2, user B accesses ws2 and ws3 and C accesses all ws.
    Thanks in advance and best regards,
    Renato.

    This issue is covered by the OSS note "Note 852237 - Extended authorization concept of the XI runtime": https://websmp110.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=852237&_NLANG=E
    Regards,
    Sandro

  • SE16 data display and authorizations.

    Hi Experts,
    I have the following few questions regarding data display and authorization using SE16:
    As an example, the SAP HCM solution for an enterprise is implemented in, say, 10 countries:
    - Is it that using SE16 the user has the authorization to display all data, including the data for different countries' employees?
    - Isn't the infotype data based on the country grouping settings, and shouldn't it not be displayed via SE16?
    - Can the authorization be controlled using a User group or some roles being assigned while creating the user id?
    Thank you for your help in advance.
    Thanks and Regards,
    Puneet Luthra

    Puneet,
    If you assign the SE16 tcode to a profile you can set the further authorization object S_TABU_DIS - here you can set authorization groups such as PA for HR infotype tables and SC for PD infotype tables.
    I do not believe that you can actually set infotype level access, i.e. if you give pa tables then they can see all pa tables; you cannot restrict to just, say, 0001 and 0007. This is independent of the P_ORGIN authorizations, so even if you restrict a certain infotype in P_ORGIN, they will be able to see it using SE16.
    One of the ways in which we have got around it in the past is to just create custom transactions for each table they want to see, such as zse16_pa0001, and assign individual tables to those who need it. Only HR experts and Support users need this kind of access in the production system so it should be relatively easy to maintain individually.
    Hope this helps.
