How to authenticate only specific AD users in ACS 5.1

Hi All,
Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers?
Currently What I have configured is onlyfor all AD users. I can't seem to find a way to be selective.
Thanks
Regards

Hi Ryan,
The way to control Active Directory access is via the Directory Groups tab under
Users and Identity Stores --> External Identity Stores --> Active Directory.
The way to permit TACACS+ mgmt access to your infrastructure devices is as follows:
1. Make your network admins part of a specific AD group
2. Add that AD group to the list of Directory Groups
3. In the Access Policy, click the Customize button as Mauricio suggested, and add "AD1:External Groups" to the selected critieria
4. In the policy rule, you will now be able to select your specific AD group to match against.
Additionally, you may want to verify that the identity selection is set to only check AD for the authentication portion, by default I think (if I'm not mistaken) the identity check should be AD1 (Active Directory only), but it's best to confirm that part as well.

Similar Messages

How to allow only the specified users/groups to open my pdf files...

Hi there,
I'm looking for resources/documents describing how to allow only the specified users/groups to open my pdf files by the Java API...
I've found a sample code creating a policy in the following document.
http://livedocs.adobe.com/livecycle/es/sdkHelp/programmer/sdkHelp/wwhelp/wwhimpl/js/html/w whelp.htm?context=sdkHelp&topic=learn_lc_sdk_invokeremoting
( API Quick Starts (Code Examples) > Rights Management Service API Quick Starts > Quick Start: Creating a new policy using the Java API )
But the sample code doesn't set recepients( users/groups ) who can open the pdf file.
How can I make it ?
Any samples ? or Does anybody can tell me which Java classes/methods I should use ??
Policy#addPolicyEntry(PolicyEntry policyEntry) ??
PolicyEntry#setPrincipal(Principal principal) ??
or none of them ?
Any hints are appreciated !
Thanks.

I'm not exactly sure what you are tying to do here, but typical approach when issuing one PDF par user/groups scenario goes like:
1. Create policy for specific purpose and add principal (user/group)
2. Apply policy on server side
3. Deliver the file (via email etc...)
If you are looking for sample codes, try quick start.
http://livedocs.adobe.com/livecycle/8.2/programLC/programmer/help/wwhelp/wwhimpl/js/html/w whelp.htm?&accessible=true
If you go "API Quick Start/Rights Management Service API Quick Starts", you might find something useful. I think you need "Creating Policies" or "Modifying Policies" for step 1 above, and "Applying Policies to PDF Documents" for step 2.
Hope this helps.

How to view only specific authentication requests in access tracker

Requirement:
How to view only "Healthy/Unhealthy" requests from a specific Webauth service.
Solution:
If we have more than one Webauth service (based on conditions such as Device type or NAS IP or posture status etc) and we need only Healthy/Unhealthy requests from a specific service in access tracker for administrative use; we need to create a custom Data filter.
Configuration:
Below are the steps to achieve the same:
Navigate to Monitoring > Data filters > Click on "Add" option to create a new filter
Specify a name on the "Filter" tab
Select the "Rule" tab to specify the unique condition (to filter the access tracker request)
Create the below conditions:
( Commonystem-Posture-Token CONTAINS Healthy )
- AND - ( Commonervice CONTAINS Windows-health-check )
5. Save this filter
Now we can use this Data filter in access tracker to only view Healthy Webauth requests from "Windows-health-check" service.
Verification
So now we can verify the output by looking at the access tracker.
At present we can see "Eight" webauth requests in access tracker. Now we want to see only Healthy web-auth request from "Windows-health-check" service.
We change the data filter to the Custom "healthy-filter" and now only see one request in access tracker as per our requirement.

Hi Vignesh,
ANy luck on this ? I am trying the almost same thing...and stuck at same point.
Please let us know if you have any more information.

How to allow only part of users in AD login sharepoint?

We have a SP2013 farm using windows authentication. On the AD there are 10,000 user accounts and we have no edit permission on AD. (Hence, I cannot setup any group there) As the Sharepoint admin I only have a list of 1,000 users allowed to access. There
is no existing group setup to indicate these 1,000 users.
My question is, how can I allow these 1,000 user login Sharepoint while blocking the other 9,000?
My concern is these 9,000 users will get their My Site self-created when he browse the My Site web application. Another concern is when they access some page without authorization, they will get a form allow them asking for access. The site owner may grant
access to them by mistake which I need to avoid.
Thanks.

Hello Mark,
Regarding the second part of your question. You can uncheck the option 'Allow requests for Access', it is described how in the following thread:
http://social.msdn.microsoft.com/Forums/sharepoint/en-US/d1e948cf-6289-48f9-9f25-81b57b292c40/how-to-hide-request-access
- Dennis | Netherlands | Blog |
Twitter

How do I only allow certain users to print in color?

Product Name: HP Color LaserJet Professional CP5225dn Printer (CE712A)
Operating System Installed: Windows 7 Enterprise (64bit)
I work at a K-12 school and purchased the HP Color LaserJet Professional CP5225dn Printer (CE712A) for use in our computer lab. I would like to know if it is possible to have it so that only certain users can print in color (possibly put a password on it). I know the cost for color is higher, and therefore, would like it so that students have to approve through teacher if they want to print in color.
We are running it on our Print Server (networked) not through USB.
Thank you for the help.

Hi,
That's a very good question actually. In my corporate networks, we are talking about hundreds of laser printers and the ONLY thing we can do: only allow people access to a set of mono laser printers, not all printers. For example, the following printer is using B&W as default but can't stop users to print in colors if they could access to the resourse:
Regards.
BH
**Click the KUDOS thumb up on the left to say 'Thanks'**
Make it easier for other people to find solutions by marking a Reply 'Accept as Solution' if it solves your problem.

How to authenticate external and internal users on different AD

What is the recommended way to authenticate external users as well as internal employees in a customer facing application?
We have external users in an Active Directory in the DMZ and our employees in our internal DMZ. Unfortunately we don't have an identity management system in place and wondering if there is a way we could authenticate user against two active directories without creating a trust between them.
We are implementing EP7.0
Thanks in Advance.

You can also use user partitioning. A feature of the UME which allows for having different user persistence options for different users. What you could do in this case have the external user stored in the local db or an LDAP for the external users and the internal users stored in an internal LDAP directory. For more details about <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/e0/b60b404b2b1e07e10000000a1550b0/frameset.htm">user partitioning</a>, please see the docs.
regards,
Patrick

How to download only specific photos from my camera?

Hi,
I'm in the habit of not deleting the photo images from my camera's CF card frequently. The problem with using iPhoto is that that it appears to only allow me to download ALL or NOTHING of the photos on my camera. I would like to selectively download specific photos from my camera with iPhoto. Is this possible?
Thanks.
mac book pro Mac OS X (10.4.9)

Hello.
There is also a way to selectively upload directly to iPhoto. If your camera mounts on the desktop as an external drive, simply ignore iPhoto's initial uploading screen. [Click back on Library in the Source Pane if this screen distracts you.] Choose File> Import to Library. A window will open where you can navigate to your camera, preview the images, and select only the ones you wish to upload. As in the Finder, Shift-click will select a contiguous range, and Command-click selects multiple, nonconsecutive items.
If your camera does not mount on the desktop (most Canons do not) then you can use a card reader. Place the card in the reader, connect to the Mac via USB, and use the above method to upload from the card. This is my preferred method, since it saves on the camera's batteries.
Cheers.

How to resize only specific text in PDF?

In the text above, how would I go about enlarging/resizing the text in arabic so that the text resizing doesn't affect the rest of the paragraph?
When I select "edit text & images", the entire paragraph is one box, and when I enlarge the font of the arabic word, the whole paragraph gets affected in that a bigger spacing appears between both lines of text.
So, how do I rezise that specific word on its own?
Thanks.

Hi, I did think of that, but it'd take me an awfully long time to go through the 200 page document in this fashion because I would need to cut that word, paste it into the new text field, then create space in the original paragraph to insert the arabic word.
Isn't there a way of perhaps selecting that word as an image by converting it or something and then resizing it?

How to allow only specific letters, numbers and symbols in input string

Hi all
i'm new to java and trying to program a polynom calculator.
so, you can enter a polynom string like for example "2.1x^3 + 3x^2 - 1". this all works fine.
but i only need numbers, some special symbols and only the letter x which will be the variable you can enter here, otherwise a message should be displayed that i entered an invalid character or symbol. and is it also possible to check that there is a space before and after a + or - sing?
the input string i'm reading it in with: String inputString = TastaturRead.readString();
anyone out there who can help me?
many thanks in advance.

Please don't cross-post.
Again, this looks backwards here. You seem to be using the string you want to split as the regex string, but again, I'm no expert here.
import java.util.regex.*;
public class Splitter {
 public static void main(String[] args) throws Exception {
 // Create a pattern to match breaks
 String pattern = "[+|-]+";
 Pattern p = Pattern.compile(pattern);
 // Split input with the pattern
 String input = "-5x^3+8x^2 - 2";
 //This smells wrong to me, backwards
 String[] result = p.split(input);
 for (int i=0; i<result.length; i++)
 System.out.println(result);
//This looks better to me.
result = input.split(pattern);
for (int i = 0; i < result.length; i++)
System.out.println(result[i]);

How to only synchronize one specific LDAP user group with SAP?

Hi,
Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
Thanks, Oscar

We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
Then we also have a constant for the LDAP_STARTING_POINT
For our AD Group Initial Load we filter according to these settings:
LDAP_FILTER_GROUPS = (objectclass=group)
LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
The above example only reads AD groups starting at the specified OU
Then in a Job From LDAP Pass the LDAP URL looks like this:
LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
I hope this helps
Paul

How to authenticate (JAAS) a user programmatically for batch processing

HI,
We're struggling to get our batch user proper authenticated and authorized to enable the batch user to execute various jobs. The Jobs are initially executed by a Quartz scheduler which in turn invokes to execute method on the specific batch job controller class. In this class we'll like to login the batch user before the processing starts and again logout the user before the jobs ends. The batch job processing does some updates on security protected entities - that's where the problems starts. To be able to update certain ADF Entities, the batch user must be in "batch-role". The permissions is configured in the jazn-data.xml file. ADF Security is enabled for the project and various entities is security protected. The application is deployed in one EAR file in into Weblogic 10.3.5. We're using JDeveloper 11.1.2.1.
When we login to the application through the login form in the application, then the security permissions is applied as they should and only users with the correct roles is able to update certain security protected entities. The login form uses something like this, to authenticate the user:
Subject subject = weblogic.security.services.Authentication.login(handler);
weblogic.servlet.security.ServletAuthentication.runAs(mySubject, request);
We'd like to do the same kind of authentication in the batch controller class, like:
Subject subject = weblogic.security.services.Authentication.login(new BatchLoginCallBackHandler());
weblogic.security.Security.runAs(subject,
new PrivilegedAction() {
public Object run() {
try {
executeJob(jec);
} catch (JobExecutionException e) {
e.printStackTrace();
return null;
But this doesn't work. When the job accesses ADFContext.getSecurityContext() it isn't the correct user which is logged in (actually it is the users which initially started the scheduler). And even thouth
boolean inBatchRole = aDFContext.getSecurityContext().isUserInRole("batch-role");
returns true, the user is not allowed to update entities which requires this role to allow an update. It some how seems to, that the login does affect the ADF application module (ADF Context).
We've tried a lot of other things but we're not able to login the batch user in the same way as the ADF Faces are.
Can anyone please help us?
Regards
Jacob

We have the same requirement.
We've tried these approaches, with no success:
AuthenticationService vAuthenticationService = AuthenticationServiceUtil.getAuthenticationService();
vAuthenticationService.login("user", "password");
resulting in Caused By: oracle.adf.share.security.ADFSecurityRuntimeException: EXC_UNSUPPORTED_AUTHENTICATION_OPERATION
and JAASAuthenticationService authService = new JAASAuthenticationService();
authService.login("user", "password");
Caused By: java.security.AccessControlException: access denied (oracle.security.jps.JpsPermission AppSecurityContext.setApplicationID.default)
If I test these methods in a simple java class's main method, they work.
I feel I'm missing something, could somebody please tell me if I'm thinking wrong: We have an application made of a Model project, a UI project(ADF) and a scheduler project(Quartz). Both the UI project and the scheduler use the Model project(ADF BC). We deploy 2 ears, one for the UI and one for the scheduler. The UI application's security is working just fine, and it's about time we enforce security for the scheduler. Scheduler has a Listener that extends QuartzListener, witch implements ServletContextListener. In the contextInitialized we launch different jobs using quartz. How could we make these jobs authenticate using some predefined user credentials?

How to display DB specific data in WEBI for users with Single Universe

hi,
I have a WEBI report which is based on Single Universe, which can support both Oracle and SQL Server databases.
There are 2 users for this report.
1) Oracle_User
2) SQLServer_User
When 'Oracle_User' opens report in InfoView, he should see the data from Oracle DB
When 'SQLServer_User' opens the same report in InfoView, he should see the data from SQL Server DB
Please let me know how to achieve this functionality.
Can we dynamically change the Universe connection based on the User who logged into InfoView..?
Thanks,
Vamsee

hi Anil,
Thank you for the response.
I have tried creating 2 connections and restricted each connection for each group, but in Infoview, only one group user is able to refresh the report, whose connection is exported along with the Universe. when the other group user tries to refresh the report, an error is displayed 'You donot have access the data from this Universe'.
So the reason is : 'As Universe can be exported to Repository with only one connection' that connection specific group user is able to access data from Universe Whereas other groupuser cannot( as other connection can't be exported along with the same universe).
As Universe can be exported to Repository with only one connection, how should these connections set for the corresponding groups?
Could you please provide me the detailed steps w.r.t connections restrictions...?
Thanks,
Vamsee

How to find my specific user exit

hi friends,
in the transaction vl06O , we have different screens under different tabs,
in the screen under shipment tab, there are two fields,
incoterm
productcode
i should change the values appearing in these fileds only for specific data,
the data to the incoterm field is brough from likp table,
i felt that, i shpuld be using a user exit for this,
can any one plz suggest me which user exit to user or how do i
find the correct user exit for this using break points, i found out that,
the field incoterm is being called from
a screen 2000 in
SAPMV50A program.
did any one face this problem earlier.
thank you.

Hi,
Use this code to find user exits for specific transaction. You can create a tool program with this..
REPORT z_find_userexit NO STANDARD PAGE HEADING.
TABLES : tstc,     "SAP Transaction Codes
         tadir,    "Directory of Repository Objects
         modsapt, "SAP Enhancements - Short Texts
         modact,   "Modifications
         trdir,    "System table TRDIR
         tfdir,    "Function Module
         enlfdir, "Additional Attributes for Function Modules
         tstct.    "Transaction Code Texts
DATA : jtab LIKE tadir OCCURS 0 WITH HEADER LINE.
DATA : field1(30).
DATA : v_devclass LIKE tadir-devclass.
*& Selection Screen Parameters
SELECTION-SCREEN BEGIN OF BLOCK a01 WITH FRAME TITLE text-001.
SELECTION-SCREEN SKIP.
PARAMETERS : p_tcode LIKE tstc-tcode OBLIGATORY.
SELECTION-SCREEN SKIP.
SELECTION-SCREEN END OF BLOCK a01.
*& Start of main program
START-OF-SELECTION.
Validate Transaction Code
SELECT SINGLE * FROM tstc
    WHERE tcode EQ p_tcode.
Find Repository Objects for transaction code
IF sy-subrc EQ 0.
    SELECT SINGLE * FROM tadir
       WHERE pgmid    = 'R3TR'
         AND object   = 'PROG'
         AND obj_name = tstc-pgmna.
    MOVE : tadir-devclass TO v_devclass.
    IF sy-subrc NE 0.
      SELECT SINGLE * FROM trdir
         WHERE name = tstc-pgmna.
      IF trdir-subc EQ 'F'.
        SELECT SINGLE * FROM tfdir
          WHERE pname = tstc-pgmna.
        SELECT SINGLE * FROM enlfdir
          WHERE funcname = tfdir-funcname.
        SELECT SINGLE * FROM tadir
          WHERE pgmid    = 'R3TR'
            AND object   = 'FUGR'
            AND obj_name = enlfdir-area.
        MOVE : tadir-devclass TO v_devclass.
      ENDIF.
    ENDIF.
Find SAP Modifactions
    SELECT * FROM tadir
      INTO TABLE jtab
      WHERE pgmid    = 'R3TR'
        AND object   = 'SMOD'
        AND devclass = v_devclass.
    SELECT SINGLE * FROM tstct
      WHERE sprsl EQ sy-langu
        AND tcode EQ p_tcode.
    FORMAT COLOR COL_POSITIVE INTENSIFIED OFF.
    WRITE:/(19) 'Transaction Code - ',
    20(20) p_tcode,
    45(50) tstct-ttext.
    SKIP.
    IF NOT jtab[] IS INITIAL.
      WRITE:/(95) sy-uline.
      FORMAT COLOR COL_HEADING INTENSIFIED ON.
      WRITE:/1 sy-vline,
      2 'Exit Name',
      21 sy-vline ,
      22 'Description',
      95 sy-vline.
      WRITE:/(95) sy-uline.
      LOOP AT jtab.
        SELECT SINGLE * FROM modsapt
        WHERE sprsl = sy-langu AND
        name = jtab-obj_name.
        FORMAT COLOR COL_NORMAL INTENSIFIED OFF.
        WRITE:/1 sy-vline,
        2 jtab-obj_name HOTSPOT ON,
        21 sy-vline ,
        22 modsapt-modtext,
        95 sy-vline.
      ENDLOOP.
      WRITE:/(95) sy-uline.
      DESCRIBE TABLE jtab.
      SKIP.
      FORMAT COLOR COL_TOTAL INTENSIFIED ON.
      WRITE:/ 'No of Exits:' , sy-tfill.
    ELSE.
      FORMAT COLOR COL_NEGATIVE INTENSIFIED ON.
      WRITE:/(95) 'No User Exit exists'.
    ENDIF.
ELSE.
    FORMAT COLOR COL_NEGATIVE INTENSIFIED ON.
    WRITE:/(95) 'Transaction Code Does Not Exist'.
ENDIF.
Take the user to SMOD for the Exit that was selected.
AT LINE-SELECTION.
GET CURSOR FIELD field1.
CHECK field1(4) EQ 'JTAB'.
SET PARAMETER ID 'MON' FIELD sy-lisel+1(10).
CALL TRANSACTION 'SMOD' AND SKIP FIRST SCREEN.
Enjoy SAP.
Pankaj Singh.

How to activate or deactivate a user-exit based a specific condition

hi all,
i want to activate or deactivate(make it trigger) a particular user-exit based in a condition.
can i do that. if yes please tell me how.
can we use COMMIT in user-exits or BADI's.
Thanks & Regards,
Saroja.

Hello Saroja
The solution provided by Rich should be used for testing purposes only in the the reverted sense:
IF ( syst-uname ne '<specific user>' ).
RETURN.
ENDIF.
" Execute user-exit for specific user
However, for serious programming you should use a a better strategy. In principle, user-exits are either ON or OFF and, if they are ON, they are ON for all user which is usually not intended.
The following example shows a (possible) strategy how to execute user-exits based on specific conditions.
The SAP extension CATS0001 contains the component EXIT_SAPLCATS_001 with the following interface:
FUNCTION EXIT_SAPLCATS_001.
*"*"Lokale Schnittstelle:
*" IMPORTING
*" VALUE(SAP_TCATS) LIKE TCATS STRUCTURE TCATS
*" VALUE(SAP_PERNR) LIKE CATSFIELDS-PERNR
*" VALUE(SAP_DATELEFT) LIKE CATSFIELDS-DATELEFT
*" VALUE(SAP_DATERIGHT) LIKE CATSFIELDS-DATERIGHT
*" VALUE(SAP_DATEFROM) LIKE CATSFIELDS-DATEFROM OPTIONAL
*" VALUE(SAP_DATETO) LIKE CATSFIELDS-DATETO OPTIONAL
*" TABLES
*" SAP_ICATSW STRUCTURE CATSW
*" SAP_ICATSW_FIX STRUCTURE CATSW OPTIONAL
INCLUDE ZXCATU01.
ENDFUNCTION.
The include ZXCATU01 contains only the following coding:
CALL FUNCTION 'Z_EXIT_SAPLCATS_001'
 EXPORTING
 sap_tcats = sap_tcats
 sap_pernr = sap_pernr
 sap_dateleft = sap_dateleft
 sap_dateright = sap_dateright
 SAP_DATEFROM = SAP_DATEFROM
 SAP_DATETO = SAP_DATETO
 tables
 sap_icatsw = sap_icatsw
 SAP_ICATSW_FIX = SAP_ICATSW_FIX.
This function module is just a copy of the exit function module in the customer namespace.
Let us assume that your condition at which the user-exit should be executed is that the employee (SAP_PERNR) belongs to a specific controlling area. Thus, we make another copy of the original exit function module and call this fm within the "general" customer-specific exit function module:
FUNCTION z_exit_saplcats_001.
*"*"Local Interface:
*" IMPORTING
*" VALUE(SAP_TCATS) LIKE TCATS STRUCTURE TCATS
*" VALUE(SAP_PERNR) LIKE CATSFIELDS-PERNR
*" VALUE(SAP_DATELEFT) LIKE CATSFIELDS-DATELEFT
*" VALUE(SAP_DATERIGHT) LIKE CATSFIELDS-DATERIGHT
*" VALUE(SAP_DATEFROM) LIKE CATSFIELDS-DATEFROM OPTIONAL
*" VALUE(SAP_DATETO) LIKE CATSFIELDS-DATETO OPTIONAL
*" TABLES
*" SAP_ICATSW STRUCTURE CATSW
*" SAP_ICATSW_FIX STRUCTURE CATSW OPTIONAL
" User-Exit specific for employees (SAP_PERNR)
" belonging to controlling area 1000
CALL FUNCTION 'Z_EXIT_SAPLCATS_001_1000'
 EXPORTING
 sap_tcats = sap_tcats
 sap_pernr = sap_pernr
 sap_dateleft = sap_dateleft
 sap_dateright = sap_dateright
 sap_datefrom = sap_datefrom
 sap_dateto = sap_dateto
 TABLES
 sap_icatsw = sap_icatsw
 sap_icatsw_fix = sap_icatsw_fix.
" User-Exit specific for employees (SAP_PERNR)
" belonging to controlling area 2000
CALL FUNCTION 'Z_EXIT_SAPLCATS_001_2000'
 EXPORTING
 sap_tcats = sap_tcats
 sap_pernr = sap_pernr
 sap_dateleft = sap_dateleft
 sap_dateright = sap_dateright
 sap_datefrom = sap_datefrom
 sap_dateto = sap_dateto
 TABLES
 sap_icatsw = sap_icatsw
 sap_icatsw_fix = sap_icatsw_fix.
ENDFUNCTION.
Finally, within the specific exit function module we define the condition when the exit should be executed:
FUNCTION z_exit_saplcats_001_1000.
*"*"Local Interface:
*" IMPORTING
*" VALUE(SAP_TCATS) LIKE TCATS STRUCTURE TCATS
*" VALUE(SAP_PERNR) LIKE CATSFIELDS-PERNR
*" VALUE(SAP_DATELEFT) LIKE CATSFIELDS-DATELEFT
*" VALUE(SAP_DATERIGHT) LIKE CATSFIELDS-DATERIGHT
*" VALUE(SAP_DATEFROM) LIKE CATSFIELDS-DATEFROM OPTIONAL
*" VALUE(SAP_DATETO) LIKE CATSFIELDS-DATETO OPTIONAL
*" TABLES
*" SAP_ICATSW STRUCTURE CATSW
*" SAP_ICATSW_FIX STRUCTURE CATSW OPTIONAL
IF ( <user BELONGS to CONTROLLING area 1000> ).
 " execute user-exit
ELSE.
 RETURN.
ENDIF.
ENDFUNCTION.
The alternative would be to place the entire coding including the conditions in the include ZXCATU01. However, in this case you can test the user exit only in the context of the transaction in which the user-exit is passed.
Using the strategy I have devised you are able to test the user-exit in general and the specific user-exits independent of the transaction. For example, if you are already working on 6.40 or higher then you could use ABAP Unit Testing for this purpose.
The same logic can be applied for BAdI where we can have only a single active implementation.
Finally, I hope to convince that it makes sense to spend some time into a reasonable strategy for implementing user-exits.
Regards
Uwe

Delegate specific domain user to do add/remove hardware&software, join to domain feature only.

Dear team;
I want to Delegate specific domain user to do two things add/remove hardware/software, join to domain feature only without give him Local admin
Best regards
LAshkham

Hi,
Please understand that if you want make some specific domain users add/remove hardware/software on domain computers, you should grant these users the local admin right. We could grant the local
admin right using Restricted Groups Policy Settings or Local Users and Groups GPP setting. For details, please refer to the following articles.
Restricted Groups Policy Settings
http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx
How to use Group Policy Preferences to Secure Local Administrator Groups
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
You also mentioned that you want to delegate the
Join a computer to a domain task to these specific users. Regarding the request, we could delegate the task via Delegation of Control Wizard. For details, please refer to the following article.
Delegation of Control Wizard
http://technet.microsoft.com/en-us/library/dd145344.aspx
Hope this helps.
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback on our support quality, please send your feedback
here.
Andy Qi
TechNet Community Support

How to authenticate only specific AD users in ACS 5.1

Similar Messages

Maybe you are looking for