How to check if a user has a particular role in sql server
Is it possible to check to see if a user has a particular role in sql server? For instance, I need to check to see if the user logging in has write ability to the database. Thanks in advance.
To answer your question from a Java-perspective, since this is a Java-forum: No.
The JDBC 3.0 specification does not state that the driver has to implement a user credential mechanism.
However, the DriverManager will throw an SQLException if user credentials are not met at all and the Connection should throw you a SQLException when trying to create or execute a statement that you are not allowed to do.
Similar Messages
-
How to check if the user has only the display authority of a message
hi,
How to check if the user has only the display authority of a message but does not have the change authority for a certain message?
Best regards,
hi blake
Though I am an application consultant, and for authorisation you need the help of a BASIS person if you are not one, I can still guide you regarding the same.
Basically Authorization Management
Use
You can use the following authorization objects to control the authorizations for maintaining business partner data:
Authorization objects for the Business Partner:
 B_BUPA_GRP
 B_BUPA_ATT
 B_BUPA_FDG
 B_BUPA_RLT
Authorization objects for relationships:
 B_BUPR_BZT
 B_BUPR_FDG
In addition, you can assign an authorization group to a business partner in the dialog. The authorization group controls which users may maintain data for this business partner.
You can also define authorizations for fields and field groups using the Business Data Toolset (BDT). Depending on the settings you have made, the system carries out the relevant authorization checks.
In the dialog in the SAP GUI, you can display an overview of the authorizations assigned to you by pressing the button Settings.
For more information on authorization management, see the Implementation Guide (IMG) of the Business Partner, as well as in the Developers Handbook for the BDT under Authorizations.
Integration
Authorization management for the Business Partner forms part of the SAP authorization concept.
Prerequisites
You have made the necessary settings in Customizing of the Business Partner under Basic Settings -> Address Management.
Moving over
AS ABAP Authorization Concept
The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
Authorization Checks
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
Starting SAP transactions (authorization object S_TCODE)
Starting reports (authorization object S_PROGRAM)
Calling RFC function modules (authorization object S_RFC)
Table maintenance with generic tools (S_TABU_DIS)
Checking at Program Level with AUTHORITY-CHECK
Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
Starting SAP Transactions
When a user starts a transaction, the system performs the following checks:
The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
The system then checks whether the user has authorization to start the transaction.
The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
 The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
 If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, table TSTCA).
If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.
The check is not performed in the following cases:
You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
 You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
 So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to Y (using transaction RZ10).
All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
Starting Report Classes
You can perform additional authorization checks by assigning reports to authorization classes (using report RSCSAUTH). You can, for example, assign all PA* reports to an authorization class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the appropriate authorization to execute reports in this class.
We do not deliver any predefined report classes. You must decide yourself which reports you want to protect in this way. You can also enter the authorization classes for reports with the maintenance functions for report trees. This method provides a hierarchical approach for assigning authorizations for reports. You can, for example, assign an authorization class to a report node, meaning that all reports at this node automatically belong to this class. This means that you have a more transparent overview of the authorization classes to which the various reports are transported.
You must consider the following:
After you have assigned reports to authorization classes or have changed assignments, you may have to adjust objects in your authorization concept (such as roles (activity groups), profiles, or user master records).
There are certain system reports that you cannot assign to any authorization class. These include:
RSRZLLG0
STARTMEN (as of SAP R/3 4.0)
Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001, ZXUSRU01).
Authorization assignments for reports are overwritten during an upgrade. After an upgrade, you must therefore restore your customer-specific report authorizations.
Calling RFC Function Modules
When RFC function modules are called by an RFC client program or another system, an authorization check is performed for the authorization object S_RFC in the called system. This check uses the name of the function group to which the function module belongs. You can deactivate this check with parameter auth/rfc_authority_check.
Checking Assignment of Authorization Groups to Tables
You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
Please see also:
SAP Notes 7642, 20534, 23342, 33154, and 67766
I guess this info will help you. There is one graphic which actually explains the hierarchy of authorisation; I will find some time to let you know more info about the authorisation,
but if you sit with your BASIS guy then you can learn a lot of things in PFCG.
I guess you are a BASIS guy, then it's not a problem.
best regards
ashish -
Check if a user has a specific role
Hello,
Is it possible to check if a user has a specific role in MII 12.0?
For example if the user has the role "xmii Developers" I would do something more in a transaction than if the user doesn't have this role.
Thank you for your help.
Regards,
Matthias
Hi Matthias Pröller,
Are you finding it difficult to trace which role a user is assigned to? If so, then you can refer to Abesh's blog.
OR
If you are writing a Transaction to get the user list based on Role, then you can do the following:
Create an XML query.
Configure the above XML Query in the Transaction; in the links, map the (XML Query) URL like the one given below:
"https://Server:Port/XMII/Illuminator?service=admin&Mode=UserList&Content-Type=text/xml&group=XMII Administrators&IllumLoginName=loginId&IllumLoginPassword=pwd"
Regards,
Padma
Edited by: Rao on Mar 31, 2009 11:52 AM -
How to check if a user has a deferred task or not?
Right now, I use getView and then check for the deferred task as below
1)
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='getView'/>
<Argument name='type' value='User'/>
<Argument name='id' value='$(accountId)'/>
</Action>
2)
<Transition to='Add Deferred Task'>
<isnull>
<ref>view.accounts[Lighthouse].properties.tasks[Task Name]</ref>
</isnull>
</Transition>
Is there a quicker way to combine both steps 1 and 2 into one step?
Here's my code
<Action id='0' application='com.waveset.session.WorkflowServices'>
<Argument name='op' value='queryObjectNames'/>
<Argument name='type' value='User'/>
<Argument name='single' value='true'/>
<Argument name='attributes'>
<map>
<s>accountId</s>
<ref>accountId</ref>
<s>deferredTaskDate</s>
<s>Task 123</s>
</map>
</Argument>
</Action>
So I'll pass in 2 parameters, the accountId and a task name. I want to see if this user has that particular task name or not.
In the WF trace, I see this
Argument attributes = {accountId=ABC, deferredTaskDate=Task 123}
queryResult is null because it could not find this user even though user ABC exists in IDM and has a deferred task named Task 123.
Is my code wrong and how do I use AttributeCondition in the queryObjectNames above? -
How to check if a user has SAP_ALL in a program?
Hi:
I want to create a program that will check if the user has SAP_ALL. Is there a standard FM or BAPI? Otherwise, can someone please help.
Thank you.
Seshagiri Gopi
Hi,
Please check the below link:
http://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
Regards,
Nilesh. -
How to check if a user has access to a responsibility
Hi,
I have a user_id in the controller. How do I know if this user has a particular responsibility added to him or not? I guess there is a specific profile call which gives this information. Can you give me that information?
Thanks,
HC
Create a VO with the following SQL, passing userid as the bind value:
SELECT C.USER_NAME,
B.RESPONSIBILITY_NAME,
A.START_DATE,
A.END_DATE
FROM APPS.FND_USER_RESP_GROUPS_DIRECT A,
APPS.FND_RESPONSIBILITY_TL B,
APPS.FND_USER C
WHERE C.USER_ID = A.USER_ID
AND C.USER_NAME= :1
AND B.RESPONSIBILITY_ID = A.RESPONSIBILITY_ID
You will have the list of all the responsibilities of a user.
Kristofer -
How to check if the user has logged in when he logs in again?
Hi all,
I was wondering how to track if the user has already logged in?
When this user uses browser A to log in and then tries to log in using a new browser, how am I going to know that, and terminate his session?
Hello!
You can try this code if you want that, if a user is logged in at one machine and tries to log in from another, he can continue his processing at the second machine (because it will get the higher priority) but cannot process from the first machine. This code allows the login, but only the second one will be active.
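<jsp:useBean id="monitor1" scope="application" class="java.util.HashMap"/>
<%
// num: key identifying the logged-in user (set elsewhere on the page)
if (monitor1.containsKey(num)) {
    // End the session from the earlier login so that only the newest one stays active
    HttpSession oldSession = (HttpSession) monitor1.get(num);
    oldSession.invalidate();
    monitor1.remove(num);
}
// Register the current session as the active one for this user
monitor1.put(num, session);
%>
But if you want to restrict it at the time of the second login, then you can use any of the techniques discussed above.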
aNTUMNIHA -
How to check if a user has clicked on a digital control and changed its value?
Greetings !!!
I am looking for a simple way (without using Windows messages)of knowing if an user has clicked on a digital control and changed its value.
I have tried the key focus property; but I have to click twice to make it work.
If somebody knows a better solution; please let me know.
Thank you in advance for your help
If you just want to know if the value has changed you can put it in a while loop and use shift registers to see if the value has changed.
Brian
Attachments:
Changed.vi 22 KB -
How to check if a user session is active in Java application server
Hi Experts,
We have a online scenario with a third party system by which a portal user will launch the third party application in a new window from portal. The SSO will work at the third party web application with the dynamic key that is generated by calling a webservice for that user. Now, as the user works on the launched screen, they will have to check whether the user (logged in portal) session is still active. ie., they will be periodically calling a service hosted by SAP java application server to find out whether the corresponding user who launched the session is still logged in or logged out.
So, my question is, how can I find out programmatically whether a user/user's session is still logged in/active in SAP NetWeaver Java AS? We are in version 7.3.
Kindly help me in this regard.
Regards
Vijay.K
Hi Vijay,
Could you check the links below:
Tracing Single User Sessions - Administration - SAP Library
Display and Manage User Sessions (SAP Library - Tools for Monitoring the System)
Hope this helps.
Regards,
Deepak Kori -
How to check whether the user has a certificate or not?
Hi everyone.
We're currently finishing a web project and the last step is to check whether users accessing the application have a valid certificate or not.
Users with a valid certificate can access all the data. Users without any certificate installed on their browsers may still proceed, but they won't be able to see all data. Please note that the lack of a certificate doesn't mean an error - it's just another use case.
Is there any way to check whether users have a certificate installed on their browsers?
Thanks in advance.
Edit: sorry, I forgot to post some tech details. We're using Struts 1.2 on a Tomcat 5 app server.
Message was edited by:
advaca
I am not sure how Tomcat handles this, but you need to use two-way (mutual authentication) request but not enforce SSL between Tomcat and the client browser. This will make the browser prompt the user for the cert they want to send. Then you'll need to tackle the other part of your problem, getting the correct content displayed depending on whether the user sent a cert or not. I'm even less help there than I was on the first part of your question.
So, yeah - good luck with that
Lee -
How to check whether a user has permission to create term in Taxonomy Term Store using CSOM ?
I want to check programmatically whether the current user is a Term Store Administrator or not.
-
How to check logged in user belongs to particular group using workflow
HI All,
I have a list and I want to implement row-level security based on the list field called Relevant group.
I have a list field called RelevantGroup; this field is a choice field and it has a couple of SharePoint site groups that I have created. Now what I want to do is allow the current logged-in user to edit the record based on his/her security group. For example,
if I am logged in and I am a member of the current record's RelevantGroup, I can edit the record; if I am not a member of the RelevantGroup, then the system shouldn't allow me to edit the record.
I want to do this with a SharePoint Designer workflow. Can someone please help me? Using SPD2013.
Thanks.
d.n weerasinghe
Is the form being served up from livecycle? If not, how is the form being served up to the user?
-
How can I check if an user has access to an url within my web app?
Hi,
I have a web application where I allow the users to set their startup page by presenting them a list of startup pages. However, some startup pages can accessed only by certain users, so I want to present the user only those pages the user has access to.
How can I do this with weblogic?
One way is to read the web.xml file and determine the roles that have access to the page, then check whether the user has any of those roles.
Is there a better way eventually using some weblogic api?
Thanks
Just for the record, I decided to parse the web.xml file and to simulate whatever the container does.
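The approach described in this thread (read web.xml, work out which roles may reach each page, compare with the user's roles), as an added Python example that is not the poster's code or a WebLogic API. It applies the Servlet specification's best-match rule for url-pattern and assumes the user's role names are already known; the descriptor, page paths and function names are constructed, and http-method, transport-guarantee and weblogic.xml role mappings are not modelled.

```python
import xml.etree.ElementTree as ET
# Constructed, abridged sample descriptor (web-resource-name elements omitted).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/reports/summary.jsp</url-pattern><url-pattern>*.rpt</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>manager</role-name><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-role><role-name>admin</role-name></security-role>
 <security-role><role-name>manager</role-name></security-role>
 <security-role><role-name>employee</role-name></security-role>
</web-app>"""

def _children(el, name):
    """Child elements with this local name, ignoring the XML namespace."""
    return [c for c in el if c.tag.rsplit('}', 1)[-1] == name]

def load_constraints(xml_text):
    """Return [(url_patterns, roles)]; roles is None when there is no auth-constraint."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for sr in _children(root, 'security-role')
                for r in _children(sr, 'role-name')}
    result = []
    for sc in _children(root, 'security-constraint'):
        patterns = [p.text.strip() for wrc in _children(sc, 'web-resource-collection')
                    for p in _children(wrc, 'url-pattern')]
        auth, roles = _children(sc, 'auth-constraint'), None
        if auth:
            roles = {r.text.strip() for r in _children(auth[0], 'role-name')}
            if '*' in roles:            # "*" stands for every declared role
                roles = set(declared)
        result.append((patterns, roles))
    return result

def _rank(pattern, path):
    """Servlet-spec precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith('/*') and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith('*.') and path.rsplit('/', 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == '/' else None

def can_access(constraints, path, user_roles):
    """True if a user holding user_roles may request path (HTTP methods ignored)."""
    best, matched = None, []
    for patterns, roles in constraints:
        for p in patterns:
            rank = _rank(p, path)
            if rank is not None and (best is None or rank > best):
                best, matched = rank, [roles]       # better match replaces earlier ones
            elif rank is not None and rank == best:
                matched.append(roles)               # same pattern: constraints combine
    if not matched:
        return True                     # no constraint covers this path
    if any(r is not None and not r for r in matched):
        return False                    # empty auth-constraint: nobody gets in
    if any(r is None for r in matched):
        return True                     # constraint without auth-constraint: open
    return bool(set(user_roles) & set().union(*matched))

def allowed_pages(constraints, pages, user_roles):
    return [p for p in pages if can_access(constraints, p, user_roles)]
```

In the sample, /reports/q1.rpt is governed by /reports/* rather than *.rpt because a path-prefix match outranks an extension match, which is the kind of container behaviour a hand-written check has to reproduce.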
-
Access 2010 checking if a user has opened a zipped rather than expanded database
Is there a property or method that can be used to detect/ check if a user has opened a zipped copy of a database?
I distribute a zipped copy of a database and expect users to extract it before using it but some times a user simply opens the zipped copy and later encounters problems. I would like to display a message notifying the user that they must first expand the zipped file before opening the database.
phil kelly
Maybe this will help.
Option Compare Database
Option Explicit
'See MSDN for more constants: http://msdn2.microsoft.com/en-us/library/ms839432.aspx
Const CSIDL_APPDATA = &H16
Const CSIDL_DESKTOP = &H0
Const CSIDL_PROGRAMS = &H2
Const CSIDL_CONTROLS = &H3
Const CSIDL_PRINTERS = &H4
Const CSIDL_PERSONAL = &H5
Const CSIDL_FAVORITES = &H6
Const CSIDL_STARTUP = &H7
Const CSIDL_RECENT = &H8
Const CSIDL_SENDTO = &H9
Const CSIDL_BITBUCKET = &HA
Const CSIDL_STARTMENU = &HB
Const CSIDL_DESKTOPDIRECTORY = &H10
Const CSIDL_DRIVES = &H11
Const CSIDL_NETWORK = &H12
Const CSIDL_NETHOOD = &H13
Const CSIDL_FONTS = &H14
Const CSIDL_TEMPLATES = &H15
Const MAX_PATH = 260
Private Type SHITEMID
cb As Long
abID As Byte
End Type
Private Type ITEMIDLIST
mkid As SHITEMID
End Type
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Public Function GetProgramFilesFolder() As String
    'Resolve the Program Files folder through the Shell namespace
    Const PROGRAM_FILES = &H26&
    Dim objShell As Object
    Dim objFolder As Object
    Dim objFolderItem As Object
    Set objShell = CreateObject("Shell.Application")
    Set objFolder = objShell.Namespace(PROGRAM_FILES)
    Set objFolderItem = objFolder.Self
    Debug.Print objFolderItem.Path
    'Return the path to the caller as well as printing it
    GetProgramFilesFolder = objFolderItem.Path
End Function
Private Function GetSpecialfolder(CSIDL As Long) As String
Dim r As Long
Dim IDL As ITEMIDLIST
Dim sPath As String
'Get the special folder
r = SHGetSpecialFolderLocation(100, CSIDL, IDL)
If r = 0 Then
'Create a buffer
sPath$ = Space$(512)
'Get the sPath from the IDList
r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal sPath$)
'Remove the unnecessary chr$(0)'s
GetSpecialfolder = Left$(sPath, InStr(sPath, Chr$(0)) - 1)
Exit Function
End If
GetSpecialfolder = ""
End Function
Public Sub PrintSpecFolderPaths()
'KPD-Team 1998
'URL: http://www.allapi.net/
'E-Mail: [email protected]
'Print the folders to the form
Debug.Print "Start menu folder: " & GetSpecialfolder(CSIDL_STARTMENU)
Debug.Print "Favorites folder: " & GetSpecialfolder(CSIDL_FAVORITES)
Debug.Print "Programs folder: " & GetSpecialfolder(CSIDL_PROGRAMS)
Debug.Print "Desktop folder: " & GetSpecialfolder(CSIDL_DESKTOP)
Debug.Print "My Docs folder: " & GetSpecialfolder(CSIDL_PERSONAL)
End Sub
Bill Mosca
www.thatlldoit.com
http://tech.groups.yahoo.com/group/MS_Access_Professionals -
Checking if a user has a role (FGAC)
Hi!
I am implementing Fine Grained Access Control on a table and in my policy function I do not want to restrict the amount of result data on a select if the current user has a certain role (otherwise I want to).
My idea was to check USER_ROLE_PRIVS/ROLE_ROLE_PRIVS for the role, but the stored procedure runs with definer-rights, so that won't help.
Running the procedure with invoker-rights won't help either, since not the current user is the invoker of the policy function but the DB system (user sys?).
And finally, the definer of the policy function does not have DBA privs, so I can't select the DBA_* views to check if the current user has the role.
Is there another way to check if the current user that is known inside the policy function by the USER variable has a certain role?
Thanks for your help!
Marcus
Hi Frank,
thanks for your answer!
Frank Kulash wrote:
Policy functions are run by the user who queries or tries to do DML on the table.
I don't see that this is happening. Here's my test case:
CREATE OR REPLACE FUNCTION CU_is_member_of
  (v_role IN VARCHAR2) RETURN NUMBER
  AUTHID CURRENT_USER
is
  v_res VARCHAR2(255);
begin
  -- Count matches for v_role among roles granted to the user and roles granted to those roles
  SELECT COUNT(*)
  INTO v_res
  FROM
    (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
     UNION
     select GRANTED_ROLE from role_role_privs)
  WHERE UPPER(GRANTED_ROLE)=UPPER(v_role);
  RETURN to_number(v_res);
end;
/
CREATE OR REPLACE FUNCTION POLIFUNC_PARTTYPES_WRITE
  (p_schemaname IN varchar2, p_tablename IN varchar2)
  RETURN VARCHAR2
IS
BEGIN
  -- An empty predicate means no restriction; '1=0' hides every row
  IF USER=p_schemaname
  THEN RETURN '';
  ELSE
    BEGIN
      if SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES')=1
      THEN RETURN ''; -- *****
      ELSE
        BEGIN
          RETURN '1=0';
        END;
      end if;
    end;
  END IF;
END;
/
CALL SYS.DBMS_RLS.ADD_POLICY('SYSWM_TOOL', 'TBL_PARTTYPES', 'POL_PARTTYPES', 'SYSWM_TOOL', 'POLIFUNC_PARTTYPES_WRITE', 'select'); --TODO: SELECT->UPDATE,INSERT,DELETE
If the policy function is run by the user who queries, then I would expect that a user who has the role querying table TBL_PARTTYPES would see all entries since he would run into the line marked with *****.
SQL> select SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES') FROM DUAL;
SYSWM_TOOL.CU_IS_MEMBER_OF('#ACT#WMT_MANAGE_PARTTYPES')
1
SQL> SELECT COUNT(*)
2 FROM
3 (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
4 UNION
5 select GRANTED_ROLE from role_role_privs)
6 WHERE UPPER(GRANTED_ROLE)=UPPER('#ACT#WMT_MANAGE_PARTTYPES');
COUNT(*)
1
So, the current user has the role and the stored function CU_IS_MEMBER_OF works correctly. However:
SQL> select count(*) from syswm_tool.tbl_parttypes;
COUNT(*)
0
What am I missing here?
Marcus