How to determine if a user has access to an item

Without using the WWSEC_API, i need to find out if a user (not the logged in user) has the right privileges to view an item (url).
Has anyone identified what tables are involved in determining if a user has access to view an item ?

Create a vo with the following SQL passing userid as bind value:
SELECT C.USER_NAME,
B.RESPONSIBILITY_NAME,
A.START_DATE,
A.END_DATE
FROM APPS.FND_USER_RESP_GROUPS_DIRECT A,
APPS.FND_RESPONSIBILITY_TL B,
APPS.FND_USER C
WHERE C.USER_ID = A.USER_ID
AND C.USER_NAME= :1
AND B.RESPONSIBILITY_ID = A.RESPONSIBILITY_ID
You will have the list of all the responsibilities of a user.
Kristofer

Similar Messages

  • How to check if a user has access to a responsibility

    Hi,
    I have a user_id in the controller. How do I know if this user has a particular responsibility added to him or not. I guess there a specific proflle call which gives this information. Can you give me that information.
    Thanks,
    HC

    Create a vo with the following SQL passing userid as bind value:
    SELECT C.USER_NAME,
    B.RESPONSIBILITY_NAME,
    A.START_DATE,
    A.END_DATE
    FROM APPS.FND_USER_RESP_GROUPS_DIRECT A,
    APPS.FND_RESPONSIBILITY_TL B,
    APPS.FND_USER C
    WHERE C.USER_ID = A.USER_ID
    AND C.USER_NAME= :1
    AND B.RESPONSIBILITY_ID = A.RESPONSIBILITY_ID
    You will have the list of all the responsibilities of a user.
    Kristofer

  • Determine if a user has access to a URL in a webApp?

    Hello All.
    I have created a WebApp and defined <security-constraint>'s in the
    /WEB-INF/web.xml file, and all works fine.
    However, I would like to enable/disable links on my User Interface based on
    the current user's groups/roles and the <security-constraints>'s.
    I can use the request.isUserInRole() method to determine if a user belongs
    to a particular role.
    However, what happens if the access to the URL changes in the web.xml file.
    I need to programmatically determine which roles can access a URL defined in
    the <security-constraint>.
    Are there any weblogic classes that will assist in determining url patterns
    and roles.
    Any help would be greatly appreciated.
    Thank you
    Brad Hof

    Bradley Hof wrote:
    Hello All.
    I have created a WebApp and defined <security-constraint>'s in the
    /WEB-INF/web.xml file, and all works fine.
    However, I would like to enable/disable links on my User Interface based on
    the current user's groups/roles and the <security-constraints>'s.
    I can use the request.isUserInRole() method to determine if a user belongs
    to a particular role.
    However, what happens if the access to the URL changes in the web.xml file.You can't redeploy webapps in WL 5.1 so this will never happen :)
    Cheers,
    Alex

  • How to find if a user has access to view "all_directories" ??

    A developer has complained that he cannot access view all_directories which he was able to access few days ago in production.However in development instance , he is able to query from the view all_directories.
    How to compare the two access for the same schem ain two different instance ??

    Vicky wrote:
    Ask them to provide proof (screen copy-paste or whatever) indicating the failure.Yeah , you were right, they were able to query the table, but not returning any rows. ( they flabbergasted me...). They are telling me that earlier they were able to query and get output, but they are not getting any row now ....just no rows selelctedThat makes more sense - all accessible directories for the user removed by the administrators.

  • How can I check if an user has access to an url within my web app?

    Hi,
    I have a web application where I allow the users to set their startup page by presenting them a list of startup pages. However, some startup pages can accessed only by certain users, so I want to present the user only those pages the user has access to.
    How can I do this with weblogic?
    One way is to read the web.xml file and determine the roles that have access to the page, then check whether the user has any of those roles.
    Is there a better way eventually using some weblogic api?
    Thanks

    Just for the record, I decided to parse the web.xml file and to simulate whatever the container does.

  • How do I test to see if a user has access on a site?

    I am completely new to PowerShell, but I have a requirement to build a PowerShell script that will run against a site, a set of sites or a web application. How do I add a check within my script to test if a user has rights on the site they are running it
    on or not? Am clueless on how to test if the user has rights to a site....I basically am trying to test, then let them know that they do not have access on a site or not. 
    How can I get this done? Please help.

    I now have this code which I think should do the trick, but I am getting an exception when i step through it. The $serverContext variable is always null. Does anyone know why I am getting this?
    write-host "Please enter the url of the site collection"
    $url = read-host
    write-host "Please enter the username of the user"
    $userName = read-host
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    $serverContext = [Microsoft.Office.Server.ServerContext]::GetContext($site)
    $userProfileManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($serverContext)
    $userProfile = $userProfileManager.GetUserProfile($userName)
    $userLogin = $userProfile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value.ToString()
    $webs = $site.AllWebs
    foreach ($web in $webs)
    $permissionInfo = $web.GetUserEffectivePermissionInfo($userLogin)
    $roles = $permissionInfo.RoleAssignments
    write-host "Now checking the permissions of the user " $userLogin " " "in the site " $web.Url
    for ($i = 0; $i -lt $roles.Count; $i++)
    $bRoles = $roles[$i].RoleDefinitionBindings
    foreach ($roleDefinition in $bRoles)
    if ($roles[$i].Member.ToString().Contains('\'))
    write-host "The User " $userLogin " has direct permissions " $roleDefinition.Name
    else
    write-host "The User " $userLogin " has permissions " $roleDefinition.Name " given via " $roles[$i].Member.ToString()
    Thanks for the help.
     

  • How do I get a list of the reports that a user has access to?

    <p>I need to be able to determine which reports a specified user has access to.  This is for an application where users will be able to search and view reports that have been archived through a separate process.  </p><p>I&#39;ve searched through the developer library, but I can&#39;t find this specific information.  Can I use the ObjectPrinicpals class to get this info?</p><p>Thanks!</p><p>-Dell<br /></p>

    Hi Robert!
    Yes, the presentation went well. It was a lot of fun to do and I had a great time at the conference.
    Your suggestion works great if I'm walking down through the reports looking to see who has access to them.Â
    However, I need to do this starting from the User object. When I use the ObjectPrincipals of the User, I get a list of the users who have the rights to modify the user. I did a lot of work on this last week and it boils down to I'm going to have to actually log in as the user (I can use trusted authentication to do this without having the user's password) and then run a query to select all of the reports in the system - this should give me just the reports that the user has access to. Not the most efficient way to get the data from my perspective, but it should work.
    This would be a great feature to have added to future versions of the SDK. I need it for a couple of purposes:
    1. To gather information to set up the security in my archive viewer application.
    2. For auditing purposes - we currently have only Professional licenses so I don't have access to the internal auditing functionality. Plus, I'm not sure that that includes the kind of info I'm looking for so I'm building an app that extracts information to XML which is then used by a couple of reports so that I can provide the audit info as needed.
    -Dell
    Â - A computer only does what you told it to, not what you thought you told it to!</p>

  • How can i see when someone has accessed my call/text log. (This is possible on google) I have been informed that someone has accessed my activity log and is giving my information to a third party. I believe it is a service tech, but I am not interested in

    How can i see when someone has accessed my call/text log. (This is possible on google/gmail) I have been informed that someone has accessed my activity log and is giving my information to a third party. I believe it is a service tech, but I am not interested in persuing that further. I just need to see when my account has been accessed if possible.

    Hi lynniewigs,
    This is a common concern among Android and I-phone user, and one of the drawbacks to using a smart phone.  We lose so much privacy. Our phones become cameras into our homes for us to be spied on.
    I don't know what type of phone you have, if it is even a smart phone, but here is an example of an application that you can use to determine which applications are accessing your information and sending it out. 
    Permission Scanner - Android Apps on Google Play
    Google just recently revamp their permissions geared to hide invasive applications that spy and send out your information without your knowledge.  Report says be aware of what your Android app does - CNET
    Please continue to be mindful of the apps you download and the permissions you give. 

  • How to check if the user has only the display authority of a message

    hi,
    How to check if the user has only the display authority of a message but does not have the change authority for a certain message?
    Best regards,

    hi blake
    though i am an application consultant and for authorisation u need to have help of BASIS person if u r not the one but still i can guide u regarding the same,
    Basically Authorization Management 
    Use
    You can use the following authorization objects to control the authorizations for maintaining business partner data:
    •        Authorization objects for the Business Partner:
    •     &#61601;        B_BUPA_GRP
    •     &#61601;        B_BUPA_ATT
    •     &#61601;        B_BUPA_FDG
    •     &#61601;        B_BUPA_RLT•       
    Authorization objects for relationships:
    •     &#61601;        B_BUPR_BZT
    •     &#61601;        B_BUPR_FDG
    In addition, you can assign an authorization group to a business partner in the dialog. The authorization group controls which users may maintain data for this business partner.
    You can also define authorizations for fields and field groups using the Business Data Toolset (BDT). Depending on the settings you have made, the system carries out the relevant authorization checks.
    In the dialog in the SAP GUI, you can display an overview of the authorizations assigned to you by pressing the button Settings.
    For more information on authorization management, see the Implementation Guide (IMG) of the Business Partner, as well as in the Developer’s Handbook for the BDT under  Authorizations.
    IntegrationAuthorization management for the Business Partner forms part of the  SAP authorization concept.
    Prerequisites
    You have made the necessary settings in Customizing of the Business Partner under Basic Settings--> -Address Management.
    Moving over
    AS ABAP Authorization Concept 
    The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. On the basis of the authorization concept, the administrator assigns authorizations to the users that determine which actions a user can execute in the SAP system, after he or she has logged on to the system and authenticated himself or herself.
    To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks.
    Authorization Checks 
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
    •        Starting SAP transactions (authorization object S_TCODE)
    •        Starting reports (authorization object S_PROGRAM)
    •        Calling RFC function modules (authorization object S_RFC)
    •        Table maintenance with generic tools (S_TABU_DIS)
    Checking at Program Level with AUTHORITY-CHECK
    Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
    AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
    Starting SAP Transactions
    When a user starts a transaction, the system performs the following checks:
    •        The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
    •        The system then checks whether the user has authorization to start the transaction.
    The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
    •     &#61601;        The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
    •     &#61601;        If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, table TSTCA).
    If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
    •        The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.
    The check is not performed in the following cases:
    You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
    This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
    •     &#61601;        You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
    •     &#61601;        So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).
    All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.
    Starting Report Classes
    You can perform additional authorization checks by assigning reports to authorization classes (using report RSCSAUTH). You can, for example, assign all PA* reports to an authorization class for PA (such as PAxxx). If a user wants to start a PA report, he or she requires the appropriate authorization to execute reports in this class.
    We do not deliver any predefined report classes. You must decide yourself which reports you want to protect in this way. You can also enter the authorization classes for reports with the maintenance functions for report trees. This method provides a hierarchical approach for assigning authorizations for reports. You can, for example, assign an authorization class to a report node, meaning that all reports at this node automatically belong to this class. This means that you have a more transparent overview of the authorization classes to which the various reports are transported.
    You must consider the following:
    •     •         After you have assigned reports to authorization classes or have changed assignments, you may have to adjust objects in your authorization concept (such as roles (activity groups), profiles, or user master records).
    •     •         There are certain system reports that you cannot assign to any authorization class. These include:
    •     •         RSRZLLG0
    •     •         STARTMEN (as of SAP R/3 4.0)
    •     •         Reports that are called using SUBMIT in a customer exit at logon (such as SUSR0001, ZXUSRU01).
    •     •         Authorization assignments for reports are overwritten during an upgrade. After an upgrade, you must therefore restore your customer-specific report authorizations.
    Calling RFC Function Modules
    When RFC function modules are called by an RFC client program or another system, an authorization check is performed for the authorization object S_RFC in the called system. This check uses the name of the function group to which the function module belongs. You can deactivate this check with parameter auth/rfc_authority_check.
    Checking Assignment of Authorization Groups to Tables
    You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
    You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
    please See also:
    •        SAP Notes 7642, 20534, 23342, 33154, and 67766
    guess this info will help you,there is one graphic which actually explain the hierarchy of authorisation,i will find some time out to let u know more info about the authorisation
    but if u sit with ur BASIS guy then u can learn lot of things in PFCG
    i guess u r a basis guy,then its not a problem
    best regards
    ashish

  • Getting list of reports a user has access to

    Hi,
    I'm new to BO and have been trying to figure out a way to get a list of reports a specific user has access to. In reading the documentation in the SDK it appears the only way to do this is to get a list of all reports, loop through them, getting the ObjectPrincipals, looping through that then checking if the objectPrincipal.Name == user.Title.
                foreach (InfoObject report in infoObjects)
                    SecurityInfo securityInfo = report.SecurityInfo;
                    ObjectPrincipals objectPrincipals = securityInfo.ObjectPrincipals;
                    foreach (ObjectPrincipal objectPrincipal in objectPrincipals)
                        if (objectPrincipal.Name != user.Title) continue;
                        if (!sortedList.Contains(report.ID))
                            sortedList.Add(report.ID, report.Title);
    This works, but takes over 90 seconds to generate the list of reports I want, as it is looping through all reports in the CMS (120). My logic is telling me there must be a better way to do this, I just haven't found the answer. It appears that calling securityInfo.ObjectPrincipals is what is taking the most time.
    Advice, thoughts, suggestions are all appreciated.
    Thanks
    James

    Ok, logging in as a user and getting a list of reports is working well and fast. But how would you recommend getting a list of all users and the reports they are assigned to. Is there a query for that using the relationship functions of Query Builder?
    Thanks
    James

  • How to determine that the user/ pernr is comp cord?

    Hi,
    In tcode pa30 i see there is Comp Cord field. so these are the HR persons right which use the three digits numbers.
    So my question is how to determine that the user/ pernr is comp cord?
    I want to create the fm and pass user id as import and want to find out where this user is belongs to comp coordinator or not.
    i do see some entry in the T526 table but not sure, how it work.
    Regards
    Ali

    hi ali,
    SACHX is the field you are looking for ..
    regards
    Manthan Raja

  • Getting list of tables the user has access to across different schemas.

    Hi,
    I have to get the list of tables that an User has access to. I tried the below code. It takes a very long time. Is there any way in which I can specify the user name and get all the tables that he has access to? I know that we can use dbMetadata.getTables api. But this returns the list of tables under the said schema. But I want the list of tables that the user has access including tables in other schema.
    In the below code, I am trying to get the tables for which USER_MICHAEL has access to.
    DatabaseMetaData dbMetadata = connection.getMetaData(); String userName = null; dbrs = dbMetadata.getTables(null,userName , "%", new String[] { "TABLE" }); dbrs=dbMetadata.getTablePrivileges("",userName,"%"); while (dbrs.next()) { String tableName = dbrs.getString("TABLE_NAME"); String schema = dbrs.getString("TABLE_SCHEM"); String privilege = dbrs.getString("PRIVILEGE"); String grantee = dbrs.getString("GRANTEE"); if(grantee!=null && grantee.equals("USER_MICHAEL")){       System.out.println("Schema---"+schema+" Table---"+tableName+"  Privilege----"+privilege+"  grantee---- "+grantee); } }

    That would be database dependent.
    Some engines have some system tables that together may be used to extract such information, others may not make it available at all outside closed APIs.

  • How to check if the user has log in when he log in again?

    Hi all,
    I was wondering how to track if the user has already log in?
    When this user using browser A to log in then he try to log in using a new browser, then hw I am I going to know that, and terminate his session?

    Hello!
    You can try this code if you want that if a user is login at a machine and tries to login from the other, then he can continue his processing at second machine ('cos it will get the high priority) but can not process from the first machine. This code allows to login but only second one will be active.
    <jsp:useBean id="monitor1" scope="application" class="java.util.HashMap"/>
    if(monitor1.containsKey(num)){
    HttpSession oldSession = (HttpSession) monitor1.get(num);
    oldSession.invalidate();
    monitor1.remove(num);
    monitor1.put(num , session);
    But if you want to restrict it at the time of second login then u can use any of the techniques discussed above.
    aNTUMNIHA

  • Restricting user search to the communities the user has access to

    We want to be able to restrict our users to search within the community that user is in or to the communities that user has access to.
    A global portal search is not acceptable. Could someone help me with this. We are running portal 6.0sp1 on solaris.
    Thanks!
    Jamal Najmi

    Hi Jamal Najmi,
    If you have KD hierarchy based on community, then you develop a small search portlet using adaptive tags that will search only those folders in the KD.
    Hope this helps.
    Bharat

  • Maxl/esscmd to get list of applications/databases that user has access to

    Is there any maxl/esscmd to get the list of applications/databases that a user has access to?
    I know that LISTGROUPUSERS 'groupName' -- this list all users of a group.
    Can anyone help please?

    MaxL
    display privilege user SomeUser;

Maybe you are looking for