How to restrict FBL1N only to display access
Hi,
I need some help in restricting access for FBL1N. The requirement is the user should be able to only display the vendor items for the given opcos. I created a test role for this tcode and maintained the activity for all the auth objects to 03. But still user is able to change the vendor details. When ran trace, it was showing the access to Tcode FB02. but not sure how the test user is getting this access as the test role does not contain FB02 and user does not have any other role. Please advise
Regards
Kavitha
Raghu Boddu wrote:
Hi Kavitha,
>
> FBL1N internally calls lots of tcodes and FB02 is one among them. Check the table TCDCOUPLES.
>
> I don't think this restriction is possible only with adding 03 activity for the F_LFA1* and F_BKPF* objects.
>
> If you check FBL1N in SU24, there are a few other authorization objects that are in check state. You need to make them check maintain and further maintain the activites in the individual roles.
>
> However, this may impact on the current roles that have FBL1N transaction code.
>
> Hope this helps!!
>
> Regards,
> Raghu
Despite the SAP_ALL removing the authorization problem.... I would like to enquire about this post.
Can you please explain each of the statements you have made and provide some evidence?
If the user has the correct authorizations then they are are wrong and the "check" and "check/maintain" status has no impact on the coding in customer type systems.
Cheers,
Julius
Similar Messages
-
How to restrict number of rows display using ig:gridView
Hi
All
How to restrict number of rows display using <ig:gridView datasource="{mybean.mylist}">
i am getting 10 rows using data_row . i wanna show only first 5 rows .
pageSize ="5" will be ok . but it displays remaining rows in next page. but i want to display only first 5 rows . is there any attribute to restrict number of rows.
thanks
rambhapuriI have no idea which component you're talking about. If want to discuss here about a non-Sun JSF component, then please mention about the name, version and build in detail. You can also consider posting this question at the website/forum/mailinglist of the component manfacturer rather than here. At least I can tell you that the Sun JSF h:dataTable has the 'rows' attribute for that. I can also suggest you to just take a look in the TLD documentation of the component in question. There should be all possible attributes listed with a detailed explanation about the behaviour.
-
How to Restrict a user to a access a particular table
HI ,
how to restrict an user to a one particular table and he should have only dispaly authorization for that , can anyone suggest me how to do this.Hi,
Is it a standard table ? S_TABU_DIS (Client Dependant) and S_TABU_CLI (Cross client) are the the authorization objects that controls table maintenance. With Authorization group and activity 03, you can give user access only to Display.
You can look at table TDDAT to find the authorization group of the table. If it is a custom table for which original t-code is SM30 ( You can look at SU24 to verify that) and it does not have authorization group assigned to it, then you can ask your developer to assign authorization group to the table using t-code SE54. then again make use of S_tabu_dis with activity 03 and Auth group as designed to restrict access.
Also something to look for is Note 1481950 - New authorization check for generic table access using new auth object S_TABU_NAM. Remember Bernhard talking about it.
Edited by: Nishant Sourabh on Oct 1, 2010 8:13 PM -
How to restrict multiple ess session and access?
Hi experts,
how to restrict multiple session for ess user? and multi access for same ess user?
our problem is when user login to ess (doing session, for example leave request) and at the same time their manager is accessing travel approval task for that user, the approval process getting error. (we use travel workflow to approve travel request)
how to overcome this situation?
thanks.but there is no information on ESS screen for user being lock.
how to show the information on ess screen?
thanks -
How to restrict "sftp only" user into your home dir and subdir
Hi OTN forums members
Question : I want restrict a sftp only user to browse ONLY in your home directory and subdirectory . I don't want sftp user access into other directory.
Details : I want use a "ssh bundle package" on s10(only package on SUNWCXall installation cluster). I don't want to use the "extrernal package", as "ProFTP", "Chroot", sunfreeware OpenSSH package,ecc. It's possible?
Technical Details of my system(test) : the hostname and username it's fantasy name, not real ;-)
root@sunlab1:/[1]$ cat /etc/release
Solaris 10 5/09 s10s_u7wos_08 SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 30 March 2009
root@sunlab1:/[2]$ uname -a
SunOS sunlab1 5.10 Generic_142909-17 sun4u sparc SUNW,Sun-Blade-100
root@sunlab1:/[3]$ grep explorer /etc/group
explorer::111:
root@sunlab1:/[4]$ grep explorer /etc/passwd
explorer:x:111:111:Sun Explorer Data Collector sftp only user:/export/home/explorer:/usr/lib/ssh/sftp-server
root@sunlab1:/[5]$ zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 27.3G 9.33G 96K /rpool
rpool/ROOT 11.6G 9.33G 18K legacy
rpool/ROOT/s10s_u7wos_08 11.6G 9.33G 11.6G /
rpool/cfengine 73.7M 950M 73.7M /var/cfengine
rpool/dump 1.00G 9.33G 1.00G -
rpool/export 5.01G 9.33G 11.8M /export
rpool/export/home 1.40G 3.60G 1.40G /export/home
rpool/mp3 2.65G 2.35G 2.65G /mp3
rpool/patches 206M 2.80G 206M /var/patches
rpool/swap 768M 9.58G 514M -
root@sunlab1:/[6]$
root@sunlab1:/[7]$ cd /export/home
root@sunlab1:/export/home[9]$ ls -la
total 47
drwxr-xr-x 5 root root 9 Oct 7 09:51 .
drwxr-xr-x 4 root sys 6 Jun 7 09:44 ..
drwxr-x--- 11 explorer explorer 11 Oct 7 11:30 explorer
root@sunlab1:/[8]$ sftp explorer@sunlab1
Connecting to sunlab1...
Password:
sftp> dir
[...more output...]
sftp> pwd
Remote working directory: /export/home/explorer
sftp> cd /var/adm
sftp> dir
[...more output...]
sftp> get messages
Fetching /var/adm/messages to messages
sftp> pwd
Remote working directory: /var/adm
sftp> bye
root@sunlab1:/[9]$
root@sunlab1:/[10]$ pkginfo -l SUNWsshr
PKGINST: SUNWsshr
NAME: SSH Client and utilities, (Root)
CATEGORY: system
ARCH: sparc
VERSION: 11.10.0,REV=2005.01.21.15.53
BASEDIR: /
VENDOR: Sun Microsystems, Inc.
DESC: Secure Shell protocol Client and associated Utilities
[...snip...]
root@sunlab1:/[11]$ pca -l installed --pattern=[Ss]sh
[...snip...]
Using /var/patches/pca/patchdiag.xref from Oct/14/10
Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
List: installed (3/584)
Patch IR CR RSB Age Synopsis
141742 04 = 04 -S- 427 Obsoleted by: 141444-09 SunOS 5.10: sshd patch
143140 04 = 04 RS- 119 Obsoleted by: 143559-03 SunOS 5.10: ssh patch
143559 03 = 03 RS- 38 SunOS 5.10: ssh scp patch
root@sunlab1:/[12]$ pca -l 141444 143559
Using /var/patches/pca/patchdiag.xref from Oct/14/10
Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
List: 141444 143559 (2/405)
Patch IR CR RSB Age Synopsis
141444 09 = 09 RS- 367 SunOS 5.10: kernel patch
143559 03 = 03 RS- 38 SunOS 5.10: ssh scp patch
root@sunlab1:/[13]$Legenda:
PCA = [url http://www.par.univie.ac.at/solaris/pca/] Patch Check Advanced , PCA is 3PP free and fast tool for Analyze, download and install patches for Solaris
IR =Installed Rev. CR = Current Rev. (published on patchdiag.xref from Oct/14/10)
RSB =[R]eccommended,[S]ecurity, [\B]ab patches
Not helpful reading "<tt>man sshd_config</tt>" and "<tt>man sftp-server</tt>", and Google searching. Nothing by MOS Community search.
Any idea?
Best Regards
Michele V.
P.S.: Excuse me for my bad English.Hi OTN forums members,
I find the solution. Thanks Andrea Manganaro (aka Amanga) for the help.
1) Download and install OpenSSH for Solaris 10/SPARC and all dependencies(Please read the http://www.sunfreeware.com/openssh.html note):
- [url ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssh-5.6p1-sol10-sparc-local.gz]openssh-5.6p1-sol10-sparc-local.gz
- [url ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssl-1.0.0a-sol10-sparc-local.gz]openssl-1.0.0a-sol10-sparc-local.gz
- [url ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/zlib-1.2.5-sol10-sparc-local.gz]zlib-1.2.5-sol10-sparc-local.gz
- [url ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/libgcc-3.4.6-sol10-sparc-local.gz]ibgcc-3.4.6-sol10-sparc-local.gz
2) Configure <tt>/usr/local/etc/sshd_config</tt> file with the "+<tt>ChrootDirectory</tt>+" directive. For me:
# override default of no subsystems
#Subsystem sftp /usr/local/libexec/sftp-server
Subsystem sftp internal-sftp[...]
# Example of overriding settings on a per-user basis
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no3) Create group and user for sftp-only account. For me:
root@taurus # groupadd sftponly
root@taurus # grep sftponly /etc/group
sftponly::202:
root@taurus # useradd -g sftponly -c "Sftp only user" -d /export/home/explorer -s /bin/false -m explorer
explorer:x:1002:202:Sftp only user:/export/home/explorer:/bin/false
root@taurus # passwd explorer
New Password:
Re-enter new Password:
passwd: password successfully changed for explorer
root@taurus # 4) Change home directory permission and create a r/w direcorty (uploads) for sftponly user account.
root@taurus # cd /export/home
root@taurus # ls -la
total 14
drwxr-xr-x 4 root root 4 Oct 29 15:28 .
drwxr-xr-x 3 root sys 3 Jan 22 2009 ..
drwxr-xr-x 3 explorer sftponly 3 Oct 29 15:41 explorer
root@taurus # chown root:sftponly explorer; chmod 750 explorer
root@taurus # ls -la
total 14
drwxr-xr-x 4 root root 4 Oct 29 15:28 .
drwxr-xr-x 3 root sys 3 Jan 22 2009 ..
drwxr-x--- 3 root sftponly 3 Oct 29 15:41 explorer
root@taurus # This will make a read-only, chrooted directory perfect for people to come in and get stuff, but never write.
For example, you could make a directory explorer/uploads that allow people to write in.Then you can moderate what gets copied into the read-only /explorer area. Remember that if a user can write in a directory then they can also delete anything in that directory.
root@taurus # cd explorer
root@taurus # mkdir uploads && chown -R explorer:sftponly uploads && chmod 0755 uploads
root@taurus # ls -al
total 9
drwxr-x--- 3 root sftponly 3 Oct 29 15:41 .
drwxr-xr-x 4 root root 4 Oct 29 15:28 ..
drwxr-xr-x 2 explorer sftponly 2 Oct 29 15:56 uploads
root@taurus # 5) Disable SunSSH "service" and enable OpenSSH "service" (with SMF):
root@taurus # svcadm disable sshSee [url http://www.sunfreeware.com/sshsol10.html]here for Running openssh vis SMF on Solaris 10 Systems
root@taurus # svcadm disable ossh
root@taurus # svcs -a | grep ssh
disabled 12:37:51 svc:/network/ssh:default
online 15:29:41 svc:/network/ossh:default
root@taurus # 6) Test your job :-)
Helpful links:
==============
http://www.sunfreeware.com
http://www.openssh.org
http://calomel.org/sftp_chroot.html
HTH
Michele Vecchiato -
OS: Linux
DB: 11.2.0.3
ERP: 11g
Hi There,
I would like to create a new custom responsibility, which the responsibility is having access to Standard Customer Form (ARXCUDCI.fmb) , but I would like to make a restriction in the customer search form is that, everytime the responsibility user search by customer number, customer name, party name or what ever search field, I would like to limit to restrict further of searching criteria where SALES_CHANNEL_TYPE = 'RTL' is allowed to populate the customer records, there rest of customer records are not allowed to search out.
This SALES_CHANNEL_TYPE column is from HZ_CUST_ACCOUNTS table.
I have tried the Form Personalization already, but the customer searching form has too many fields for user to search, therefore form personalization will be putting all over the places in the form. Therefore I saw others recommended of doing "Custom DLL"...may I know for my scenario, how to I go about Customer DLL? or any other more effective solution?
Appreciate if anyone can share your experience related to matter above.
Regards,
LygineHi Lygine,
The personalization i sent you works in this way:
-It does not matter which field you choose to enter the query.
-If a record is found, when the form opens and the cursor hits the Customer Name field, the personalization looks for the content of the Sales Channel field.
-If the content of this field is different from the 'RTL' string, the form Customers form (ARXCUDCI) is cleared.
Independently from the field you fill to perform the query, is a record is found, the Customer Name field is the first the cursor hits when the form is opened.
Octavio -
How to restrict data that is displayed in adf query
Hi all,
i have a VO with query criteria, which i have added to the jsf page as adf query panel with table. There may be particular queires that return large number of records. Suppose i want to restrict the number of records being displayed to 10,000. Is this possible with jdeveloper 11g? How can it be done? pls advice.
Thnx,
NadHi Nad
You can do this, open the VO Editor go to sql statement option add this code inside the where clause:
and rownum <= 10000 -- limit your query.
Good Luck -
How to restrict AS02 access to certain fields only
How to restrict AS02 (Asset Master Record) access to certain fields only. Currently when you assigned AS02 to a certain user, this will enable the user to change all the fields in the asset master record. Suppose i want only the user to restrict the access to certain field eg.NDJAR (Life in Yrs).
Thanks for your inputs.
Regards,
Roberthello,
basis has to assign the proper activity with object A_S_ANLKL. in this case they have to allow activity 03 only with combination of Cocode,asset class. see some more details below.
This authorization object is the first part of the object "asset master record."
The definition at this level determines whether the user is authorized to process data in a given company code. The activity type for the transaction is also defined here. This authorization object is used for master data transactions, for the display of value fields, and for reporting.
Defined Fields
The following fields are assigned to the authorization object
Asset class (specified by entering a value in the pop-up window)
Company code (specified by entering a value in the pop-up window)
Activity type - there are three different activity types:
01 = Create
02 = Change (including blocking and deleting)
03 = Display -
PE51- Display Access only??
Dear all
how do we restrict PE51 SAPMPE51 HR form editor for only display access..sooner i gave it it dosent give any objects for me to maintain the disply authorization..can come one tell me if there any objct goes with this T-code where i can maintain only the Display access to the user..Hi,
Goto SU24> enter the T.code in which u want the user should have only display . Execute it (Button on Appl> Toolbar), it gices 2 objects and on Appl. toolbar its a button as check indicator> click on this button.
It display a list of objects, select the objects with CHECK AND MAINTAIN priority.
Now goto the role of that user in which u assigned tat perticular Authorization , Double click on that role, it takes u in PFCG screen, click on Authorization Tab. Check that it shold be in change mode. Now check tat perticular object which v searched in SU24 with check and maintain, (cntrl+F), find tat object, after getting the object , in activity remoce all the selected fields, and just select 03 which is for display. Repeat the same for all objects and generate.
Now the user has only Display access.
Regards
Syed. -
How to Restrict some G/L accounts to 3 Users only
Dear All,
Please tell me how to restrict SAP Users not to access some(around 20)G/L accounts, and the same should be accessiable by 3 Users.
Thanks in advance.
Regards,
Veda GandhamAuthorization object to G/L accounts
F_BKPF_BUK for restriction by company code
F_BKPF_GSB for restriction by business area
F_BKPF_KOA for restriction by account type
Maintain the user role in PFCJ and then assign it in su01
Regards -
How to restrict number of rows returned in BIP
Hi Friends..
How to restrict no of rows displayed by the report to some 10 rows for example.. in BIPIf its in RTF you can use position to restrict.
<?for-each:ROW[position()<11]?>
You can also restrict it in your sql query using ROWNUM. -
Display access for the tcode SCC4
Hi all,
I want only the display access for the tcode SCC4. In which authorization object I can do this.
Regards,
R.SuganyaGood Afternoon yes you can goto transaction SU24 insert transaction SCC4 and execute, click on display indicator, and you will see the object S_TABU_DIS assign activity value (03) to your role for this object which has that transaction SCC4 assigned to it. Also make sure that no other roles for that user has this object other wise the values will overwrite it.
Make sure you have locked transaction code OY24 as its a duplicate of SCC4.
Hope this helps
Edited by: nadim razaq on Sep 17, 2008 4:13 PM -
How to restrict access to portal based on entitlements.
Hi,
I am working on weblogic 8.1 portal project. i want to restrict the user to access
the portal based on the entitlements. However when user try to login he is seeing
Weblogic Error 403 forbidden page. How to display custom error page, instead of
weblogic default error page.
How to programatically check whether user has access to portal or not based on
entitlements.
Please give me code.
regards,
-chada-Chada,
The 403 is by design. If you want to place a page in front of one or more
portal desktops and only show links to desktops the current user is entitled
to, review the attachment.
-Phil
"Chada" <[email protected]> wrote in message
news:3fcd6969$[email protected]..
>
Hi,
I am working on weblogic 8.1 portal project. i want to restrict the userto access
the portal based on the entitlements. However when user try to login he isseeing
Weblogic Error 403 forbidden page. How to display custom error page,instead of
weblogic default error page.
How to programatically check whether user has access to portal or notbased on
entitlements.
Please give me code.
regards,
-chada-[login.zip] -
How to restrict the change access in CRM for OLTP orders
Hi Guru's,
Please let me know how to restrict the change access in CRM for the orders that are created in ECC. The ECC orders will only for display in CRM but not for change,
We have the orders that are created in ECC, it will flows to CRM and should restrict the access to get in to the change mode in CRM but as of now CRM system is allowing change mode for ECC orders and ending up with errors.
Is there any additional middleware parameter that needs to be added to SMOFPARSFA table to get this functionality! Please advice! Thank your for your help.
Regards
SuneelHi.
You can use the PFCG role to control if the user is able to create, change, delete or only display a business transaction type.
Regards. -
How to restrict the job start conditions (only "Immediate" type) ?
Hi,
We allow our users to schedule and execute in background mode transactions (example IP19, IW38). We gave them for that authorizations (object S_BTCH_JOB with LIST, PROT, RELE and SHOW - objetct S_PROGRAM with BTCSUBMIT).
We would like that users can schedule and execute their jobs only with the u201CImmediateu201D job start condition (in the Start Time screen for the type of start condition : Immediate, Date/Time, After job, After event, or At operation mode).
Another solution: prohibit the scheduling and the execution background job in a certain time interval ...
How can restrict the job start conditions ?
Thank you.
Patrice.Hi Jan,
Yes, sa38 makes it possible indeed to execute in background into immediate mode a job but
the user have to know the name of the program to be carried out ...
The user knows only the name of these transactions trade. For example, IW38.
In the menu of this transaction, SAP gives the possibility to execute in background :
Program --> Execute in Background --> display of Start Time screen for the type of start condition :
Immediate, Date/Time, After job, After event, or At operation mode).
It is at this time there that we want that the user can only choose the "immediate" mode.
We must thus prohibit the other choices (Date/Time, After job, After event, or At operation mode) ... and
and we don't know how to restrict these other options in this screen "Start Time screen for the type of start condition".
Thank you.
By.
Maybe you are looking for
-
Tour got wet - here's what it does - how can I tell if it is "fried"?
My Blackberry Tour (from 2009 - Blackberry device manager says I am running BB OS 4.7.1) got wet in a rainstorm (phone was outside, not submerged, the wetness indicator strip on the battery has not had a line appear on it but a tab inside the phone
-
At line selection in alv report
hi, i had developed a code in which at 1st execution the normal output is displayed and if i click on a purticular Itemid it displays the whole of items and i want to display only that item's data which i had clicked on. following is the code which
-
Letter F not working on iPad 2..have to press real hard to get it working
-
Lost Adobe X Standard CD.... Have Serial Number...
I see Adobe 10 Standard updates at this link but no link to the Acrobat 10 Standard download. My tech changed my harddrive and then he quit the company. I have my serial number but no CD. Please help me to download the software.
-
I forgot my iPhone passcode, what can I do?
yeah so ive been trying random codes for a whole day now :L