HR Auth Question

I want to build a role which has display authorisation to all infotypes except some 3-4 infotypes. Is there any other way than maintaining ranges skipping the 4 infotypes? Will there be any performance issue if I maintain ranges?

There is no performance penalty for maintaining ranges.
For audit and maintenance purposes however, I advise you to put each allowed infotype into the role separately. Basically SAP authorization design is about giving people what they need and not about giving people everything and then taking away what they shouldn't have.
Initially it's more work but it will pay back during audits, maintenance and upgrades.
An example in this case would be introducing a new infotype which almost no-one is allowed to see or manipulate.
With ranges this introduction of an infotype will force you to review all your roles and amend the ranges. With named infotypes a non-existent one is not in your roles yet so it'll be safe from the beginning .....
Jurjen
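Jurjen's maintenance argument can be checked mechanically. The following is an added example, not code from this thread or from SAP: a small Python model of an infotype authorization value list (single values, ranges or "*"), run against a constructed infotype catalogue. It also goes one step beyond the question by generating the range list that skips the excluded infotypes, so both designs can be compared side by side. `KNOWN_INFOTYPES`, `SENSITIVE`, `RANGES_ROLE`, `NAMED_ROLE` and the helper names are illustrative assumptions.

```python
from typing import Iterable, List, Set

# Constructed sample catalogue of infotypes present in the system today;
# a real system has hundreds, this is only enough to show the effect.
KNOWN_INFOTYPES: Set[str] = {"0000", "0001", "0002", "0006", "0007", "0008",
                             "0009", "0014", "0015", "0021", "0105", "2001"}

# The handful of infotypes the display role must NOT grant (constructed).
SENSITIVE: Set[str] = {"0008", "0009", "0014", "0015"}


def infty_granted(value: str, infotype: str) -> bool:
    """Does one authorization value ('0002', '0000-0007' or '*') cover an infotype?"""
    if value == "*":
        return True
    if "-" in value:
        lo, hi = value.split("-", 1)
        return lo <= infotype <= hi   # 4-digit zero-padded strings order lexically
    return value == infotype


def granted_infotypes(values: Iterable[str], catalogue: Set[str]) -> Set[str]:
    """All catalogue infotypes that a role's value list grants."""
    vals = list(values)
    return {i for i in catalogue if any(infty_granted(v, i) for v in vals)}


def implicitly_granted(values: Iterable[str], new_infotype: str) -> bool:
    """Would an infotype that did not exist when the role was built be visible?"""
    return any(infty_granted(v, new_infotype) for v in values)


def ranges_excluding(excluded: Iterable[str], lo: int = 0, hi: int = 9999) -> List[str]:
    """The range list that grants lo..hi except the excluded infotypes, i.e. the
    'maintaining ranges skipping the 4 infotypes' approach from the question."""
    holes = sorted({int(x) for x in excluded})
    out: List[str] = []
    start = lo
    for h in holes:
        if h > start:
            out.append(f"{start:04d}-{h - 1:04d}")
        start = max(start, h + 1)
    if start <= hi:
        out.append(f"{start:04d}-{hi:04d}")
    return out


# Two designs that grant exactly the same infotypes today.
RANGES_ROLE: List[str] = ranges_excluding(SENSITIVE)          # 0000-0007, 0010-0013, 0016-9999
NAMED_ROLE: List[str] = sorted(KNOWN_INFOTYPES - SENSITIVE)   # one entry per allowed infotype


def review_report(new_infotype: str) -> dict:
    """Compare both designs when a new infotype appears after the role was built
    (customer infotypes live in 9000-9999, so a constructed '9500' is realistic)."""
    return {
        "same_today": granted_infotypes(RANGES_ROLE, KNOWN_INFOTYPES)
                      == granted_infotypes(NAMED_ROLE, KNOWN_INFOTYPES),
        "ranges_role_grants_new": implicitly_granted(RANGES_ROLE, new_infotype),
        "named_role_grants_new": implicitly_granted(NAMED_ROLE, new_infotype),
    }


if __name__ == "__main__":
    print("ranges role:", RANGES_ROLE)
    print("named role: ", NAMED_ROLE)
    print(review_report("9500"))  # the range design silently grants the newcomer
```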

Similar Messages

  • Upgraded from 4.1 to %, auth questions broke

    Hello,
    I updated my lighthouse system 4.1 -5.0, (I know we're far behind), and my authentication question functionality broke.
    Basically when someone tries to update their auth questions, it either fills them in blank, or a random set of characters is added in the field. Of course we didn't notice this until we rolled out into prod either. Luckily it hasn't been that big of an issue yet.
    Any suggestions?

    Hi jbyrnes,
    Are you still using the gateway for 4.1? If so try to use the gateway for v5. Sometimes problems may occur due to incompatibility of the gateway also. If this works or if you come up with a solution yourself please let me know.
    All The Best!!
    regards,
    Zebra7

  • Shell Command Auth Question

    I'm trying to setup a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:
    "permit counters interface *"?
    TIA

    I'm assuming you are using CSACS (not indicated) for defining your command sets.
    e.g.:
    "Deny" radio button selected (i.e.: only listed commands will be authorized).
    Command List:
    clear
    disable
    enable
    show
    "Clear" command argument(s) set as follows:
    (a) Deselect the "Permit Unmatched Args" checkbox.
    (b) Enter the following argument(s) into the list:
    permit counters
    ... or, to be more specific:
    permit counters Ethernet 0
    permit counters FastEthernet 0
    This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).
    Notes:
    (1) Command arguments are case sensitive and may differ from how they are entered at the CLI.
    (2) A sniffer is helpful in determining proper case.
    (3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.
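The command-set semantics in the reply can be unit-tested before the policy is pushed to the AAA server. The following is an added example, not code from this thread or from Cisco: a small Python evaluator for the "Deny"-mode command set above. It assumes (labelled in the code) that only listed commands are authorized, that argument lines are case-sensitive regular expressions anchored at the start of the argument string with first match winning, and that a command whose arguments match no line falls back to its "Permit Unmatched Args" flag; `COUNTERS_ONLY` and `NAMED_INTERFACES` are constructed sample sets.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandEntry:
    # ("permit" | "deny", regex) lines, evaluated in the order they are listed
    arg_lines: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = True   # the "Permit Unmatched Args" checkbox


@dataclass
class CommandSet:
    commands: Dict[str, CommandEntry]
    permit_unmatched_commands: bool = False   # "Deny" radio button selected


def authorize(cmd_set: CommandSet, cli_line: str) -> bool:
    """Return True if the full CLI line would be authorized by the command set.

    Assumed matching rule: argument patterns are anchored at the start of the
    argument string (re.match) and compared case-sensitively, as note (1) warns.
    """
    parts = cli_line.strip().split(None, 1)
    if not parts:
        return False
    command = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    entry = cmd_set.commands.get(command)
    if entry is None:
        return cmd_set.permit_unmatched_commands   # unlisted command
    for action, pattern in entry.arg_lines:
        if re.match(pattern, args):
            return action == "permit"              # first matching line wins
    return entry.permit_unmatched_args              # no argument line matched


def audit(cmd_set: CommandSet, lines: List[str]) -> Dict[str, bool]:
    """Evaluate a batch of sample CLI lines; handy for a pre-deployment check."""
    return {line: authorize(cmd_set, line) for line in lines}


# Constructed set mirroring the reply: clear/disable/enable/show listed,
# "clear" restricted to counters with unmatched arguments denied.
COUNTERS_ONLY = CommandSet(commands={
    "clear": CommandEntry(arg_lines=[("permit", r"counters")],
                          permit_unmatched_args=False),
    "disable": CommandEntry(),
    "enable": CommandEntry(),
    "show": CommandEntry(),
})

# The "more specific" variant: only the two named interfaces may be cleared.
NAMED_INTERFACES = CommandSet(commands={
    "clear": CommandEntry(arg_lines=[("permit", r"counters Ethernet 0$"),
                                     ("permit", r"counters FastEthernet 0$")],
                          permit_unmatched_args=False),
    "show": CommandEntry(),
})


if __name__ == "__main__":
    samples = ["clear counters", "clear counters FastEthernet 0", "clear Counters",
               "clear line 1", "reload", "show running-config"]
    for line, ok in audit(COUNTERS_ONLY, samples).items():
        print(f"{'PERMIT' if ok else 'DENY  '} {line}")
```

Note that "clear Counters" is denied by the constructed set purely because of case, which is the pitfall notes (1) and (2) describe.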

  • OID 10G - uid auth question

    I have some user entries in ou=test,dc=acme,dc=com container. The ou=test container has the objectclass of organizationalunit. The user entry DNs format is:
    dn: cn=test1,ou=test,dc=acme,dc=com
    dn: cn=test2,ou=test,dc=acme,dc=com
    dn: cn=test2,ou=test,dc=acme,dc=com
    I can successfully bind as the users (via ldapsearch) using -D dn: cn=test1,ou=test,dc=acme,dc=com
    ...but I get error 49 "Invalid credentials" when I attempt to bind using dn: uid=test1,ou=test,dc=acme,dc=com
    I've scripted this and the password is entered into the script the same for:
    dn: cn=test1,ou=test,dc=acme,dc=com (successful bind)
    dn: uid=test1,ou=test,dc=acme,dc=com (failed bind)
    Why?

    because the dn is cn=test1,ou=test,dc=acme,dc=com, not uid=test1,ou=test,dc=acme,dc=com

  • Another External Auth Question

    We have implemented a custom login page
    ('borrowed' from http://technet.oracle.com:89/ubb/Forum83/HTML/000206.html) and authenticate externally
    to NT PDC. I am required to add an additional field "PIN" to the login page. I
    will handle validating the PIN in my custom code. What I need to know is which packages do I need to touch to add this field? Also, can I control the message back to the user -
    ie 'invalid pin' vs 'invalid password'?

    Brian,
    You should probably post the login form to a procedure that you write that will process the PIN. Then that procedure should call the ls_login procedure, with only the parameters that it takes, excluding the PIN.
    If the first step determined that the PIN was wrong, then you should not call the ls_login, but instead redirect back to the custom login page, passing an error code for the bad PIN. Since you are writing your own custom error code, you can display any text you want, corresponding to a bad_pin error code.
    Note that this approach assumes that your procedure is in the login server schema also.

  • Authentication Question in SAP IDM 7.1

    Hi All,
    I am currently working on SAP IDM 7.1. My requirement is to set an authentication question in SAP IDM and enforce the same at the first-time login of the user. Presently I am setting my authentication question answers in the OOB attributes MX_AUTH_Q01 - Q05.
    For the first-time login user I am getting the default password change screen; thereafter I need to enforce Set Authentication for every user logged in for the first time. Please suggest if SAP provides any feature like this to set an authentication question at the time of login. Thanks in advance
    Regards
    Swati Pandey

    Hi Christian,
    I have implemented the security question using the same concept, i.e. by limiting access to the process through access control. Now, my requirement is to store a dynamic question in the user profile, i.e. users can store their own custom question/answer. Do we have any such facility in SAP IDM? Presently the auth questions provided are static for each user profile.
    Thanks
    Swati Pandey

  • Prevent Lighthouse account updates on UserView checkin

    Hello!
    I'm using a custom workflow to update some attributes on a resource account. The problem is the Lighthouse account also gets updated. In the user view, I set:
    <set name='userView.update.selectAll'>
    <s>false</s>
    </set>
    And also set all the userView.update.accounts[*].selected attributes to false (except for the one I am updating, which I set to true).
    When I checkin the view and the Lighthouse account has anything to be updated, it is also updated.
    The real problem is: I have some invalid attributes in the lighthouse accounts (say, auth questions), and when I try to change anything in a resource account, the update fails because the auth question is invalid. I want the update to ignore the lighthouse account and do the updates only in the resource accounts.
    Any clues?
    Thanks a lot!
    Joao.

    Hi,
    Use target resources to select which resource you want to update while getting the user view.
    See the code below:
    <Action id='0'>
    <expression>
    <set name='options'>
    <map>
    <s>TargetResources</s>
    <list>
    <s>Resource1</s>
    <s>Resource2</s>
    </list>
    </map>
    </set>
    </expression>
    </Action>
    <Action id='1' application='com.waveset.session.WorkflowServices'>
    <Argument name='op' value='getView'/>
    <Argument name='type' value='User'/>
    <Argument name='options' value='$(options)'/>
    <Argument name='id'>
    <ref>accountId</ref>
    </Argument>
    <Return from='view' to='user'/>
    </Action>
    Thanx
    Shant

  • Questions 'bout setting up auth. for 4 domains: 2 SecurID, 2 PDC

    We have setup a portal with 4 domains. We are currently using one gateway. 2 domains are configured for securID authentication. We'd like to setup the other two domains for authentication using browser certificates. If possible followed by LDAP auth.
    I have the following questions:
    A. We will add a second gateway and configure this one for PDC authentication. Can the portal server handle this (2 domains SecurID, 2 domains PDC), or do we need to configure a second portal instance? Everything is running in secure mode and is communicating over SSL. Any tips, pitfalls etc. we should know about (as previous attempts to set this up failed)?
    B. Is it out-of-the-box possible to cascade PDC and LDAP authentication (just like for the other NON-PDC authentication modules) or do we have to build our own authentication module? Again, previous attempts to set this up failed :-)

    A.) You can have multiple domains with multiple types of authentication, however if you enable pdc for a gateway you cannot use any other type of authentication mechanism then.
    For SP3a the PDC setup documentation is outdated; see my earlier posting (within the last week) that contains detailed steps to do PDC.
    B.) Yes you can do auth chaining, you enable auth chaining in the authentication and then in the module name you give Ldap.

  • Auth properties question for IPS3 or IPS6

    The Auth module in Portal 3.0 and 6.0 has
    the same template based logic, where
    the placeholder <subst data="XtokensX">
    in the mylogin.html template will be replaced
    with parameters specified in "mylogin.properties".
    In the mylogin.properties I can specify:
    TOKEN (will be translated to edit input field e.g. user name)
    PASSWORD (will be translated to password input field)
    Now the question:
    Sometimes I need other input types:
    e.g. select box (for selecting NT domain or LDAP directory)
    or hidden field (e.g. to hide the challenge request password for async RADIUS auth)
    Are there any other undocumented tags
    for "mylogin.properties" which I can use?
    PS: I already described a workaround, which I used so far in
    http://softwareforum.sun.com/NASApp/jive/thread.jsp?forum=2&thread=14219
    but I am wondering, if there is a more sophisticated way
    to address customer needs.
    Thanks,
    Alex

  • [Question!!] How to satisfy security status after External Auth.?

    Situation:
    I want to do Post Issuance functions on the card. The card has been personalized, and the card
    status has been set to 'Secured'.
    Card Status:
    The card is in secured status when it has perso. from the card manufacturer.
    First: External auth.
    External auth. is OK and the response has no error.
    (APDU's P1 set to '0x03')
    Second: Try to delete an existing applet (ex: VSDC applet) from the card.
    According to the Card Spec., APDUs after the secure channel has opened must
    add a MAC and be enciphered, so use the first step's C-MAC value as the initial value to calculate the
    new MAC and do the encipherment, then send the command to the IC card; it returns SW '0x6982'.
    Questions:
    Why does it return 'Security level not satisfied' after passing the card ext. auth.?
    Did I make an error in calculating the MAC or in enciphering the command?
    If I really made the error in my MAC or cipher step, the IC card checks it and returns '6982';
    is that correct?
    APDU results are as follows:
    KMC Key = "FDA1DAF3CC95D48C7B891DCA1F7C5769"(Hex dump)
    16 bytes 2Des Key
    Detect Reader :
    0 - [ CASTLES EZ100PU 1 ]
    Send APDU >> 00A4040007A0000000030000
    Response APDU << 6F198408A000000003000000A50D9F6E0640512179100E9F6501FF9000
    Send APDU >> 80CA00CF00
    Response APDU << 00CF0A000049381701100101629000
    Send APDU >> 80500000080000000000000000
    Response APDU << 00004938170110010162010152BD13F4BB10ECF64875DAFF86BF89299000
    -- External Authenticate
    Plaintext APDU : 848203000807556D1359960AD3
    IV : 0000000000000000
    C-MAC : 766F793916F59ABD
    APDU After C-MAC : 848203001007556D1359960AD3766F793916F59ABD
    Send APDU >> 848203001007556D1359960AD3766F793916F59ABD
    Response APDU << 9000
    -- Delete Instance AID
    Plaintext APDU : 84E40000094F07A0000000031010
    IV : 766F793916F59ABD
    C-MAC : 21E59ADBCE506D20
    APDU After C-MAC : 84E40000114F07A000000003101021E59ADBCE506D20
    APDU After Cipher : 84E40000180CC8DE40AB34AC8C66285D6A2B0B4C5421E59ADBCE506D20
    Send APDU >> 84E40000180CC8DE40AB34AC8C66285D6A2B0B4C5421E59ADBCE506D20
    Response APDU << 6982
    Delete Instance AID fail ! (SW:6982)

    Hi Bennel,
    what kind of card is yours?

  • Authorization question: infoObject combined with auth var and input va

    In a sales forecast report an authorization variable 0version is used. 5 different versions are available (1 to 5). When running the query the user has to fill in what version he wants to update by filling in the correct 0version variable. The query itself has also an authorization variable which authorize on the version (users are allowed to see/correct version 1 to 4 and special users only 5).
    Is it possible to have two variables(1. auth var    2. sel var) on 0version in one query?

    Looks all perfect. Can you recheck, while creating the Authorisation variable, whether you selected 'Value Range' or 'Single Values' while restricting the variable (or) defining the variable?
    Can you create the variable with the Value Range option while restricting the screen with variables and see?
    regards,
    hari

  • Dot1x (Switch) Question with MAC bypass & Web Auth

    Is it possible to configure dot1x with MAC Auth bypass along with web authentication?
    The goal is to first try dot1x
    If machine doesn't support dot1x, then use MAC address. If MAC isn't in list, redirect through a web browser.
    From what I read, it sounds like MAC bypass gives me half of what I need and using web auth as a fallback to dot1x gives me the other half. Can these be used in conjunction to accomplish what is needed here?
    There is also Web Auth with Automatic MAC Check, but there is mention of this only working in "web auth standalone mode." Can anyone comment on this?
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1281903
    Help is much appreciated.
    Thanks,
    Jason

  • Frequency of /var/log/auth.log purges (question answered)

    I check /var/log/auth.log almost daily for break-in attempts - always unsuccessful (knock on wood) thanks to DenyHosts. However, I recently found that the log had been emptied!
    Being a little paranoid as I usually am, I thought at first that someone had broken in and was trying to cover their tracks. But then I realized it was November 1...
    Is /var/log/auth.log cleared monthly? How can I control how often it is cleared, if at all?
    Last edited by deconstrained (2009-11-01 17:06:36)

    I agree with vacant. And you can run this command to see your earlier auth.log files:
    ls -la /var/log/auth.log*
    If you care about log files then you should definitely read more about logrotate, cron, anacron and syslog.

  • Questions on SETSPN syntax and what is required for MANUAL AD auth

    I'll preface this by stating that I don't need to do all the extra stuff for Vintela SSO, SSO to database, etc.  I just need to know precisely what is necessary to do to get AD authentication working.  I managed to get it working in XIr2 previously but it's been so long and I'm not 100% sure that everything I wound up doing was absolutely necessary that I wanted to sort it out for good as we look at going to XI 3.1 SP3.
    In the XI 3.1 SP3 admin guide, page 503, the SETSPN command which is
    used as part of the setup process to establish a service account to
    enable AD authentication is outlined as follows:
    SETSPN.exe -A <ServiceClass>/<DomainName> <Serviceaccount>
    The guide suggests that the <ServiceClass> can be anything you want to
    arbitrarily assign. If I choose something other than the
    suggested "BOBJCentralMS" value, is there anywhere else I have to
    specify this value to allow the service account to function properly?
    The guide suggests that the <DomainName> should be the domain name on
    which the service account exists however I've seen many posts online which seem to
    indicate this <DomainName> should actually be the FQDN of the server
    running the CMS service instead of the general domain name.
    Clarification there would be very helpful if anyone has some insight.

    The CMS account can have an SPN of spaghetti/meatballs; there are no requirements (except 2 characters on each side of the / I believe). The SPN created should be the value entered in the CMC > Authentication > Windows AD.
    The account must run the SIA and it therefore must have AD permissions. Now if you are using IIS or client tools you don't even need an SPN. The SPN is for Kerberos only, which is required for Java app servers.
    The vintela SSO white paper in the this forums sticky post explains the roles of a service account.
    Regards,
    Tim

  • How do I use my own Custom Auth/Authentication/Entitlement (Token)?

    [ Background ]
    Adobe Access DRM provides for 3 authentication mechanisms:
    Anonymous - Licenses are issued regardless of whether there is a valid authentication token attached to the license request.
    UsernamePassword - Licenses are ONLY issued if the license request has a valid Adobe-Access-Server-issued authentication token.
    Custom - Licenses are ONLY issued if there is a valid custom authentication token attached to the license request.
    Typically, customers already have some authentication scheme in place and choose to re-use that system, instead of leveraging Adobe Access' built-in usernamePassword support. For this to succeed, accommodations must be made during packaging time, on the client device, and at the Adobe Access license server endpoint.
    [ More Background ]
    Here's a forum thread that prompted this thread: http://forums.adobe.com/message/5085330#5085330
    [ Recipe ]
    1. Adobe Access DRM Policy is created that specifies a "custom" authentication token.  As of Adobe Access 4.0, the tools that ship with the Java SDK cannot create a DRM policy with "custom" authentication out the box; a small Java application will have to be written to do this, which is covered in the thread posted above.
    2. Content is packaged using this custom_auth policy.
    3. Client device performs authentication via whatever channel already exists for you to perform authentication (e.g. SAML tokens, etc...)
    4. Client device sets the authentication token: DRMManager.setAuthenticationToken()
    5. Client device attempts to acquire a license for the content created in step #2: DRMManager.loadVoucher();
    5a) Because step #4 set the authentication, all license requests going forward will automatically have this custom auth token appended to it
    6. License server receives request & extracts custom auth token to parse & perform additional entitlement checks
    7. License server generates a license to return to the client device.
    [ Server Code Snippet (RefImplLicenseReqHandler.java) ]
    try {
      ServletInputStream in = request.getInputStream();
      ServletOutputStream out = response.getOutputStream();
      HandlerConfiguration context = super.getHandlerContext();
      ServerCredential licenseServerCred = getLicenseParams().getLicenseServerCred();
      licenseHandler = new LicenseHandler(context, in, out, licenseServerCred);
      licenseHandler.parseRequest();
      List<? extends LicenseRequestMessage> requests = licenseHandler.getRequests();
      // Multiple requests in one message are not supported in FAXS 2.0 or 3.0 clients.
      for (LicenseRequestMessage licenseReq : requests) {
        try {
          // TODO: If custom authentication is specified in the DRM policy, here is where
          // you can retrieve the custom authentication token and perform custom parsing to
          // determine further business rules and entitlement before issuing a license.
          // The "Custom Authentication" will look like:
          // 1. Client device obtains auth token using some other channel
          // 2. Client device sets auth token by calling DRMManager.setAuthenticationToken()
          // 3. Client makes a license request by calling DRMManager.loadVoucher()
          // 4. Adobe Access Server receives request and:
          // 4a) Determines Custom Auth is required by DRM Policy: licenseReq.getContentInfo().getContentMetadata().getPolicies()[0].getLicenseServerInfo().getAuthenticationType();
          // 4b) Retrieves Custom Auth token for custom parsing/handling: licenseReq.getRawAuthenticationToken()
          // 5. If there are no errors when parsing the custom token, Adobe Access Server generates a license.
          V2ContentMetaData metadata = licenseReq.getContentInfo().getContentMetadata();
          ApplicationProperties applicationProperties = null;
          String usageModelString = null;
          if (metadata != null) {
            applicationProperties = metadata.getCustomProperties();
            if (applicationProperties != null) {
              usageModelString = applicationProperties.getSingleValueAsUTF8String(DEMOMODE);
    cheers,
    /Eric.