Inheritance in ACLs Authorization
Hi Gurus
I use inheritance in ACLs Authorization. I created a Folder (Doc. Type FOL) and gave ACLs authorization in there. Next I created a new DIR and assigned it to this Folder. I mean this Folder is a superior document of the new DIR. There is no ACL authorization in the new DIR.
After that, the user who is given ACL Authorization can access the Folder but he can't access the new DIR.
For example:
Folder FOA - get User A activity "Admin"
Create DIR TEST_DIR with superior document is FOA
User A can't access DIR with error "you don't have necessary authorization..."
With my understanding, the ACLs authorization is able to be inherited.
So why doesn't it work ?
Give me your idea if you experienced this case.
Best Regards
Thanks in advance
An NLP
Hi Iring Maeurer
When I assign ACLs for the user in DIR "admin", the user can access the DIR; that is the reason I think the problem is in ACLs authorization.
I'll check with Tcode su53.
Regards
An NLP
Similar Messages
-
BAPI to Create ACL Authorization
Hi everyone
Is there any BAPI or method to create ACL Authorization and auto-inherited authorization in the background ?
Regards
Jimmy
Hello,
You can use: BAPI_BUPA_CREATE_FROM_DATA
In case you need to update additional fragments, just search in trn code SE37 for BAPI_BUPA_*CREATE.
For example BAPI_BUPA_FRG0040_CREATE - Create classification data for BP, etc.
Additionally you can use XIF: CRMXIF_PARTNER_SAVE to create business partners
Rika
-
Mass change in ACL Authorizations in DMS
Hi guru
I'm working with ACL authorizations in DMS. I don't know how to delete (in one shot) the authorizations of a user who has resigned. For example I have many documents where I set the write access for the user: Jack.
If Jack has resigned, is there a transaction or report to:
mass delete this data or
substitute the user Jack with a new employee?
Thanks in advance
Ciao
Hi,
I created the report as written in the note. The report doesn't solve my problem because:
it selects only for a document, not for a range of documents
I know the user who resigned, not the document, so I should have a report for a user; the report should show me all the documents where the user has been assigned an ACL authorization.
According to you, is there a standard solution or is it possible to realize a custom solution?
Thanks in advance
Vanessa
-
Virtual telnet/downloadable access lists: acl authorization denied error
Hello,
has someone else experienced the same "issue" as described below ? And can someone (Cisco ?) tell whether this is by design, and if so, what the reasoning is behind this ?
We use virtual telnet for user authentication, when users need to pass traffic through a PIX, and use downloadable access-lists after successful authentication.
When a user authenticates himself, an error message appears in the virtual telnet window: "error: acl authorization denied".
And the PIX log shows:
109005: Authentication succeeded for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
This error message disappears when we add telnet access for the virtual telnet-IP@ in the downloadable access-list on the Cisco ACS. I could not find any reference to this configuration quirk in any document.
Now, with or without the error, the user can use virtual telnet and everything permitted in the downloadable acl without any problem (so why post an error message then?).
thanks
Try to disable authorization and see if this error stops
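An added example, not part of the thread and not Cisco code: a small Python check that pairs the two PIX messages quoted in the question (109005 and 109015) and separates denials logged for the virtual telnet authentication session itself, which is the case the poster describes, from denials for any other traffic. The sample addresses, the function name classify_denials and the labels it returns are constructed for illustration.

```python
import re

# Constructed sample lines in the format quoted in the post. The addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
109005: Authentication succeeded for user 'user1' from 192.0.2.10/2066 to 198.51.100.1/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from 192.0.2.10/2066 to 198.51.100.1/23 on interface inside
109005: Authentication succeeded for user 'user2' from 192.0.2.11/3011 to 198.51.100.1/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user3' from 192.0.2.12/4100 to 203.0.113.5/80 on interface inside
"""

# Shared tail of both messages: user, source and destination of the flow.
FLOW = (r"for user '(?P<user>[^']+)' from (?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)")
AUTH_OK = re.compile(r"109005: Authentication succeeded " + FLOW)
AUTHZ_DENY = re.compile(r"109015: Authorization denied \(acl=(?P<acl>[^)]+)\) " + FLOW)


def _flow_key(match):
    """Identify a flow by user and the source/destination address and port."""
    return tuple(match[g] for g in ("user", "src", "sport", "dst", "dport"))


def classify_denials(log_text, virtual_telnet_ip):
    """Return one record per 109015 line.

    kind == "auth-session": the denied flow is the same telnet session to the
    virtual telnet address that was just authenticated (109005 seen earlier).
    kind == "other-traffic": any other denial, which deserves a closer look.
    """
    authenticated = set()
    records = []
    for line in log_text.splitlines():
        ok = AUTH_OK.search(line)        # search() tolerates syslog prefixes
        if ok:
            authenticated.add(_flow_key(ok))
            continue
        deny = AUTHZ_DENY.search(line)
        if not deny:
            continue
        same_flow = _flow_key(deny) in authenticated
        to_vtelnet = deny["dst"] == virtual_telnet_ip and deny["dport"] == "23"
        records.append({
            "user": deny["user"],
            "acl": deny["acl"],
            "dst": f'{deny["dst"]}/{deny["dport"]}',
            "kind": "auth-session" if same_flow and to_vtelnet else "other-traffic",
        })
    return records


if __name__ == "__main__":
    for rec in classify_denials(SAMPLE_LOG, "198.51.100.1"):
        print(rec)
```
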
-
Document browser and ACL Authorization
Dear friends,
We are working on ECC 6.0 and are required to implement SAP DMS. As with every ERP 2005, two features come by default: document browser and ACL Authorization. These features are not required by users, so we need to de-activate these. We have a note for these wherein it is mentioned that one of the components is required to be upgraded. We don't want to go with this. If there is any note by applying which we can de-activate those features, that will be well and good, instead of upgrading the component.
Regards,
Dear Tushar,
This t-code will be enabled only after support pack SAPKGPAD11 or a greater version is implemented. Our client is not in a position to upgrade by implementing support packs. Please suggest an alternate solution, if any. If we can de-activate these features by applying any notes, let us know.
Regards,
Punam
-
ACL authorization activities missing in EasyDMS
Hi,
As per the help, when defining document specific authorizations the following authorization activities should be available.
Admin
DeleteFol
Delete
WriteFile
Write
DelChild
CreateDoc
ReadFile
Read
NoAuth
However, when I click the drop-down all I see are the following. There is a blank line where authorizations such as DeleteFol, WriteFile etc should be. Has anybody else experienced this issue? I have tested using EasyDMS 6.0 SP14 and 7.0 SP4.
Admin
Delete
Write
CreateDoc
Read
NoAuth
Thanks,
Lashan
Hi Surjit,
Thanks a lot for your answers. The function module is implemented. However, when I checked ACO_ACTIVITYT the authorization activities that I am missing were not maintained. Do I need to manually enter these values into this table? And why are some values available and others not? There were also some cProjects related activities in there (resource management, candidate management etc).
Appreciate any further help you could give me.
Lashan
-
Hello DMS experts,
Scenario:
Folder 1(Created by ABC user)---XYZ user is not authorized (by creating ACL in folder with NoAutho as activity for XYZ )
Document 1(Created by ABC user)--A new document checked into this Folder1.
Issue:
According to inheritance, this document is supposed to carry the ACL authorization from Folder 1, but currently unless we create the ACL manually (by navigating to the Authorization tab in the document properties, and clicking on "Create Admin Authorization") this inheritance is not copied to the document automatically. If this is standard SAP behavior, then what is the use of Inheritance? (Registry key AutoInheritedAuth=1 maintained)
It is practically not possible to manually create these ACLs for all sub folders and documents when they are created.
Need your suggestion/clarification on this....
Hello Deepak,
Option 1:
My question is related only to Inheritance of ACL authorization and lets assume that PFCG objects are in line with it.
Option 2:
Let's say I have Folder1 with 10 documents inside. I have not assigned ACO_SUPER for ABCD user, and an ACL is created for Folder1 with "NoAutho" for ABCD user on this folder. ABCD user is authorized to access this Folder1 and its documents as per the PFCG objects. (Hence, my requirement is: according to PFCG roles the user is authorized for relevant document types and objects, but I want to restrict the user only to certain folders and their documents using ACL.)
1. What is the need of assigning superior document, when the definition of inheritance itself says that properties of superior folder is copied to child items?
2. Those 10 documents are visible to ABCD user or not?.
*Currently only the folder is not displayed to user, wherein if the user searches the documents, it is visible. If we manually create ACL in the properties of each of these documents, then it copies the ACL (from inheritance) and stops displaying to user even in search (which is desired). Hence, the only issue here is, copying of inheritance ACL automatically.
-
Role Authorization Vs ACL in cProjects
We do not want to use ACL (Authorization at the Project level) to grant authorization. We are looking for a way to have this authorization by roles. Not too sure if the minutest of details can be controlled by authorization objects.
Of the few requirements that we have, one goes as follows:
1. We need a role of "Resource Manager" to be able to view all projects. However, this role must not be able to edit the project structure. This is possible. However, another requirement that we have is that this role must have all "admin" level access at the "Resources" level. Which means, this role must be able to staff roles and assign tasks to roles and resources, but must have read-only access to the project structure.
Can this be done?
2. Another requirement is with regard to status management. We want a role to have the authorization to set only select statuses. We have a combination of standard and custom statuses in the status profile that we are using. We look to control the access for roles by which one role can only set a few of these statuses.
Can this be done?
Thanks and Regards...
Hi Peter,
We have exactly the same need, and unfortunately everything is not solved yet.
1/ In standard, there is no distinction between project and role authorizations. This means you need 'admin' auth at project level if you want to manage the roles. We created an OSS message for this, and SAP's answer was to create a development request --> Until then, and if we get a positive answer, nothing can be done to separate project & role authorizations. So there is no solution today.
2/ For the statuses, we had to enhance class CL_DPR_STATUS_MANAGEMENT, methods GET_PERMITTED_USER_STATUS and/or GET_PERMITTED_ACTIVITIES. Thanks to this, we are now able to filter the status list that is populated in the screen.
Regards,
Matthias
-
I am going out of my mind here trying to figure this out. First my needs. I have two users on a 10.4 machine that need to be able to create, save and edit Photoshop files (their own and each other's) in the same folder. Until now, the only way I could figure it out was to create a second volume and "ignore" ownership on that volume. I know that I could go into the "file info" permissions every time one of us creates a new file and modify the permissions to allow the other to edit the file but what a pain that is.
I thought my answer would lie in enabling and using Access Control Lists (ACLs) so I used Tinkertool System to enable ACL support on my main volume and then grant full access with inheritance enabled to both users. This works great for any file (MS Word, Excel, etc.) but not Photoshop files. The Word, Excel and any other file created by one user correctly inherits the permissions from its parent folder's ACL settings but not the Photoshop files. They don't seem to inherit them at all.
I can go into Tinkertool System and propagate the settings and the files seem to pick up the settings but when one user tries to edit another's Photoshop files, it shows up as a locked file. I can use the "get info" dialog to confirm that the file does possess the ACL settings but it is almost as though Photoshop CS & CS2 don't recognize the ACL properties of the file.
In summary, my two issues are:
1. Photoshop files are not automatically inheriting the ACL permissions.
2. Even after manually propagating the ACL permissions to a photoshop file, it shows up as being locked (from within photoshop, not the finder) when the non-owner user tries to edit it.
Does anyone have any ideas as to what is going on here?
Thanks,
Troy
Troy,
I'm suspecting that we are using ACL differently. On tiger, you have to enable them specifically. The e flag on ls will show ACL's and from your post - you don't seem to have ACL installed.
Please have a look at the first page of this article. It describes ACL's and shows you how to manipulate them:
http://arstechnica.com/reviews/os/macosx-10.4.ars/8
You can accomplish what you need with traditional groups - if you want that - simply post the id for each user and I'll send back steps to make a group for this folder. (Or someone else here might just guess and propose something)
Also - have you contacted Adobe to see if the version of Photoshop you are using even supports ACL? I honestly don't know what layer of command they use to access the disks - it's not unlikely that their application might not support reading the meta data if it accesses the files directly. It's unlikely (but not impossible) that they used high level API from Apple that would enable them to simply work with ACL out of the box.
-
Authorization object of DMS Document Number
I need to limit the access of users to a range of documents.
For example:
I have created document type ZFI with number range 100 to 500.
I need to grant a specific user access to the range from 100 to 300 only.
How can I do that?
I need to know the authorization object of the document number.
Hi Reda,
You can use ACL authorization. It is the only option available to control authorization at document level.
The task of doing this will take time if there are many documents. I hope there is some standard FM for ACL; try using it and let me know the results.
Rgds,
Nayeem.
-
Can IFS be set up so that new files inherit the ACL of the folder they are created in
I realise that a file created or saved in IFS takes on the ACL of the User who created it. This is fine if users always save items into the same folders or belong to a single group. However, it causes problems when users need to save different items in many folders, each of which may have different audiences/require different security.
With this in mind, is it possible to set up IFS so that a file inherits the ACL of the folder in which it was created/saved, at creation/saving point?
I'd appreciate any info on this, as have read the documentation and couldn't find any info on it.
Cheers,
Caroline
We faced the same problem.
So I wrote a script that syncs the ACLs of the files with those of the folders they're in, only if they differ.
I use an SQL script that generates an ifsshell script, which is then run from the client. See below.
The content of aclsync.sql:
set serveroutput on size 1000000
set feed off
set term off
spool aclsync.txt
begin
  -- Emit one ifsshell setattr command for every document whose ACL
  -- differs from the ACL of the folder that contains it.
  dbms_output.put_line('login system/manager');
  for X in (select I.object_id, F.acl_id
            from ifs_folder_items I, ifs_folders F
            where I.folder_id = F.folder_id
              and I.type = 'DOCUMENT'
              and F.acl_id != I.acl_id) loop
    dbms_output.put_line('setattr -id '||X.object_id||' acl -avid '||X.acl_id);
  end loop;
  dbms_output.put_line('exit');
end;
/
spool off
set term on feed on
exit
And the content of the batch file that calls the above-mentioned script and executes its output:
sqlplus -s ifssys/ifssys@IFS @aclsync
set PATH=%PATH%;C:\"Program Files"\Oracle\"Oracle 9iFS CmdLine"
ifsshell -i aclsync.txt
Anyway, I'd appreciate some automatic way of doing that.
Regards Vladimir
-
Hi All,
I'm an ABAPer & new to DMS concepts.
How to use authorizations in DMS & EDMS? Do I need to activate something to see the authorization tab in DMS?
Where can I find these access control lists? I'm studying this link
(http://help.sap.com/saphelp_erp60_sp/helpdata/en/bd/8063fbbc43c54e901dd7733d946198/frameset.htm).
But couldn't understand some parts regarding Access control Lists.
Any help with a basic example would be appreciated.
Thanks & regards,
Ravi S.
Hi Ravi,
with the upgrade to ECC 6.0 Document Browser and ACL Authorization come as new features in the standard of the Document Management System. You can find documentation about these new features in the SAP Help Portal (help.sap.com):
> SAP ERP Central Component > Cross-Application Components > Document Management > Document Management > Document Browser
> SAP ERP Central Component > Cross-Application Components > Document Management > Document Management > Authorization Objects for Documents > Access Management Using Access Control Lists
For further information the SAP notes 1062939 and 1152180 could be useful too.
Best regards,
Christoph
-
Hi
I have activated the ACL switch by selecting ACL FLAG & Edit ACL check boxes in Tcode dcswitch but the authorization tab is not coming in DMS screens (CV01N, CV02N & CV03N). Can you please help me to solve it.
Regards
Harris
Hi Deepak Kori
The link provides the steps to get the option to turn on / off the ACL/browser switch. But in our system I can see these options in the Tcode dcswitch.
I selected (tick mark) the ACL FLAG & Edit ACL checkboxes in Tcode dcswitch but I can't see the Authorization tab in CV01N. This problem exists only in DEV client, not in IDES.
If I don't select the "Use ACM" check box in DC10 for the particular document type then the authorization tab is coming for that document type in IDES system. But in DEV client there is no field like "Use ACM" check box in DC10. Can you please clarify:
1. The ACL authorization tab will come only in IDES system?
2. The ACL authorization can be used only in SAP Easy Document Management System or we can use it for SAP GUI also?
3. Do we need to install anything (ex: PLM WebUI) to use the ACL authorization?
Regards
Harris.
-
Groups missing inherited permissions from parent folder on SMB share on save
If I save a file on a Lion share where I have RW access via group permissions, the group's inherited permissions on the SMB share are missing after the save.
File permissions before save:
user: read/write
group: read/write
other: no access
File permissions after save:
user2: read/write (it changed to the actual users who has permission on the Group)
group: no access !!! Why??
other: no access
On Mac OS X 10.6 I was able to force the group permission from the parent folder.
Every time I must manually propagate from the parent folder to fix this!
Any ideas?
I have the same problem. What exactly do you mean by add ACL? I have tried to change the permissions to add the inheritance via ACL, with no joy - so any help you can give would be appreciated. Thank you.
-
ACL granularity on XML element
Hello,
when I store an XML in an XMLTYPE (column or table), can I define an ACL on a specific XML element (node)? How fine-grained is the ACL restriction? On the whole XML document or even lower, down to elements and attributes? If it is fine-grained to elements, can someone provide an example?
As far as I know, it is top down...
In http://www.oracle.com/technology/products/database/oracle11g/pdf/xml-db-11g-whitepaper.pdf it is described as follows (the 11g extras):
ENHANCED ACL SECURITY
In Oracle Database 11g, the Oracle XML DB ACL-based security model has been enhanced in a number of ways, including the following:
• ACL Inheritance.
ACL inheritance simplifies the process of defining, managing, and enforcing a common set of security policies across all of the documents stored in Oracle XML DB Repository. These rules can be organization-wide policies or policies specific to certain types of documents. These rules are specified by creating one or more master ACLs. With ACL inheritance it is possible to ensure that all new ACLs must be based on an existing ACL. This ensures that the newly created ACL inherits all of security policies defined by the ACL it is derived from, ensuring that the policies defined by the parent ACL are enforced whenever the new ACL is used.
• DAV ACL Compliance.
The Oracle XML DB ACL model has been enhanced to provide more complete support for the DAV ACL specification. This will allow improved interaction with clients that provide support for the DAV ACL security model.
• User defined ACLs.
In Oracle Database 11g the set of permissions defined by Oracle XML DB can be extended to allow the ACL based security model to be used to secure other kinds of database object.
• Time-sensitive ACLs.
In Oracle Database 11g it is possible to create ACLs that enforce access control policies in a time-sensitive manner. This can be used to automatically publish and then expire content, based on rules defined by the ACL.