Inheritance in ACLs Authorization

Hi Gurus,
I use inheritance in ACL authorization. I created a Folder (Doc. Type FOL) and gave ACL authorization there. Next I created a new DIR and assigned it to this Folder; I mean this Folder is the superior document of the new DIR. There is no ACL authorization in the new DIR.
After that, the user who was given ACL authorization can access the Folder, but he can't access the new DIR.
For example:
Folder FOA - User A gets activity "Admin"
Create DIR TEST_DIR with superior document FOA
User A can't access the DIR, with error "you don't have necessary authorization..."
As I understand it, ACL authorization can be inherited.
So why doesn't it work?
Give me your ideas if you have experienced this case.
Best Regards
Thanks in advance
An NLP

Hi Iring Maeurer 
When I assign ACLs for the user in DIR "admin", the user can access the DIR; that is the reason I think the problem is in ACL authorization.
I'll check with Tcode su53.
Regards
An NLP

Similar Messages

  • BAPI to Create ACL Authorization

    Hi everyone
    Is there any BAPI or method to create ACL Authorization and auto-inherited authorization in the background?
    Regards
    Jimmy

    Hello ,
    You can use: BAPI_BUPA_CREATE_FROM_DATA
    In case you need to update additional fragments, just search in transaction code SE37 for BAPI_BUPA_*CREATE.
    For example, BAPI_BUPA_FRG0040_CREATE - Create classification data for BP, etc.
    Additionally, you can use XIF: CRMXIF_PARTNER_SAVE to create business partners.
    Rika

  • Mass change in ACL Authorizations in DMS

    Hi guru,
    I'm working with ACL authorizations in DMS. I don't know how to delete (in one shot) the authorizations of a user who has resigned. For example, I have many documents where I set the write access for the user Jack.
    If Jack has resigned, is there a transaction or report to:
    mass delete this data, or
    substitute the user Jack with a new employee?
    Thanks in advance
    Ciao

    Hi,
    I created the report as written in the note. The report doesn't solve my problem because:
    it selects only for one document, not for a range of documents;
    I know the user who resigned, not the document, so I should have a report per user; the report should show me all the documents where the user has been assigned ACL authorizations.
    According to you, is there a standard solution, or is it possible to realize a custom solution?
    Thanks in advance
    Vanessa

  • Virtual telnet/downloadable access lists: acl authorization denied error

    Hello,
    Has someone else experienced the same "issue" as described below? And can someone (Cisco?) tell whether this is by design, and if so, what the reasoning is behind this?
    We use virtual telnet for user authentication, when users need to pass traffic through a PIX, and use downloadable access-lists after successful authentication.
    When a user authenticates himself, an error message appears in the virtual telnet window: "error: acl authorization denied".
    And the PIX log shows:
    109005: Authentication succeeded for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
    109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
    This error message disappears when we add telnet access for the virtual telnet IP address in the downloadable access-list on the Cisco ACS. I could not find any reference to this configuration quirk in any document.
    Now, with or without the error, the user can use virtual telnet and everything permitted in the downloadable ACL without any problem (so why post an error message then?).
    thanks

    Try to disable authorization and see if this error stops
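
Added example, not part of the thread and not Cisco's code: a small Python correlator for the two PIX messages quoted above. It separates a 109015 denial raised against the virtual telnet authentication session itself (the case the poster describes) from a denial of ordinary traffic. The sample log, its addresses, the optional `%PIX-n-` prefix and the function names are constructed for illustration.

```python
import re

# Matches the two messages shown in the thread. The optional "%PIX-n-"
# prefix is an assumption; the thread shows only the bare message id.
LINE_RE = re.compile(
    r"(?:%PIX-\d-)?(?P<id>109005|109015): "
    r"(?P<what>Authentication succeeded|Authorization denied)"
    r"(?: \(acl=(?P<acl>[^)]+)\))?"
    r" for user '(?P<user>[^']*)'"
    r" from (?P<src>[^/\s]+)/(?P<sport>\d+)"
    r" to (?P<dst>[^/\s]+)/(?P<dport>\d+)"
    r" on interface (?P<ifc>\S+)"
)

# Constructed sample: documentation addresses stand in for the thread's
# <workstation-IP> and <virtual-telnet-IP> placeholders.
VIRTUAL_TELNET_IPS = {"192.0.2.1"}
SAMPLE_LOG = """\
109005: Authentication succeeded for user 'user1' from 192.0.2.10/2066 to 192.0.2.1/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from 192.0.2.10/2066 to 192.0.2.1/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from 192.0.2.10/2101 to 198.51.100.7/445 on interface inside
"""


def parse_line(line):
    """Return the message fields as a dict, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["flow"] = (ev["user"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
    return ev


def classify_denials(lines, virtual_telnet_ips):
    """Label each 109015 denial by whether it hit the authentication session."""
    authenticated = set()   # flows already seen in a 109005 success
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["id"] == "109005":
            authenticated.add(ev["flow"])
            continue
        # Same user and 5-tuple as the successful login, aimed at the
        # virtual telnet address on port 23: the downloaded ACL has no
        # entry permitting the authentication session itself.
        on_auth_session = (
            ev["flow"] in authenticated
            and ev["dst"] in virtual_telnet_ips
            and ev["dport"] == "23"
        )
        findings.append({
            "user": ev["user"],
            "acl": ev["acl"],
            "dst": f'{ev["dst"]}/{ev["dport"]}',
            "kind": "auth-session-not-in-acl" if on_auth_session else "traffic-denied",
        })
    return findings


if __name__ == "__main__":
    for finding in classify_denials(SAMPLE_LOG.splitlines(), VIRTUAL_TELNET_IPS):
        print(finding)
```

Denials labelled `traffic-denied` are the ones to review against the intended access policy; the other label marks the log noise the poster removed by permitting telnet to the virtual telnet address in the downloadable ACL.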

  • Document browser and ACL Authorization

    Dear friends,
    We are working on ECC 6.0 and are required to implement SAP DMS. As with every ERP 2005, two features come by default: document browser and ACL Authorization. These features are not required by users, so we need to de-activate them. We have a note for these wherein it is mentioned that one of the components needs to be upgraded. We don't want to go with this. If there is any note by applying which we can de-activate those features, that will be well and good, instead of upgrading the component.
    Regards,

    Dear Tushar,
    This t-code will be enabled only after support pack SAPKGPAD11 or a greater version is implemented. Our client is not in a position to upgrade by implementing support packs. Please suggest an alternate solution, if any. If we can de-activate these features by applying any notes, let us know.
    Regards,
    Punam

  • ACL authorization activities missing in EasyDMS

    Hi,
    As per the help, when defining document specific authorizations the following authorization activities should be available.
    Admin 
    DeleteFol
    Delete
    WriteFile
    Write
    DelChild
    CreateDoc
    ReadFile
    Read
    NoAuth
    However, when I click the drop-down all I see are the following. There is a blank line where authorizations such as DeleteFol, WriteFile etc should be. Has anybody else experienced this issue? I have tested using EasyDMS 6.0 SP14 and 7.0 SP4.
    Admin 
    Delete
    Write
    CreateDoc
    Read
    NoAuth
    Thanks,
    Lashan

    Hi Surjit,
    Thanks a lot for your answers. The function module is implemented. However, when I checked ACO_ACTIVITYT, the authorization activities that I am missing were not maintained. Do I need to manually enter these values into this table? And why are some values available and others not? There were also some cProjects-related activities in there (resource management, candidate management, etc.).
    Appreciate any further help you could give me.
    Lashan

  • ACL Inheritance in DMS

    Hello DMS experts,
    Scenario:
    Folder 1(Created by ABC user)---XYZ user is not authorized (by creating ACL in folder with NoAutho as activity for XYZ )
    Document 1(Created by ABC user)--A new document checked into this Folder1.
    Issue:
    According to inheritance, this document is supposed to carry the ACL authorization from Folder 1, but currently, unless we create the ACL manually (by navigating to the Authorization tab in the document properties and clicking on "Create Admin Authorization"), this inheritance is not copied to the document automatically. If this is standard SAP behavior, then what is the use of inheritance? (Registry key AutoInheritedAuth=1 maintained)
    It is practically not possible to manually create these ACL for all sub folders and documents when they are created.
    Need your suggestion/clarification on this....

    Hello Deepak,
    Option 1:
    My question is related only to inheritance of ACL authorization, and let's assume that the PFCG objects are in line with it.
    Option 2:
    Let's say I have Folder1 with 10 documents inside. I have not assigned ACO_SUPER to the ABCD user, and an ACL is created for Folder1 with "NoAutho" for the ABCD user. The ABCD user is authorized to access this Folder1 and its documents as per the PFCG objects. (Hence, my requirement is: according to the PFCG roles the user is authorized for the relevant document types and objects, but I want to restrict the user only to a certain folder and its documents using ACL.)
    1. What is the need for assigning a superior document, when the definition of inheritance itself says that the properties of the superior folder are copied to child items?
    2. Are those 10 documents visible to the ABCD user or not?
    *Currently only the folder is not displayed to the user, whereas if the user searches for the documents, they are visible. If we manually create the ACL in the properties of each of these documents, then it copies the ACL (from inheritance) and stops displaying them to the user even in search (which is desired). Hence, the only issue here is copying the inherited ACL automatically.

  • Role Authorization Vs ACL in cProjects

    We do not want to use ACL (Authorization at the Project level) to grant authorization. We are looking for a way to have this authorization by roles. Not too sure if the minutest of details can be controlled by authorization objects.
    Of the few requirements that we have, one goes as follows:
    1. We need a role of "Resource Manager" to be able to view all projects. However, this role must not be able to edit the project structure. This is possible. However, another requirement that we have is that this role must have all "admin" level access at the "Resources" level. Which means, this role must be able to staff roles and assign tasks to roles and resources, but must have read-only access to the project structure.
    Can this be done?
    2. Another requirement is with regard to status management. We want a role to have the authorization to set only select statuses. We have a combination of standard and custom statuses in the status profile that we are using. We look to control the access for roles so that one role can only set a few of these statuses.
    Can this be done?
    Thanks and Regards...

    Hi Peter,
    We have exactly the same need, and unfortunately everything is not solved yet.
    1/ In standard, there is no distinction between project and role authorizations. This means you need 'admin' auth at project level if you want to manage the roles. We created an OSS message for this, and SAP answer was to create a development request --> Until then, and if we get a positive answer, nothing can be done to separate project & role authorizations. So there is no solution today.
    2/ For the statuses, we had to enhance class CL_DPR_STATUS_MANAGEMENT, methods GET_PERMITTED_USER_STATUS and/or GET_PERMITTED_ACTIVITIES. Thanks to this, we are now able to filter the status list that is populated in the screen.
    Regards,
    Matthias

  • Photoshop files & ACLs?

    I am going out of my mind here trying to figure this out. First, my needs. I have two users on a 10.4 machine who need to be able to create, save and edit Photoshop files (their own and each other's) in the same folder. Until now, the only way I could figure it out was to create a second volume and "ignore" ownership on that volume. I know that I could go into the "file info" permissions every time one of us creates a new file and modify the permissions to allow the other to edit the file, but what a pain that is.
    I thought my answer would lie in enabling and using Access Control Lists (ACLs), so I used Tinkertool System to enable ACL support on my main volume and then grant full access with inheritance enabled to both users. This works great for any file (MS Word, Excel, etc.) but not Photoshop files. The Word, Excel and any other file created by one user correctly inherits the permissions from its parent folder's ACL settings, but not the Photoshop files. They don't seem to inherit them at all.
    I can go into Tinkertool System and propagate the settings, and the files seem to pick up the settings, but when one user tries to edit another's Photoshop files, the file shows up as locked. I can use the "get info" dialog to confirm that the file does possess the ACL settings, but it is almost as though Photoshop CS & CS2 don't recognize the ACL properties of the file.
    In summary, my two issues are:
    1. Photoshop files are not automatically inheriting the ACL permissions.
    2. Even after manually propagating the ACL permissions to a Photoshop file, it shows up as being locked (from within Photoshop, not the Finder) when the non-owner user tries to edit it.
    Does anyone have any ideas as to what is going on here?
    Thanks,
    Troy

    Troy,
    I suspect that we are using ACLs differently. On Tiger, you have to enable them specifically. The e flag on ls will show ACLs, and from your post, you don't seem to have ACLs installed.
    Please have a look at the first page of this article. It describes ACL's and shows you how to manipulate them:
    http://arstechnica.com/reviews/os/macosx-10.4.ars/8
    You can accomplish what you need with traditional groups - if you want that - simply post the id for each user and I'll send back steps to make a group for this folder. (Or someone else here might just guess and propose something)
    Also - have you contacted Adobe to see if the version of Photoshop you are using even supports ACL? I honestly don't know what layer of command they use to access the disks - it's not unlikely that their application might not support reading the meta data if it accesses the files directly. It's unlikely (but not impossible) that they used high level API from Apple that would enable them to simply work with ACL out of the box.

  • Authorization object of DMS Document Number

    I need to limit the access of users to a range of documents.
    For example:
    I have created document type ZFI with number range 100 to 500.
    I need to grant a specific user access to the range from 100 to 300 only.
    How can I do that?
    I need to know the authorization object for the document number.

    Hi Reda,
    You can use ACL authorization. That is the only option available to control authorization at document level.
    The task will take time if there are many documents. I hope there is some standard FM for ACL; try using it and let me know the results.
    Rgds,
    Nayeem.

  • Can IFS be set up so that new files inherit the ACL of the folder they are created in

    I realise that a file created or saved in IFS takes on the ACL of the User who created it. This is fine if users always save items into the same folders or belong to a single group. However, it causes problems when users need to save different items in many folders, each of which may have different audiences/require different security.
    With this in mind, is it possible to set up IFS so that a file inherits the ACL of the folder in which it was created/saved, at creation/saving point?
    I'd appreciate any info on this, as I have read the documentation and couldn't find any info on it.
    Cheers,
    Caroline

    We faced the same problem.
    So I wrote a script that syncs the ACLs of the files with those of the folders they're in, only if they differ.
    I use an SQL script that generates an ifsshell script, which is then run from the client. See below.
    The content of aclsync.sql:
    set serveroutput on size 1000000
    set feed off
    set term off
    spool aclsync.txt
    begin
      -- First line of the generated ifsshell script: log in
      dbms_output.put_line('login system/manager');
      -- One setattr command per document whose ACL differs from its folder's ACL
      for X in (select I.object_id, F.acl_id
                  from ifs_folder_items I,
                       ifs_folders F
                 where I.folder_id = F.folder_id
                   and I.type = 'DOCUMENT'
                   and F.acl_id != I.acl_id) loop
        dbms_output.put_line('setattr -id '||X.object_id||' acl -avid '||X.acl_id);
      end loop;
      dbms_output.put_line('exit');
    end;
    /
    spool off
    set term on feed on
    exit
    And the content of the batch file that calls the above-mentioned script and executes its output:
    sqlplus -s ifssys/ifssys@IFS @aclsync
    set PATH=%PATH%;C:\"Program Files"\Oracle\"Oracle 9iFS CmdLine"
    ifsshell -i aclsync.txt
    Anyway, I'd appreciate some automatic way of doing that.
    Regards Vladimir
    ---

  • Regarding ACL

    Hi All,
    I'm an ABAPer & new to DMS concepts.
    How to use authorizations in DMS & EDMS? Do I need to activate something to see the authorization tab in DMS?
    Where can I find these access control lists? I'm studying this link
    (http://help.sap.com/saphelp_erp60_sp/helpdata/en/bd/8063fbbc43c54e901dd7733d946198/frameset.htm).
    But couldn't understand some parts regarding Access control Lists.
    Any help with a basic example  would be appreciated.
    Thanks & regards,
    Ravi S.

    Hi Ravi,
    with the upgrade to ECC 6.0, Document Browser and ACL Authorization come as new features in the standard of the Document Management System. You can find documentation about these new features in the SAP Help Portal (help.sap.com):
    > SAP ERP Central Component > Cross-Application Components > Document Management > Document Management > Document Browser
    > SAP ERP Central Component > Cross-Application Components > Document Management > Document Management > Authorization Objects for Documents > Access Management Using Access Control Lists
    For further information, the SAP notes 1062939 and 1152180 could be useful too.
    Best regards,
    Christoph

  • ACL issue

    Hi
    I have activated the ACL switch by selecting the ACL FLAG & Edit ACL check boxes in Tcode dcswitch, but the authorization tab is not coming up in the DMS screens (CV01N, CV02N & CV03N). Can you please help me to solve it?
    Regards
    Harris

    Hi Deepak Kori
    The link provides the steps to get the option to turn the ACL/browser switch on or off. But in our system I can see these options in Tcode dcswitch.
    I selected (tick mark) the ACL FLAG & Edit ACL checkboxes in Tcode dcswitch, but I can't see the Authorization tab in CV01N. This problem exists only in the DEV client, not in IDES.
    If I don't select the "Use ACM" check box in DC10 for the particular document type, then the authorization tab comes up for that document type in the IDES system. But in the DEV client there is no field like the "Use ACM" check box in DC10. Can you please clarify:
    1. Will the ACL authorization tab come up only in the IDES system?
    2. Can ACL authorization be used only in SAP Easy Document Management System, or can we use it for SAP GUI also?
    3. Do we need to install anything (e.g. PLM WebUI) to use ACL authorization?
    Regards
    Harris.

  • Groups missing inherited permissions from parent folder on SMB share on save

    If I save a file on a Lion share where I have RW access through group permissions, the group is missing the inherited permissions on the SMB share on save.
    File permissions before save:
    user: read/write
    group: read/write
    other: no access
    File permissions after save:
    user2: read/write (it changed to the actual user who has permission on the group)
    group: no access !!! Why??
    other: no access
    On Mac OS X 10.6 I was able to force the group permission from the parent folder.
    Every time, I must manually propagate from the parent folder to fix this!
    Any ideas?

    I have the same problem. What exactly do you mean by add ACL. I have tried to change the permissions to add the inheritance via ACL, with no joy - so any help you can give would be appreciated. Thank you.

  • ACL granularity on XML element

    Hello,
    When I store an XML document in an XMLTYPE (column or table), can I define an ACL on a specific XML element (node)? How fine-grained is the ACL restriction? On the whole XML document, or even lower, down to elements and attributes? If it is fine-grained to elements, can someone provide an example?

    As far as I know, it is top down...
    In http://www.oracle.com/technology/products/database/oracle11g/pdf/xml-db-11g-whitepaper.pdf it is described as follows (the 11g extras):
    ENHANCED ACL SECURITY
    In Oracle Database 11g, the Oracle XML DB ACL-based security model has been enhanced in a number of ways, including the following:
    • ACL Inheritance.
    ACL inheritance simplifies the process of defining, managing, and enforcing a common set of security policies across all of the documents stored in Oracle XML DB Repository. These rules can be organization-wide policies or policies specific to certain types of documents. These rules are specified by creating one or more master ACLs. With ACL inheritance it is possible to ensure that all new ACLs must be based on an existing ACL. This ensures that the newly created ACL inherits all of security policies defined by the ACL it is derived from, ensuring that the policies defined by the parent ACL are enforced whenever the new ACL is used.
    • DAV ACL Compliance.
    The Oracle XML DB ACL model has been enhanced to provide more complete support for the DAV ACL specification. This will allow improved interaction with clients that provide support for the DAV ACL security model.
    • User defined ACLs.
    In Oracle Database 11g the set of permissions defined by Oracle XML DB can be extended to allow the ACL based security model to be used to secure other kinds of database object.
    • Time-sensitive ACLs.
    In Oracle Database 11g it is possible to create ACLs that enforce access control policies in a time-sensitive manner. This can be used to automatically publish and then expire content, based on rules defined by the ACL.
