Issue implementing Business security profile in IDT

Similar Messages

• In R12.1.3, MO:Security Profile Vs HR:Cross Business Group precedence

  Hi All,
  In R12.1.3, Which profile option has higher precedence in MOAC structure.
  If i set the HR:Cross Business Group to NO at resp level and MO: Security Profile, which is associated to Global Security Profile which has two OUs of two different BGs.
  For example:
  I have BG1 - OU1
  BG2 - OU2
  Case 1:
  Global Security Profile - XXGSP has both OU1(BG1) and OU2(BG2) associated.
  HR:Cross Business Group - NO
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 2:
  Global Security Profile - XXGSP has both OU1(BG1) and OU2(BG2) associated.
  HR:Cross Business Group - Yes
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 3:
  Global Security Profile - XXGSP has both OU1(BG1) associated.
  HR:Cross Business Group - NO
  HR:Cross Business Group - BG2
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU1?
  Case 4:
  Global Security Profile - XXGSP has both OU1(BG2) associated.
  HR:Cross Business Group - Yes
  HR:Cross Business Group - BG1
  In Purchasing Responsibility, what could be the behavior when i create PO?. Will it show both OU1 and OU2? or OU2?
  Regards,
  Soorya

  Hi Soorya,
  We are in a similiar situation and I was wondering if you have received an answer or how you proceeded?
  Thanks,
  Cathy

• Security Profile Seeting with in a Same Business Group

  Hello,
  With in one business group I have employee of multiple country. Now the concern is that I need to have two different responsibility through which I can restrict the employee as per the country.
  The things which identify between countries are. 1. They have different GRE. 2. They have different Operating Units. I have tried to create a security profile it has the one option Secure organization by single Operating units, but I ma not able to see that working? Where exactly we need to declare the operating Unit i need to secure for? Can any one suggest me a suitable work around.
  The version we are using is 11.5.10
  Thanks

  If you security profile is 'static', then you need to run the concurrent process 'Security List Maintenance'. This will identify all records which match the security profile rule and then allow the user to see those records when the use their 'secured' responsibility.
  Regards
  Tim

• HRMS APP-PER-52803:Your business group does not match your security profile

  I see this as a common problem, please guide me as to what should be done to rectify it.
  While opening \Payroll\Description, it gives message as under:
  HRMS APP-PER-52803:Your business group does not match your security profile
  Regards
  Nemo

  Hi,
  I feel that "HR: Security Profile" option is not set properly, BZ of that screen is errors out.
  Please check the following Profile Options
  HR: Security Profile -- Enter the sec profile name which is business Group name
  HR: Business Group -- Your Business Group Name
  Note: If you set the HR: Security Profile optional first, then system will sets the HR: Business Group profile option too automatically.
  I hope this will solves your problem.
  thanks
  Krishna Prasad Rapolu
  Oracle HRMS Consultant.

• How to resolve Issues while implement gateway security by using reginfo,secinfo?

  Hi,
  I want to implement gateway security using  gw/reg_info,  gw/sec_info,  gw/reg_no_conn_info.
  so far I have created reginfo and secinfo files to allow all internal traffic and I kept gw/reg_no_conn_info=11, gw/acl_mode=1
  reginfo
  ======
  #VERSION=2
  P TP=*,HOST=local
  P TP=*,HOST=internal
  P TP=*,HOST=*.abc.com
  with the above setting I believe all the programs with in sap systems(including app servers), also system from domain abc.com can register programs with out having any issues.
  secinfo:
  ======
  #VERSION=2
  P TP=* USER=* USER-HOST=local HOST=local
  P TP=* USER=* USER-HOST=internal HOST=internal
  similarly  as per secinfo content I believe that all the internal traffic can go with out any issue with in sap system.
  beside that I have activated gateway logging to find the rejecting connections if any.
  I have following questions:
  ===================
  1)As the reginfo,secinfo files maintained can I remove gw/acl_mode=1 parameter ?
  2)if I want to add a specific programs to register from 3rd party system, suppose a program called "zram" from system "172.198.10.1" where I suppose to add it. Do I need to add that IP to secinfo along with reginfo?
  3)when I set parameter gw/reg_no_conn_info=11 when convert to binary it equals to 00001011
  what exactly this means from the following definitions from note 1444282
  1 1298433 Bypassing security in reginfo & secinfo
  2 1434 117 Bypassing sec_info without reg_info
  4 1465129 CANCEL registered programs
  8 1473017 Uppercase/lowercase in the files reg_info and sec_info
  will that means 8+2+1 means satisfying the above 3 lines except condition 4 ?
  4) I enabled  gateway logging, how could I catch rejecting connections from third party systems?
  5)From simulation mode I got to know that It will satisfy reginfo,secinfo restrictions and it will allow all other traffic.so what is the added advantage with this when activate?
  6)is there any sap native tools which help while preparing reginfo, secinfo files?
  Regards,
  Koteswararao.Davuluri(Koti).

  Hi,
  Here is answers for questions 4 and 5.
  4) I enabled  gateway logging, how could I catch rejecting connections from third party systems?
  SMGW->Goto->Expert functions->logging
  In the above path if you select security->(under that)->Rejected access only
  when you select that it should show you the connections getting rejected.
  5)For simulation mode you have 2 options. you can activate directly from the above path.Other option  if you maintain gw/sim_mode = 1  that will make the permanent simulation mode. But once after all the entries set in reginfo you have to disable simulation mode. with secinfo you will not have much problems.
  After doing steps 4, 5 you can see rejected entries in Gateway log.

• Creating a NEW Business Group, NO Security Profile generated

  Platform : R12 running on Linux86 --> FRESH install ( NOT Vision db )
  Resp : Global HRMS Super User
  Problem : No Security Profile generated for NEWLY created Business Group
  After creating a NEW business group ( ie. BG1 )
  I am able to see both BG1 and Setup Business Group ( I an view both Business Groups via Organization screen)
  When I access the Security Profile screen using the same resp "Global HRMS Super User"...
  I can ONLY see the default security profile ( Setup Business Group )...
  I am NOT able to view the default security profile ( BG1 ) that should have been created when I created my new business group earlier.
  NOTE : If I use the VISION db, and do the exact same thing... I can see both Security Profiles.. and both Business Groups.
  If I use the FRESH db, I can see both Business Groups... BUT... only 1 Security Profile... ( Setup Business Group )
  WHY ??
  Someone please HELP !!
  Thank-you
  Charlie :)

  hi charlie i tried the same in my vision instance, i am able to view my BG at the security profile level,
  when you query the system profiles,have you enabled the display checkbox at the responsibility level and try, or create an new responsibility and try... let me know the navigation you done clearly,
  Raj

• Issue with implementing Object Security in RPD (OBIEE 11g)

  Hello All,
  I am following these steps to implement Object Security, but it doesn't work. Please let me know what am I doing wrong here:
  1. I want to block a few presentation tables for the user 'weblogic'.
  2. I open the RPD in online mode and in the Identity Manager, for the application role 'BIAdministrator', I setup permissions 'no access' to these presentation tables. It asks me to 'Check Out' which I do.
  3. I check in the changes, save the RPD and deploy in back in EM.
  4. I login into OBIEE Answers using 'weblogic' user but alas these presentation tables are still available for me to use.
  I have tried looking for a solution on the internet before posting the solution here. Please don't ask me to read through the security setup guide because I have done that. Any specific answers are most welcome.
  Thanks in advance.

  Try this:
  Double click on the presentation table.
  Go to permissions and then revoke the access to BI Administrators.

• SAP BOBI 4.0: Data Security Profile Issue

  Consider the below scenario :
  We have two environments(SAP BOBI 4.0): Dev and Prod
  Schemas used are test and testABC in DEV and Prod respectively. And structure (table
  names and column names) inside both the schemas is same.
  We have created several data security profiles in Dev
  environment. So now when we migrate via Promotion Management, the universe from Dev to Prod, “data
  security profiles” also gets migrated.
  So once migrated we change schema name from test to testABC
  in data foundation layer which makes our dfx to point to testABC schema in
  Prod.
  Once above process is done when we go to data security
  profiles, table names gets changed from test to testABC But inside WHERE
  Clause, schema name is still test it doesn’t gets changed to testABC.
  Now question is  :
  Is there any way so that schema name inside
  WHERE Clause should get changed automatically from test to testABC?
  Is there any way we can restrict Data Security
  profiles to get migrated when we are migrating the universe?

  What is your data source? Did you try to edit the security profile in where clause?
  Is there any way we can restrict Data Security
  profiles to get migrated when we are migrating the universe? - You can only exclude to promote User/Folder/Object security, not inside the Universe.

• Oracle HRMS Setup Issue with Business Group

  Hi Gurys.
  need your ugrent help.
  i am implementing Oracle HRMS on 12.1.1
  Steps
  --- Responsbility Creation
  1- Responsbility Creation XX_HRMS (Responsbility created through Sysadmin)
  2- Menu Option GLB SHRMS Navigator
  -- USER Creation
  1- Create user XX_USER (User Creation done through Sysadmin)
  2- Below Responsiblities are granted to new User HRMS)
  -Application Developer
  -System Administrator
  -XX HRMS
  -System Administrator
  --KFF Creation through XX_USER with System Administrator
  --Location Creation through XX_USER with XX_HRMS Responsbility
  --Business Group creation through XX_USER with XX_HRMS Responsbility
  Here is issue, Business group created and saved, upon search it's not showing business group.
  i change the responsbility to System Administrator and set the profile at system level
  HR: Business Group to newly created Business Group.
  but when i want to set HR:Security profile , business group is not visible

  Thanks for your reply .
  1- avigate to the oraganization window and search for the business groups? how many do you see ? What are the names ?
  It show all the business grup , names are in query result below
  2- What is the result of the query -
  Select * from per_business_groups
  below is the query result
  NAME |DATE_FROM|LOCATION_ID|SHORT_NAME|LEGISLATION_CODE|CURRENCY_CODE|ENABLED_FLAG
  FAYYAZ GB |1/1/1990 |142 |Setup |US|USD|Y
  FAYYAZ |2/8/2011 |142 |Fayyaz |PK|USD|Y
  XX_TEST |2/8/2010 |142 |XX Test |GB|GBP|Y
  XX Company Final |2/8/2011 |142 |XX Company Final |GB|GBP|Y
  XX Company |2/8/2011 |142 |XX Company |GB|GBP|Y
  XX Comapny |2/8/2011 |142 |XX Company |GB|GBP|Y
  TEST |2/8/2011|142 |TEST |GB|GBP|Y
  3- Naigate to the security profile window. How many security profiles do you see ? What are the business groups they are associated with ?
  there is no business group showing in security profile, nor at site level not at responsbility.

• Error refreshing report after applying security restrictions in IDT

  Hi,
  I have created a report and now the requirement is that the user should be able to view data of his profile only for which i have created restricstions at universe at Business layer.. But after applying these if i refresh by the user id i get the error where as on removing this no error.
  "An internal error occured while calling 'porcessDPCommandsEx' API. (Error: ERr_WIS_30270) (Error: INF)".
  If i refresh using any other id other than used at restrictions the reports is getting refreshed. Please advise.
  This is on BOXIR4 SP3.
  Thanks in advance.

  I believe you are implementing Row level restrictions either in UDT or IDT, The below video is for IDT, the concept is same for UDT.
  http://scn.sap.com/docs/DOC-8461
  Create a data security profile that restricts access to specific rows: Information design tool 4.x - YouTube
  Regards,
  Ashok Vemulapalli
  Search is out best friend

• Mapping Apps security profiles in Discoverer

  Hello
  We wish to implement a 2-tiered security architecture. We already have the 1st tier in place in Disco Admin by assigning specific Business Areas to responsibilities.
  However, we also want to use the Apps custom Security Profiles to restrict access to tables and views through Discoverer Admin.
  How can this be implemented? Any examples would be most welcome.
  Thanks
  Sanjib Manna
  Oracle Practice
  IBM Business Consulting

  You can use the following query to look for all the security profiles. You can join the hr_operating_units to fnd_profile_option_values.level_value to get the desired result.
  SELECT psp.security_profile_name,
         psp.security_profile_id,
         hou.NAME,
         hou.organization_id
    FROM per_security_profiles psp,
         per_security_organizations pso,
         hr_operating_units hou
  WHERE pso.security_profile_id = psp.security_profile_id
     AND pso.organization_id = hou.organization_id;Additionally, you can also have a look at the below MOS docs.
  How To Check If a Profile Option Is Set In Oracle Applications? [ID 470102.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To List E-Business Suite Profile Option Values For All Levels Using SQLPlus [ID 201945.1]
  Script To List The Values Of A Profile Option At All Levels [ID 803587.1]
  How to Search all of the Profile Options for a Specific Value [ID 282382.1]
  How To Find All Users With A Particular Profile Option Set? [ID 367926.1]
  How to Change Profile Option Value Without Forms? [ID 943710.1]
  Cheers,
  ND
  Use the "helpful" or "correct" buttons to award points to replies.

• Security Profile with Assignment-level Security limitations

  Hi, We are on an R12 installation, and have a security profile based on Organization Hierarchy (With Assignment-Level Security - i.e. 'Restrict on Individual Assignments' checkbox is ticked); this is based on a specific organisation as the 'Top Org' rather than the User's own Assignment.
  The profile option "HR: Access Non-Current Employee Data" is set to 'Yes', but the security profile still restricts access to Future-Dated Assignments and Ended Assignments. Is this expected behaviour, and is the only solution to develop a Custom security profile, and is this even feasible (to replicate organisation hierarchy security using SQL in the custom security tab), or would we have to use a different criteria, such as Payroll?
  Regards, Chris

  Further investigation reveals this is a limitation of the product - within security, the selection criteria which determines which individuals (or assignments) is handled seperately to Assignment-level security (i.e. whether individual assignments are restricted), it is not possible to get around this issue even using custom security, as that does not give one the power to determine how individual assignments are handled. Thus if assignment-level security is implemented, the user cannot see Ended or Future-Dated assignments, even if the profile option "HR: Access Non-Current Employee Data" is set to 'Yes'.
  The only workaround we have found for this is to:
  a) remove assignment-level security, and
  b) ensure that where an employee has multiple assignments that cross security groups, this individual is set up twice, as two separate employees.

• Implementing Function Security in Oracle apps.

  I wanted to restrict certain menus in Payables manager for a particular user. How should i implement it? Is there any live example of implementing function security in oracle apps? Please Help.

  Hi,
  One approach is to create a custom menu and attach to it all the menus and functions you want and the add this menu to a new responsibility. But this is not the best way to solve the issue because you have to define different menus + responsibilities for each different user. Other way is to create roles which can be assigned to users.
  Thanks,
  Bahchevanov.

• REQIMPORT errors when security profile set using 12I

  I am submitting the purchase requisition import using the following script in release 12I. The request is submitted but completes with an error.
  declare
  l_request_id NUMBER;
  l_batch_id NUMBER := 1027;
  l_ou_count NUMBER;
  l_org_id NUMBER := fnd_global.org_id;
  l_ou_name VARCHAR2(200);
  BEGIN
  fnd_global.apps_initialize (1759 -- User ID
  ,50557 -- Responsibility ID
  ,201); --Application ID
  mo_global.init('PO');
  mo_global.set_policy_context('S', l_org_id);
  mo_utils.get_default_ou(l_org_id, l_ou_name, l_ou_count);
  dbms_output.put_line('OU Name: '||l_ou_name||' OU count: '||l_ou_count||' ORG ID: '||l_org_id);
  l_org_id := mo_utils.get_default_org_id;
  dbms_output.put_line('Default ORG ID: '||l_org_id);
  l_request_id := fnd_request.submit_request
  (application => 'PO'
  ,program => 'REQIMPORT'
  ,description => NULL
  ,start_time => SYSDATE
  ,sub_request => FALSE
  ,argument1 => 'CONSIGNED MANUAL'
  ,argument2 => l_batch_id
  ,argument3 => 'LOCATION' --'Location'
  ,argument4 => NULL
  ,argument5 => 'N'
  ,argument6 => 'Y');
  dbms_output.put_line('Request ID: '||l_request_id);
  END;
  The MO: Default Operating Unit and MO: Operating Unit profiles are setup for the given responsibility with an operating unit value. The MO: Security Profile profile is set to a given profile at the site and responsibility level.
  When I remove the MO: Security Profile at the site level the purchase requisition concurrent request completes successfully. Only when the MO: Security Profile is set at the site level is the purchase requisition concurrent program submitted using the attached script erroring out.
  I can submit the purchase requisition import using the submit request form without any errors. I believe this is because the operating unit field is being populated.
  Has anyone run into this issue? Am I missing any commands that define the operating unit used in the concurrent program submission in release 12I?
  Any help is greatly appreciated.
  Charles

  Hi,
  Only when the MO: Security Profile is set at the site level is the purchase requisition concurrent program submitted using the attached script erroring out.Please see if the guidelines about this profile option in the following documents help.
  Note: 784609.1 - How Does R12 MOAC Defaulting Rules and MO: Security Profile Work?
  Note: 397362.1 - Multi Org Access Control (MOAC) in Oracle Purchasing
  Note: 420787.1 - Oracle Applications Multiple Organizations Access Control for Custom Code
  Regards,
  Hussein

• Export - custom queries and reports, and security profiles

  We would like to keep a copy of our customizations to the application. 
  There are ways to import queries, reports and profiles into the app.  Is there any way to export the following to something like a CSV file for the following:
  - custom queries (all tabs)
  - custom reports (all tabs)
  - security profiles (custom and out of box u2013 all access rights)
  Thanks,
  Jerry

  Jerry,
  There are no standard queries that extract security profiles, Query Groups, Reports or Query Defintiions from the system. 
  However you can build custom queries that support this functionality.  During an implementation project I created some custom queries which allowed you to extract these objects for documenting purposes  We likely could supply these to you through SAP Consulting.  Please reach out to your SAP rep and have them Contact Me.  I have created some instruction that explain how to create these.
  Regards,
  James