Merging User groups/profiles?

Similar Messages

• Last modified by for a user/group object

  Hi All,
  Is there any way to find out who has last modified the User/Group object in the portal.
  I can see the last account unlocked by for the user object. But is there any attribute to find out who has last modified the assigned groups/users for the user/group respectively or any change in the user/group profile.
  Thanks in advance,
  Siva
  Pts will be rewarded for useful answer.

  Hi Siva,
  as far as I know there is no standard way to find out who modified a user/group object in the portal. But I just checked the official API of <a href="https://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IUser.html">IUser</a> (represents a portal user) and <a href="https://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IGroup.html">IGroup</a> (represents a portal user group) and found out something interesting. <a href="https://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IPrincipal.html">IPrinciple</a> (super object of IUser and IGroup) has a field LAST_MODIFIED_BY.
  Looks like you can write your own portal component, which allows you to find out who has modified your users last.
  Best regards,
  Martin

• Is there a way in 10.8 Profile Manager to assign certain users the sole right of adding/removing users to user groups?

  Hello,
  I want to assign certain network users the ability to login via browser to the profile manager for 10.8.x server and add/remove other users from user groups.  Think teachers managing their class rosters, if the class was a group and the users their students.  I do not want any other admin funtionality beyond that for them.
  Suggestions?

  Well thank you for being so polite.  Yes, on looking on my 10.8 server, I have the same thing.  How annoying.  I have no idea how to answer your question.  If the management abilities are no longer in Workgroup Manager then there's a change that the server doesn't pay any attention to the settings, so manually changing settings in LDAP won't have any effect either.
  At least I can verify that it's not just you who gets that result.  I wonder what happened and how we're meant to do this now.

• Structural authorization : role, profile, user group

  Dear All,
  I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
  I am mainly concerned with roles and profiles, What exactly is role and what is profile.
  Pl give me practical example....
  Regards,
  Kumar

  Hi kumar,
  Roles: It is divided in to single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
  Profile: It is based on the authorization object. Unless untill, you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key,..
  User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
  Good Luck
  Om
  Reward it, if u feel helpful.

• Trash and user group help!

  why do i need to type in password when i delete things? how do i remove it?
  and i can't delete items directly from the dock as well. like opening from the downloads folder and dragging the file to trash. i have to bring open up Finder and delete from the folder directly.
  another issue is that am i able to remove the gues user from my start up screen? i've already disabled it from the user groups but i still see it in my login screen.
  one last problem, is it a norm to have current leakage for the MBP? i've been having frequent shocks from the 2 bottom corners of it when i plug it in to a power source. i bought it from an authorized retailer and using it in the country where i've gotten it from. i've just gotten my mbp about 3 weeks back.
  thanks for replying my queries!

  Hi,
  Yeah in ACS 3.1 its under the Shared Profile Components page. In ACS 4.1 its directly under the user groups or under SPC page.
  You need to check the box for "define ip based access restriction" and deny access for all other groups to the wireless access points network device group.
  ACS 3.X)
  1. Denied Calling/Point of access restrictions
  2. AAA Clients =UPS_PDU (Power Supplies)
  3. Port = just put a * for all
  4. Src IP address = just put a * as well
  SUBMIT to SAVE
  Create a second one for the other group like so:
  1. Denied Calling/Point of access restrictions
  2. AAA Clients =Routers_Switches
  3. Port = just put a * for all
  4. Src IP address = just put a * as well
  Click submit to save it.
  Go to the ACS User groups section and select the Network Administrators Group " that don't need access to the UPS's" and apply the NAR you created to that group. Do the same for the other grouping.
  (ACS 4.X)
  Go directly under the "user groups" and create the NAR under there. No need to go under the Shared Profile Components section
  Hope this helps and let me know if you need further assistance or explanation.
  Craig

• Different user status profile for network header and activities

  Hi everyone!
  Is there any way to define different user status profile at network header level and at network activity level? As far as I know, it is only possible to enter a user profile at network type level, and both netwok headers and activities use the same statuses. Does it work this way?
  Thanks!
  Regards.
  Edited by: Thalos on Jul 2, 2011 12:27 AM

  Hi Punith, Hi abdul!
  Thanks for the reply!
  I've gone through the OPSC, but the thing is that here you define a user status profile at network plant level. But I need to define it at network activity level.
  The reason why I need this is because we have types of activities. We use network activities for client activities, for internal activities, to identify and follow-up risk management, etc. Each group of activities -since they have different usages- has different user status associated. But as I don't have any way to assign different user status profiles, all the activities have the same statuses, although  they will only use some of them.
  Thanks!
  Regards,
  Thalos.

• OIM 9.1.0.2 - User group permission

  Hi experts,
  IHAC that need to configure some user groups in order to perform just specifics activities. We have configured the user groups but with no sucess.
  1) Group that should see/track all the opened requests.
  Given all request permission. (The requests don´t appear)
  2) Group that should disable Resource from user thru User Detail -> Resource Profile.
  Given all resource objects permission. (Error message: No permission)
  3) Group that create/manage Attestation.
  Given all attestation permission. (The attestation is created, but it doesn´t appear to delegated user)
  Any tip on how to set the correct permission?
  Brgs,

  Hi,
  I was looking for the same questions! One of them I could make it to work...
  About quetion #3, some steps:
  1. Create a group with name, lets say: AttestationManagers
  2. Give the following permissions:
  Attestation Requests
  Attestation Process Tasks
  Attestation Data
  Attestation Process Definitions
  Attestation Process Administrator
  3. Make the users responsable of attestation process part of group: AttestationManagers
  4. Create an attestation process and in the last field: Process Owner, put AttestationManagers
  5. Click: "Run Now"
  6. This attestation should appear to the user responsable of it.
  You can find an explanation about the attestation process in the following link: http://download.oracle.com/docs/cd/E14049_01/doc.9101/e14057/attestation.htm#insertedID1 and about the Process Owner, the point 15.1.1 in the above link.
  I hope it helps!
  Regards.

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul

• Integration - Windows Server 2003/2008R2: Creating a login script that attaches programs to a certain user group. Upgrading to Windows 7/8

  We are currently running a windows server 2003 environment with a 2003 server being the DC. We have a couple of 2008 r2 servers that are member servers.
  OK...
  Our users are primarily operating off of windows xp clients/workstations in which they use RDP to connect to the newer member servers that are windows 2008. With their base profile in xp I am using roaming profiles via server 2003. I am looking to begin
  upgrading all of the workstations to all-in-one windows7/8 boxes partially because of cosmetic reasons(#weird) and partially because we will eventually begin using the camera options that are in the all-in-one's.
  Also..I must do this one at a time as we don't have the money to do a complete overhaul of all client workstations..If that was the case, I could just redo the network and make those members servers the DC and backup DC as well as add a virtual server
  in which everyone can access those legacy programs that are still needed...
  As you guys know windows 7/8 boxes will not work with server 2003 and roaming profiles. The reason we don't completely upgrade to 2008 r2 environment is because we are still holding on to a legacy program that requires server 2003 and these programs are
  vital to our operation.
  So..broken down even further...
  A: User is part of a 'LocalAdmins' group that makes them automatically a local admin upon any system within our domain.
  B: User  logs in to windows xp with credentials in which a tailored made per user roaming profile comes up from server 2003
  C: User then logs into one of the two terminal servers via RDP with same credentials and accesses new primary application. To access the legacy applications, they merely minimize their RDP session to get back to the windows xp session.
  Ultimately..
  1. I'd like to begin replacing option B: with windows 7/8 all-in-ones and and have the RDP saved sessions,that talk to the 2008 member servers, as well as, a few vital ie shortcuts automatically come to all users that are apart of that "LocalAdmins
  group period.
  2. Setup 1 server 2003 box that runs that legacy program and allow everyone access via a Virtual Environment..
  3. If they log into a windows xp box, or a windows 7/8 box, I want them to have access to the same icons.
  I guess this is a lot to digest, but my question is, what script could I make that would essentially allow uniformity for both my xp workstations and newly added windows 7/8 boxes? What script could I create that would,I guess reside on server 2003, that
  brings all the neccessary icons to the users that are apart of that "LocalAdmins" group despite having a windows xp, 7, or 8 workstation?

  " I don't see what the issue is because a logon script will still be managed by Group Policy and will have to be applied using GP rules.  In the end you still have to write the script."
  You basically contradicted the smug part of your rant and multiple answers with this statement!!! You just recognized that some sort of script would be necessary if I chose to use it via group policy. 
  But according to you..
  "It is not and has never been done via a script."
  Clearly it has a section per user for a "profile path" and a "logon SCRIPT". Which warrants my creation of this post since I have currentely implemented
  roaming profiles. That is how I am manipulating what users can have on their desktop because of course, we have different users that have different needs. But out of all the users, there are programs that need to be laced and seen upon immediate login.I
  will consult other people as this is only preliminary planning but about half of your statements are completely unwarranted and UNNECESSARY!
  This statement also proves your additional inaccuracies...
  "All of the profile things are handled by Windows and have nothing to do with scripts.  You define all of that in Group Policy."
  That's just silly talk. I told you in my initial break down of my scenario in an entirety that I am using "tailored made per user roaming profiles" to control desktop environments not group policies in this case. But you just made an absolute statement in
  saying "You define all of that in Group policy" which is completely wrong...
  Do me a favor, please don't respond to this post anymore. I'd love to see if any other partner, staff or whatever mind responding. Thank you for your help anyway. I will use what is useful in your post and discard the rest.
  Thanks

• Win 8.1 domain workstation. Block all access, except for a fews users/groups and domain controller information/date.

  Hi!
  Win 8.1 pro, domain workstation. How Block all access, except for a fews users/groups and domain controller information/date.
  Nuance:
  From domain AD is locked Workstation Firewall "Domain profile" edit.
  Possible?
  cenubit

  Hi GirtsR,
  I am not sure the command to use the SID to accomplish what you want to achieve, if you only know the SID, you could take use Powershell to find the related information, more information, please check:
  Working with SIDs
  And a similar thread for reference:
  How to find user/group known only SID
  More reference: Default local groups.
  Best regards
  Michael Shao
  TechNet Community Support

• ISE / Active Directory: issue to get users group

  Hello,
  We have a strange issue:
  - ISE 1.2 patch 8
  - no WLC, autonomous AP
  In authentication, we check Wireless IEEE 802.11 (radius) and cisco-av-pair (ssid), then we use AD.
  We have 3 SSIDs, so 3 rules, one DATA, one GUEST, one for TOIP.
  In one more rules to grant authentication from APs to register in WDS: user in local database.
  In authorization, we check cisco-av-pair (ssid) and AD user group, then we permit access.
  (so 3 rules), and one more to authorise the internal base for WDS.
  We have something strange:
  - sometimes users can connect but later they can't: in the logs, the authorization rejects the user because the AD Group is not seen.
  Exemple:
  1- OK:
  Authentication Details
  Source Timestamp
  2014-05-15 11:43:19.064
  Received Timestamp
  2014-05-15 11:43:19.065
  Policy Server
  radius
  Event
  5200 Authentication succeeded 
  All the GROUPS of user are seen:
  false
  AD ExternalGroups
  xx/users/admexch
  AD ExternalGroups
  xx/users/glkdp
  AD ExternalGroups
  x/users/gl revue écriture
  AD ExternalGroups
  xx/users/pcanywhere
  AD ExternalGroups
  xx/users/wifidata
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa informatique
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa entreprises et cités
  AD ExternalGroups
  xx/informatique/campus/destinataires/aa campus
  AD ExternalGroups
  xx/users/aiga_creches
  AD ExternalGroups
  xx/users/admins du domaine
  AD ExternalGroups
  xx/users/utilisa. du domaine
  AD ExternalGroups
  xx/users/groupe de réplication dont le mot de passe rodc est refusé
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange view-only administrators
  AD ExternalGroups
  xx/microsoft exchange security groups/exchange public folder administrators
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/administrateurs
  AD ExternalGroups
  xx/builtin/utilisateurs
  AD ExternalGroups
  xx/builtin/opérateurs de compte
  AD ExternalGroups
  xx/builtin/opérateurs de serveur
  AD ExternalGroups
  xx/builtin/utilisateurs du bureau à distance
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  RADIUS Username
  xx\cennelin
  Device IP Address
  172.25.2.87
  Called-Station-ID
  00:3A:98:A5:3E:20
  CiscoAVPair
  ssid=CAMPUS
  ssid
  campus 
  2- NO OK later:
  Authentication Details
  Source Timestamp
  2014-05-15 16:17:35.69
  Received Timestamp
  2014-05-15 16:17:35.69
  Policy Server
  radius
  Event
  5434 Endpoint conducted several failed authentications of the same scenario
  Failure Reason
  15039 Rejected per authorization profile
  Resolution
  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
  Root cause
  Selected Authorization Profile contains ACCESS_REJECT attribute 
  Only 3 Groups of the user are seen:
  Other Attributes
  ConfigVersionId
  5
  Device Port
  1645
  DestinationPort
  1812
  RadiusPacketType
  AccessRequest
  UserName
  host/xxxxxxxxxxxx
  Protocol
  Radius
  NAS-IP-Address
  172.25.2.80
  NAS-Port
  51517
  Framed-MTU
  1400
  State
  37CPMSessionID=b0140a6f0000C2E15374CC7F;32SessionID=radius/189518899/49890;
  cisco-nas-port
  51517
  IsEndpointInRejectMode
  false
  AcsSessionID
  radius/189518899/49890
  DetailedInfo
  Authentication succeed
  SelectedAuthenticationIdentityStores
  AD1
  ADDomain
  xxxxxxxxxxx
  AuthorizationPolicyMatchedRule
  Default
  CPMSessionID
  b0140a6f0000C2E15374CC7F
  EndPointMACAddress
  00-xxxxxxxxxxxx
  ISEPolicySetName
  Default
  AllowedProtocolMatchedRule
  MDP-PC-PEAP
  IdentitySelectionMatchedRule
  Default
  HostIdentityGroup
  Endpoint Identity Groups:Profiled:Workstation
  Model Name
  Cisco
  Location
  Location#All Locations#Site-MDP
  Device Type
  Device Type#All Device Types#Cisco-Bornes
  IdentityAccessRestricted
  false
  AD ExternalGroups
  xx/users/ordinateurs du domaine
  AD ExternalGroups
  xx/users/certsvc_dcom_access
  AD ExternalGroups
  xx/builtin/accès dcom service de certificats
  Called-Station-ID
  54:75:D0:DC:5B:7C
  CiscoAVPair
  ssid=CAMPUS 
  If you have an idea, thanks so much,
  Regards,

  To configure debug logs via the Cisco ISE user interface, complete the following steps
  :Step 1 Choose Administration > System > Logging > Debug Log Configuration. The Node List page appears, which contains a list of nodes and their personas.
  You can use the Filter button to search for a specific node, particularly if the node list is large.
  www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_logging.html#wp1059750

• Problems with user group

  Hi, i created a new user group with some administrative rights:
  Access Administration
  Advanced Document Submission
  Create Communities
  Create Community Infrastructure
  Create Folders
  Create Portlets
  Edit Own Profile
  Then, i created a user and added to this group.
  When i login with the user i created, the Administration Tab doesn't appear.
  Somebody can help me please.
  IT'S URGENT !!!!
  Thanks

  I thought access administration was all that was required. Did you get it resolved. Usually these things clear themselves up with time.

• Nested AD User Groups in Workgroup Manager not working in Mavericks

  The setup is the traditional Golden Triangle, so Active Directory for users and groups, Open Directory for Managed Preferences. Both Apple clients and server are running 10.9.0
  While I can successfully manage the Mac's via OD computer groups, the OD user groups with nested AD groups no longer appear to work. If I nest an AD user it works fine, but not the AD users group.
  This is a new AD and new OD, no migrations. This is a setup I've done countless times over the years, but since Mavericks has been introduced, I can no longer make this work.
  Any help would be greatly appreaciated.
  Thanks,
  Alex Price

  Hello
  I have been having the same problem, when adding an AD Group to an OD group the users in the AD group are not managed, but if i add the user to the OD group it works fine, (with about 5000 active users this is not an option) this has been a problem with 10.9 and has not been fixed with 10.9.1, i assume we need a update to Workgroup manager?
  Maverick server is useless at the moment, cant upgrade the clients to Maverick if i cant manage them, are Apple just tring to make my job more difficult than it needs to be, i was happy that they provided Workgroup Manager for Mavericks because Profile Manager is simple not an option, but it would be good if it worked properly, its not a small problem so you would think apple would make it a priority.

• Restrict metadata field during an update to a specific user group

  Hello everyone,
  I am having some trouble figuring out the best way to restrict permissions to change some metadata fields for 2 different groups of users.
  I have two user groups, A and B. Group A will be checking in documents that the B group will then review for accuracy and quality. Group B will then update an optionlist field called "Status" with either "Recommended" or "Not Recommended".
  This is not a workflow situation as the scope requires that all documents are immediately available for searching. I currently have a CheckIn and Search profile for the content permitting read write access to groups A and B. The "Status" field is hidden on the CheckIn page. Can anyone please suggest a good way to restrict the field "Status" on an Update page to just "B" users? Groups A and B should be able to update all fields with the exception of the B restricted "Status" field.
  Thanks!
  Edited by: user6750815 on Jun 2, 2010 4:11 PM

  Hey rMac,
  I understand it this way you have one profile for A and B user groups. On this profile Status field is hidden.
  If this is your problem you can approach it from two places, while making the rule for hiding the Status field, use rule activation condition. Make it active only for users with Role A . This way even with single profile some of the user with Role B will be able to see the Status field.
  otherwise you can put similar code in Restrict Personalization Link where in you make this hidden field editable and compulsory for Users in B.
  cheers,
  sapan

• User Groups for Queries

  All,
  I have a user that gets a message stating that they are not assigned to any user group when using t-code SQ00.
  I have checked and the profile they are assigned to has rights to run SQ00 and I have also checked SQ03 and I do have her assigned to query groups.
  Am I missing something?  I've been administering users for years and have never had one with a problem like this.  All the usual areas are fine.
  Thanks for you help!

  i have to apologize - i didn't read your post carefully - my mistake.
  does this also happen when parameter AQB in SU3 is set to a default user-group?
  have you checked whether infosets are assigned to that particular user-group?
  Edited by: Mylene Euridice Dorias on Feb 13, 2008 5:18 PM
  i'm editing this: i have just been testing. is the infoset assigned to that usergroup properly generated?