PMP Restriction Across Administrator or BG

Similar Messages

• Restricting an administrator to only adding or removing Business Roles

  Hi:
  Is there an out of the box rule or form in IDM that can restrict an administrator to only adding or removing business roles from accounts?
  Thanks.

  Hi Dwayne,
  This BU ruling is somewhat of a newer function with OIA. For mass alteration, the old-school way would be to execute a SQL script directly towards the DB.
  Simply change the last line on what correlation you wish (in this situation, it's looking at the BU Name and the GU office name)
  delete from BU_GLOBALUSERS where businessunitkey > 0;
  insert into BU_GLOBALUSERS(BusinessUnitKey,GlobalUserKey)
  select BU.BusinessUnitKey, GU.GlobalUserKey from BUSINESSUNITS BU, GLOBALUSERS GU
  where BU.BusinessUnitName = GU.officename;
  Regards,
  Daniel Redfern
  Technicalconfessions.com

• Restrict Workflow Administrator responsibility for a business group

  My requirement is to restrict the Workflow Administrator responsibility to a specific business group so that the administrator can view all notifications/transactions for a given business group only for ALL item types. I tried following the steps given in the document 'Oracle Self-Service Human Resources (SSHR) Release Notes, Release 12.1.1' metalink id 578360.1. However, it doesnt seem to be working. Any idea on how to do this configuration?
  Thanks,
  Pallavi

  Hi,
  EBS version: 12.1.3, Database 11g
  Below are the steps to reproduce the issue:
  1) Create a security profile 'XXX-UK-WF' with following values:
  Business Group: <UK business group name>
  View Employees: Restricted
  View Contingent Workers: Restricted
  View Applicants: restricted
  View Contacts: Restricted
  View Candidates: All
  Organization Security Tab--> Security Type: View All Organizations(No Security)
  2) Set the HR: Security Profile option at the responsibility level for the Workflow Administrator Web(New) responsibility.
  3) Log on to the Functional Developer responsibility and search for the predefined Workflow Item Attribute Values (WF_ITEM_ATTRIBUTE_VALUES) object.
  4) Click the Update icon to navigate to the Update Object page.
  5) Click Create Grant on the Grants tab.
  On the Define Grant page, enter the following details:
  In the Name field, enter a descriptive name for the grant.
  Specify the effective date for the grant as '01-Sep-2011'.
  In the Grantee Type field, select 'Group of users' and select teh responsibility 'Workflow Administrator Web(New)' in the Grantee field.
  6)In the Object field, select the delivered object Workflow Item Attribute Values
  7)On the Grant: Select Object Data Context page, select the HR Self-Service Selected Person ID Instance Set (HRSS_WF_ATTR_PERSONID_INSTSET)
  8) On the Grant: Define Object Parameters and Select Set page:
  In the Set field, enter the delivered Business workflow item attribute permission set (WF_ADMIN_ITEM_ATTR_PSET).
  Click Finish to complete the grant creation process.
  9) Logout and login as a user having Workflow Administrator Web(New) responsibility. Navigate to Administer--> Status Monitor. Search for all the workflows started this week. All the transactions from all the business groups will be listed. ideally, only the transactions occuring in UK business groups should have been listed.

• Restrict Visual Administrator Services

  Hi,
     Does anybody know how I can restrict the Visual Administrator's services that one user can see in the tool?
     Thanks in advance.

  Hi Luis,
  I have no clue.  Sorry for that. 
  Just go thro' this link to hunt a solution for our issue:-
  http://help.sap.com/saphelp_nw04/helpdata/en/39/83682615cd4f8197d0612529f2165f/frameset.htm
  Hope this helps.
  Regards.
  Praveen

• Is it possible to restrict Content Administrator from a room?

  I'm having a hard time wrapping my brain around this one so please bare with me.
  The client wants the following situation:
  - they want a collaboration room that is restricted to 4 individuals in the company
  - this room needs to be secure so that only those 4 individuals can access the content in the room, these are end users
  - the Portal admin person will setup the room initially and then should no longer be able to access the room or content
  I can't think of any way to do this.  I've thought that maybe we could create a custom Content Admin role that has all access except to the room folder but this doesn't seem to be possible.  From my testing it looks like you can see all the documents in the room from Content Admin -> KM Content if you have the Content Admin role (or a copied version of it).
  Currently the portal team has Super Admin in production.  We'd obviously like to keep that access because maintenance and support becomes difficult without it.  The client would allow for special Super Admin access for temporary periods but it seems that we'd have to create a scaled down admin role that we would have all the time and then when we needed further access we'd need to get special approval to get the Super Admin role for a temporary period.
  So, is there any way that we can revoke all access to a room and it's content except for the specific users assigned to that room?  Any other ideas?
  Thanks in advance for any help,
  Robin Schmidt

  Hello,
  I'll explain what I am trying to achieve.
  I've written phone book application. Each person has his/her personal card with his/her picture. In order to display the picture I need it to available in http. I've created an HTTP Alias (Like can be done on IIS). What I do is simply conctenate the HTTP alias the unique id number of each person which is also his picture's file name. The workers have an option to show or hide their pictures if they want to. The problem is that once creating an HTTP alias (or virtual directory on an IIS) this url becmes available to every person inside the LAN and the whole pivacy cocept is lost. If I could reveal this alias only to users who are entering the portal I could have control over the displying of the pictures but like this everyone can see every picture if he wants to. I beleive I can change the method of the picture retreival so it will take it from the file and not from http, but this methos is much more faster and simple.
  Roy

• CFC access restrictions across sandboxes

  I am trying to prevent files in a directory from invoking
  CFCs in another directory. Here's the scenario:
  \restricted\secure.cfc
  \restricted\secure.cfm
  \open\public.cfm
  I want to restrict /open/public.cfm from accessing any files
  in /restricted/. Accordingly, I setup a sandbox for /open/ that had
  the following files/dirs restrictions:
  C:\CFusionMX7\wwwroot\open\ (read,write,execute,delete)
  C:\CFusionMX7\wwwroot\open\- (read,write,execute,delete)
  From what I've read in the docs, these should be the ONLY
  things that /open/ should have access to. /restricted/ should not
  be accessible.
  Trying to include secure.cfm from public.cfm:
  <cfinclude template="/restricted/secure.cfm">
  This results in the expected security error:
  "The requested template has been denied access..."
  However, when I invoke secure.cfc from public.cfm like this:
  <cfinvoke component="restricted.secure" method="echo"
  value="hello world" />
  it gives me access--no security error. Am I missing something
  here? How can I secure my CFCs from being called from another
  directory?

  This technote was just published:
  ColdFusion MX 7.0.1:
  Sandbox Security for ColdFusion Components
  Talk about timing!

• Unable to view BIPub report in the Dashboard by Non Administrator users

  Hi All,
  I have created a BI Publisher report and added the same to the Dashboard, I can view it as the Administrator user but unable to view it as any other Users.
  I updated the privileges in the BI Presentation services and gave permission to Everyone for BI Publisher:
  Oracle BI Publisher Enterprise
  Add BI Publisher Reports to Dashboard - Everyone
  View BI Publisher Reports - Everyone
  Schedule BI Publisher Reports - Everyone
  Send BI Publisher Reports - Everyone
  Build BI Publisher Reports - Everyone
  Analyze BI Publisher Reports - Everyone
  but users still get the below error:
  The error message is :
  "Unauthorized Access: Please contact Administrator"
  Any help is greatly appreciated.
  Regards

  Hi Saichand,
  Thanks for the reply, I did add and it worked successfully; but the issue now is that I had assigned the XMLP_ADMIN, XMLP_DEVELOPER roles to this user and he now has XMLP Administration rights. Which is not very good.
  Is there any workaround to restrict XMLP Administration to this user and allow him just to view the BI Pub Report?
  Your comments are greatly appreciated.
  Best Regards
  B

• How to create queries on multiproviders& what are steps to be taken.

  Hi all,
  How to create queries on multiproviders& what are steps has to be take care.
  Thanks,
  cheta.

  Hi,
  Following scenario for  sample for slow moving items for multiproviders.
  Slow Moving Item Scenario
  You want to define a query that displays all products that have been purchased only
  infrequently or not at all. In other words, the query is also display characteristic values for
  which no transaction data or only low values exist for the selected period.
  Procedure
  In the Administrator Workbench;
  1. Create a MultiProvider consisting of a revenue InfoCube, containing the InfoObject
  Material (0MATERIAL), and the InfoObject 0MATERIAL. The InfoObject must be set as
  an InfoProvider in InfoObject maintenance. In other words, you need to have assigned
  the InfoObject to an InfoArea. (also refer to Tab Page: Master Data/texts [Ext.]).
  In the BEx Analyzer:
  2. Select your MultiProvider in the Query Designer.
  3. Define a query that contains the InfoObject 1ROWCOUNT in the columns.
  The InfoObject 1ROWCOUNT is contained in all “flat” InfoProviders, that is, in all
  InfoObjects and ODS objects. It counts the number of records in the InfoProvider.
  In this scenario, you can see from the row number display whether or nor values
  from the InfoProvider InfoObject are really displayed.
  4. Save the query and execute it. All values are now displayed, including those for materials
  that were not purchased.
  If you filter by time (0CALYEAR, for example), values from the InfoProvider
  InfoObjects are not displayed since 0CALYEAR is not an attribute of
  0MATERIAL. You can see this from the absence of values in the 1ROWCOUNT
  column in the query. If you want to restrict by time, you need to proceed as
  follows:
  Constant Selection for the InfoObject
  You need to set the constant selection for the 1ROWCOUNT key figure in order to be able to
  set a filter by time in this query.
  1. In the Query Designer, via the context menu for 1ROWCOUNT, choose Edit.
  2. On the left hand half of the screen, under the data package dimension, select the
  characteristic InfoProvider (0INFOPROV) and drag it into the right-hand screen area.
  3. From the context menu for the InfoProvider, choose Restrict, and restrict across the
  InfoProvider InfoObject.
  4. Also from the context menu for the InfoProvider, choose the function Constant Selection.
  5. Save the query and execute it. You can now also set a filter for a time characteristic, the
  materials display remains as it was.
  Displaying Slow Moving Items
  If you want to display a list of slow moving items, excluding products that are selling well, you
  need to proceed as follows:
  1. In the Query Designer, via the context menu for 1ROWCOUNT, choose Edit.
  2. Via the context menu for InfoProvider, choose the function Display Empty Values. Also
  select Constant Selection.
  3. Save the query and execute it. The result is that the system displays the materials for
  which there was no revenue.
  Displaying Products with Small Revenues
  If you want to display a list of products that have not been sold or have only been selling
  badly, you need to proceed as follows:
  1. Set constant selection as described above, but do not select the display empty values
  function.
  2. In the Query Designer, define a condition for the 0MATERIAL InfoObject. Specify a value
  that is to be the upper limit for a bad sale.
  3. Save the query and execute it. The result is that the system displays all materials that
  have not been sold or have been selling badly.
  Thanks,
  Sankar M

• Display master data without data in the fact table

  Characteristic 0PROJECT
  Attribute Price
  I want to show in the query all the prices including the projects that don't have registers in the fact table.
  How do I do this?
  Tnks.

  I believe you are describing what SAP referes to as the Slow Moving Item scenario.  Search SDN using that phrase and you'll get hits on documents and  Notes that talk more about this.  Here's something from an old How To
  Slow Moving Item Scenario
  You want to define a query that displays all products that have been purchased only
  infrequently or not at all. In other words, the query is also display characteristic values for
  which no transaction data or only low values exist for the selected period.
  Procedure
  In the Administrator Workbench;
  1. Create a MultiProvider consisting of a revenue InfoCube, containing the InfoObject
  Material (0MATERIAL), and the InfoObject 0MATERIAL. The InfoObject must be set as
  an InfoProvider in InfoObject maintenance. In other words, you need to have assigned
  the InfoObject to an InfoArea. (also refer to Tab Page: Master Data/texts [Ext.]).
  In the BEx Analyzer:
  2. Select your MultiProvider in the Query Designer.
  3. Define a query that contains the InfoObject 1ROWCOUNT in the columns.
  The InfoObject 1ROWCOUNT is contained in all “flat” InfoProviders, that is, in all
  InfoObjects and ODS objects. It counts the number of records in the InfoProvider.
  In this scenario, you can see from the row number display whether or nor values
  from the InfoProvider InfoObject are really displayed.
  4. Save the query and execute it. All values are now displayed, including those for materials
  that were not purchased.
  If you filter by time (0CALYEAR, for example), values from the InfoProvider
  InfoObjects are not displayed since 0CALYEAR is not an attribute of
  0MATERIAL. You can see this from the absence of values in the 1ROWCOUNT
  column in the query. If you want to restrict by time, you need to proceed as
  follows:
  Constant Selection for the InfoObject
  You need to set the constant selection for the 1ROWCOUNT key figure in order to be able to
  set a filter by time in this query.
  1. In the Query Designer, via the context menu for 1ROWCOUNT, choose Edit.
  2. On the left hand half of the screen, under the data package dimension, select the
  characteristic InfoProvider (0INFOPROV) and drag it into the right-hand screen area.
  3. From the context menu for the InfoProvider, choose Restrict, and restrict across the
  InfoProvider InfoObject.
  4. Also from the context menu for the InfoProvider, choose the function Constant Selection.
  5. Save the query and execute it. You can now also set a filter for a time characteristic, the
  materials display remains as it was.
  Displaying Slow Moving Items
  SAP Online Help 05.11.02
  MultiProviders 3.0B, Support Package 07 10
  If you want to display a list of slow moving items, excluding products that are selling well, you
  need to proceed as follows:
  1. In the Query Designer, via the context menu for 1ROWCOUNT, choose Edit.
  2. Via the context menu for InfoProvider, choose the function Display Empty Values. Also
  select Constant Selection.
  3. Save the query and execute it. The result is that the system displays the materials for
  which there was no revenue.
  Displaying Products with Small Revenues
  If you want to display a list of products that have not been sold or have only been selling
  badly, you need to proceed as follows:
  1. Set constant selection as described above, but do not select the display empty values
  function.
  2. In the Query Designer, define a condition for the 0MATERIAL InfoObject. Specify a value
  that is to be the upper limit for a bad sale.
  3. Save the query and execute it. The result is that the system displays all materials that
  have not been sold or have been selling badly.

• Distributed JMS Queues and Port Information

  Hello,
            I am a reasonably inexperience WebLogic user, so forgive my ignorance.
            We are setting up a distributed JMS queue as a destination for messages being sent from our EAI server. The distribution will be across 2 servers in our QA environment and 3 servers in our production. We are using WebLogic Server 8.1.3 on an Windows 2003 environment.
            The people in our EAI environment need a port number on for the Queue in order to forward their messages to us. My question's are:
            1) Is the listen port for the Distributed Queue the same as the listen port for the Admin Server?
            2) If it is not, does it correspond to the listen port for the individual queues (which is the same between our environments)?
            3) If there is a third port in play, how does this get configured and where do I retreive this information?
            I appreciate any answers people are willing to give me on the issue.
            Thank you,
            Steven Enk
            Harley-Davidson Motor Company

  Hi Steven,
            WebLogic JMS shares the same WebLogic port as other WebLogic services, regardless of whether or not the destinations are distributed.
            One way to determine which ports are configured for a particular WebLogic server is to look at the log for that server.
            Ports are usually configured to support multiple protocols, and typically, one uses the "t3" protocol for URLs (its the highest performer), but there are other options (such as "http" for tunneling).
            You can configure additional ports (beyond the "default" port(s)) using the "channel" feature - i think you can find channels under the "WebLogic server" tabs on the console.
            For a server or client to establish communication with a remote cluster, one need only specify a URL for any one of the server's within the remote cluster. J2EE JNDI name location transparancy and WebLogic RMI load balancing will usually take care of the rest, although some customers setup DNS to help with load balancing (by for example, configuing their DNS "round-robin" addresses).
            Best practice is for the administrative server to be restricted to administrative purposes only. This means the admin server typically (A) doesn't host JMS (or any other services or any applications) and (B) is not a member of a cluster. So typically you won't be able to access JMS using an admin server's URL.
            Tom

• Dimension security is not working if user have two roles in SSAS while connecting from Excel

  Hello Genius,
  I am facing the issue when user trying to connect the cube from excel if user have more than one role in ssas db.
  Role 1: Countryuser, I have implemented the dimension security with country
  dimension and  countrycode attribute.
  Role 2: CityUser,   I have implemented the dimension security with
  city dimension and  citycode attribute.
  If user is mapped to any one of above role dimension security is working perfectly according to the logic but mapped to both role, cube is exposing all the data in this case dimension security is not working.
  Please give me the solution to fix this issue or incase I am wrong kindly advice.
  Thanks
  Ganesh

  This is the expected behaviour as allowed sets in roles are unioned together.
  This is not a problem when your roles are restricting across a single attribute.
  eg.
  US_role = {[Geography].[Country].[USA]
  France_role = {[Geography].[Country].[France] }
  as someone in both roles ends up seeing {[Geography].[Country].[USA], [Geography].[Country].[France] }
  But when you have different attributes:
  NY_role = {[Geography].[City].[New York] }
  France_role = {[Geography].[Country].[France] }
  The first role is unrestricted on countries and the second is unrestriced on cities which is effectively:
  NY_role = {[Geography].[Country].AllMembers , [Geography].[City].[New York]  }
  France_role = {[Geography].[Country].[France], [Geography].[City].AllMembers }
  And when you union those two sets together you end up with:
  {[Geography].[Country].AllMembers , [Geography].[City].AllMembers }
  Which means that someone in both roles can see everything.
  So if you want to restrict someone to City = New York and Country = France you have to create a
  single role where both attributes are restricted. So if you have a lot of these combinations you will either have to create a lot of "combination" roles or look at dynamic security.
  The other thing that might work is make sure that you only give some users access to certain cities and others access to certain countries. It's the mixing of the two for a single person that causes the issues.
  http://darren.gosbell.com - please mark correct answers

• Best Practice for Storing Program Config Data on Vista?

  Hi Everyone,
  I'm looking for recommendations as to where (and how) to best store program configuration data for a LV executable running under Vista.  I need to store a number of things like window location, values of controls, etc.  Under XP I just stored it right in the VIs own execution path.  But under Vista, certain directories (such as C:\Program Files) are now restricted without administrator rights, so if my program is running from there, I dont think it'll be able to write its config file.
  Also right now I'm just using the Write to Spreadsheet File block to store my variables.  Does this sound alright or are these better suggestions?
  Thanks!
  Solved!
  Go to Solution.

  I fopund some stuff on microsoft page. Here the link and a short past from taht document:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=BA73B169-A648-49AF-BC5E-A2EEBB74C16B&displa...
  Application settings that need to be
  changed at run time should be stored in one of the following
  locations:
   CSIDL_APPDATA
   CSIDL_LOCAL_APPDATA
   CSIDL_COMMON_APPDATA
  Documents saved by the user should be
  stored in the CSIDL_MYDOCUMENTS folder.
  Can't tell you more as I have no Vista around to look for the CSILD stuff.
  Felix
  www.aescusoft.de
  My latest community nugget on producer/consumer design
  My current blog: A journey through uml

• Change Management & Change Transport Process in GRC AC RAR

  With RAR not being able to leverage the SAP ABAP Change Management Process (CTS) what is the best practise for controlling the changes for RAR rule set ?
  How do we acheive job segregation from
  1. Making Changes to Rules in Dev RAR
  2. Transporting (Importing) them to RAR Prod
  How do we make sure the 'Import Rules' functionality is restricted. ? (Can we remove Action 'ImportRules' from all the roles and restrict that to one role & restrict the administrator from making role assignments directly in RAR (Only from CUP) )
  Thanks

  Hi Prashanth,
                        You can restrict the access by removing the action ImportRules from the customized role that you can create in UME for RAR.
  Thanks,
  Darshan

• ACS/ASA authentication for vpn access vs. console management access

  I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

  Try using Network Access Restrictions (NAR)where you can restrict the administrative access on per device or on NDG basis.
  By default user accounts from external database such as AD in ACS will get authenticated through telnet on network device or a AAA client which can be restricted by enabling NAR in ACS.
  In your case it should be VPNUSERS group in ACS.
  HTH
  Ahmed

• Automatic assignment of authoriztaion values in a profile or role with code

  Hi,
  I would like to assign values into an authorzation by coding. Is it possible?
  In BI, it is possible to do that by using a BEx variable inside the authorization in the role.
  is it possible with other authorzation objects?
  Best regards,
  Tomer Steinberg.

  Hi Tomer,
  It is possible, but only with a significant amount of coding and changes to standard SAP.
  Basically you need to replace the AUTHORITY-CHECK logic with your own code which gets the data from a different source.
  I have worked on a project where we used it for profit and cost centre values and the coding/testing effort was 3 months+ due to the complexity of providing this restriction across the application area.