Problems restricting AD users from logging in

We previously had a Snow Leopard Server/client setup and used the magic triangle, placing AD users in an AD group and then nesting this within an OD group in Workgroup Manager.  This group was then given access to log on to our clients in the computer group pane (login preference > access) of Workgroup Manager and all other users were automatically disallowed.  This worked perfectly and our system relies on this mechanism.
Having replaced this system with Mountain Lion Server latest release and 10.8.4 clients, the same setup is not working.  We have not extended the AD schema (just for info).
To restrict access to our clients to a particular user group, we place the users in the AD group, nest the AD group in the OD group and it appears to break the preference and give access to everyone.
I have tried some other combinations to determine where the problem lies.
1. I explicitly give access to a single AD user - the single AD user can log in and no other users can log in.  This is working.
2. I explicitly give access to a single AD user and a deny to a second user.  The single AD user can log in, the second user cannot log in.  Other users cannot log in.  This is working.
3. I give access to a single OD group containing a nested AD group containing the single AD user that had access in (2).  I also explicitly deny a second user.  Now all AD users can log in except the one user I denied.  This is broken.  All users not in the nested AD group should be denied access.
4. I give access to the nested AD group directly instead of nesting within the OD group.  I also explicitly deny a second user.  Now all AD users can log in except the one user I denied.  This is broken and the same result as (3).
There are some other quirks in Workgroup Manager regarding the AD groups and users.  If I add an AD user directly to an OD group then it is displayed correctly until I change tab.  If I return to the tab again the name is "Not Found" with a "target" icon displayed to the left.  The ID is a hexadecimal string.  The same occurs with AD groups.  I have read about this and the suggestion was to change the AD user groups to domain.local groups rather than global groups.  I did this and the AD groups then display correctly but this has not solved the login problem.
If I use the Server.app to view the users and groups they show up correctly, including AD users added directly to the OD groups, so this is better than Workgroup Manager, but I cannot restrict access to the clients using Server.app.
If anyone has any ideas of how to deal with this or workarounds I would really appreciate it.

Methinks you should be posting to the server forum.
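As an added reference model (not Apple's code and not from the original post), the following Python resolves nested group membership transitively and evaluates an allow/deny login access list the way the four scenarios above expect it to behave, so the observed results can be compared against it. The directory contents, user names and the rule that an empty allow list admits everyone are constructed assumptions.

```python
"""Reference model of login-window access evaluation with nested groups.

Constructed directory data; models the expected semantics of the post
(explicit allow/deny entries, transitive group nesting, default deny once
any allow entry exists). Not Apple's implementation.
"""
from collections import deque

# Constructed directory: group -> (direct users, nested groups).
# "od_staff" is the OD group, "ad_staff" the AD group nested inside it.
DIRECTORY = {
    "od_staff": (set(), {"ad_staff"}),
    "ad_staff": ({"alice"}, set()),
    "ad_other": ({"bob", "carol"}, set()),
}


def resolve_members(group, directory=DIRECTORY):
    """Return all users in `group`, following nested groups transitively."""
    seen, users, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen or g not in directory:
            continue                      # cycle or unknown group: skip
        seen.add(g)
        direct_users, nested = directory[g]
        users |= set(direct_users)
        queue.extend(nested)
    return users


def can_login(user, allow, deny, directory=DIRECTORY):
    """Evaluate an access list of ('user'|'group', name) entries.

    Deny entries win. Otherwise a user logs in only if some allow entry
    covers them, directly or via nested membership. With no allow entries
    at all, everyone who is not denied may log in (assumption).
    """
    def covers(entry):
        kind, name = entry
        if kind == "user":
            return user == name
        return user in resolve_members(name, directory)

    if any(covers(e) for e in deny):
        return False
    if not allow:
        return True
    return any(covers(e) for e in allow)


def scenario_results(allow, deny, users=("alice", "bob", "carol")):
    """Expected outcome for every constructed user under one access list."""
    return {u: can_login(u, allow, deny) for u in users}


# The four scenarios from the post, as access lists.
SCENARIOS = {
    1: ([("user", "alice")], []),                       # allow one AD user
    2: ([("user", "alice")], [("user", "bob")]),        # plus an explicit deny
    3: ([("group", "od_staff")], [("user", "bob")]),    # OD group nesting AD group
    4: ([("group", "ad_staff")], [("user", "bob")]),    # AD group directly
}

if __name__ == "__main__":
    for n, (allow, deny) in SCENARIOS.items():
        print(n, scenario_results(allow, deny))
```

In all four scenarios the model admits only alice; a client that also admits carol in scenarios 3 and 4 is not resolving the group entry to its nested members.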

Similar Messages

  • How to restrict the user from accessing other screens before submitting data

    Hi All,
      I have some screens developed in Webdynpro ABAP and all these have been linked to Portal as pages. In Portal, if I click on the link in detailed navigation I can see the corresponding screen on the right side. Now in one screen I have to input some data and submit the data. My problem is that if I enter some data and, before submitting the data, I click on any other link in the detailed navigation, that corresponding screen opens and all the data of the previous screen is lost.
    Can anyone suggest how I can restrict the user from accessing other screens before submitting the data of that screen, from a portal perspective?

    Hi Prasanna,
    The pages can be restricted from user access by using ACL permissions, or you can restrict a page by making it invisible in the navigation area if you do not want to show it to the user. Open the page properties, select the navigation category in the drop-down and set the "Invisible in navigation area" property to Yes. By default this property is No. Change the property for all PCD pages you want to hide from user access.
    Hope this helps you...
    Regards,
    Rudradev Devulapalli
    Reward the points if helpful....

  • Is it possible to restrict the user from creating a sibling and allow him to ONLY create child nodes in DRM?

    When in a hierarchy, a user right-clicks on a node to create a new node, he has two options
    -Child
    -Sibling
    Is it possible to restrict the user from creating a sibling and allow him to ONLY create child nodes?
    Business cases:
    1. different level nodes need to have different prefixes.
    - Thus, the default prefix property definition uses the level number to assign a prefix
    - Also, a validation, to ensure the correct prefix, uses the level number
    But if the user can create a child and a sibling then the default prefix will only be right for a single case and not both.
    Thanks

    If the images are exactly the same size then make sure the layer with the mask
    is the active layer and in the other documents go to Select>Load Selection and choose
    your document with the layer mask under Source document and under channel choose the layer mask.
    After the selection loads press the layer mask icon at the bottom of the layers panel.
    MTSTUNER

  • Restrict A User From Changing A Payment Term While Adding A/R Invoice

    Dear Experts,
    We want to restrict our users from changing payment terms while adding A/R Invoice.
    We use SAP B1 2007 b.
    Thanking  you
    Pradnya

    Hi,
    try below code in transaction notification procedure:
    -- Object type 13 = A/R Invoice; fire on Add ('A') and Update ('U')
    IF (@object_type = '13') AND (@transaction_type IN ('A', 'U'))
    BEGIN
        -- Block the document if its payment term (GroupNum) differs from the
        -- customer master (OCRD), i.e. the user changed it on the invoice
        IF EXISTS (SELECT T0.DocEntry
                   FROM OINV T0
                   INNER JOIN OCRD T1 ON T0.CardCode = T1.CardCode
                   WHERE T0.GroupNum != T1.GroupNum
                     AND T0.DocEntry = @list_of_cols_val_tab_del)
        BEGIN
            SET @error = 30
            SET @error_message = N'You are not authorized to change payment terms'
        END
    END
    for how the transaction notification works or how to use :
    check How to use Transaction Notification
    Thanks,
    Neetu

  • Problem in provisioning user from oim to active directory using ssl

    hi,
    problem in provisioning user from oim to active directory using ssl i am getting following error while provisioning user to AD.
    15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
    15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectToAvailableAD():simple bind failed: 172.16.30.35:636
    15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter some problems: Must set a query before executing
    com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
    at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
    at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
    at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableNextAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
    at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
    can anyone help.
    Thanks and Regards,
    praveen,

    Are you able to connect to AD over SSL through some LDAP Browser ?
    Check the validity of Certificate ?
    Does your certificate appear in the list ?

  • How to restrict the user from making any changes in Sales order- item level

    Hi to all
    How to restrict the users from making any changes in a sales order at item level if the same sales order has been released by a senior user through a status profile?
    Regards
    Anish Parikh
    Edited by: anish parikh on Jan 24, 2008 5:16 AM

    Hi Anish,
    This can be achieved through roles and authorization.
    This can be done through the basis team; they can create user profiles and roles.
    For the roles they assign some transaction codes so that users can view only the assigned transaction codes.
    Like that your requirement can be done.
    Also you can prevent the user from changing any fields in the sales order screen (VA02); for that please modify the authorisations.
    Hope this answers.
    Reward points if useful.
    Edited by: kaleeswaran bhoopathy on Jan 24, 2008 9:57 AM

  • Restricting the user from deleting a personel number

    Hi All,
    Can anyone help me in restricting the user from deleting a personnel number?
    Thanks & regards,
    Venkat

    Hi Venkat,
    The utility menu ultimately calls PU00, so it doesn't matter; the system won't allow him to delete.
    You can try it out in quality if you want.
    Award points if useful
    Regards,
    Bhupesh Wankar

  • Restrict Standard User from removing the COM-Addins registered under HKLM with Admin rights.

    Hello,
    I have developed a COM-Addin for Word 2013 with VS 2013 and installed it under HKLM with Admin rights. Now from a non-admin account, i.e. a Standard User, I'm able to uncheck that addin from the COM-Addins dialog and remove it also. Previously I have done the same thing for Word 2007 addins and if a non-admin user tries to uncheck it the warning "The connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" pops up. But this is not happening for Office 2013 apps (basically Word, Excel and PowerPoint).
    This is happening for all Add-Ins installed under HKLM.
    How can a Standard User be restricted from unchecking and removing the Office Addins registered under HKEY_LOCAL_MACHINE with the same warning "The connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" in a pop-up box?
    Regards, Sayan

    Hi,
    The behavior has changed since Office 2010. Office 2010 and Office 2013 allow a standard user to turn a per-machine add-in off by unchecking the add-in in the COM Add-ins dialog.
    To restrict a Standard User from removing the COM Add-ins, we can try adding the add-in to the Group Policy option "List of managed add-ins" in the Office Group Policy template.
    For Word, for example, the policy is under:
    User Configuration\Administrative Templates\Microsoft Word 2013\Miscellaneous
    To enable this policy setting, provide the following information for each add-in:
    In "Value name", specify the programmatic identifier (ProgID) for COM add-ins, or specify the file name of Word add-ins.
    To obtain the ProgID for an add-in, use Registry Editor on the client computer where the add-in is installed to locate key names under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins.
    To obtain the file name of an add-in, click the File menu in the application where the add-in is installed. Click Options, click Add-ins, and then use the Location column to determine the file name of the add-in.
    In "Value," specify the value as follows:
    To specify that an add-in is always enabled, type 1.
    Hope this helps.
    Regards,
    Steve Fan
    TechNet Community Support

  • How to restrict a user from deleting a PO

    Dear All,
    I have to restrict some users from deleting a line item in a PO. They will be authorised to create & change the PO but they must not be able to delete the line item.
    Further, it would be more helpful if it is possible to restrict them from deleting one particular type of PO (e.g. Capex PO). They can change a Capex PO but cannot delete it.
    Any answers will be highly appreciated.
    Regards
    Rutabhadra Panda

    Hello,
    Speak to your basis guy, but if you have created Capex PO as a particular document type, then maintain authorisation object M_BEST_BSA (Document Type in Purchase Order) with activity 06 (delete).
    You may find that deletion is still possible through activity 02 (change), so you might need to maintain different roles depending on what you need.
    Thanks.

  • Is it possible to restrict certain users from printing from Adobe Reader?

    Is it possible to restrict certain users from printing from Adobe Reader?

    First of all, with Reader you can't change any security settings.
    If you have Acrobat, then you could place a password on changing the document (which includes printing), and then give it to only some users.

  • Deny local admin users from logging on (or at least restrict them)

    I have a fully managed environment (AD authentication, using managed preferences from OD) that I am testing before rollout.
    My concern is that once preferences are managed, admin users will be able to create local admin accounts (I can't block the accounts pane otherwise users will not be able to change their passwords), then login and bypass preference management.
    Is there a way for local admin accounts logging on to inherit a default set of preferences that are only applied when a local account (or someone not in one of my directory groups) logs in, or better still - DENY local admins from logging in, or deny anyone from being able to create new local accounts?
    (Please don't suggest denying the users admin rights - it's not possible for political reasons).
    Many thanks in advance!
    FZ.

    There is no root or admin privilege that controls root or admin privilege. You have it, or you don't.
    I've been in exactly this case many years ago, and with replete with the politics of privileges and perceived prestige.
    I ended up documenting the foibles of the privileged folks and the time spent on recovery and restoration and related for each event, and waiting for a sufficient accumulation of same (and that didn't take very long), and I then preemptively yanked the access.
    Yes, the good folks squawked. Loudly. Yes, I got called onto the carpet.
    The Designated Responsible Individual (DRI) was then left to ruminate and make a decision, and (with the assistance of the foibles-related documentation around the efforts and time and costs) made the call. The proffered alternative (with the costs and the design and time estimates ready) with a private subnet or private LAN and private services and and a dedicated firewall configured between the privileged folks and the production LANs to keep the good folks safe and secure. Here's what that'll cost...
    Either way, you've punted the responsibility and the decision up the management chain to the DRI.
    (Oh, wait, did I mention which way that firewall was going to be facing? No? Oops. Bummer.)

  • Problem to send result from log file, the logfile is to large

    Hi SCOM people!
    I have a problem when monitoring a log file on a Red Hat system: I get an alert that tells me that the log file is too large to send (see the alert context below). I guess that the problem is that the server logs too much within the 5 minutes between SCOM checks.
    Any ideas how to solve this?
    Date and Time: 2014-07-24 19:50:24
    Log Name: Operations Manager
    Source: Cross Platform Modules
    Event Number: 262
    Level: 1
    Logging Computer: XXXXX.samba.net
    User: N/A
     Description:
    Error scanning logfile / xxxxxxxx / server.log on values xxxxx.xxxxx.se as user <SCXUser><UserId>xxxxxx</UserId><Elev></Elev></SCXUser>; The operation succeeded and cannot be reversed but the result is too large to send.
    Event Data:
    <DataItem type="System.XmlData" time="2014-07-24T19:50:24.5250335+02:00" sourceHealthServiceId="2D4C7DFF-BA83-10D5-9849-0CE701139B5B">
      <EventData>
        <Data>/ xxxxxxxx / server.log</Data>
        <Data>xxxxx.xxxxx.se</Data>
        <Data><SCXUser><UserId>xxxxxx</UserId><Elev></Elev></SCXUser></Data>
        <Data>The operation succeeded and cannot be reversed but the result is too large to send.</Data>
      </EventData>
    </DataItem>

    Hi Fredrik,
    At any one time, SCX can return 500 matching lines. If you're trying to return > 500 matching lines, then SCX will throttle your limit to 500 lines (that is, it'll return 500 lines, note where it left off, and pick up where it left off next time log files are scanned).
    Now, be aware that Operations Manager will "cook down" multiple regular expressions to a single agent query. This is done for efficiency purposes. What this means: If you have 10 different, unrelated regular expressions against a single log file, all of these will be "cooked down" and presented to the agent as one single request. However, each of these separate regular expressions, collectively, are limited to 500 matching lines. Hope this makes sense.
    This limit is set because (at least at the time) we didn't think Operations Manager itself could handle a larger response on the management server itself. That is, it's not an agent issue as such, it's a management server issue.
    So, with that in mind, you have several options:
    If you have separate RegEx expressions, you can reconfigure your logging (presumably done via syslog?) to log your larger log messages to a separate log file. This will help "cook down", but ultimately, the limit of 500 RegEx results is still there; you're just mitigating cook down.
    If a single RegEx expression is matching > 500 lines, there is no workaround to this today. This is a hardcoded limit in the agent, and can't be overridden.
    Now, if you're certain that your regular expression is matching < 500 lines, yet you're getting this error, then I'd suggest contacting Microsoft Support Services to open an RFC and have this issue escalated to the product team. Due to a logging issue within logfilereader, I'm not certain you can enable tracing to see exactly what's going on (although you could use command line queries to see what's happening internally). This is involved enough where it's best to get Microsoft Support involved.
    But as I said, this is only useful if you're certain that your regular expression is matching < 500 lines. If you are matching more than this, this is a known restriction today. But with an RFC, even that could at least be evaluated to see exactly the load > 500 matches will have on the management server.
    /Jeff

  • How to Restrict the users from changing the Default variant of report.

    Hello everybody,
    The requirement is to restrict the users from saving and overwriting the default layout variant (layout for higher management) set for the report, but at the same time they should be able to change and save the other layouts to which they have access.
    I have written the logic in the program, which works fine for all scenarios when we execute the report. But the logic doesn't work if the user selects the layout on the output screen of the report.
    For example, if the user runs the report using a layout variant for which he has the authorization, then he gets all 4 options, so he can then select the layout for which he is not authorized and overwrite it.
    I have debugged and checked, and found that after the report output is shown all the layout parameters are controlled by the standard SAP objects.
    Can anyone help me out with this issue?
    Thank you in advance.
    *to get the default layout variant.
      w_save = 'A'.
      if p_vari is initial.
        clear disvariant.
        disvariant-report = sy-repid.
        w_variant = disvariant.
        call function 'REUSE_ALV_VARIANT_DEFAULT_GET'
          exporting
            i_save     = w_save
          changing
            cs_variant = w_variant
          exceptions
            not_found  = 2.
        if sy-subrc = 0.
          p_vari = w_variant-variant.
        endif.
      endif.
    *logic to check user authorization to change the layout setting.
      if p_vari = c_layout.
        if not sy-uname is initial.
          select single * from agr_users
                  where agr_name = c_role
                  and   uname    = sy-uname.
          if sy-subrc = 0.
            w_save = 'A'.
          else.
            w_save = ' '.
          endif.
        endif.
      endif.
    Regards,
    Satish.

    Hi Maine,
    Thanks for your reply.
    As you mentioned, for your own program you can control the parameter "I_SAVE" when calling "REUSE_ALV_GRID_DISPLAY".
    I have already used the same logic and controlled the parameter through I_SAVE, and here I am calling method ALV_GRID->SET_TABLE_FOR_FIRST_DISPLAY instead of "REUSE_ALV_GRID_DISPLAY".
    It works fine when we execute the report, but the logic doesn't work when the user tries to change and save the layout variant on the output screen of the report.
    Regards,
    Satish

  • How to restrict some users from viewing a screen of standard transaction

    Hi All,
    I need to restrict certain user ids from viewing the 'Payment Transactions' screen for the below mentioned transactions.
    FK01, FK02, FK03, MK01, MK02, MK03, XK01, XK02, XK03
    The Basis consultant has tried to configure it. However, it's not working, so I need to find another solution.
    For all transactions other than FK01, MK01, XK01 (create vendor), the BAdI GOS_SRV_SELECT is called before the payment transaction screen appears. But for transactions FK01, MK01 and XK0, no such BAdI is there.
    Also I'm not able to figure out how to restrict that particular screen using Badi GOS_SRV_SELECT. What will be the service name for this?
    Please help !!!
    Thanks in advance,
    Radhika

    hi,
    you can do this using user exits.
    identify the appropriate exit for your transaction and then put a condition like
    if username = ...
    loop at screen.
    hide..
    endloop.
    i was just trying to give you some hint. make it to your best.
    reward if helpful.

  • Restrict the Users from doing Transactions from transactional Iview.

    Dear all,
    We have some transactional iViews in EP 7.0 and ECC 6.0. We want to restrict the end user from doing transactions by entering the transaction codes.
    1.Can we remove the command line
    2.Can we restrict the user
    We are using transactional iviews using connectors.
    Reply asap
    Thanks
    Ravi.S

    1) There is an ITS parameter you add in transaction SICF in the webgui service.  It is something like ~noheaderokcode.
    See here:
    http://help.sap.com/saphelp_webas620/helpdata/en/96/c09788c65b11d480c100c04f99fbf0/content.htm
    2) Backend authorisations define which transaction codes you have access to.
    Paul
