PS Network Authorizations - CAT2

Hi Guys..
Is it possible to restrict authorizations in CAT2 based on the company code of the user?
I need to ensure that users are dropping time (in CAT2 ) only in the network activities where the company code of the network activity is the same as the company code of the person dropping time...
For example.. if the user is defined in company code XXXX and the company code of the network activity that the user uses is YYYY, then system should not allow the time drop... is there a standard SAP functionality for this?
I am relatively new to the PS area..and need your suggestions...
Thanks
Bharath

Hi Bharath.
No need to restrict. This is done by standard functionality.
It is more an FI/CO setting that you cannot transfer from one company code to another. It doesn't make sense either if you think it through, so it is restricted.
Best regards.
Jens

Similar Messages

  • PS Network Authorization Objects?

    Hi,
    I want to assign authorization for a particular Network of a particular WBS in a PS project.
    But all the standard objects I have checked do not serve the purpose.
    What is the standard procedure for doing that? Any object you know can be useful to me?
    C_AFVG_APL           PS: Work Center for Network Activities and Activity Elements
    C_AFVG_TYP           PS: Activity types for network act. and activity elements
    C_AFKO_DIS            Network: MRP Group (Plant) and Transaction Type
    C_AFKO_ACT           Activities on network header level

    Hi Hussain,
        The authorization objects related to WBS in a PS project are
    *)C_PRPS_ART     you can use this object to control who can access WBS elements in the PS depending on the project type,
    *)C_PRPS_KOK     you can use this object to control who can access WBS elements in the PS depending on the controlling area assigned to them,
    *)C_PRPS_KST      you can use this object to control who can access WBS elements in the PS depending on the responsible cost center for the WBS elements,
    *)C_PRPS_PRC       you can use this object to control who can access WBS elements in the PS depending upon the profit center ,
    *)C_PRPS_USR       This authorization object is intended as a "master" for you to copy from when you create your own company-specific authorization objects for WBS elements, activities and activity elements.
    *)C_PRPS_VNR     You can use this authorization object to control who has access to the WBS elements in the Project System depending on the person responsible for the project ("project manager").
        The best way to search for authorization objects, as I prefer, is to use the tcode SUIM.
        Hussain, one thing I want to mention here: when you give this authorization object to any user, please check the authorization field as well, where you are able to restrict a user to view/display, change, create, etc.

  • The URL that was set for my homepage redirects to a network authorization page even though I cannot connect to that network.

    I am no longer within range of a network that I was attempting to connect to as guest, and now the guest registration page for the network overrides the URL that was set for my home page in Firefox. (I never actually established a connection to the internet on that network because the guest username and password repeatedly failed.) The redirect executes whenever I type the URL, www.yahoo.com, into the address bar, or when I follow a link from a search engine to that URL, or when I click the home button. How can I stop the redirect? I deleted all network locations that contained that network and cookies that contained the network name, but that did not stop the page redirection. I do not believe this to be a virus or malicious network because it was at a research institute. I looked in prefs.js for any keywords from that network but I did not find anything obvious.
    Thank you for your help.

    Easily fixed: clear the cache.

  • Secured Internal Network (ASA 5510)

    We have an internal subnet (Secured Server LAN) that requires network authorization. This subnet contains a separate AD forest with the servers as members of the domain. The Windows XP clients that access these resources are also members of the secure AD forest but are connected to the corporate LAN. We would want to configure RSA SecureID to provide two-factor authentication for the users. Can the ASA 5510 provide network authorization prior to attempting to login to Active Directory without configuring SSL VPN? Please see attachment...

    You are able to configure authorization in your ASA device before accessing AD. The URL below presents example procedures for configuring authentication and authorization on the security appliance using the Microsoft Active Directory server. It includes the following use cases:
    •User-Based Attributes Policy Enforcement
    •Placing LDAP users in a specific Group-Policy
    •Enforcing Static IP Address Assignment for AnyConnect Tunnels
    •Enforcing Dial-in Allow or Deny Access
    •Enforcing Logon Hours and Time-of-Day Rules
    http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/extsvr.html#wp1572118

  • Aaa authorization is confusing

    hi...this command make me mess for many times :(. is it true aaa authorization can return acl and time for user? how aaa authorization know what user will be associated in case aaa authentication is aaa authentication login default local? for make it more complete...is aaa authorization only work with tacacs? tx a lot ;)

    Hi,
    If the tacacs server fails to respond, then local network authorization will be performed.
    Assuming this command: aaa authorization network test tacacs local.
    Keep in mind that only a limited set of functions can be controlled via the local database.
    HTH
    Regards,
    Bjornarsb
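The fallback order described in the reply above, modelled as an added example (not code from the thread or from Cisco): the next method in the list is consulted only when the previous one gives no answer, so a denial from the server is final and `local` is never asked. `Reply`, `parse_method_list` and `authorize` are hypothetical names, and the replies are constructed.

```python
from enum import Enum


class Reply(Enum):
    PASS = "pass"    # method answered: authorized
    FAIL = "fail"    # method answered: denied
    ERROR = "error"  # method did not answer (timeout, unreachable)


def parse_method_list(command):
    """Split 'aaa authorization <service> <list> <method> ...' into its parts."""
    tokens = command.split()
    if len(tokens) < 5 or tokens[:2] != ["aaa", "authorization"]:
        raise ValueError("expected: aaa authorization <service> <list> <method> ...")
    service, list_name, rest = tokens[2], tokens[3], tokens[4:]
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":           # 'group <name>' counts as one method
            if i + 1 == len(rest):
                raise ValueError("'group' needs a server group name")
            methods.append(rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return service, list_name, methods


def authorize(methods, replies):
    """Walk the method list in order; return (authorized, methods consulted)."""
    consulted = []
    for method in methods:
        consulted.append(method)
        reply = replies.get(method, Reply.ERROR)
        if reply is not Reply.ERROR:     # any answer, pass or deny, ends the walk
            return reply is Reply.PASS, consulted
    return False, consulted              # no method answered: not authorized


COMMAND = "aaa authorization network test tacacs local"  # as quoted in the reply

if __name__ == "__main__":
    _, _, methods = parse_method_list(COMMAND)
    scenarios = {  # constructed replies
        "server down, local allows": {"tacacs": Reply.ERROR, "local": Reply.PASS},
        "server denies, local allows": {"tacacs": Reply.FAIL, "local": Reply.PASS},
        "server allows": {"tacacs": Reply.PASS, "local": Reply.FAIL},
    }
    for name, replies in scenarios.items():
        print(name, "->", authorize(methods, replies))
```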

  • How operation (Activity No) field mandatory can be removed in Network.

    Hi,
    In CAT2  time entries screen for a person who worked on  service order, 
    directly I can book time entries of the person with service order number without entry of operation (activity number) in CAT2 screen, no problem with service order case..
    But in case of CAT2  time entries screen  for a person who worked on PS network*, entry of network operation field  (Activity number) is mandatory.
    Please suggest how operation (Activity number) field mandatory can be removed in case of time entries to  PS network in CAT2 screen.
    I want to book time entries of the person only to the Network number don't want to include operation number in CAT2 screen.
    Thanks & Regards
    SR .

    I don't think it would be possible to book timesheet entries directly against a network. Moreover, I haven't come across any business scenario that demands timesheet entry against the network header.
    Moreover, how do you think the system will calculate the cost if you book timesheets against a network? In a standard scenario, when timesheet is booked against a network activity system calculates cost based on the work center maintained in the activity. Work center has the cost center and the activity type combination for which rates are maintained in KP26.
    Lastly, could you please explain the business need behind booking timesheets against a network header?

  • Authorization mess

    Hello,
    I bought several apps for my mother's new iPod but now they don't open -- they start to launch then fail.  I believe it's an authorization issue and I'm trying, remotely via FaceTime, to walk her through authorizing those apps to run on her machine.  I thought I had done that when I was home last month but the problem persists.  I've tried having her sign into her iPod under both my Apple account AND hers -- bizarrely, the apps don't open under either account.
    For starters, where do I even FIND what computers / accounts / devices / apps are authorized to run on each other?  Where does this authorization "live"?
    Also, iTunes refuses to just sync the damned iPod apps to the machine; it will only threaten to nuke everything on the iPod with the (empty) collection of apps on her machine.  How can we do the reverse?
    Many, many thanks,
    Sean

  • No "list-name" option available for aaa authorization command.

    I have a 1721 router running 122-15.T14 and want to implement authorization but the router does not provide command option for list name.
    I want to implement the following command:
    "aaa authorization network groupauthor group radius"
    but the only option is default after "network".
    Router#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Fri 27-Aug-04 23:26 by cmong
    Image text-base: 0x80008120, data-base: 0x80F731A0
    ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
    ROM: C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
    Router uptime is 5 minutes
    System returned to ROM by reload
    System image file is "flash:c1700-k9sy7-mz.122-15.T14.bin"
    cisco 1721 (MPC860P) processor (revision 0x400) with 56844K/8692K bytes of memory.
    Processor board ID FOC08302CF6 (610086355), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    1 FastEthernet/IEEE 802.3 interface(s)
    2 Serial(sync/async) network interface(s)
    32K bytes of non-volatile configuration memory.
    32768K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Router(config)#aaa authorization network ?
    default The default authorization list.
    Router(config)#aaa authorization network

    I think that your issue is version related. I have a customer who is running a bunch of 1721 routers and when I do aaa authorization network ?
    I get both default and the option to name a list.
    I checked with the Software Advisor on CCO and it looks to me like the named-list feature was added in 12.3. As long as you are running 12.2 I do not think you will have the option for a named-list for network authorization.
    HTH
    Rick

  • ISE 1.1.1 - RegisteredDevices Identity Group

    Working on building a ISE 1.1.1 system to match our internal security policies, and have hit a dilemma. Here goes:
    The requirement states that there need to be differing network authorization profiles for different device types: Domain PCs, Non-Domain Workstations, iPads, and iPhone/Android Phones. Also, all (other than IP Phones and printers) endpoints must be self-registered by the user (My Devices workflow in CWA) who operates them so they appear in the My Device Portal.
    In the authorization rules, there appears to be no way to create an authorization rule to match a "profiled workstation" AND a "registered device".
    This is because within ISE, any endpoint that is "registered" joins the RegisteredDevices Identity Group, and is no longer a part of the configured identity group created by the profiling system. For instance, a profiled Win7-Workstation is a member of the profiler-created Workstation IG until it is registered, then it becomes a member of the RegisteredDevices Identity Group.
    So basically, it appears ISE does not support per-devicetype(from profiler) authorization rules *while also* supporting device registration ("My Devices").
    Or am I missing something?

    Here is a screenshot of the rule in question:
    and here is the breakout of the Compound condition called WorkstationOSs, based on your recommendation:
    Without this compound condition, the authorization is matched. With it there, it is not matched, even though the endpoints are profiled as such.

  • VPN access based on source IP via ACS5.5

    Hi All,
    I want to allow one vpn user to access vpn based on his public IP. For example if user access vpn from 1.1.1.1 then only he should be able to connect to vpn.
    I created network authorization profile under access policies as below
    systemuser=vpnuser1
    endstationfilter=1.1.1.1
    but it does not work, user is able to connect from any public IP and when I look into the monitoring and reports for logs it matches different rule which is last rule in the list whereas the above rule is on top.
    Can somebody help

    Hello Jain,
    FYI
    Security Group Access devices communicate with their peers and learn their SGT values. The Security Exchange Protocol-IP (SXP)-IP Mappings diagnostic tool connects to the device whose IP address you provide and lists the peer devices' IP addresses and SGT values.
    You must select one or more of the device's peers. This tool connects to each of the peers that you select and obtains their SGT values to verify that these values are the same as the values that it learned earlier.

  • Guest portal using ACS to authenticate against AD

    Running ACS 5.3, I have a Wireless Access policy that authenticates wireless users either by mac address, AD user name or computer name, depending on what AD groups the accounts belong to.  My Network Authorization policy has rules because only certain groups should access certain SSIDs.
    I am trying to get the Guest authentication portal to accept and authenticate AD users belonging to a certain group, but I run into 15039 Selected Authorization Profile is DenyAccess
    Somewhere for some reason my authorization policy is denying access. 
    Needing some assistance in troubleshooting these rules.

    You have to change the Group Map Attribute to "member" and authorization will work.

  • FAC in CME 9.1

    Hello ,
    I need help configuring FAC for international calls in CME 9.1. I am following the link below, but I am confused by the configuration text highlighted below.
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmefac.html
    voice lpcor enable
    voice lpcor custom
    group 11 LocalUser
    group 12 AnalogPhone
    voice lpcor policy LocalUser
    service fac
    accept LocalUser fac
    accept AnalogPhone fac
    voice lpcor policy AnalogPhone
    service fac
    accept LocalUser fac
    accept AnalogPhone fac
    application
    package auth
    param passwd-prompt flash:en_bacd_welcome.au -----from where i will get this files ??
    param passwd 54321
    param user-prompt flash:en_bacd_enter_dest.au-----from where i will get this files ???
    param term-digit #
    param abort-digit *
    param max-digits 32
    thanks

    Hi,
    the FAC in CME is a bit tricky.
    The FAC call flow in CME is as follows:
    1) IP Phone user dials a particular pattern (international destination, for example)
    2) If this destination is enabled for FAC, the user will hear a voice prompt asking for an Account number and PIN
    3) The user enters the Account/PIN pair. If valid, the call proceeds, if not the call is dropped.
    - If the authentication fails after three retries, the call drops without notification.
    Configuration Steps:
    1- upload "enter_account.au" and "enter_pin.au" to the flash files. you can record these files.
    2- Enter the following commands in configuration mode (in this example the Account and PIN are three digits long). This forces a user id and pid length, but it is not required:
    application                          
     service clid_authen_collect         
      param uid-len 3              *length id 3 characters (can be user ext)
      param pin-len 3              *length pin 3 characters 
    3- Create usernames for authentication. Notice that the username/password will represent the Account and PIN that the caller will have to dial to be successfully authenticated. You can create multiple usernames and then hand those out to select personnel that will be allowed to place premium calls. In this example both Account and PIN are three digits long.
    aaa new-model
    aaa authentication login h323 local 
    aaa authorization exec h323 local and network authorization 
    aaa authorization network h323 local for h323
    username 107 password 123
    username 107 autocommand exit
    4- Create dial-peer cor
    voice lpcor custom
     group 1 manager
     group 2 users
    voice lpcor policy manager
     service fac
     accept manager fac
     accept users fac
    dial-peer cor custom
     name international
      name fac-int
     name user-fac
    dial-peer cor list int
     member international
    dial-peer cor list fac-int
     member fac-int
    dial-peer cor list user-fac
     member user-fac
    5- Create a dial-peer for each pattern that you want cover using this application.
    dial-peer voice 400 voip
     corlist incoming fac-int
     corlist outgoing user-fac
     service clid_authen_collect
     destination-pattern 900T
     session target ipv4:CME address
     incoming called-number 900T
     dtmf-relay h245-alphanumeric
     codec g711ulaw
     no vad
    dial-peer voice 69 pots
     corlist outgoing fac-int
     translation-profile outgoing DiscardDigit9
     preference 3
     destination-pattern 900T
     port 0/0/0
     forward-digits all
     no sip-register
    6- assign the proper cor list to match voip dial-peer for FAC
    HTH
    Anas
    don't forget to rate the helpful posts

  • AD join in 802.1X environment

    Hi, I'm trying to deploy 802.1X in an AD environment.
    When the clients get their PC for the first time, they cannot join until they authenticate on 802.1X.
    After they change their workgroup to our company's domain, they have to reboot.
    When they reboot, they have to log in to AD so they can download policy from GPO in Active Directory.
    At that point, the port is not authenticated yet, so the client can't download GPO policy.
    What's the solution for this situation? Using low impact mode? Anything else?

    From the ISE guide.
    Understanding Authorization Policies
    Authorization policies are a component of the Cisco ISE network authorization service that allows you to define authorization policies and configure authorization profiles for specific users and groups of users that access your network resources.
    Network authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy, network access is authorized accordingly.
    Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. In addition, conditional requirements can exist apart from the use of a specific identity group (such as in using the default "Any"). Cisco ISE is an attribute-based policy system, with identity groups being one of the many important attributes.
    You are not able to Authorize the System because you didn't have any attributes from the System except the MAC Address of the Network Card.
    An Authorization Policy with a lower priority which authorizes the system to communicate with the Servers should work.
    I'm not very firm with ISE but it should be possible to authorize the System based on the MAC to join Domain.

  • Lync DHCP Discovery

    Hi
    As I understand, the Lync 2010 software installed on a Windows 7 PC, will send a DHCP request (class ID MS-UC-Client) in an attempt to locate SIP server information.
    I have an issue where our network authorization system (which uses DHCP class id as one of the identifying attributes of a device) is interpreting the MS-UC-Client
    DHCP request as meaning that a different device is now on the network port, and thus it fails the authorization and kicks the client off the network.
    The problem is that this issue occurs intermittently. I can see via a Wireshark trace that the Lync 2010 client does not always perform the DHCP request when we connect the Windows 7 computer into the network.
    Does anyone know if Lync 2010 only performs the DHCP request in certain circumstances.   Is there a way I can force Lync 2010 software to make a DHCP request, so I can troubleshoot my issue further. 

    Do we have the latest updates installed for Lync 2010?
    Post Cu4 update
    The client sign-in process has changed quite a bit since the introduction of the mobility discovery process. SRV records are used to assist the mobile clients with the sign-in process, no matter whether the mobile clients are inside or outside the organization. For example, if the domain is contoso.com, the path for signing in follows this order:
    •lyncdiscoverinternal.contoso.com (A record for the Autodiscover service for internal connections directed to internal Web services)
    •lyncdiscover.contoso.com (A record for the Autodiscover service for external Web services)
    •_sipinternaltls._tcp.contoso.com (SRV record for internal TLS connections)
    •_sipinternal._tcp.contoso.com (SRV record for internal TCP connections)
    •_sip._tls.contoso.com (SRV record for external TCP connections)
    •sipinternal.contoso.com (A record for the Front End pool)
    •sip.contoso.com (A record for the Front End pool when the client is on the internal network; A record for the Access Edge Server when the client is external with no VPN access)
    •sipexternal.contoso.com (A record for the Access Edge Server when the client is external with no VPN access)
    In this new sign-in process, the client's first DNS resolution request is sent to the lyncdiscoverinternal and lyncdiscover Fully Qualified Domain Names (FQDNs). This means that internal Lync clients could potentially be redirected out to the reverse proxy and treated like external clients. This is why the Autodiscover DNS records are a huge part of the deployment picture and need to be realigned to their proper locations. The lyncdiscoverinternal FQDNs should exist only in the internal DNS and point to the internal Front End Servers (or Directors Servers if you have them in place). The lyncdiscover DNS A record should be published only in an external DNS and point to a reverse proxy server. In the event you have an internal DNS A record for lyncdiscover, it should still point to the external IP address that resolves to the reverse proxy server and act in the same manner.
    PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered"
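For the symptom in the question (a port dropped because the DHCP class ID seen for its device changes), this added example, which is not from the thread or from any vendor's product, parses DHCP payloads and compares tracking the class ID on every message against tracking it only on the messages that obtain a lease. It assumes the application's request arrives as a DHCPINFORM, which the Wireshark trace would confirm; the MAC, the address and the `MSFT 5.0` class ID are constructed sample values, and all function names are hypothetical.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_PAD, OPT_MSG_TYPE, OPT_CLASS_ID, OPT_END = 0, 53, 60, 255


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCP packet (ports 67/68)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)               # chaddr field is 16 bytes long
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                  # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value  # split options concatenate
        i += 2 + length
    mtype = options.get(OPT_MSG_TYPE, b"")
    class_id = options.get(OPT_CLASS_ID)
    return {
        "mac": payload[28:28 + hlen].hex(":"),
        "ciaddr": socket.inet_ntoa(payload[12:16]),
        "type": MSG_TYPES.get(mtype[0], "UNKNOWN") if len(mtype) == 1 else "UNKNOWN",
        "class_id": class_id.decode("ascii", "replace") if class_id is not None else None,
    }


def class_id_changes(payloads, lease_only):
    """Return (mac, old, new) each time a MAC presents a different class ID."""
    seen, changes = {}, []
    for payload in payloads:
        msg = parse_dhcp(payload)
        if msg["class_id"] is None:
            continue
        if lease_only and msg["type"] not in ("DISCOVER", "REQUEST"):
            continue                         # skip messages that do not obtain a lease
        old = seen.get(msg["mac"])
        if old is not None and old != msg["class_id"]:
            changes.append((msg["mac"], old, msg["class_id"]))
        seen[msg["mac"]] = msg["class_id"]
    return changes


def build_dhcp(msg_type, mac, class_id, ciaddr="0.0.0.0"):
    """Build a minimal client message; used only to construct the sample input."""
    hw = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(hw), 0, 0x1234, 0, 0,
                         socket.inet_aton(ciaddr), b"", b"", b"", hw, b"", b"")
    vc = class_id.encode("ascii")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_CLASS_ID, len(vc)]) + vc + bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


# Constructed sample: one PC obtains a lease, then an application on it sends an INFORM.
MAC = "00:11:22:33:44:55"
SAMPLE = [
    build_dhcp(1, MAC, "MSFT 5.0"),
    build_dhcp(3, MAC, "MSFT 5.0"),
    build_dhcp(8, MAC, "MS-UC-Client", ciaddr="192.0.2.10"),
]

if __name__ == "__main__":
    print("every message:      ", class_id_changes(SAMPLE, lease_only=False))
    print("lease messages only:", class_id_changes(SAMPLE, lease_only=True))
```

The same `parse_dhcp` can be fed UDP payloads exported from a capture to see which message types actually carry the `MS-UC-Client` class ID.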

  • ACS 5.3 cannot create default network access authorization rule

    Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used.. anyone have an idea? Thank you!

    Looks like you are using Chrome, and it's not a supported browser.
    Supported Web Client/Browsers
    You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
    •Windows 7 32 bit
    •Windows XP Professional (Service Pack 2 and 3)
    •Windows Vista
    •Internet Explorer version 7.x
    •Internet Explorer version 8.x
    •Internet Explorer version 9.x
    •Mozilla Firefox version 3.x
    •Mozilla Firefox version 4.x
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
    Jatin Katyal
    - Do rate helpful posts -
