Query user roles and access
hi,
How can query user roles and access in whole database? I want to list username, status, rights, and role
thanks
P
Hi,
The data dictionary view dba_users has one row per user.
The data dictionary view dab_role_privs has one row for every distinct combination of user and role that actually occurs ion your database,
Are you interested in system privileges? See dba_sys_privs.
Are you interested in individual grants, like the privilege to UPDATE a given table, or the privilege to execute a given stored procedure? See dba_tab_privs. (Don't be fooled by the name; it's not just for tables.)
I hope this answers your question.
If not, post some CREATE statements, that create tables, roles, and whatever else you want, and some GRANT statmeents that grant privileges on those objects. Pos the results that you would want to get from those objects and grants.
Similar Messages
-
ABAP User Roles and Query for accessing particular T- codes and Reports
dear Gurus
I have one problem, i want to know about ABAP User Query ,i have one requirement my user wants to Lock all the HR Std versus Customized reports in T- code SQ01,other department peoples also see the Payslips and Hr personal reports which is harmfull to the dept so i want to Lock all the reports in Std T- code in SQ01 and i have created one Customized User Roles or Query in which the T-codes and Reports are assigned only those particular user can access the T-codes and Std reports .how can it be possible i dont have any idea about user roles and Queries .
kindly help me out or send me some documents related to user roles and queries
regards ritesh sharmaHi Ritesh,
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/103cafc2-7a64-2b10-14b3-eddb7d324561
Regards,
Flavya -
User role and Authority-check ?
Hello,
Could you please let me know how are the differences between User role and Authority-check. In a program I do not use Authority-check , And The user is not assigned to user role which contain this transaction ( for this program), Can the user execute this transaction OR he must be assigned to user role which contain this transaction to execute it . Supposing that we do not use any Authority-check in then program.
Thanks in advanceHello Martin,
I think this answers the OP's question about user not being assigned the role which contains the trxn code. As you have explained in this case the default auth. check for S_TCODE will fail & user cannot execute the trxv. (If i remember correctly the tables for this are AGR_USERS & AGR_TCODES)
Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
@OP:
The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
BR,
Suhas -
As we know in MM different user have different roles to play and they need different SAP transaction and related activies.
In SAP we define the particular user who are actually allow to access only certain transactions only?
What are the steps to do this in SAP?
Secondly in which stage of implementation we define those user roles and assign duties to them in SAP ?
bEST Regards,
Kapilu can create the user role using tcode su01 and pfcg for authorization management
-
Defining roles and access for OWB Designer
Hi,
Can i Define roles and access rights to different on 1 OWB Designer repository?
I want to send my mappings for code review but i dont want them to log into the OWB designer with write access.
How can i achieve this in the same OWB designer repository as the one i am using?
I am using OWB 10.1.
I found some table - WMP_USER_ROLES,WMP_GROUP_ROLES,WMP_GROUP_REPOSITORIES
when i logged into the designer schema through sqlplus
Thanks
SagarHi Sagar,
Yes you can do that. Basically you can create a db user, and then register the user with a repository. By default that user has all privileges, however it now is audited per user as to what he/she did. How to do this look at the doc (find SecurityHelper)
To enable you to protect metadata there are a couple of strategies (implemented via a simple PL/SQL API). For an example (this one works with policies on the module level) take a look here (http://www.oracle.com/technology/sample_code/products/warehouse/files/Dev_Status_Policy.SQL)
This would work as follows:
- Create user REVIEW
- Register user REVIEW to repos QA
- For a module you want review for, set the status to QA
Now the REVIEW user logs in and he can look at QA but cannot touch.
Hope this helps,
Jean-Pierre
In your situation -
User, user roles and previllages
I have made all the tables under one user for my oracle forms, is it a good approach or should i use multiple users for this and how can i use user roles and villages for oracle forms?
Thanks
HinaIn our organization, we usually has an application owner and another schema with limited privilege to connect to from application (in this case forms). For example we have application owner say DBO which owns all the objects in the application and another user IA_APP is there to connect to database from application. Privileges such as SELECT, INSERT, UPDATE, DELETE is given to IA_APP user. Object access is provided through public synonym. You can do analogy to this in your application and database.
Regards,
Virendra -
User management and Access Control in HCM Cloud
Hello,
Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
- How can I bridge HCM Cloud user store with my on-premise IDM or security repository in order to allow identty governance to flow to HCM Cloud service ?
The only information I got was that you can declare manually and by bulk import through files my users. This is not really interresting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
Is there a SPML or proprietary endpoint to do it automatically ? What are the prerequisites ? Do I have to implement OIM on my side ?
- Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service ?
I do not want to distribute new set of login / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with HCM Cloud service ? What are the prerequisites ? Do I have to implement OAM on my side ?
I accept all pieces of information you can give me on this topic to help me understand the funcitonalites, limits and options offered by Oracle Cloud and more precisely by HCM Cloud service.
Best regards,OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
At present, the only way to restrict view and access control is by appplying ACLs (which is not the safest bet). -
VIRSA tables for users, roles and profiles sync?
Hello,
I am in a customer, implementing CC 5.2. At the first time, we tried CC 5.2 in DEV environment, and when everything was OK, we redirect RFC connectors to QA environment.
After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 user (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
It seems that "users, roles, profiles, sync" works like and "APPEND", but I did a COMPLETE syncronization not an INCREMENTAL.
If I start an analysis for QA environment, CC works properly and only analyse QA users (3.400). But I would like to clean CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
Which VIRSA tables (users, roles and profiles) I need to clean?
It is necessary to do the same with authorization and text objects? Which would be these tables?
Thanks in advance,
VictorHi all,
SAP GRC Support provides a script which allows you to remove a connector since it does delete all data link to it. Anyway, I would recommend a deep analysis of it and find out if it does what you really want to do.
Víctor, if what you want to do it is just to remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ) you could upload a text file using data extractor functionality with the delete field set to X. Doing so user, role and profile master data will be removed from CC database.
In order to use data extraction functionlaity you connector must be of type "File Local".
Be careful about removing data directly from DB since, as Prem states, you might loose the DB consistency.
Hope it helps. Best regards,
Imanol -
PBC 10 user users/teams/roles and access data profiles
Hello experts,
couples of questions with regards to BPC 10 security
1) In PBC 10, version SAP NetWeaver , if a team or a user was created in BPC not in BW, can the created user/team has access to SAP BW? Can the created team/user be imported and assigned assigned rights in BW? Or , if I need a user who will have acces to both SAP BW and BPC , do I HAVE to create the user in SAP NetWeaver (BW) and assign rights?? or
2)
If the defined attributes are Currency=Euro: Read and Country=France: Write, then Entity102 is writable.
Assuming that a write access to Currency = Euro : Write produce the same output as in the above, How can ensure that I can give a write access on a dimension without having allowing the write access to the whole entity as in the above case?
Thanks
JhHi John,
For your 1st question, to add a BPC user, you need to create BW user first on BW. Then add this BW user as BPC user. When you create a BW user, you need to assign two roles
/POA/BUI_FLEX_CLIENT, /POA/BUI_UM_USER.
Actually, once you created the BW user, you can use this BW user to log on to BW now, but this user has few rights, such as no rights to execute some t-code RSA1, etc. To make this BW user more powerful, you need to assign the corresponding rights directly on BW, not from BPC. The rights(Data Access profile or task profiles) added from BPC only works on BPC object, such as members, cube, etc.
Best Regards,
Charlie -
SAP Roles and Access for SAP Implementation team members
Hi,
Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
If not, what is the correct practice?
Kindly let me knowMadhu,
It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
But I know just how demanding they can be....
Best of luck
Tony -
Hi,
I would like a particular user, r012, to be able to do user admin management.
I granted "User Management" and "User Security" rights to this user, but they are still not able to, for example, reset someone else's password. It says "permission denied".
I also created a role called UserAdmin, and assigned those two user rights to that role. When r012 su's to UserAdmin, they can then do most user management, although they are still not able to grep /etc/shadow, which I would like for them to be able to do to determine if a user is locked.
1. Does a user have to su to a role to be able to do user management? Can't I just assign those user management features to them and they can stay within their own account?
2. Is there anyway to grant the ability to grep /etc/shadow to a user?
Thanks./etc/shadow by default is read-only for the owner only, and the owner is root. What you can do is either assign the rights to the user to have access to such files, or create a role that allows them to do this. One way to do this is to assign the rights to the user via the SMC. For example, I can assign the role of primary administrator to a user, who can then use pfexec from a regular shell without having to su to root or some role. To grep /etc/shadow from a regular shell, you can type pfexec grep user1 /etc/shadow, and then pfexec passwd user1. No su'ing into root or a role is needed. You can assign whatever commands or rights are necessary to accomplish the function.
-
Defining BI Power User Role and Authorizations
We are looking for information/best practices/guidelines pertaining to defining BI Power Users and the appropriate authorizations to attach to this role. Our Power Users are asking for approval to access several transactions within BI, specifically within RSA1. I am curious to know how you define your power user role(s) and to what extent they have access to BW itself (i.e. BEx, Web Designer, direct access to BW transactions such as listcube, RSA1, RRI, ability to update custom tables, ability to access the data model structure, etc )? Do your power users have access to develop production queries in DEV and test in your QA environment or are they restricted to ad hoc queries in Production? Have you seen any best practices or guidelines from SAP surrounding appropriate authorizations for Power Users? Any information you would be willing to share with us would be most appreciated.
Hatem,
You have an option to use the old method however it's recommend to use analysis authorizations going forward.
Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
Cheers,
Ben -
User Roles and System Privilegies????
I need to know âMY_USERâ Roles and System Privilegies.
What query do I have to execute?
Thanks!Querying DBA_ROLE_PRIVS will give you the roles a user has been assigned. Querying DBA_SYS_PRIVS will give you the system privileges a user has been assigned.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC -
Hi,
I am trying to enable/disable a feature based on user.roles.
Added a constraint for that feature as below,
<adfmf:constraints>
<adfmf:constraint property="user.roles" operator="contains" value="manager" id="c1"/>
</adfmf:constraints>
In this case, Users have manager role should be able to access this feature.
My AccessControlService response is
{"userId" : "sales_mgr","roles" : [ "manager","MOO_OPPORTUNITY_SALES_MANAGER_DUTY","ZBS_ENT_SALES_MANAGER_DUTY"],"privileges" : [ "managerPriv","ZSF_DEFINE_SALES_FORECAST_PRIV","MOO_MANAGE_OPPORTUNITY_GROUP_SPACE_PRIV"]}
Repsonse has "manager" as one such role.
After adding constraint to the feature, am unable to access it.
I tried many possibilities like operator="contains" or "not" or "equal", but no use.
I don't know what is going wrong. Appreciate you help.
Thanks.If you are on 11.5.10 or greater or standalone 2.6.4 if you pass the responder value to wf_notification.respond API it should be updated in wf_notifications.responder column. The comments is now updated in wf_comments table against the notification id and not wf_notifications.user_comment column.
Thanks, Vijay -
How can multiple users edit and access same ACCESS file
Hello,
We have 2 access files and multiple users needs to edit and access those files.
How can I enable mulitple access but only one user can edit rest of users are in read-only mode for one file and multiple access and edit on the another file.Hi,
You should split your database in a front and backend. Then create two seperate front ends which you can distribute. If you need readonly you can opt for two options, setting the attributes of the file to read only or create a front end with read only forms.
The last one takes a little more work but is safer than setting the attributes to read only because people can change that back themselfs.
Maurice
Maybe you are looking for
-
My wife and I been trying to use an iTunes card to share it but it. Doesn't work can you help us?
Can I share my iTunes card with my wife?
-
Unable to stream SMIL files unless the html page, swf file and the smil ffile are on the FMS server.
When I place the .swf, smil and http files on the FMS server the SMIL stream test sample works fine But When I move the files to my web server I get Connection error. This is the same issue discussed in http://forums.adobe.com/thread/554107 I added a
-
Data access through the OLAP API
We have created a number of Cubes from the AWM, and access the cubes from a web based application through the OLAP API. The cubes have both base measures and custom measures. Custom Measures are computed by creating the source object for given Formul
-
SuperDrive not working/ appearing/ powering up
So my super drive has stoped working, when i try insert a disk it does not accept it or reject it, in fact it dosent make a single sound, its like there is no power going to it. When i looked in disc utilities there is also no superdrive appearing, e
-
Clustering problems and load balancing question
I am using Weblogic 6.1. My Windows NT environment consists of 10 web client-simulator machines, 2 App. Server machines and one database server machine. I have defined one cluster on each app. server. Each cluster is run