Regd : Tcode Access in a Role.

Hi Experts,
If a user has only a transaction assigned, without any
authorization objects and fields (for example, he has only the S_TCODE object for a transaction), and that transaction calls a program:
> Will he be able to execute that transaction? Will a transaction without
> authorization objects and fields work? Please clarify.
I assigned the role to the user. He is getting the error "you are not authorized to execute this transaction". While checking, I found he has no authorization objects and fields for that tcode. Will that be the reason for it?
Awaiting your valuable suggestions.
Regards
Sanjeev.S

Hi Anand,
I think this is a kind of Z transaction. Please check in SE93 which transaction/program is called by this transaction. If it's calling some transaction, then you need to get the auth. objects maintained in SU24, and these should be inserted in the role. If it's calling some program, then you need to add the objects for tcode SE38 maintained in SU24.
You wrote that you can see the S_TCODE value. This is probably because in SU24 only S_TCODE is in check maintained status. After adding any tcode to a role menu, its SU24 objects which are in check maintained status are fetched into the authorizations. So here it's only fetching the S_TCODE value.
I hope this will help. Please write if you need any further clarification.
Regards,
Prasad M. Musale

Similar Messages

  • Unable to access PCD's role properties from Java Web Dynpro  (Access Denied

    Using the IPcdContext to access the portal roles does not produce the required list of roles due to the following error
    Access denied (Object) .....
    This occurs once I try to use the lookup() method
    I have tried security zones, adding sharingReferences and permission, but no luck.
    I have searched the SDN, but again whatever I found still gave the same result. I now think that it's a configuration setting rather than code.
    Sample code
    Hashtable env = new Hashtable();
    env.put(Context.SECURITY_PRINCIPAL, strCurrentUser);
    env.put(Context.INITIAL_CONTEXT_FACTORY, IPcdContext.PCD_INITIAL_CONTEXT_FACTORY);
    // DirContext ictx = new javax.naming.directory.InitialDirContext(env);
    // InitialDirContext ictx = new InitialDirContext(env);
    InitialContext ictx = new InitialContext(env);
    lookupObject = "portal_content";
    IPcdContext myPcdContext = (IPcdContext) ictx.lookup(lookupObject);
    Any suggestion will be appreciated

    Rob,
    The only thing I see different as per this document (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6112ecb7-0a01-0010-ef90-941c70c9e401) is the following line of code. Check if adding it resolves the issue:
    env.put(com.sap.portal.directory.Constants.REQUESTED_ASPECT, PcmConstants.ASPECT_SEMANTICS);
    lookupObject = "pcd:portal_content/"
    ... note the /
    Chintan

  • Reg Re-authentication for Tcode access

    Dear All,
    I want to enable re-authentication for certain tcode access in my SAP ABAP system. SAP as such supports this with the SSF settings. I have SSF working but am not sure how to enable a particular tcode for re-authentication. For example, I have created a Z code zAl08 out of Al08 for test purposes. When a user tries to access zAL08, he should be asked to give his credentials for authentication and then should be able to access the tcode.
    1. Is this possible? (I am already using a security product working properly in my environment.)
    2. How do I configure (steps) the Z code for enabling re-authentication?
    Regards,
    Karthik

    Basically, what I said was:
    function auth_check_tcode.
    *"*"Local interface:
    *"  IMPORTING
    *"     VALUE(TCODE) LIKE  TSTC-TCODE
    *"  EXCEPTIONS
    *"      PARAMETER_ERROR
    *"      TRANSACTION_NOT_FOUND
    *"      TRANSACTION_LOCKED
    *"      TRANSACTION_IS_MENU
    *"      MENU_VIA_PARAMETER_TRANSACTION
    *"      NOT_AUTHORIZED
    * This function module is purely a wrapper for the C call
    * auth_check_tcode and, unlike authority_check_tcode, is therefore
    * not intended for the check before a CALL TRANSACTION, but for
    * the cases in which a start of a transaction is to be checked,
    * e.g. in SE93.
    * authority_check_tcode, like the kernel, takes into account the
    * entries in table tcdcouples that can be maintained via SE97.
    * Authorization check
      call 'AUTH_CHECK_TCODE'
           id 'TCODE' field tcode.
      if sy-subrc = 0.
    *   auth_check_tcode includes the checks of tcode_executable,
    *   so no call is needed in the OK case.
      else.
        perform tcode_executable using tcode.
    *   No authorization for transaction &
        message i077(s#) with tcode raising not_authorized.
      endif.
    endfunction.
    *       FORM tcode_executable                                         *
    *  -->  TCODE                                                         *
    form tcode_executable using tcode.
      call 'DY_CHECK_TRANSACTION'
        id 'TX' field tcode.
      case sy-subrc.
        when 0.         " Everything OK, return
        when 1.         " Parameter error
          message i274(00) raising parameter_error.
        when 2.         " Transaction not found
          message i343(s#) with tcode raising transaction_not_found.
        when 3.         " Transaction locked
          message i348(s#) with tcode raising transaction_locked.
        when 4.         " Transaction is an area menu
          message i037(oz) with tcode raising transaction_is_menu.
        when 5.         " Area menu via parameter transaction
          message i350(s#) with tcode
                           raising menu_via_parameter_transaction.
        when 6.   " Not authorized; planned, but not implemented
          message i077(s#) with tcode raising not_authorized.
      endcase.
    endform.                    "tcode_executable
    Sorry, the comments are in German. But as you can see, there is no exit and the checks are in the kernel only.
    My hat is safe...
    Cheers,
    Julius
    Edited by: Julius Bussche on Jul 29, 2009 5:55 PM

  • Tcode authorization without any role or profile

    Hi Experts ,
    Can you please advise on an authorization issue: it is observed that one tcode is not given in any role or profile, but some users are still using this authorization.
    When I checked the roles and profiles for such a user using SUIM, it still shows no data.
    So is there any other way to assign a tcode directly without using any role or profile?
    Thanks in advance .

    Not sure how you are using SUIM to check. Just to be sure, use the complex selection method or the authorization values method. The by-transaction method only checks for transactions that were added via the menu.
    Look for object = S_TCODE, value = (the transaction code).
    SUIM will then calculate whether the transaction code was added manually or as part of a wildcard or a range.
    I.e. if the transaction was MM02, it will be accessible if S_TCODE had
    wildcard value M*, MM*, MM0* or
    range value A*-Z*
    Otherwise, it is possible that it was called indirectly and the BADI does not perform an S_TCODE check.
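
An added example (not part of the original posts): a small Python check of the point made in the reply above, that a transaction can be granted by a wildcard or range value in S_TCODE rather than by a menu entry. The role names, the row layout and the simplified matching rule are assumptions made for the illustration.

```python
from typing import List, NamedTuple, Tuple


class TcdValue(NamedTuple):
    """One S_TCODE value held by a role (constructed sample layout)."""
    role: str
    low: str        # single value, pattern, or start of a range
    high: str = ""  # end of range; empty for a single value or pattern


def _split(value: str) -> Tuple[str, bool]:
    """'MM0*' -> ('MM0', True); a value without a trailing '*' is exact."""
    value = value.strip().upper()
    return (value[:-1], True) if value.endswith("*") else (value, False)


def match_kind(entry: TcdValue, tcode: str) -> str:
    """Return 'exact', 'pattern', 'range' or '' (not covered).

    Assumption: simplified matching model, not the kernel's algorithm.
    A trailing '*' is a prefix wildcard; in a range, a wildcard bound is
    compared on the length of its prefix only.
    """
    tcode = tcode.strip().upper()
    low, low_wild = _split(entry.low)
    if not entry.high:
        if low_wild:
            return "pattern" if tcode.startswith(low) else ""
        return "exact" if tcode == low else ""
    high, high_wild = _split(entry.high)
    above = tcode[:len(low)] >= low if low_wild else tcode >= low
    below = tcode[:len(high)] <= high if high_wild else tcode <= high
    return "range" if above and below else ""


def roles_granting(entries: List[TcdValue], tcode: str) -> List[Tuple[str, str]]:
    """List (role, match kind) for every role whose S_TCODE covers tcode."""
    hits = []
    for entry in entries:
        kind = match_kind(entry, tcode)
        if kind:
            hits.append((entry.role, kind))
    return hits


# Constructed sample data: role names and values are invented for the example.
SAMPLE = [
    TcdValue("Z_MM_DISPLAY", "MM03"),
    TcdValue("Z_MM_MAINTAIN", "MM02"),
    TcdValue("Z_MM_ALL", "MM*"),
    TcdValue("Z_FI_CLERK", "FB*"),
    TcdValue("Z_LEGACY_WIDE", "A*", "Z*"),
]

if __name__ == "__main__":
    for role, kind in roles_granting(SAMPLE, "MM02"):
        print(f"{role}: MM02 granted via {kind} value")
```

Roles reported as "pattern" or "range" are the ones a search by exact transaction value would not surface.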

  • Oim 11g r2: data access restriction using roles instead of organisations

    Can I implement data access restriction using roles instead of organisations in OIM 11g R2?

    In my use case a particular user can be a member of more than one organisation. As far as I know, OIM does not support this use case using organisations, so I decided to use roles to represent my "organizations", but now I lose all the data access restrictions (scope).

  • Tcode to find all Tcode access by user

    What is the tcode to find all the tcodes executed by a particular user in the last 24 hrs?
    I tried ST03 but I didn't get the desired result. Please help.

    Hi,
    You can get the information from ST03 > Performance database > Choose the latest record > Previous day > Select Dialog > Transaction profile
    You get a list of T-code accesses for the last 24 hours. If you double-click on each T-code, you get the users.
    Hope this resolves your query.
    Cheers
    Deepu

  • Role Based Access through business roles? Switch b/w business roles?

    Hey Guruz:
    We have a situation where we want to really chop down on what the user should see in UI.
    What this basically means is that we want to define job based business roles. In essence a user should only see what he is allowed to execute as part of his job function.
    One solution would have been to create 1 business role and control everything through the PFCG role. But this would be a very unfriendly approach, as the user would never really know what is part of the job profile and what is not until he clicks on it and finds out that it doesn't work and he is not authorized for it.
    To avoid the above situation, we want to give managers and users the liberty to pick out their own combination of business roles which suits a user's job profile. I know this would mean we might have to create quite a few business roles, but at least it avoids redundant access.
    Any thoughts are welcome.
    Questions:
    If a user is assigned multiple business roles how to switch without really logging off?
    Can we have tabs or something on the header or nav bar which allows a user to switch b/w business roles?
    Can the net effect of multiple business roles be combined when assigned to a user?
    Thanks
    KT

    Hi KT
    The whole concept around assigning a Business Roles is to provide a specific set of functions to a specific user or user group.
    There should not be any reason for a User to log off from one role and then log in with another.
    If, for example, you want a user to have some Sales Professional access as well as some Service Professional access, then you would copy the Sales Professional role to your own custom role, remove the Sales Professional attributes that you do not want, then add in the required Service Professional attributes.
    The WEB UI views can then be configured for that particular Custom role you have created.
    Hope this helps
    Arden

  • Finding roles which has many tcodes in the same role using SUIM

    Hello Guru's
    If I want to find a role for a t-code will get through SUIM. But now I have a multiple t-codes(eg,100 t-codes) want to find out the exact role in which all the t-codes are there.
    Is there any way,please let me know. Thank you
    Dina
    Edited by: Julius Bussche on Nov 17, 2011 8:45 PM
    Subject title made more meaningful...

    For 100 tcodes in a menu of 1 role you can easily work by elimination:
    --> take the most exotic transaction and run it to find the roles.
    --> add the role list to the role name select options of the report (this is the trick!) and run it for the next most exotic transaction in a different module unrelated to the first tcode.
    --> somewhere around here you should reach a system message stating "No roles found which meet the selection criteria".
    --> If you are still going strong here with a long list of functionally differentiated roles then there is a problem.
    --> 5th time lucky?
    --> Proceed to jail for 2 rounds and do not collect $200 at the start...
    --> etc 
    Same goes for the Users by Complex selection criteria when you have a 4th object to check with an AND operator. Choose the most exotic one first and add the result to the select options for the user name.
    Cheers,
    Julius

  • Weblogic Console Access Denied - Admin Role group question

    I need to grant access to a user that is authenticated via OAM.
    My authentication is succeeding and I am getting the following back as my Principal:
    <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 3
         Principal = class weblogic.security.principal.WLSUserImpl("IdentityGuardAppID")
         Principal = class weblogic.security.principal.WLSGroupImpl("cn=FUNC-LDAP-Browse,ou=secure,o=admin")
         Principal = class weblogic.security.principal.WLSGroupImpl("cn=FUNC-IDV-APP,ou=secure,o=admin")
    My authorization is failing and I think it's because I cannot figure out how to add the groups returned above to the Admin role in WLS.
    Normally, this is a breeze - I simply add it from the Realm Role under the Roles and Policies tab in myrealm.
    In this case, my group looks like a subject DN (i.e., it contains commas).
    Does anyone know how to add a group that contains a comma to the Admin Role?

    Hi Sameer Gawde,
    Would you please let me know complete error messages when use RSAT and PowerShell?
    In addition, the RSAT is based on MMC console. Please check if you have enabled group policy setting to restrict
    MMC snap-ins? In GPME, please refer to the path: User Configuration-> Policies-> Administrative Templates-> Windows Components-> Microsoft Management Console-> Restrict users to the explicitly permitted list of snap-ins. Meanwhile, please check
    if you configure the Don't run specified Windows applications setting (path:
    User Configuration-> Policies-> Administrative Templates-> System-> configure) to limit RSAT and apply to the domain admin group. This issue is really strange. Just please check and confirm. Thanks for understanding.
    Please logon DC via Admin account, then navigate to: ADUC-> Users. Please select and right click Domain
    Admins group and select Properties. Please select Member Of tab and check which did this group member of.
    Meanwhile, please open Component Services and expand “Component Services-> Computers-> My Computer”. 
    Then right click My Computer and select Properties. In COM Security tab, under Access Permissions, please check how configure the “Edit Limit”.
    By the way, please navigate to Event Viewer and check if can find some related clues.
    Hope this helps.
    Best regards,
    Justin Gu

  • Access Enforcer Import Role Automation

    We would like to automatically import roles from SAP.
    We do know that you can use Role Expert which in itself can be used to automate the import. However, we still have to manually import into AE - even if RE is used as the role source.
    Is there a way to periodically automate the import from either SAP or RE? It does not make sense to have to manually import roles every time a new role is created in SAP.
    Thanks

    Actually, it does make sense.
    One of the prime features of Access Enforcer is that you don't import all the roles, but just the ones you want users to be able to request.
    For each of the roles, it's useful to put them into some kind of category (functional area, business process, sub-process), which makes handling for users a lot easier, and you have to assign approvers.
    One way to do that is to use an Excel spreadsheet and manage the data there. Easy to use and update, and quick to upload into AE.
    Kind regards,
    Frank.

  • Access Request Creation - Role or System Required at Creation

    Hi - We are installing GRC 10.1 SP6. When I create a request, it is forcing me to include at least one system or role. Is there a system setting that I'm missing to not enforce the requirement to add either a system or a role at the time you create a request?
    This is not a huge deal to me as I created templates that include the systems we provision to by default.  However, if I don't need to include a system or role at time of request creation I would prefer that this requirement be turned off.
    Thanks,
    Rich

    Hi Richard,
    In addition to what Colleen has already mentioned, you can set up the provisioning configuration in such a way that you don't have to select a system in the access request. So basically a request requires either a system or a role. Most of the time (best practice) users select a role without a system. Personally I also recommend that way, as the system comes with the role automatically.
    In the global provisioning configuration (SPRO > AC > User Provisioning > Maintain Provisioning Settings) you have to define that the user gets created when the role gets assigned.
    Alternatively, as you would like to remove both, you can check if it is workable via the request type settings. I don't have a system to test, but you might be lucky. Remove the "Assign object" action from the request type and check if it is still mandatory to add at least one assignment.
    SPRO > GRC > AC > User Provisioning > Define Request Type
    Please let me know  if this helps.
    Regards,
    Alessandro

  • I have access to sa role not to the sa  user itself

    Hi ,
    I'm a sybase/oracle dba, I have full access of the sybase db (via the sa role),
    but I do not have access to the sa user itself.
    How can I use the Migration tool?

    Cornelia
    The problem one faces is that the SDK does not access Print or Book. You'll need to (ab)use the fields that are available, and I'd suggest you look at my Search and Replace plugin which can transfer values between fields. So you could move info from an inaccessible field to one that can be printed. Maybe use virtual copies which you can just discard afterwards?
    John

  • Access Enforcer - REMOVE roles/existing roles inoperant

    Hello
    After some time using the capability to ADD and REMOVE roles when creating a request in Access Enforcer (using the option 'Existing Roles' to REMOVE), it now always goes back to the ADD screen whenever we try to access 'Existing Roles'.
    So, the function to REMOVE roles is inoperative.
    Any ideas what it could be?

    Hi,
    When you open a changing access request it's possible to add new roles and remove existing roles from the user, right?
    However, the option to remove roles (which is accessed through the 'existing roles' button) is no longer working.
    When that option is accessed, the current user's access is no longer shown: the screen returns to the add roles option.
    I haven't found any setting for the feature to remove roles and still don't know why that option, previously used in other requests, is not working for anyone else.
    Regards
    Heverton Kesseler

  • WAD Item to get access on all role items

    normally you use the portal to get access in to all the reports of your role(s).
    but I don't wanna use the portal (customer requirement).
    can I build a template with WAD or other tools which show all the reports, saved by a specific user role?
    of course I can design a template and put every query in it I need. but I don't wanna change this report every time I make a new report.
    thanxs, danga

    Hello ,
    Yes, you can create a query and assign it to a web template, and you can save the web template under a role.
    In that role you can add the users who can view the items saved under that role.
    You can also view the created web templates, each one under a different role, through a web browser.
    One thing is that when you transport the web template, you have to transport the updated role along with it, so that when you view the reports through a web browser you can see all the updated reports.
    hope it is clear
    assign points if useful

  • User able to execute Tcode after validity of role is over

    Dear all,
    We gave the user temporary access to the transaction MR21 for one day, but the user was able to use this transaction after the validity of the role was over. The screen in SU01 shows the role has already expired for her. Is this due to a bug or incomplete maintenance nodes in the role?

    Hi ,
    Use SUIM to make sure that the user does not have that transaction in any other role in his profiles.
    Second, find the role which has the transaction for him.
    Delete that specific role/roles.
    Then run SUPC and PFUD if it's a development box, or talk to Basis if your project policy is to run this as a background job.
    If all the above steps were already done, then use ST01 (trace) to find what is allowing the user to succeed with the transaction and disable that object.
    Cheers
