Regd:UAL(user access list) access assumptions

Similar Messages

• Way to allow the user access to the saved lists of this Z report

  We have a Z report that we want to run at midnight each Sunday and then view the output/layout first thing Monday morning. We can schedule the report to run but it appears that the only way we can save the output as a 'file' for later viewing is by using the "Save with ID" option, which puts the output into a SAP 'saved list'.
  The problem with this is that it doesn't appear to be possible to access that list from the Z-report - it would appear that you have to go into SQ01 and use the 'saved list' button. This means giving the Z- report user access to SQ01 as well as Z-report, which, for security (SOD) reasons we don't want to do.
  We can run the report in foreground with the output option "File store" and save the output as a file to a specified location,. But this option doesn't appear to be available when the report is scheduled as a background job. If this is done, the background job runs but there's no output anywhere, as far as we can tell.
  So what want is to run the report in background but with the output option 'File store' or equivalent (i.e. an output stored somewhere that the report user can view). Is this not possible, or have we missed something in setting up the report run?
  Or is there a way to allow the user access to the saved lists of this Z report without giving them T-code SQ01?
  Thanks

  Hi !
  I just wonder if the answer from Varishtb below did solve your propblem.
  I have exactly the same problem as you. I also want to be able to look at the saved list without using the sq01.
  If you solved it I will be grateful to get the solution.
  regards Lars
  answer:
  You can call the infoset query directly from a transaction code. There's
  no need to copy it as a 'Z-report' (or as a custom report). In fact,
  everytime you're copying an infoset query to a report, you're calling
  for problems the next time you face an upgrade. (That is because SAP
  changes the internal logic used to handle the infosets queries from
  version to version)
  We're using some infoset queries and they work fine this way.

• APEX Pages - User Access List with NTLM

  Hi,
  I'm building several APEX Applications, and using NTLM as its Authentication Scheme. With this, the users won't have to type any user and password. And their user name stated in top right screen.
  I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
  1. users (hold user name, and user data)
  2. pages (hold APEX Applications pages)
  3. access_list (hold combined data of users and pages and access flag)
  The last table will give me an SQL that can be used to create page level Authorization Scheme.
  The problem is:
  I cannot find a way to get a list of user ids to pre-populated the table users. Is there a way that an administrator user use an LOV of all NTLM user instead of typing domain\user to this application? OR is there a better and elegant way to create User Access List with NTLM.
  Your helps will really help me, and thanks in advance.
  Regards,
  Aulia

  This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
  You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
  That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
  If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
  Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
  I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.

• How do you access folders/files in other users Finder list?

  How do you access folders in other users finder list, once you have shared the folder or file

  You should be able to open and view the contents of any directories you have access permissions to using FInder, by navigating the directory tree to the folders in question and opening them as you would your own folders. If you know the full path-name of the directory, you can enter it into the Finder navigator opened by Apple-Shift-G; the dialog that pops up uses the same directory listing method as all unix systems, and has tab completion for ease of use. In general, all users have their home directories in /Users/, or you can simply use ~/../<name> to go to the home folder of a user via the parent (..) directory of your home (~) directory. If you are experiencing bugs or errors with this, as opposed to simply not knowing how to do this, please post any details of your experience so that others can help troubleshoot your problems.

• WebLogic 10.3.0 WLI Domain - Microsoft AD administrator user access issue.

  Hi SOA Experts,
  We are facing issue of getting noaccess exception on console (below) when doing datasource testing using Microsoft AD administrator user. The same works fine when testing using WLS embedded LDAP administrator user in WLI domain. In plain WLS 10.3.0 domain (without WLI) with same Microsoft AD configuration they do not see this issue, they are able to successfully test data source using both embedded WLS administrator and Microsoft AD administrator user.
  I enabled security ATN and ATZ debug flags and below is my observation.
  In plain WLS 10.3.0 domain I see that default weblogic administrator user in embedded LDAP is part of administrators group. Microsoft AD administrator user is part of Administrators group from MS AD.
  Whereas in WLI domain I see that default weblogic administrator user is part of Administrators & IntegrationAdministrators groups. In WLI domain Administrators group is again part of IntegrationAdministrators group (below is debug logs).
  Below is Plain WLS Domain Debug log
  ####<Dec 6, 2010 5:20:14 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)
  '> <<WLS Kernel>> <> <> <1291674014123> <BEA-000000> < Subject: 2
  Principal = weblogic.security.principal.WLSUserImpl("weblogic")
  Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
  Below is WLI Domain Debug Log
  <> <1291669863989> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  ####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
  <> <1291669863989> <BEA-000000> < Subject: 3
  Principal = weblogic.security.principal.WLSUserImpl("weblogic")
  Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
  Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
  The issue of Microsoft AD administrator user not able to test datasource in WLI domain seems to be happening because of IntegrationAdministrators group which comes by default with WLI domain (in plain WLS domain we do not have this group). Looks like the datasource which is being created in WLI domain seems to be being treated as WLI resource and user accessing it is being checked if it part of IntegrationAdministrators group. In this case weblogic default administrator user is part of IntegrationAdministrators, for which we do not see issue where as Microsoft AD administrator user which is not part of IntegrationAdministrators seems to be having problem.
  Below is snipper of Microsoft AD administrator user in Debug logs
  ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
  <> <1291670011687> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
  <> <1291670011687> <BEA-000000> < Subject: 2
  Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
  Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
  Also one more observation about datasource which is created is in plain WLS & WLI domain created datasource resource type is shown as “jdbc” which is expected, but in addition in WLI domain I observe that created datasource resource type is marked as JMX and DS is being considered as application (below), not sure if this has something to do with the issue.
  Below is WLS domain debug log, below you can see that datasource is being treated as JDBC resource which is expected.
  ####<Dec 6, 2010 5:21:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291674063776> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<jdbc>, application=, module=, resourceType=ConnectionPool, resource=testDS, action=reserve>
  Below is WLI domain debug log, below you can see that datasource is being treated as application and it says resource type as JMX
  ####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
  I created user in embedded LDAP in WLI domain with same name as MS AD administrator user and assigned it to Administrators group, that obviously works but is not acceptable solution.
  Below is exception thrown on console when testing datasource using Microsoft AD administrator user.
  weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[MSADAdminUser, Administrators], on Resource weblogic.management.runtime.JDBCDataSourceRuntimeMBean Operation: invoke , Target: testPool at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy92.testPool(Unknown Source) at com.bea.console.actions.jdbc.datasources.testjdbcdatasource.TestJDBCDataSource.begin(TestJDBCDataSource.java:114) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:870) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306) at
  - BoyelT

  This issue has been resolved.
  The problem of Microsoft active directory administrator user not able to test the datasource in WLI domain is caused because of IntegrationAdministrators group & IntegrationAdmin role which comes in WLI domain. Assigning the Microsoft Administrator group to IntegrationAdmin role from WebLogic console has resolved the issue.
  Below are steps for assigning the MS AD administrator group to IntegrationAdmin role from console in WLI domain.
  ======================================================
  - Login to console and click on "Security Realms" and "myrealm"
  - Go to "Roles and Policies" tab and expand "Global Roles" tree and "Roles" tree view under it.
  - Click on "View Role Conditions" link for "IntegrationAdmin" role.
  - Click on "Add Conditions" button select Group (default) for "Predicate List" drop down box and click Next button.
  - Specify MS AD admin group name for "Group Argument Name" text box and hit on Add button.
  ======================================================
  - BoyelT
  Edited by: BoyelT on Dec 20, 2010 1:36 PM

• Re: (forte-users) access violation caught in debugmode

  Eric,
  There has been a problem with Forte debug mode for sometime now when the app
  is silent. If you attempt to inspect the variables when the app is in the
  'silent' mode, i.e., waiting on an event loop for a user input or a system
  event, then you get the "Access violation caught ..." exception message and
  the workspace including the launch server crashes.
  If you are getting this problem in the 'step-through' mode, you should look
  at the lauch server immediately after you get the exception before
  everything disappears. There could be a stack backtrace due to some illegal
  reference. We have faced a similar situation before but the error appeared
  both in the 'debug' and 'run' modes.
  Hope this helps.
  Braja K Chattaraj.
  From: Eric Decossaux <[email protected]>
  To: forte mailing <[email protected]>
  Subject: (forte-users) access violation caught in debug mode
  Date: Thu, 23 Sep 1999 17:31:39 +0200
  Hello,
  I have a problem using Forte in debug mode. If I run my program on my NT
  machine from the partition workshop (distributed run), the program works
  fine except that some object does not display what I'm expecting. So I
  want to use the debug mode to inspect the objets of this window. When I
  choose the "local variables" option to see the content of my window, I
  have a "access violation caught" and forte disappears. If I just let my
  program run without choosing this option, everything is the same than
  with the distributed run.
  Does somebody have an idea what to look for ? I really want to look the
  inside the attributes of this window.
  We recently upgraded from release 30G2 to release 30L2. Could it be the
  problem ?
  Eric Decossaux
  Cliniques Universitaires St Luc
  Informatique des Laboratoires
  av Hippocrate 10 / 1730
  1200 Bruxelles
  +32+2+764 17 53
  For the archives, go to: http://lists.sageit.com/forte-users and use
  the login: forte and the password: archive. To unsubscribe, send in a new
  email the word: 'Unsubscribe' to: [email protected]

  Eric,
  Another possibility has to do with the repository. You said you recently
  migrated 30G2 to release 30L2.
  Many strange problems have been traced to release migrations with old
  repositories. If the repository was properly migrated another thing you can try
  is to export the project(s) to PEX files, delete them from the repository, and
  then re-import. I know this can be time consuming but I have solved more than
  one unexplained problem in the IDE by doing it.
  ---------------------- Forwarded by Charlie Shell/Bsg/MetLife/US on 09/23/99
  01:19 PM ---------------------------
  "Ajith Kallambella" <[email protected]> on 09/23/99 12:08:54 PM
  To: [email protected], [email protected]
  cc: (bcc: Charlie Shell/Bsg/MetLife/US)
  Subject: Re: (forte-users) access violation caught in debug mode
  Eric,
  Sometimes( 90% ) you can solve this problem by
  checking out the class that is causing the crash
  and force-compiling it.
  If it doesn't help, run through this checklist.
  1. Do you have enough memory resources.?
  2. Is the object you are inspecting held in a lock ?
  ( mutex, transaction lock etc )
  3. Does it work when you wait for sometime at the
  breakpoint before inspecting the values? I mean
  are you interrupting some process thread?
  4. Does it work if you log the attributes using logmgr?
  5. Are you using any call-outs/call-ins? Any external
  systems integration? Sometimes( for reasons beyond
  my comprehension ) the objects allocated outside
  Forte gets corrupted when its passed back and forth.
  6. ...finally...Santa Clause, help me!
  Ajith Kallambella M.
  Forte Systems Consultant.
  From: Eric Decossaux <[email protected]>
  To: forte mailing <[email protected]>
  Subject: (forte-users) access violation caught in debug mode
  Date: Thu, 23 Sep 1999 17:31:39 +0200
  Hello,
  I have a problem using Forte in debug mode. If I run my program on my NT
  machine from the partition workshop (distributed run), the program works
  fine except that some object does not display what I'm expecting. So I
  want to use the debug mode to inspect the objets of this window. When I
  choose the "local variables" option to see the content of my window, I
  have a "access violation caught" and forte disappears. If I just let my
  program run without choosing this option, everything is the same than
  with the distributed run.
  Does somebody have an idea what to look for ? I really want to look the
  inside the attributes of this window.
  We recently upgraded from release 30G2 to release 30L2. Could it be the
  problem ?
  Eric Decossaux
  Cliniques Universitaires St Luc
  Informatique des Laboratoires
  av Hippocrate 10 / 1730
  1200 Bruxelles
  +32+2+764 17 53
  For the archives, go to: http://lists.sageit.com/forte-users and use
  the login: forte and the password: archive. To unsubscribe, send in a new
  email the word: 'Unsubscribe' to: [email protected]
  For the archives, go to: http://lists.sageit.com/forte-users and use
  the login: forte and the password: archive. To unsubscribe, send in a new
  email the word: 'Unsubscribe' to: [email protected]

• Anonymous User Access to Web Dynpro ABAP Application

  Dear All,
  I'm not able to set anonymous user access to a WDA application. The requirement is : I have to Call the application if the user clicks a link on the portal (even before logging).
  Please note that I have gone thru note No. 1020795 and 1031159 and have complied and followed all the given steps there.
  Also, I have given anonymous acces to iveiw that i had created.
  Request the gurus around to help, if they have cracked a similiar situation.
  PS : Points are up for grab for any positive helps provided.
  Thankx a Ton in advance.
  Regds,
  Srini

  Hi, Srini,
  A WDA application runs on the WAS. It needs to login to the ABAP core in order o execute. In your case, what you can do is supply a user/passord directly on the service (tcode SICF).
  Hope this helps!
  Regards,
  Andre

• MobileMe Gallery - allowing multiple users access

  Hi,
  I have a simple question - can allow more than one user access to a hidden MobileMe Gallery?
  I seem to be able to choose only one name from a drop-down list. I'd like to allow two people access to my gallery. Is this possible?
  Thanks,
  :-Joe

  Joe:
  Give the same name and password to both viewers.
  TIP: For insurance against the iPhoto database corruption that many users have experienced I recommend making a backup copy of the Library6.iPhoto (iPhoto.Library for iPhoto 5 and earlier) database file and keep it current. If problems crop up where iPhoto suddenly can't see any photos or thinks there are no photos in the library, replacing the working Library6.iPhoto file with the backup will often get the library back. By keeping it current I mean backup after each import and/or any serious editing or work on books, slideshows, calendars, cards, etc. That insures that if a problem pops up and you do need to replace the database file, you'll retain all those efforts. It doesn't take long to make the backup and it's good insurance.
  I've created an Automator workflow application (requires Tiger or later), iPhoto dB File Backup, that will copy the selected Library6.iPhoto file from your iPhoto Library folder to the Pictures folder, replacing any previous version of it. It's compatible with iPhoto 6 and 7 libraries and Tiger and Leopard. Just put the application in the Dock and click on it whenever you want to backup the dB file. iPhoto does not have to be closed to run the application, just idle. You can download it at Toad's Cellar. Be sure to read the Read Me pdf file.
  Note: There's now an Automator backup application for iPhoto 5 that will work with Tiger or Leopard.

• Giving users access to Excel reports created from cubes

  I have created several Excel dashboards and would like to give regular users access to view them.  I'd like them to be able to choose their own date ranges using different slicers in the dashboards.  What kind of security do I need to setup to
  give a user access to these with only view rights?  It looks like right now they receive a datasource error when they open the files. 
  Thanks in advance!

  On the DW SQL Server, click Start, click All Programs, click
  Microsoft SQL Server 2008, and then click SQL Server Management Studio.
  In the Connect to Server dialog box, in the Server type list, select
  Analysis Services.
  In the Server name box, select or type the name of the server where the DW DB Server is located, and then click
  Connect.
  In Microsoft SQL Server Management Studio, in Object Explorer, expand the <server name> node, expand the
  Databases node, expand the DWASDataBase node, and then expand the
  Roles node.
  Double-click the SCDW_Report_Readers node.
  In the Edit Role dialog box, in the Select a page pane, click
  Membership.
  Click Add to add users or click Remove to delete users, and then follow the instructions on the screen. This adds and deletes users who have access to the whole cube.
  Antoine AL Ibry

• User Access Security

  I would like to restrict a user to access only one application. I do not want that user to access the rest of the applications.
  How can I achieve this ?
  Thanks.

  Shreya - Read up on authorization schemes in the user guide. Normally, it's not users that carry the restrictions (User ABC can only run App XYZ) but applications that define who can run them (Users in list ... may run me).
  Scott

• What provision should i give to user accessing applications via Smartview?

  What provision should i give to user accessing applications via Smartview in Shared Services.?
  Would Server access do? Or i need to give something else?
  Requirement is tht the user should be able to retrive and submit data via Smartview.

  You need to provision the user with server access - this will give the user the ability to connect to the Essbase server in Smart View only. The user will not see any applications listed.
  Then provision the user as write on each application you want them to see and submit data.
  Regards,
  Robb Salzmann

• Can multiple XP users access the same iTunes library?

  Because I'm having a REALLY hard time getting that to work at all. I've moved my entire iTunes folder into 'Shared Documents' so that all users should be able to access it and changed the option in iTunes Preferences to the correct 'all users' path, but iTunes still tries to find the info in 'my' (sal's) documents instead of 'all.'
  Anyone figure this out, or does it somehow break the EULA and isn't supported? The wife and I just want to use the same library since we're on one computer. Seems silly to not allow a user with admin rights to allow other users access.
  Thanks,
  Sal
    Windows XP  

  Sal,
  As this article in the Apple Knowledge Base explains the trick is to move the iTunes Music folder, not the entire iTunes folder, to "a publicly accessible location" and I believe they mean to suggest C:\Documents and Settings\All Users\Documents\My Music as a good place.
  It is important that the iTunes Library files remain in Sal's Documents and Sal's Wife's Documents.

• Multiple simutaneously logged in users accessing AFP home directories?

  Hi,
  Many of our problems are described in this guy's blog:
  http://alblue.blogspot.com/2006/08/rantmac-migrating-from-afp-to-nfs.html
  The basic capability we want is to have multiple simultaneously logged in users to have access to their AFP mounted home directory, which is configured in a sane, out-of-the box setup using WGM and Server Admin.
  Multiple user access could take the form of FUS (fast user switching), or simply allowing a user to SSH into a machine that another user is already logged into and expect to be able to manipulate the contents of her home directory.
  From my extensive searches, I have no reason to believe this is currently possible with 10.4 Server and AFP.
  (here's the official word from apple: http://docs.info.apple.com/article.html?artnum=25581)
  I've read that using NFS home directories will work, though.
  I want to believe that Apple has a solution for this by now (it's been almost a year since we first had difficulty), or at least a sanctioned workaround. If Apple doesn't have one, maybe someone else has come up with something clever. I find it hard to believe that more people haven't wanted this capability! (not being able to easily search the discussion boards doesn't help, though...)
  Thanks for your help!
  Adam

  Parallels Issue. Track at http://forum.parallels.com/showthread.php?p=135585

• Service Desk User access

  Hi Experts,
  I want my service desk users login on Solman and they can update Msg status and ther remarks.
  so what are auth. object needs on there profile, please suggest.
  Can we block users access in such a way , they are not able to do add change on other users issue msg.
  bcoz , if i give access on crm_dno_monitor to any user, he may access and process all issue tickets.
  Thanks
  Andrew

  Andree,
  Actually we provide variants for crm_dno_monitor.
  so they have option of seeing only tickets belonging to themselves only
  For e.g create a variant of crm_dno_monitor by choosing mine and then save it and create a ztcode in se93 for the same.
  assign this tcode for the user menu to the respective role of the user.
  So whn this user logs in and click on the link he sees only mine tickets or tickets belonging to him..he doesnt hav access to crm_dno_monitor.
  Pls assign pts.

• How to set up reverse proxy to allow user access portal site from internet

  Hi all,
  I have installed 10g(10.1.2.0.2) AS on same machine(single IP for both mid and infra with different users respectively). there is a DMZ on which windows IIS is working through which we need to redirect the request to application server such that users access portal page from internet (within intranet all URLs are working fine). I have went through technet documentation where i found 3 ways : through this link
  http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
  Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
  Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
  Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
  I am confused to which option to use. Also i went through the metalink document 270160.1
  Please help me which option to choose to do this.
  Thanks.

  Hi Hozy,
  May be it's too late, I am thinking to go in the same route for our sap portal access to external customers. Please can you share your experience , like what are the challenges have you faced? what is the complexity? what are all the resources we need to configure this?
  I appreciate your feedback.
  Thanks
  Krish