Restrice subroles as per Users/Groups

Similar Messages

• Selective LOV per User/Group

  Hi Guys,
  Just would like to ask if there's a way on how to limit or only show a selected number of LOVs per User?  For example,
  I have a parameter for Country and I have 2 Users... User1 should only see let's say China, Japan and Korea, while User2
  should be able to see all countries..
  Kind  Regards and Many Thanks,
  Mark

  I am facing the Same Issue. I implemented Dynamic LOV and published the CR into BOE. But when user runs the report he/she see all the avilable LOVs.  But we need only Selective LOV per User/Group.
  Please suggest me where can I use the Current CE User function becuase we are already using security table in Crystal Reports.
  Thanks
  Reddy

• ISE 1.2 & AD & Meraki - Per User Group Policy ?

  I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have it's own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc.. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.
  1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
  2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
  I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
  Thanks,
  Nathan

  Please find the Meraki_ISE integration doc. in attachment.
  When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
  In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
  MAC-based access control (no encryption)
  WPA2-Enterprise with 802.1x authentication
  A per-user VLAN tag can be applied in 3 different ways:
  The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
  The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
  On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 

• Server 2008 R2 RDP: limit max number of rdp connections per user group?

  Hello everyone,
  I have a Windows Server 2008 R2 with RDP installed.
  I want to create a couple of user groups which will have 5 different users in each. Then I would like to limit RDP connections, let's say 2 connections for the first group and 3 connections for the second group. For example, if 2 users from Group 1 are connected
  then when a 3rd user from Group 1 tries to connect it will be rejected to connect, but 3 users from Group 2 still can connect. Is it doable?
  Thanks in advance.

  Hi,
  I would like to check if you need further assistance.
  If you need help to create script, please post your questions in our related forums.
  http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home
  Thanks.
  Jeremy Wu
  TechNet Community Support

• Unique item permissions per user/group of ListItems

  Hello,
  i have following scenario:
  1.) Sharepoint group named "(Adminstrator) Company A" <-> Has Add/Edit rights on the list
  2.) Sharepoint group named "Company A" <-> Has only Add/read access to the list
  3.) .....many many other groups (50+) with same schema.
  Each pair of groups (Company A) should "only" see their own entries in the sharepoint list.
  My Logical approach and research on how to accomplish this ended up in writing a ItemEventHandler.
  The problem i ran into now is that whenever i try to use "currentListItem.BreakRoleInheritance(false);" i get a access denied
  message whenever the limited user group is trying to add a item to the list even when i use the SPSecurity.RunWithElevatedPrivileges(delegate().
  So i wonder what is wrong. Isn't RunWithElevatedPrivileges ignoring the currentUsers rights ?
  Any help would be highly appreciated.

  Thank you all for the replies.
  Meanwhile i was able to figure out myself what the problem was.
  Both of your replies actually didn't solve my problem. I kept getting ACCESS_DENIED exceptions.
  But the problem is that all of this happened inside of a
  public override void ItemAdded(SPItemEventProperties properties)
  of a SPItemEventReceiver class.
  The root of the problem was that i was still trying to modify the initial "properties" object.
  After i made a complete copy and re-retrieved the item from the list INSIDE of the elevatedPrivilege method i was finally able to make my desired modifications.
  So for everyone who runs into this problem too:
  Make sure you re-retrieve EVERYTHING(ListItem,DocumentItem etc) you want to modify with elevated privileges inside of the 
  SPSecurity.RunWithElevatedPrivileges(delegate()
  Thank you again,
  Ralf

• "Make proxy settings per-machine (rather than per user)" Group Policy setting not applied until login as a local Administrator

  We want to deploy to all our desktop the pac file to configure proxy. We have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy settings per-machine (rather than per user)", and i've add a registry key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
  Version\Internet Settings" with the pac file link.
  I've tested on my pc, and all was configured without any problem. I've try to login to my computer with another user (without admin rights) and the automatic configuration proxy was compiled and not modificable. It's seems that all works.
  But, our users are not local admin, so i've tried to deploy the GPO in a collegue computer. I've forced the update of GPO, checked on registry that all new keys are added, and i've reboot the pc. When i've check on IE settings, autoconfig URL was empty and
  grey. I'm disconnected from user and i've login to the pc with a local admin. With my surprise, the IE settings was compiled. When i'm come bac to the user profile the IE settings was compiled and not modificable.
  The problem is: i've over 750 users in 3 countries, and i don't want grant them the local admin permissions. How can i configure proxy settings via GPO without login to every machine at least one time?

  > have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy
  > settings per-machine (rather than per user)", and i've add a registry
  > key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
  > Version\Internet Settings" with the pac file link.
  In the past, we experienced various issues with machine proxy settings,
  so we don't use them anymore. The simple approach:
  Block access to the connections page through ADM template settings and
  deploy the proxy through GPP Internet Settings.
  This is what we do (with a pac file, too), and it works well :)
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• VLAN assignement per user group with WDS

  I have configured an EAP-TLS wlan. I have configured the radius server to assign a vlan to the user depending of the user group.
  In this way I avoid that an user with a valid certificate that discover another SSID can change the VLAN changing his SSID (so I control what vlan connects every user)
  But when I have configured WDS in the wlan it stops to work. Because (I suppose) when the user reauthenticates (not the firt time) the WDS don't ask the radius server (it uses his cache) so it doesn't use the radius configuration and applies the vlan deppending of the user SSID.
  How can I resolve this problem?
  Thanks

  I think that the WDS configuration is not working as intended. Thats the reason the WDS is not caching the credentials and authenticating the user. Under Wireless Services > WDS status tab do you see the the infrastructure devices as Registered. if not check the authentication server for authentication stats. The first thing is that the WDS AP should register the infrasrtructure devices. Only then things will work.

• Report links by user group

  hi, is it possible to set the "report links" per user group
  for example, the report links are Download, Refresh for user group Sales.
  the report links are Download, Refresh and Modify for user group Sales Admin.
  Just wanna know whether this can be done.
  thanks!

  If "Sales" doesn't have the Answers privilege, then the "Modfiy" link won't be rendered even if specified for the request. So you can just keep it in and all users having access to Answers will see it. Read-only users (i.e. no Answers) won't.
  Cheers,
  C.

• Bandwidth VPN 3000 user groups

  I would like to graph bandwidth usage per user group. Does anyone know what MIB will give this information?

  I have been looking at this for a few days now. Thought possibly I might be missing something. Guess not...

• How to create secutiry filters and users, groups in system 9

  HI,
  Could you please help me how to create security filters and groups, users in system 9. I need it very ugent. i am very much thankful to you.. if you respond immediatly.
  Thanks,
  sudhakar.

  In short here's how I did it in 9.3.1 but there are multiple ways to do it.
  I'm using MSAD external authentication.
  Using EAS right click on database, Edit, Filters. Create your filters.
  Then go to Shared Services.
  Find the MSAD user/group and provision them to the Essbase database that you have your filters on. Access level is "Filter".
  Then go back to EAS and Refresh Security From Shared Services.
  Then go back to Shared Services.
  Navigate to Projects & then your Essbase server. Find your Essbase database and click on it. To the right it'll populate a list of all the users/groups you provisioned to above. Select all of them and click Next.
  Now you should see a drop down at the top showing your filter(s). Click the checkbox(s) next to the users/groups you want to apply that filter to. Click the green checkmark to apply the filter, and repeat for your various filters that you want to apply. Only 1 filter per user/group.
  Then go back to EAS and Refresh Security From Shared Services again.
  Good luck, hope this helps.

• Assigning Material Group per User

  Hi SAP Experts! =)
  Pls Help! does anybody have an idea how can I assign a Material Group per User. This is for authorization purposes. What I just know, is to Assign just one Material Group per user through Parameter ID MKL. This will only solve my problem if a User will only have access for a Single Material Group.
  Do you know a way how to Assign access for Multiple Material Groups? I would want to use this for the PR/PO process, so a User will only purchase Materials under his/her assigned Material Groups. =)
  Mik

  HI,
  Usually we give a star symbol for the authorisation object of material groups means the user is authorised for all the material groups.
  In case if you want to give multiple material groups for the user then we have to specify the material groups instaed of the star symbol.
  You can check the users authorisaion against the user ID in tcode SUIM.(Users with complex selection)
  Thanks & Regards,
  Kiran

• Need to create userdefined groups on per user basis in LMS 4.2 .

  Hi all,
  I am having some 20 nos switches that are monitored by LMS and I have created  2 users and 2 user defined device groups in LMS .
  I have allocated 10 switches to one user defined group and remaining to another group.
  And Is it possible to assign a user defined group to a particular user .
  I want user A to monitor devices only user group A .
  Is it possible ? Any comment will be highly appreciated.
  Thanks in advance
  Selva

  Unfortunately LMS doesn't have this option where it can send approval request to only that approvar who is also in the same group of the Job initiator.
  Currently all Approvers on the Approver list receive an automatic email notification where the job Approvers approve or reject the job.
  You can check this under Job Approval Workflow.
  -Thanks

• TFS says {oldaccount} is not a member of the Team Foundation Valid Users group, but I am

  I'm trying to check in changes to TFS using VS2013. When I hit the submit button, TFS returns the following error, "TF14002: The identity {domain} \ {oldaccount} is not a member of the Team Foundation Valid Users group."
  Background: my account name has been changed to {newaccount} from {oldaccount}.  And when the sys-admins changed my account name they did not update my computer itself, so I'm still using C:\Users\{oldaccount}. I can't believe that would make a difference
  but you never know....
  When I first started working at this company I'm almost certain I set up my TFS Workspace with my old account. But I thought I deleted all that stuff related to my old account and reset everything to my new account (Workspaces and TFS server). My lead tech
  has even shown me the account mgmnt screen with my new account name. And I've been able to check out items with my new account name.
  I performed the following steps to try to "clean out" TFS:
  • I copied all of my changed files to a back-up location.
  • I undid all changes in TFS (note that TFS has been allowing me to check out files to edit).
  • I deleted the TFS entry in Credential Manager per a suggestion online.
  • I deleted my Workspace.
  • I even deleted my TFS server.
  • I Rebooted my computer.
  • I reconnected to the TFS server.
  • I rebuilt my Workspace.
  • I restored my changed files from my back-up location.
  At this point I tried checking-in my changes again but got the same error message as above.
  Next, I deleted everything in this folder:
  C:\Users\ ...\AppData\Local\Microsoft\Team Foundation\5.0\Cache
  ... but I'm still seeing the error.
  Also, we'd been informed that a number of us need to downgrade from "Ultimate" to "Professional".  I did my downgrade to VS2013 Pro (after the steps above) but I am still seeing the same error.
  A comment on another question
  here suggested that I shelve my changes without preserving changes locally, then un-shelve and attempt to check-in.  This also did not work, I could shelve my changes and un-shelve, but doing so did not fix the original problem.
  Note that I do NOT have access to the TFS server itself - much less permissions to perform any sort of admin on it (and I don't know the person who would) - but might there be a table in the TFS database that still has an entry for my old account that could
  be joining to my computer name &/or new account name when TFS goes to look up my account info when I check in my changes? I am getting desperate for an answer!
  Any suggestions?
  Thanks,
  D. Kelley

  Hi D. Kelley,
  Thanks for the details. Based on your description, you might need to change or update the SID for users. Try identity command to change the username if you never use the new username in TFS. Check this page for more information about
  identities command in this
  page.
  You can also check the table "tbl_Identity" in the tfs_configuration database to see if the new user exists, or it has the old user. Another option is have a check on other machines to see if it works fine. Refer to links below for more information:
  https://social.msdn.microsoft.com/Forums/en-US/93568425-a877-4d21-8497-1adc4561b6d3/unable-to-check-in-code-to-tfs-due-to-tf14002-the-identity-old-user-name-is-not-a-member-of-the?forum=tfsversioncontrol
  https://social.msdn.microsoft.com/Forums/en-US/acc56859-624f-41bc-b698-cbb5e0b8f525/cant-check-in-code-the-identity-devoldusername-is-not-a-member-of-the-team-foundation-valid?forum=tfsversioncontrol
  Best regards,
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• What is the Advantage of creation of user group through SUGR?

  Hello Masters,
  As per audit requirement I have maintained user groups for different sets of users through SUGR, but I am not getting except differenciating users (based on group), is there any other advantage? Can we assign role to a user group instead of assigning to list of users  or can we do any mass changes to an user group by giving only user group name.
  Regards,
  Nilutpal.

  Dear Neels,
  Apart from maintaining user group for Differnciation purpose you can also take the advantage on the following sectors:
  1. Follow the http://help.sap.com/saphelp_nw04/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm link . From this you will come to know the use of user group in the authorisation area.
  2. User Groups also allow segregation of user maintenance, this is especially useful in a large organisation as you can control who your user admin team can maintain - an example would be giving a team leader the authority to change passwords for users in their team. 
  3. The authorization user group is used in conjunction with S_USER_GROUP authorization object. It allows to create security management authorization by user group. e.g. you can have a local security administrator only able to manage users in his groups, Help-Desk to reset password for all users except users in group SUPER, etc... 
  In case any issue, please feel free to reply.
  Regards,
  Nilutpal.

• Integration - Windows Server 2003/2008R2: Creating a login script that attaches programs to a certain user group. Upgrading to Windows 7/8

  We are currently running a windows server 2003 environment with a 2003 server being the DC. We have a couple of 2008 r2 servers that are member servers.
  OK...
  Our users are primarily operating off of windows xp clients/workstations in which they use RDP to connect to the newer member servers that are windows 2008. With their base profile in xp I am using roaming profiles via server 2003. I am looking to begin
  upgrading all of the workstations to all-in-one windows7/8 boxes partially because of cosmetic reasons(#weird) and partially because we will eventually begin using the camera options that are in the all-in-one's.
  Also..I must do this one at a time as we don't have the money to do a complete overhaul of all client workstations..If that was the case, I could just redo the network and make those members servers the DC and backup DC as well as add a virtual server
  in which everyone can access those legacy programs that are still needed...
  As you guys know windows 7/8 boxes will not work with server 2003 and roaming profiles. The reason we don't completely upgrade to 2008 r2 environment is because we are still holding on to a legacy program that requires server 2003 and these programs are
  vital to our operation.
  So..broken down even further...
  A: User is part of a 'LocalAdmins' group that makes them automatically a local admin upon any system within our domain.
  B: User  logs in to windows xp with credentials in which a tailored made per user roaming profile comes up from server 2003
  C: User then logs into one of the two terminal servers via RDP with same credentials and accesses new primary application. To access the legacy applications, they merely minimize their RDP session to get back to the windows xp session.
  Ultimately..
  1. I'd like to begin replacing option B: with windows 7/8 all-in-ones and and have the RDP saved sessions,that talk to the 2008 member servers, as well as, a few vital ie shortcuts automatically come to all users that are apart of that "LocalAdmins
  group period.
  2. Setup 1 server 2003 box that runs that legacy program and allow everyone access via a Virtual Environment..
  3. If they log into a windows xp box, or a windows 7/8 box, I want them to have access to the same icons.
  I guess this is a lot to digest, but my question is, what script could I make that would essentially allow uniformity for both my xp workstations and newly added windows 7/8 boxes? What script could I create that would,I guess reside on server 2003, that
  brings all the neccessary icons to the users that are apart of that "LocalAdmins" group despite having a windows xp, 7, or 8 workstation?

  " I don't see what the issue is because a logon script will still be managed by Group Policy and will have to be applied using GP rules.  In the end you still have to write the script."
  You basically contradicted the smug part of your rant and multiple answers with this statement!!! You just recognized that some sort of script would be necessary if I chose to use it via group policy. 
  But according to you..
  "It is not and has never been done via a script."
  Clearly it has a section per user for a "profile path" and a "logon SCRIPT". Which warrants my creation of this post since I have currentely implemented
  roaming profiles. That is how I am manipulating what users can have on their desktop because of course, we have different users that have different needs. But out of all the users, there are programs that need to be laced and seen upon immediate login.I
  will consult other people as this is only preliminary planning but about half of your statements are completely unwarranted and UNNECESSARY!
  This statement also proves your additional inaccuracies...
  "All of the profile things are handled by Windows and have nothing to do with scripts.  You define all of that in Group Policy."
  That's just silly talk. I told you in my initial break down of my scenario in an entirety that I am using "tailored made per user roaming profiles" to control desktop environments not group policies in this case. But you just made an absolute statement in
  saying "You define all of that in Group policy" which is completely wrong...
  Do me a favor, please don't respond to this post anymore. I'd love to see if any other partner, staff or whatever mind responding. Thank you for your help anyway. I will use what is useful in your post and discard the rest.
  Thanks