Restrict access on login to some users

Hi
I'm building an application for internal use and I need to restrict access to some users... Is it possible to do that during login, considering that the authentication scheme selected is "Database Account"...?
I thank in advance all your replies!

Hi
Thank you for your reply.
I liked your suggestion of setting a condition on the login process on the logon page and it's exactly what I want... But it's not working... If I set the condition when the login button is pressed, no one enters the application... If I don't set it that way, all users enter, including the ones on the "exclude list"... I'm using condition type = "SQL Expression".
What might I be doing wrong?
Best regards

Similar Messages

  • How to restrict access to views for some users in the app?

    Hi SDN!
    I have a WD application which is embedded in the portal. The application has 2 iViews (and 2 pages respectively). These iViews consist of several views connected with each other (e.g. one view provides list data, the second view is an add/edit form for this data). I need to restrict access for some users to the view with the add/edit form. I can't make a separate page for this view.
    What I've done:
    1) Created yet another UIContainer for this view in the main window and embedded the view in this container. This was done to create a separate iView for the form.
    2) In the portal I created an iView for this form but didn't embed it in any page.
    When I try to call my form from the list data (that is, one iView from another) I get an exception:
    com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: duplicate usage of view .MyCarRentalAddCity
    Is there a way to get the needed functionality?
    Thanks,
    Lev

    Hi,
    do you need to remove the iView from the portal menu, or do you just want to make a View container in your WD application invisible if the user doesn't have the rights to see it?
    If so, you could create your own roles on the app server:
    You need to create a new class that extends NamePermission, like:
    package com.vendor.utilities;
    import com.sap.security.api.permissions.NamePermission;
    public class ApplicationAccessPermission extends NamePermission {
        /**
         * @param name permission name, as declared in the actions XML
         */
        public ApplicationAccessPermission(String name) {
            super(name);
        }
        /**
         * @param name permission name, as declared in the actions XML
         * @param action action string passed through to NamePermission
         */
        public ApplicationAccessPermission(String name, String action) {
            super(name, action);
        }
    }
    Also, you have to create an Action.XML file that looks like this:
    <BUSINESSSERVICE
         NAME="com.vendor.administration">
         <DESCRIPTION
              LOCALE="en"
              VALUE="actions view usage"/>
         <ACTION
              NAME="View Permission">
              <DESCRIPTION
                   LOCALE="en"
                   VALUE="Show view"
                   />
              <PERMISSION
                   CLASS="com.vendor.utilities.ApplicationAccessPermission"
                   NAME="ShowView"
                   />
         </ACTION>
    </BUSINESSSERVICE>
    If you have created these two files in your packages, you can access this function like:
    // Imports needed in the view controller
    import com.sap.security.api.IUser;
    import com.sap.tc.webdynpro.progmodel.api.WDVisibility;
    import com.sap.tc.webdynpro.services.sal.um.api.WDClientUser;
    import com.sap.tc.webdynpro.services.sal.um.api.WDUMException;
    IUser user;
    try {
        user = WDClientUser.getCurrentUser().getSAPUser();
        // The name must match the PERMISSION NAME attribute in the actions XML ("ShowView").
        if (user.hasPermission(new ApplicationAccessPermission("ShowView"))) {
            wdContext.currentV_UIElement().setViewVisibility(WDVisibility.VISIBLE);
        } else {
            wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
        }
    } catch (WDUMException e1) {
        // Hide the view when the current user cannot be resolved.
        wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
        e1.printStackTrace();
    }
    You have to bind the ViewVisibility attribute of the context to the View Container you want to hide.
    The ApplicationAccessPermission you defined in the XML file will be visible in the UME Manager of your J2EE engine. With this action you can create a new role and group that you can map to the users that should see your view.
    But the exception you get is because you have embedded one view twice, which is not possible.
    Hope this helps.
    Regards,
    Dennis

  • Taking long time on First login for some users

    Dears,
    We are facing very strange issue in our ECC6 server.
    For some users, when they log in with user ID and password, it takes 15-20 min to log in and sometimes gives a timeout.
    But after the first login it works fine.
    If I remove roles from those users and assign them SAP_ALL or one or two roles, they also work fine.
    One more thing: some other users having the same authorization are working fine.
    One solution I found for this issue is to delete the user having the problem and copy it from a user who is working fine.
    But I am not getting the root cause or a permanent solution of the issue.
    Please suggest.
    Shivam

    We just experienced the same problem after updating our SP-Stack.
    Some users were experiencing a long logon time, and a long time to return to the Session Manager screen. Changing to the SAP Menu instead of the User Menu cleared the problem for those users, but they no longer had quick access to transactions that were in the User Menu, and not in the Favourites.
    Note 203617 was not the answer for our problem, but it did point us in the right direction.
    After upgrading our SP Stack last Friday, it appeared that some of the roles in the Customer Namespace (i.e., zRoleName001) had inherited a copy of the Logistics or Accounting SAP menu trees. This meant that users with those roles ended up with a User Menu which contained the 10 or so transactions that are assigned to their roles, and additionally, the entire Logistics or Accounting Tree, which contains 35,000+ items. In transaction SM66, users who are waiting for their logon to complete are shown doing a sequential read of table AGR_HIERT.
    To correct this, I removed the Logistics and Accounting menu trees as appropriate from the User Menu of those roles in PFCG. Users that use the User Menu can now log on normally.
    This is what I did to troubleshoot:
    * Pick one user that is experiencing long login times, and have them change to the SAP Menu instead of the User Menu. If their logon time improves, open transaction SE38, and run the program EASY_ACCESS_NUMBER_OF_NODES.
    * Specify the user's account and click on Execute.
    * If the program times out, chances are that they have an enormous number of items in their User Menu - continue with the next step.
    * If the program finishes, look at the number of Menu Nodes for that user - Note 203617 says that a User Menu with 1000 or more items is considered "large" and will degrade logon performance as the User Menu buffer is constantly swapping in and out.
    * Note each of the user's roles from SU01, then check the Menu tab for each of those roles in PFCG to see if any roles are adding large sections of the SAP menu.
    * If necessary, maintain the Role's Menu items in DEV, and transport to TEST, then Production. BE CAREFUL to ensure that the Users list is not modified when transporting the changes into Production, or the Role will become de-assigned from your Production users, and your users will hate you when they become unauthorised to open transactions.
    * Once the User Menu is back to normal, the user can change back to the User Menu and everyone should be able to log on normally.
    Hope this helps.
    Edited by: Chris Pope on Apr 21, 2010 1:09 PM

  • Restricting access to reports for certain users

    Hi,
    We have few reports on a Multicube with Reporting unit authorization object. A certain group of users has this authorization. Now, we want a few of these users not to have access to one particular report on this multiprovider.
    Can anyone suggest a way to achieve this?
    Thanks,
    Abhishek.

    Abhishek,
    Use S_RS_COMP authorization object to restrict by queries. You can create 2 roles based on this object, one role with access to all the queries. The second one will have access to all but one. You can assign this role to relevant people.
    Although, this is slightly more maintenance intensive, as every time a new query is created, someone has to add the query to one of the roles based on the security required.
    -Saket

  • Restrict Access to certain users based on if a variable in the SQL database is set to 1

    Hey guys,
    I am quite new to PHP and MySQL and I have a question concerning access restriction. For a website project I am experimenting with Dreamweaver's login and restrict access behavior, which works fine. However, on the website I would like to restrict access for users that only have a 1 set in the corresponding MySQL database (which means that e.g. each page has a different variable in the database that can be set to 1, which would allow me to personify access beyond the level of the out-of-the-box option, where each user can only have one access level). So it is quite similar to the out-of-the-box restrict access to page based on user group, but just depending on another variable in the database.
    I guess it can be done with an if condition that checks in the database if the logged in user has a 1 in this variable, and if yes give her/him access, if not redirect to another page. However, I could not figure out how to implement that.
    Your help is highly appreciated!
    Thanks in advance!

    Hello guys,
    I spent quite some time on the internet researching my wish and redefined my need: I would basically like to have the possibility to assign a user multiple access levels. There would be e.g. 10 pages, for each of which I create an access level. Then a user with e.g. access to pages 2 and 8 can only access these two pages. So my basic question is if, and if yes how, I can assign a user multiple access levels at a time and store these values in the MySQL database.
    Thanks a lot for your help!!

  • Access control - Restricted access not working

    Hi
    I have an application I have created an Access Control administration page in. I have set the application mode to 'Restricted access. Only users defined in the access control list are allowed'. I have defined two users one with administrator and one with edit privileges. I have a third workspace user who is not listed on the access control page.
    I have added the authorisation scheme to the tabs, pages and page items I require. This appears to work fine if I change the privilege of one of the listed users to 'view' the items disappear and cannot be accessed.
    The issue I have is that the workspace user who is not listed can still log into the application, and has the same access as 'view' privilege. My understanding is that the 'Restricted Access' application mode should prevent this user from accessing this application as they are not explicitly listed?
    Have I missed some set-up, misunderstood the meaning of 'restricted access' or is it some sort of bug? I am assuming I have missed some set-up somewhere.
    PS This is APEX 4.0.2 on 11g
    Edited by: tlane on 15/02/2011 19:43

    I have set the application up on apex.Oracle.com
    http://apex.oracle.com/pls/apex/f?p=48123:101:506666493527664
    four users have been defined :
    control_admin
    control_edit
    control_view
    control_na
    The first 3 are defined on the access control page available on the user_admin tab when you login as control_admin user.
    user control_na is not listed but can still access the application.
    password for all users is : demo1234
    Thanks in advance for all help with this issue.

  • Restrict Access to Page Issue...

    Hi, this is my first time on Adobe forums. I regard myself as new to web design; I'm making my first proper website, for portfolio purposes. www.imaginationwebdesign.co.uk/port2 is the website.
    I am using Dreamweaver CS3, coding with HTML / PHP / MySQL.
    My Issue:
    I have implemented Restrict Access to Page dependent upon User / Pass / Access Level.
    Access Levels are 1 and 3 and are stored in my MySQL Database.
    3 = Full Admin Rights
    1 = Minimal Admin Rights.
    Now, whilst the Restrict Access works, when Access Level 1 attempts to display a page only for Access Level 3, it's not redirecting to the "AccessDenied.php" page... instead a blank white page is being displayed and unless I press Back, it just stays blank and doesn't redirect.
    I have used the Server Behaviour Panel so the code is automatically generated, but the source is:
    <?php
    if (!isset($_SESSION)) {
      session_start();
    }
    $MM_authorizedUsers = "3";
    $MM_donotCheckaccess = "false";

    // *** Restrict Access To Page: Grant or deny access to this page
    function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
      // For security, start by assuming the visitor is NOT authorized.
      $isValid = False;

      // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
      // Therefore, we know that a user is NOT logged in if that Session variable is blank.
      if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
          $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
          $isValid = true;
        }
        if (($strUsers == "") && false) {
          $isValid = true;
        }
      }
      return $isValid;
    }

    $MM_restrictGoTo = "AccessDeniedAdmin.php";
    if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("", $MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
      $MM_qsChar = "?";
      $MM_referrer = $_SERVER['PHP_SELF'];
      if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
      // Read the query string from $_SERVER; the bare $QUERY_STRING global only exists with register_globals.
      if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
        $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
      $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
      header("Location: " . $MM_restrictGoTo);
      exit;
    }
    ?>
    Any help would be great to get the redirection working...
    I've tried this on several pages and it still doesn't work.
    Thank you and sorry if this is posted in the wrong area.
    David.

    Davidbirkin wrote:
    > I finally managed to solve the issue.. although, to me it was a rather strange issue..
    Strange to you, perhaps, but it's a very common issue.
    > Before the Validation to check for Access level I had this line of code...
    >
    > <?php require_once('Connections/con1.php'); ?>
    >
    > Now, I have moved that line of code to appear AFTER the access level validation check, and it's all working fine... maybe it's the order I added the dynamic functions to the Page, but now it is working...
    As I said in my original reply, the problem was almost certainly caused by an error that you couldn't see because the display of errors is turned off for security reasons. The Restrict Access to Page server behavior uses session_start(), which must come before there is any output to the browser. "Output" includes new lines or whitespace outside PHP tags. There is almost certainly an extra line at the end of con1.php, which would prevent the session from starting. In turn, that would generate an error, resulting in your blank page.
    The problem is closely related to the "headers already sent" error message that confuses most PHP beginners. Read about it here:
    http://docs.php.net/manual/en/function.header.php
    By the way, it sounds as though you are testing everything on a remote server, rather than testing locally before deploying to a remote server. That's a very bad idea, particularly if the display of errors is turned off. You should test files in a safe, local environment with error reporting turned to the highest level, and eliminate all errors before deploying to a live server. If you're testing locally, make sure that error_reporting in php.ini is set to E_ALL, and that display_errors is on.
    David Powers, Adobe Community Expert
    Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
    Author, "PHP Solutions" (friends of ED)
    http://foundationphp.com/

  • Restrict access to buttons, regions, etc. on a per user basis?

    My application restricts access to buttons, regions, etc. on a per user basis.
    Here is my application logic...
    1. A User can only edit items they own.
    2. A Super-User can edit all items
    So, when a user logs in, I use a post-authentication process to set the user ID to an application level item.
    Now, for example, to have an edit button display on a page, I need to check the item's owner ID against the application level user ID...and check to see if this user is on the Super User list via a query.(which could be set to another application level item upon login...I guess)
    Question...What is the best way to do this? Conditional display? Authorization scheme?
    Would something like the following work for a Conditional Display?
    Condition: SQL Expression
    &USER_ID.=&P6_ITEM_OWNER_ID. OR USER_ID in (select USER_ID from table where USER_ID=&USER_ID.)
    How would I do this with an Authorization Scheme? (I like the idea of updating the logic in single location...but I'm not sure if it is possible because I have to check PX_OWNER_ID would be different on each page.)

    Hi Denes,
    Thanks for your code which allows user to edit (if authorized) and view (if not).
    But some how - I do not get the image to show up - instead it show a small underline.
    From SQL point of view - here is what I get - when i run the sql
    '<img src="/i/ed-item.gif">',2,CR TEST,,,,dune2.cit.cornell.edu,CRDMTEST.CIT.CORNELL.EDU,PSPROD,,,CRDMTEST
    Here is my wrap_image function
    create or replace function wrap_image(p_user_name in varchar2,p_dm_name_id in number)
    return varchar2 IS
    v boolean := False;
    ret_val varchar2(1000);
    begin
    dbms_output.put_line('user='||p_user_name);
    dbms_output.put_line('dm_name='||p_dm_name_id);
    -- Check authorization if the user is super user - return true, else if he has edit priv on dm_name_id - return true - else false
    v:=ACL_DMTOOLS_DM_PRIV(p_user_name,p_dm_name_id);
    if v then
    ret_val := '<img src="/i/ed-item.gif">';
    ret_val := ''''||ret_val||'''';
    dbms_output.put_line('TRUE');
    else
    ret_val := '';
    dbms_output.put_line('FALSE');
    end if;
    return ret_val;
    end;
    Thanks for your great educational site.
    Regards
    atul

  • Best way to give restricted execute access on pssession to remote user on a server

    We have some Windows 2008 R2 development environment servers. On these servers we are planning to provide access to developers via PSRemoting. We want to restrict the users in such a way that they can only run .bat files present in a certain UNC path. What is the best way to achieve this? Can we create a PSSession Configuration for this?
    Please note that we are planning to enable WSManCredSSP on the client (it is already enabled on the server).
    Also, is it possible to give such access that a user can only log in to the server using PowerShell's PSSession and not through an interactive remote desktop connection?
    ApoorvaW

    Hi  ApoorvaW,
    If you want to set up a restricted PSSession, please try to set the session configuration with the cmdlet:
    Register-PSSessionConfiguration
    Securing Session Configurations
    You can assign session configurations to users automatically. For example, you may want to restrict the commands in a session that are available to some users. This is done in a two-step process:
    1. Create a new session configuration that restricts the session to only a subset of commands.
    2. Change security access permissions so that the intended users can only access the new session configuration.
    For more detailed information about restricted sessions and PSRemoting security, please refer to these articles:
    PowerShell Remoting: How to Restrict User Commands
    Restrict Session
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang

  • Restricting access to link based on a user's accesslevel

    I've gotten the DW login feature working for restricting access to pages based on a user's successful login and associated accesslevel. However, I have some links that open an Excel spreadsheet and an Outlook calendar. Is there an easy way to restrict access to a link so that an unauthorized user can't navigate to the link? Here's my code for the link:
    <td height="19" colspan="3" valign="top"><em><strong><a href="STI-Intranet/XLS/PROD_SCHED.xls" title="Current Production Schedule (Read Only)">STI Production Schedule</a></strong></em></td>
    <td height="4%" valign="top"><strong><a href="http://server_3/public/cal_engineering/" title="FROM INTRANET"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">INT</font></a></strong></td>

    What server side language are you using? Do the links need to be restricted to just one access level, or multiple levels? Should it be blocked for only one level or multiple?
    Bryan Ashcraft (remove brain to reply)
    Web Application Developer
    Wright Medical Technologies, Inc.
    =============================
    Macromedia Certified Dreamweaver Developer
    Adobe Community Expert (DW) ::
    http://www.adobe.com/communities/experts/

  • Restrict access of "domain user" to specific computer

    I need to restrict access of "domain user" to a specific computer in the domain.
    I tried to do it by using "Active Directory Administrative Center".
    In Computers\Computer name\Properties\Extensions\Security
    I added the name of the user, marked deny to all and canceled inheritance.
    And yet the user can log in to the computer.
    I searched for a policy that contradicts the security and found none.
    With the "gpo" I was able to block, but I necessarily need to use the Security,
    because with Security the restriction can be partial.

    Hi,
    Based on your description, I understand that you want to allow certain users to access specific domain computers.
    Please open ADUC (Active Directory Users and Computers) and click the Users container. Then select that specific user account, open its Properties and navigate to the Account tab. Please click the "Log On To…" option to open the Logon Workstations panel. In the Logon Workstations panel, please change "This user can log on to:" from "All computers" to "The following computers". Then type the specific computer names. Please check if this can help you to achieve the target.
    If I misunderstood anything or there is any update, please don't hesitate to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership. I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use. So how do I go about using them in this scenario? Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me. Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile, click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:
    assert(function()
       if ( (type(aaa.ldap.distinguishedName) == "string") and
            (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
    then
           return true
       end
       return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
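
    The DAP expression above matches "OU=Users" as a substring of the distinguishedName. As an added example (not from the thread and not Cisco's code), this stand-alone Lua script compares that check with an exact match on one RDN; the helper names, the `aaa` stand-in table and the sample DNs are constructed assumptions, and it is written for a desktop Lua 5.1+ interpreter rather than tested on an ASA.

    ```lua
    -- Added example, plain Lua 5.1+ (string and table libraries only).

    -- Split a DN into its RDNs on commas that are not backslash-escaped.
    local function split_dn(dn)
      local rdns, cur, i = {}, {}, 1
      while i <= #dn do
        local c = dn:sub(i, i)
        if c == "\\" and i < #dn then
          cur[#cur + 1] = dn:sub(i, i + 1) -- keep the escaped pair together
          i = i + 2
        else
          if c == "," then
            rdns[#rdns + 1] = table.concat(cur)
            cur = {}
          else
            cur[#cur + 1] = c
          end
          i = i + 1
        end
      end
      rdns[#rdns + 1] = table.concat(cur)
      return rdns
    end

    -- True only when one whole RDN equals OU=<ou> (trimmed, case-insensitive).
    local function dn_has_ou(dn, ou)
      if type(dn) ~= "string" then return false end
      local want = "ou=" .. ou:lower()
      for _, rdn in ipairs(split_dn(dn)) do
        local norm = rdn:gsub("^%s+", ""):gsub("%s+$", ""):lower()
        if norm == want then return true end
      end
      return false
    end

    -- The check used in the thread: substring search, needle read as a Lua pattern.
    local function dn_contains(dn, needle)
      return type(dn) == "string" and string.find(dn, needle) ~= nil
    end

    -- Constructed sample DNs, modelled on the DAP_TRACE lines in the post.
    local samples = {
      "CN=Mr B,OU=Users,OU=Site1,DC=example,DC=com",
      "CN=Admin Mr B,OU=Admin Users,OU=Site1,DC=example,DC=com",
      "CN=Temp,OU=Users-Contractors,OU=Site1,DC=example,DC=com", -- different OU
      "CN=B\\, Mr,OU=Users,OU=Site1,DC=example,DC=com",          -- escaped comma
    }

    for _, dn in ipairs(samples) do
      -- Constructed stand-in for the attribute tree a DAP expression reads.
      local aaa = { ldap = { distinguishedName = dn } }
      local d = aaa.ldap.distinguishedName
      print(string.format("substring=%-5s exact=%-5s %s",
        tostring(dn_contains(d, "OU=Users")), tostring(dn_has_ou(d, "Users")), d))
    end

    -- Pattern pitfall: "-" is a quantifier in Lua patterns, so an OU name that
    -- contains one does not match itself unless find() is called in plain mode.
    print(string.find("OU=Site-A,DC=example", "OU=Site-A"))          -- pattern mode
    print(string.find("OU=Site-A,DC=example", "OU=Site-A", 1, true)) -- plain mode
    ```

    The third sample passes the substring check but not the exact one, which is the case to look for when a policy is keyed on an OU name that is a prefix of another OU's name.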

  • SSH login- how do I restrict access to a shared folder?

    I have created Shares in WGM for SMB and AFP access on my OS X 10.4.8 Server. However when I connect via SSH it's not restricting access to the folder based on the User Name I login with- I see the entire volume! How do I restrict access to a specific folder based on a user name setup in WGM? ACL's?

    Hey George,
    It sounds like you are trying to limit ssh/sftp users to a specific area, aka jails. The FTP server lets you 'chroot' users to a certain area making it appear as the root thus preventing them from navigating up the hierarchy, which is what I think you, and me and many others are trying to accomplish.
    The ssh compiled into OS X is missing this very needed feature. There have been a few documented workarounds, but they've either been too insecure or too clunky for me.
    I've dealt with the fact that my users can get to the root of the hard drive, and have just been very careful about my privileges (by using ACLs), thus preventing them from getting inside areas they shouldn't.
    There's a good write up here: http://www.schwie.com/brad/macosxsftpchroot/ and if you include the term 'chroot' in your searches, you should find a bit about it here too.
    And Roger, I think George meant the file sharing protocol used by ssh. man sftp.

  • How to see, if some user has done multiple login at the same time

    Hi,
    I'm looking for a tcode to see if some user has done multiple logins in a date range.
    Regards, Dieter

    It is also dependent on your license type, as it is populated at logon - prior to any Z-coding option - which will cause a lockout if attempted an access that way.
    I recently found a cool way to detect DB triggers and updates - very obscure...
    However I also "move around" during support in projects and don't always want to kick myself out. I guess SAP can "work-it-out" from the various fields of the table to map the user behaviour.
    Personally I don't believe that all of such information is appropriate for public domain, as all the SAP_ALLers out there combined with the types of authentication options are not always responsible with the information either.
    Thankfully, SAP has added a "salt" to the password hashes now. They offer RZ11 login/password_downwards_compatibility as a workaround...
    Take a look in your system!
    Cheers,
    Julius

  • HT201304 Is it possible to restrict access to specific IOS apps based on the WIFI profile that a user has connected to?

    Is it possible to restrict access to specific IOS apps based on the WIFI profile that a user has connected to?

    you might be able to block it if the app uses Internet access
    and depending on your wireless you might be able to block a specific user
    accessing the backend host that the app uses
    some firewalls offer application filtering but I'm not aware of any that work with ios apps
