Restrict data for a user profile

Similar Messages

• Restrict Data for a user without VPD

  I have read some posts, and maybe there are no better solutions, but I will try.
  For a particular user (User_A) I have to limit the data the user can see by Data_ID.
  Data_ID avialbe to User_A is 1, 2, 3.
  I know I can create a View for each Table and create a folder based on that for this purpose.
  Howevere I am wondering if there is something I can do through Discoverer Admin to accomplish this, so that I won't have to duplicate the folders.
  What I want to do is create a set of Folders in the main Business are and create "Filtered Folders" in a different Business Area.
  Any suggestions except VPD would be appreciated.

  Hi
  To follow up on what Rod has said, yes this solution will work.
  When I do it I add a mandatory condition to my folder which restricts the data to only what the user can see.
  Here's a workflow for Row-level security without a VPD:
  1. Create a security table
  2. Create a security index
  3. Grant the select rights
  4. Populate the table
  5. Create a function
  6. Import the function into Discoverer
  7. Create mandatory condition using embedded calculation
  8. Test
  Here's a simple table script:
  CREATE TABLE GEN_SECR(
  USERNAME VARCHAR2(8) NOT NULL,
  SEC_TYPE VARCHAR2(32) NOT NULL,
  SEC_IND INTEGER NOT NULL);
  In the above table, the three columns are used as follows:
  USERNAME     Oracle username
  SEC_TYPE     An identifier for the item to secure.
  SEC_IND     Use 0 for no access, 1 for access
  Create an index:
  CREATE UNIQUE INDEX GEN_SECR_PK ON GEN_SECR(USERNAME, SEC_TYPE);
  Grant access
  GRANT SELECT ON GEN_SECR TO PUBLIC;
  Populate the table:
  INSERT INTO GEN_SECR VALUES
  ('DRAKE', SALES', 1);
  INSERT INTO GEN_SECR VALUES
  ('MSMITH', ‘SALES', 0);
  Here's my function:
  CREATE OR REPLACE FUNCTION F_GEN_SEC
  (SEC_TYPE_IN VARCHAR2)
  RETURN NUMBER IS
  GEN_ACCESS NUMBER := 0;
  BEGIN
  USER is a system variable and contains the Oracle user id of the currently logged in user
  SELECT SEC_IND INTO GEN_ACCESS
  FROM
  GEN_SECR A
  WHERE
  A.USERNAME = USER
  AND A.SEC_TYPE = SEC_TYPE_IN;
  RETURN (GEN_ACCESS);
  EXCEPTION
  WHEN NO_DATA_FOUND THEN
  RETURN (GEN_ACCESS);
  WHEN OTHERS THEN
  RETURN (GEN_ACCESS);
  END F_GEN_SEC;
  Here's a workflow to import function into Discoverer Admin:
  1. Use Tools | Import PL/SQL functions
  2. Click the Import button
  3. Locate the function to be imported
  4. Click the OK button
  5. Click the Validate button – the function should be valid
  6. Check the Arguments button - all should be fine
  7. Click the OK button
  Use this workflow to create a mandatory condition using embedded calculation
  1. Navigate to folder to be protected
  2. Right-click in folder, on any item, and from pop-up select New Condition
  3. Under Item: select Create Calculation
  F_GEN_SEC('SALES') = 1
  4. Click the OK button
  5. Test using Discoverer Plus
  Here's a methodology for Item-level security:
  We will use the same table, but rather than secure a whole table, we will secure an individual item
  Let’s secure the Credit column and prevent user MSMITH from seeing the content of that item
  Populate the table:
  INSERT INTO GEN_SECR VALUES
  ('DRAKE', CREDIT', 1);
  INSERT INTO GEN_SECR VALUES
  ('MSMITH', ‘CREDIT', 0);
  Here's the rest of the workflow:
  1. Locate and right-click on the item you want to secure
  2. From the pop-up menu select Properties
  3. Rename the item by adding the characters OLD to the end of the name.
  4. Change the Visible to user property to No
  5. Click the OK button to close the Item Properties dialog box.
  6. Right-click on the item again, and from the pop-up menu select New Item.
  7. The New Item dialog box will open.
  8. Give this new item exactly the same name as the item you renamed in step 3
  9. Check the Functions radio button. The Show box will display a list of the function folders. Functions that have been imported into Discoverer are located in the Database folder.
  10. Expand the Database folder and select the function you imported earlier
  11. Click Paste. The function specification will be pasted into the Calculation.
  12. Complete the calculation using DECODE:
  DECODE(F_GEN_SEC('CREDIT'),1,
  Credit OLD,NULL)
  13. Click the OK button to close the New Item dialog box
  14. Move the item to its correct location by placing it immediately above the original item
  15. Test using Plus
  I hope this helps
  Regards
  Michael

• How to restrict data for certain users (brokers) in CRM

  Hi Team,
  We need to restrict brokers on their ability to 'see' and create trade promotions for only a given set of customers.
  Example:
  Broker Joe Smith can only see through t-code BP 3 customers, even though their are 10 customers created in the CRM system.
  Same goes for the t-code CRM_MKTPL (trade promotions), how do we restrict Joe Smith from creating promotions for only those 3 customer and not the other 7 customers?
  Any help is appreciated.
  Has anyone restricted any transaction like this before?
  Does it need ABAP programming? or does it need additional security roles?
  Thanks,

  The access control engine in CRM, is probably your best bet for this option.  I have not used it, but we did evaluate the use of the product.  I know this product works in BP, but I have not looked to see whether it hooks in CRM_MKTPL.
  Do a search on ACE in this forums or in the CRM help documentation.  Try this link for some basic information
  http://help.sap.com/saphelp_crm40sr1/helpdata/en/a9/04c42a9e207545b47a32d1d05f53c3/frameset.htm
  Good luck,
  Stephen

• MB5B showing diff data for diff users

  Dear All,
  At my client side in standard report MB5B for one user data for particular material is coming while for another user
  it is showing no data.
  I have checked authorization object in SU53 but it is having no problem.
  Roles,parameters and profiles are correct in both.
  Also i have checked all materials in MB5B for both users and found the materials which are having nil stock in current
  date are not showing data for that user while for other user it is showing data.
  What could be the reason and what changes are required in user profiles??
  Thanks,
  Naren

  Thanks Ajit....in category it was not tick..
  Naren

• Is there any object in labview that contains a list of data for the user to select (selection one at a time) or add a new data?

  Is there any object in labview that contains a list of data for the user to select (selection one at a time) or add a new data?

  List and table controls -> listbox..is that what you are thinking of?
  The listbox presents the user with a list of options, and you can set it to only accept one selection at a time...Adding new data to the list can not be done directly by the user but if you make e.g. a text control and a button you can programatically insert new objects described in the text box when the button is pressed...(see example).
  If you need more than one column you have the multicolumn listbox. If you want the users to write new entries directly yu can use a table and read selected cells using it's selection start property to read what cell has been selected.
  MTO
  Attachments:
  Listbox_example.vi ‏34 KB

• Windows 7 very slow logon, Waiting for the User Profile Service, winlogon event 6006

  Hello,
  Every so often one of our Windows 7 clients which is not normally having any delay at logon will take a very long time to login. This may be 10 or 20 minutes or up to an hour in some cases.
  Typically the event log will contain entries like
  The winlogon notification subscriber <Profiles> took 572 second(s) to handle the notification event (Logon).
  There is no further information available from Event Log Online Help, nor any additional detail as to why the logon event was so slow. During the delay the user will just see "Waiting for the User Profile Service" on their screen.
  We first started seeing this problem with Windows Vista and if anything the situation has not improved since then. It has never happened with any of our Windows XP users.
  We are currently planning a migration of computers to Windows 7 but stuff like this which has not been resolved in Windows over a 2 year period will stall that migration. The least improvement is to increase the event notification to give a lot more
  information on why the user profile processing has stalled.

  Hi,
  When did the issue begin to occur? Did it occur after installing certain application or applying certain policy?
  To troubleshoot the issue, please perform the following step.
  1. Restart the machine in Safe Mode with Networking to check whether the system can login quicker.
  2. Type “gpedit.msc” in Search box and press Enter. Navigate to the following location:
  Computer Configuration->Administrative Templates->System->Logon
  Please double click “Always wait for the network at computer startup and logon” policy and disable it.
  3. Perform a
  Clean Boot to check the result.
  Thanks,
  Novak

• Win7 and Reader X - default settings for ALL users/profiles

  I have a custom browser/app that opens PDF's within the app which can sometimes cause issues. I found that if I set Reader X to not open in the browser (Edit>Preferences>Internet - uncheck "Display PDF in Browser") that this does resolve most issues. My problem...when changed this only affects the current user/profile that's logged in. Potentially there can be dozens of users on these laptops. The other setting is when opening a PDF, I get the warning about Protected Mode not being able to be used due to the current configuration. I can select "Always open with Protected Mode disabled" and I no longer get the message; but again, current user/profile only.
  Is there a way to set these settings for ALL users/profiles? Running Win7 (32bit) with Reader X.

  I do not know why you experience this; what exactly happens when a non-admin users attempts to highlight something?
  You are talking about highlighting in the same document?

• "Please Wait For The User Profile Service" message when logging on to TS 2008

  I have a Windows 2008 AD Domain with 2 Windows 2008 Terminal Servers.  Both are configured identically.  I have the TS Roaming profiles stored on a 3rd server and a GPO pointing all users to the roaming profiles.  On one of the servers everything works perfectly.  On the second server the users, after they input their credentials, get the following message "Please Wait For The User Profile Service".  The message can stay there for up to 3 minutes, then they are logged innormall with the correct profile.  This problem does not occur on log off.  Any help would be appreciated 

   99% of the times I had this problem it was caused by either DNS issues or network bindings.
  Are your servers multihomed? In other words: do you have multiple network cards? If so, make sure your "production" card is on top in the network connections -> advanced settings -> adapters and bindings.
  You could also enable user env logging (search microsoft how to do that)

• Save persistents data for all users

  Hi
  The persistent datas are save for one specified user, the user logged in into the system (e.g. Windows).
  Is it possible to save persistent data for ALL users?
  If yes how?
  Thanks
  Hans

  Hi Hans
  IMO it might be a bit tricky. As you know - Persistence objects are stored in databases. I presume you're not asking about document database. Second database is stored in SavedData file which is located in per user data directory. I.E. on mac in ~/Library/Caches/Adobe Indesign/Version 6.0/en_US/Indesign SavedData
  Probably you need to create your own implementation of persistence or take a look on relations between file system and IDataBase interface.
  Regards
  Bartek

• Restricting  Access for SQ01 User Group

  Hi ,
  Please let me how to Restrict  Access for a   User Group  to only some of  the specific users?
  Thank you
  Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

  Hi,
  Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
  If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23.  They will lose access to all user groups that they are not assigned to via SQ03.

• Regd : How to find Validity date for a user in central user system

  Hi Experts;
  I want to get the list of users with profile SAP_ALL  with following details like validity ,user type ,user name ,user id..
  I can get through SUIM for each individual systems.Its very difficult to login to each system ,generate the report.So I prefered to go for Central system
  But if I use central user system I have no option to find validity and user type for the system ( SUIM - > Cross system application )
  I have also tried to the table USRO2 ( which gives only the list of users in the central system )
  So is there any possible ways to find the Users with profile SAP _ALL with validity date in the central user system. So that I can easily generate it as one report instead of logging to each and every system
  Regards
  Sanjeev.S

  Hi Ruchit
  Thanks for your reply. I want to find the validity date of all users having SAP_ALL
  profile of all child system connected through central user system .So it is possible
  to do that in Centrals System by executing the report?
  If I execute that report in Central user system will it give the details of all child
  system connected to central system
  I think it will give only the result of Central system and not the child system connected to Central system.Please clarify me.
  I can execute the report by logging to each child system ,but it takes very long hours for me since there are many system in my landscape.
  Awaiting for your reply.'
  Thanks
  Sanjeev.S

• Date modified of user profile can be considered as date the user last accessed the server?

  Hi,
  I have a terminal server with large number of old profiles.what is the Microsoft way to clear these?
  Is the last modified date of user profile can be considered as date the user last logged in to this server?
  Regards,
  Arun
  Best Regards, Arun http://whynotsql.blogspot.com/

  Hi Arun,
  For deleting old profiles please test the following group policy setting using gpedit.msc:
  Computer Configuration\ Administrative Templates\ System\ User Profiles\
  Delete user profiles older than a specified number of days on system restart     Enabled
  Delete user profiles older than (days)     30
  It is applicable to Windows Server 2008 and later.  You may need the following hotfix if you are running Server 2008 R2 (no SP1):
  http://support.microsoft.com/kb/983544
  Thanks.
  -TP

• Restricting data for selected GL accounts

  Resolved
  Edited by: Khaled McGonnell on Jan 29, 2010 2:55 PM

  Hello Rama,
  It is a little late but maybe this answer will be helpful for someone else...
  Something like this happened to me when I executed "Data Reconciliation", the thing that was happening is that the job didn't finish so it could just erase data but was not able to get data back, what I did was consult the log of the job through System --> Services --> Jobs --> Job Overview or transaction SM37, then I searched for my jobs and I saw that they were all canceled and the log said "The name of the printer ' ' doesn't exist" so what I did was add a new printer in system --> user profile --> Own data --> Defaults --> OutputDevice and I added a local printer like "LP01"; after this, I executed Data Reconciliation again and the job was succesful and it got data back.
  I hope this can help.
  Regards
  Erika Zagal de la Luz

• Use one profile for all user profiles in Server 2012 R2

  Hi
  I am setting up an Windows Server 2012 R2 Template on VMware. 
  I will do som changes with the local admin user, and want all user that will log in to servers made from this Template, get the user profile I have set up for the admin account.
  How to I do that?
  Regards
  StigKSand

  the way I used to do this was to create a new profile the way I wanted with any shortcuts applications etc installed. then I would create another user account on the PC and make it an admin.
  reboot the pc to ensure it hasn't got the pre-configured profile loaded and login with your newly created admin account.
  then right click This PC in windows explorer and select properties, then select advanced system settings, and select user profiles on the advanced tab. You can then select the profile you made all the configuration to, and click copy and then select default
  profile.
  this should then mean any new users who login get this default profile on this server.
  hopefully that is what you were referring to.
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn:

• How to restrict login for multiple users having same Role

  Our Web Application is deployed on Tomcat 5.5
  The requirement is ?
  There are roles in application like "operator", "admin"?
  There are multiple users created for each of the above role.
  When one user of "operator" role is logged in, then
  It should not allow to login for another user of "operator" role.
  Also, if user did not log out & application gets close, then
  It should not allow to login for another user of "operator" role.
  Also, it should not allow to login for multiple requests of same user
  (using another browser instance...)
  Is it possible using session object?
  But, using session object, it will create separate objects for different users,
  So here I will not be able to restrict session object creation rolewise.
  Also, how to retrieve these multiple session objects created for different users on server?
  If anyone is having the solution please reply as soon as possible,
  Thank you.

  To tell you the truth, this is a stupid requirement. It must be an extremely fragile application.
  In any case, you will have to write your stuff for that. Probably a filter that on login, logout, and session expiration checks, makes, or removes entries in a DB (using a synchronized resource to prevent race conditions) or possibly even simply in an application context object.