Restrict HR admin from viewing another HR admins infotypes

Hi
How can I restrict one HR admin from viewing the basic pay of his colleague? Should I implement a user exit so that every time PA30 is executed, I remove all PERNRs from my org unit? Please help...
Thanks

Hi there,
I saw you have closed this post, but I thought I'd see if I could add to it anyway.
One approach I've seen implemented is to have a user exit that, every time a transaction that checks HR info is run, checks the value of field PA0001-SACHA.  If the field is populated, then the user exit is called and, depending on the values, will or will not show HR-related information. e.g.
HR manager has H1, HR team have H2, regular employee has blank.
If the HR team goes to look at an employee, it checks to see if the employee has anything populated.  If there's nothing, it goes ahead.  If the field has something in it (H1 or H2) then the check looks to see what the HR team member has.  If that member has H2, it will fail.
then...
If the HR manager goes to look at an employee, the checks pass for the employee; if it looks at another HR team member, then there is a check to see if the field is populated.  If the field is, it checks what the HR manager has against their personnel record (H2).  Users with H2 can see the values.
I've also read something once where they solved this using structural authorisations and wrote a structural auth function module that, after running and building the structural authorisation listings, it completes a removal of specific (HR team related) objects from the lists via the customised FM.
http://sap.ittoolbox.com/groups/technical-functional/sap-security/view-the-whole-org-but-not-hr-912916 is where I read about this.
I know you can also use context sensitive HR auths depending on your SAP version.
Good luck,
Cheers,
Dianne
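
Dianne's SACHA-based check, modelled here as an added stand-alone Python example (not code from the thread, and not an ABAP user exit): it ranks the markers H1 > H2 > blank and lets a viewer see a marked target only when the viewer's own marker outranks it, which is the reading of the post that keeps the manager and team cases consistent. The protected infotype list, the personnel numbers and the rule that everyone may see their own record are assumptions.

```python
from dataclasses import dataclass

# Rank of each PA0001-SACHA marker; a higher rank outranks a lower one.
# Blank means the person holds no HR administrator role (a regular employee).
RANK = {"H1": 2, "H2": 1, "": 0}

# Infotypes the exit guards (0008 = basic pay, the infotype the question is about).
# Constructed for this example; a real system would take the list from Customizing.
PROTECTED_INFOTYPES = {"0008", "0009", "0014", "0015"}

@dataclass(frozen=True)
class InfotypeRecord:
    pernr: str    # personnel number of the record owner
    infty: str    # infotype number, e.g. "0008"
    payload: str  # record content, opaque here

# Constructed sample of PA0001-SACHA per personnel number (not real data).
SACHA = {
    "00001001": "H1",  # HR manager
    "00001002": "H2",  # HR team member (the viewer in the question)
    "00001003": "H2",  # the colleague whose basic pay must stay hidden
    "00002001": "",    # regular employee
}

def may_view(viewer_pernr: str, target_pernr: str) -> bool:
    """Decide whether viewer may display target's protected infotypes.

    Mirrors the post: a target with no marker passes straight through
    (the standard P_ORGIN authorization checks still apply on top of
    this); a marked target is visible only to a viewer whose marker is
    strictly higher. Seeing one's own record is always allowed (assumption).
    """
    if viewer_pernr == target_pernr:
        return True
    target = SACHA.get(target_pernr, "")
    if target == "":
        return True
    viewer = SACHA.get(viewer_pernr, "")
    return RANK[viewer] > RANK[target]

def visible_records(viewer_pernr: str, records: list) -> list:
    """Filter a PA20/PA30-style result set down to what the viewer may see."""
    return [
        r for r in records
        if r.infty not in PROTECTED_INFOTYPES or may_view(viewer_pernr, r.pernr)
    ]

if __name__ == "__main__":
    sample = [
        InfotypeRecord("00001003", "0008", "colleague basic pay"),
        InfotypeRecord("00001003", "0002", "colleague personal data"),
        InfotypeRecord("00002001", "0008", "employee basic pay"),
    ]
    # The H2 team member sees the colleague's IT0002 but not their IT0008.
    for r in visible_records("00001002", sample):
        print(r.pernr, r.infty, r.payload)
```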

Similar Messages

  • How to restrict some users from viewing a screen of standard transaction

    Hi All,
    I need to restrict certain user ids from viewing the 'Payment Transactions' screen for the below mentioned transactions.
    FK01, FK02, FK03, MK01, MK02, MK03, XK01, XK02, XK03
    The Basis consultant has tried to configure it. However, it's not working. So I need to find another solution.
    For all transactions other than FK01, MK01, XK01 (create vendor), the BAdI GOS_SRV_SELECT is called before the payment transaction screen appears. But for transactions FK01, MK01 and XK0, no such BAdI is there.
    Also I'm not able to figure out how to restrict that particular screen using BAdI GOS_SRV_SELECT. What will be the service name for this?
    Please help !!!
    Thanks in advance,
    Radhika

    Hi,
    You can do this using user exits.
    Identify the appropriate exit for your transaction and then put a condition like:
    IF sy-uname = '...'.
      LOOP AT SCREEN.
        screen-invisible = '1'.   " hide the field
        MODIFY SCREEN.
      ENDLOOP.
    ENDIF.
    I was just trying to give you some hint; make it to your best.
    Reward if helpful.

  • Preventing admin from viewing other home folders

    Hi
    I am creating new users programmatically. For each user a home folder gets created under
    "/home"; example "/home/MyUserFolder" for "MyUser". But since the information under those folders is extremely confidential, is there a way of preventing the administrator (who logs in with user id "system") also from being able to access those folders ("MyUserFolder" in the above example)?
    thanks
    srinivas

    An administrator will always have access to everything stored in the repository in the same way that a DBA always has access to everything stored in a database. You need to treat the Admin role on a production iFS instance in the same way as you treat the DBA role on a production database instance or the root/administrator user on a production server.
    It's a fact of life that there has to be someone in any organization who has 'God-like' permissions on the systems that manage the most sensitive data. This person has to be someone who can be trusted not to abuse that capability.
    If there are particular features that currently require admin capability but that should be delegated to some lesser super-user role please let us know. In general admin role should not be required to work with a production instance of the iFS on a day-to-day basis.

  • Restrict requester/approvers from  viewing/editing an object form field

    Dear All,
    We implemented 5 levels of approval workflow. The requirements is to configure the following permission on OIM:
    1. Requester is only able to view, insert and modify 5 fields out of 10 fields on the object form. The other 5 fields he can not view/insert/modify.
    2. The 1st until the 4th approvers can view only the 5 fields the requester can view, insert and modify.
    3. The last (5th) approver can view only the 5 fields the requester can view, insert and modify, but is able to view/insert/edit the other 5 fields that the requester and other approvers can not view.
    Anybody know how to enable this configuration on OIM? Basically this is to set the object form field-level permission.
    Your response is highly appreciated.
    Thank you

    You could have the final request process auto provision the final object and populate just the process form with the listed values as you pass them from one object form to another.
    You could use the APIs to cancel each request as it gets approved, which triggers the next resource object to be provisioned and populates the object form. Then the final approval would get completed and you could map those values to the process form for the final object. Then the user would only have one resource object on their profile. You could also limit which objects were viewable when the request was made by making them available to the organization as a generic object, then set it to system so it would be displayed in the list of available resources.
    -Kevin

  • How to restrict two employees from viewing each others' activities in a particular account?

    Dear Experts,
    I have a scenario here and request your kind input to bring a solution to it.
    I have two sales org. in one company. One is SO1 and other one is SO2. I want to restrict the sales employee of SO1 and SO2. Both of them are working in the same national account. I don’t want the SO1 sales employee to see what the SO2 sales employee does in that particular account; and the vice versa. So, it’s just restricting the view of particular account for both of them. Is it possible in CRM? If yes, how do you do that?
    Looking forward to the right solution.
    Thanks & Regards,
    SMTP

    Hi SMTP,
    This can be done by using authorization profiles. Here we need to create two authorization objects separately in such a way that each of them is allowed for one sales organization. And then assign these authorization objects to users, based on their sales organization (your requirement).
    You need to reach your Basis consultant and explain the scenario. Basis people can easily do this.
    Thanks & Regards
    Ravi

  • How to restrict payroll users from viewing IT0002 or other personnel data?

    Hi,
    We need to devise an authorization for payroll users in such a way that they are allowed to access and edit IT0014, IT0015, IT0580 to IT591, but they are not even allowed to view infotypes IT0000 to IT0007.
    They will still be allowed to do payroll processing of all employees.
    Problem is - if we disable PA20 to PA40 transaction for these users, then they will not be able edit IT 14, 15 etc and vice-versa.
    Please advise how we can do this.
    Effective solutions will be rewarded.

    Am just wondering like this -
    for a User who will update IT8 etc infotypes and run payroll for all employees:
    Allow infotype access to all Infotypes via P_ORGIN/P_ORGINCON and then
    exclude Infotype access to IT0000 to IT0007 via P_ORGIN/P_ORGINCON
    Does payroll run after the above if executed by this employee? Because in my view the user has access to IT08 and other payroll-related infotypes and hence it should run (but I think IT0, IT1 & IT2 might also be required for various reasons for payroll to run - not sure);
    Or probably you might need to think of executing/triggering the payroll process via a batch process (through a batch user ID which has access to all)... because it won't be best practice to manually initiate the payroll process...
    Regards
    Chandra

  • Is it possible to restrict a local admin from accessing/viewing AD accounts on a Domain Controller?

    I am working on determining if I can have a separate administrator group handle patching and perform maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the Active Directory user accounts in that AD domain?

    Hello,
    Since you are talking about domain controllers, I have to say there is no Power Users group on them. Actually, local user management is disabled as soon as you promote a server to a domain controller. The only option left here is to let Administrators handle the job. In case of an RODC you can go through what Albert suggested.
    However, since domain controllers are sensitive and play a key role in your environment, I strongly recommend not allowing non-administrators to perform maintenance or other related tasks (at least for domain controllers).
    Another option you have left for your patch management is to use a member server like WSUS to automatically install updates on your DCs.
    Regards.
    Mahdi Tehrani

  • From one day to another the server admin doesn't connect to the server

    I have an Intel XServe with OSX Server 10.4.10.
    From one day to another the server admin doesn't connect to the server, locally or remotely. The workgroup admin does not show the sharing button. The other services work correctly (FileService, NetBoot, ping, etc.). In the CrashReporter I only found a crash from dashboardadvisoryd. I don't want to restart the server.
    Is there another solution?
    Thanks Sven

    I found the solution in a message three above:
    http://discussions.apple.com/thread.jspa?threadID=1184552&tstart=0
    With
    sudo kill -HUP `ps aux|grep 'servermgrd'|grep -v 'grep'|awk '{print $2;}'`
    from the terminal ... and a few minutes later the problem was solved.
    Sven

  • Restrict Standard User from not removing the COM-Addins registered under HKLM with Admin rights.

    Hello,
    I have developed a COM add-in for Word 2013 with VS 2013 and installed it under HKLM with admin rights. Now from a non-admin account, i.e. a Standard User, I'm able to uncheck that add-in in the COM Add-ins dialog and remove it as well. Previously I have done the same thing for Word 2007 add-ins, and if a non-admin user tries to uncheck it the warning "The connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" pops up. But this is not happening for Office 2013 apps (basically Word, Excel and PowerPoint).
    This is happening for all add-ins installed under HKLM.
    How can a Standard User be restricted from unchecking and removing the Office add-ins registered under HKEY_LOCAL_MACHINE, with the same warning "The connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" in a pop-up box?
    Regards, Sayan

    Hi,
    The behavior has changed since Office 2010. Office 2010 and Office 2013 allow a standard user to turn a per-machine add-in off by unchecking the add-in in the COM Add-ins dialog.
    To restrict a Standard User from removing the COM Add-ins, we can try to add the add-in to the Group Policy option "List of managed add-ins" in the Office Group Policy template.
    For Word, for example, the policy is under:
    User Configuration\Administrative Templates\Microsoft Word 2013\Miscellaneous
    To enable this policy setting, provide the following information for each add-in:
    In "Value name", specify the programmatic identifier (ProgID) for COM add-ins, or specify the file name of Word add-ins.
    To obtain the ProgID for an add-in, use Registry Editor on the client computer where the add-in is installed to locate key names under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins.
    To obtain the file name of an add-in, click the File menu in the application where the add-in is installed. Click Options, click Add-ins, and then use the Location column to determine the file name of the add-in.
    In "Value," specify the value as follows:
    To specify that an add-in is always enabled, type 1.
    Hope this helps.
    Regards,
    Steve Fan
    TechNet Community Support

  • New IR's not appearing in Views for non-admins

    We are in pre-production testing for SM 2012 SP1.  We only have a few user roles beside the built-in roles.  We have a 'standard' group which has access to just about everything except for sensitive items relating to user termination, legal, etc.  We have a group which can see those sensitive items, and then the built-in administrators.
    When non-admins create an IR or SR, it sometimes takes up to 5 minutes for the item to show up in a custom “all open incidents” view, or in a custom “my incidents” view.  In a few isolated cases, the work item did not appear for over an hour.  However, admins can see all of these work items immediately in any view that should, by criteria, be displaying it.
    What would cause a work item to display immediately in all appropriate views for admins, but not for non-admins?

    Sorry for the delay in updating.  Our management team got very frustrated with the performance and nearly killed the whole project.  I got them to give SM another chance with R2, hoping that some of the issues would be resolved.  This issue was not resolved.
    So, I have continued testing.  I cleaned up our Queues, so we only have 4 now in the Queues list.  When I open the properties of our custom user role, the Queue section displays our 4 queues, plus one called Work Item Group from the System Work Item Library.  I started with selecting just 1 Incident queue for this user role.  I created a new IR as this user, and it took nearly 15 minutes for the IR to appear in the view.
    I then modified the user role and selected the "All work items can be accessed" radio button.  I created another IR and it appeared in the view immediately.  Now, this is where it gets interesting.  I went back to the user role and set it back to display a single queue, and the IR disappeared from the view.  It didn't appear again for another 10 minutes.
    The queue that this IR should be assigned to is quite simple.  Right now, I want it to display all incidents.  It is not looking at an advanced class, just Incident.  Initially, I did not put any criteria on it at all.  I then tried setting it to just Active Incidents, and still the IRs take 10-15 minutes to appear.
    I still don't understand what an aggressive queue is.  Does my queue sound 'aggressive'?  The view is looking at Incident (typical), not advanced.  I don't see any obvious problems in the Workflow Status section of the Admin pane.  What should I be looking for next?  I need to have the ability to filter queues by user roles, but it will cripple productivity if new IRs do not appear for 10-15 minutes.

  • Prevent Active Directory Parent Domain Admins from accessing Child Domain

    We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
    Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
    Thanks in advance for input and advice!
    Best regards.

    Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
    parent.parentdomain.com
    child1.parentdomain.com
    child2.parentdomain.com
    child3.parentdomain.com
    We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
    1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
    2.) Promote a Child.parentdomain.com user to Enterprise Admin?
    Thanks sorry for the confusion.
    Ah ok.
    Yes, you can. The answer is basically the same. The group membership is what counts. So in the child domain, remove the Enterprise Admins group from the child domain admins groups. OR make sure the domain admins of the forest root are not members of the Enterprise Admins group. That way they are still only admins in the parent domain.
    It really only depends on group membership and including those groups in the child domain. By default the enterprise group is included, for example, but nothing stops you from removing those groups.
    based on the group membership you can also deny them the ability to log on.
    the only thing you cannot prevent is the forest administrator account from doing something.
    One thing I would like to add though: any admin in the forest domain likely has the ability to still get access if he wants to force his way in.

  • Exchange Admin Cannot View Full Room Calendar Permissions

    We are a brand new Exchange 2010 SP3 (14.3 build 123.4) shop with Outlook 2010 (14.0.6112.5000), so no older versions of Exchange or Outlook exist in our environment.  I have full Exchange administration access to the system and Full Access to all room calendars.
    If I open a room calendar in Outlook and view the Properties, Permissions, the Default access only shows two Read options available: None and Full Details. Whereas if another admin views the permissions it shows all four options.
    So if Admin #2 views the room, the Default access will show it has access to Free/Busy time, subject and location, but when I view the same room it shows Default as None since the other options are not available to me. So I am not getting a clear indication of the real Default access, nor can I set the correct access.  If I view it in PowerShell I can see the correct access.  I have cleared my Outlook cache and I am set in non-cached mode and I have even rebuilt my profile, and yet I still only see the two options rather than all four. I can see all four options if I look at the permissions of my own Outlook calendar, but not if I look at any other calendar, person or room.  Any ideas as to what the problem might be?

    Hi,
    According to your description, we understand that you have Full Access permission to all room calendar folders. If the Default calendar permission is set to Free/Busy time, you cannot view the exact Default permission. Instead, it shows None. It is a normal phenomenon.
    Based on my test, if the Default access permission of the room calendar is set to Reviewer or a higher permission, you can view the corresponding permission in your Outlook.
    I think the reason why Admin #2 can view the real default permission of the room calendar is that Admin #2 may have full access permission to the room mailbox instead of the room calendar. In other words, you can try to add full access permission to the room mailbox for yourself to check whether the issue persists:
    Add-MailboxPermission -Identity RoomA -User "Brit Whittington" -AccessRights FullAccess
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Getting other admin consoles onto another admin console

    The admin console is very important.
    I want to be able to access all of my ldap servers admin consoles through all of my other ldap servers consoles.
    I am currently running 5.2, patch 3 on solaris 8. I have about 12 ldap servers in total. I want to be able to administer any server console from any console. In other words, on my ldap01 admin console, i would like to see in the directory tree listings for ldap02...ldap10 and be able to access them in the same manner.
    What does this encompass? I think it has to do with modifying the config dse.ldif. But what portion of the ldif file is responsible for viewing other ldap servers? I am not to sure.
    I hope my description makes some sense. Thanks.
    -Sowser

    The correct way to do it would be to (if you get to do it all over again) choose just one config server when installing additional Directories.
    Next best thing to try is below (I remember getting this to work a long time ago, so you might have to muck around a little)
    1. Export ou=<AdminDomain>.com,o=NetscapeRoot from each of the config branches, and merge the files.
    2. You can import this big file into all of the config instances, or import it into one config instance and replicate the instance to all other servers.
    Assuming that there is network connectivity from each of the admin servers to the other servers in the topology, you should be able to see all the DS/Admin servers on every server. If each of the servers has different passwords than what was used to enter the console, you might have to enter the correct one when a particular server is clicked.
    Since this is messing with the o=NetscapeRoot branch, all precautionary measures are applicable.
    HTH

  • Remove Admin from Login Screen

    Any thoughts how to remove User: Admin, Password: admin from the logon screen so other users cannot view. Otherwise I just plan to change the password.

    Go to Transaction SE61 and select the document 'General text' (selection via F4 help), and change the text with the name ZLOGIN_SCREEN_INFO in the language defined with profile parameter zcsa/system_language
    SD

  • How do I change a primary admin from Teams and remove the original primary admin?

    I have added another admin to Creative Cloud for Teams, and need to change that user to primary admin, and then remove my Adobe account (the original primary admin) from the Teams group.  Is it possible to do this?

    Currently you cannot change the primary admin on a CCT membership. As a workaround, follow these steps:
    Cancel the existing team membership: You can cancel the membership without any penalty. The accounts for team members change to trial mode. Members can still access their saved data in the cloud storage. To cancel the membership, click the Chat Now button at the bottom of this page to initiate chat with a live agent.
    Buy a new team membership; use the Adobe ID for the new primary admin.
    Reinvite team members using the new primary admin account.
    The team members have to accept the invitation and log in to the Creative Cloud Desktop app again. Their apps are activated under the new team account. 
    from adobe... basically... suck it up
