Restrict password resets to certain user groups in UME

I am investigating if it is possible to create a UME action which restricts admins to unlocking/locking IDs and resetting passwords for users in a certain user group.  I know you may need to create a UME permission class and action.  Has anyone done this?  If so how?
Thanks and Regards,
Mosi

Hi Mosi,
did you have a look at the <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/2b/306bb5bc98f24f8a85d489449af456/frameset.htm">Documentation about the Company Concept</a>? This can also be used to delegate administrative tasks in your case.
Regards,
Patrick

Similar Messages

  • CUP Password Reset functionality requires users to login using password

    Hi All,
    CUP Password Reset is requiring users to enter user ID and password before resetting the password. Basically, if a user forgets his password, he needs to enter his password to reset it (in other words, it doesn't work).
    Anyone have thoughts on how to resolve this?
    I'm running GRC AC 5.3 SP12.
    CUP is only password reset functionality.
    No LDAP is connected.
    User Master Source is SAP UME.
    Authentication Source is SAP UME.
    Thanks,
    Pete

    Why not?
    You can configure CUP not to require login and use challenge response for resets.
    In my opinion this is the least preferable option, as it requires every user to register and will move support effort from resetting passwords to resetting password questions, which users tend to forget just as often.
    It also leaves the possibility for imposters to register (as you don't require a login...) which allows you to reset any password if you're fast enough...
    I'm sticking to my recommendation - LDAP authentication is the best option.
    Frank.

  • Restricting certain users groups to read only for certain folders

    Hi
    I'm not sure if this is the correct forum, but hey, hopefully someone might know the answer or direct me to the correct one.
    I'm writing a VB program to amend ACLs for specific user groups.
    Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
    I've got to the point where the program does everything I want, i.e. stops folder creation/deletion, file & folder name changes, and copying for the historic years, but it does not prevent deletion of files in the folder.  Effectively I set Deny access on the historic folders.
    Testing using the Windows GUI would appear to resolve the problem if I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
    The question then is how do I set this in VB, the default appearing to be "This folder only".
    Here's extract of my code
    Thanks
    ' Requires at file top: Imports System.Security.AccessControl
    Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
    Dim FileAcl3 As New FileSecurity
    ' Folders that do not contain the current year are "historic" and become read-only
    If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
        ' Deny Modify and child deletion for the group (rules are "This folder only": no inheritance flags given)
        FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
        FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
        ' Take the read/list bits back out of the Deny so the group can still list and read
        FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
        FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
        FileInfo3.SetAccessControl(FileAcl3)
    End If

    Hi Rohn
    You're right, when I added the flags I got the following error at execution
    {"No flags can be set. Parameter name: inheritanceFlags"}
    I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
    I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
    Thanks
    Perry
    You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
    $varDirectoryName = "c:\folder"
    $GroupAdmin = "Admin Group"
    $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
    $FileAcl3 = $FileInfo3.GetAccessControl()
    # Rule applies to this folder, subfolders and files (ContainerInherit + ObjectInherit)
    $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
        $GroupAdmin,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )))
    $FileInfo3.SetAccessControl($FileAcl3)
    I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
    Does that make sense?
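    The thread above ends with the inheritance question still open, so here is an added PowerShell example (my own, not code from either poster) that applies the fix Perry was after: a single Deny ACE on the historic-year folder that inherits to "This folder, subfolders and files", followed by a check that a file inside really carries the inherited Deny. It assumes Windows PowerShell 5.1 on Windows, uses BUILTIN\Guests as a stand-in for the real group so the demo cannot lock out the account running it, and builds a constructed sample tree under $env:TEMP. Note that Get-Acl on a directory returns a DirectorySecurity object; that is the type which accepts inheritance flags, whereas FileSecurity (what FileInfo.GetAccessControl returns) rejects them with exactly the "No flags can be set" error quoted in the thread.

```powershell
# Added example, not code from the original thread.
# Assumptions: Windows PowerShell 5.1 on Windows; 'BUILTIN\Guests' stands in for
# the real group; the folder tree below is a constructed sample under $env:TEMP.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Set-HistoricFolderReadOnly {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    # Get-Acl on a directory yields DirectorySecurity, which accepts inheritance
    # flags. FileSecurity throws "No flags can be set ... inheritanceFlags".
    $acl = Get-Acl -LiteralPath $Path

    # A file can be removed either via Delete on the file itself or via
    # DeleteSubdirectoriesAndFiles ("delete child") on its parent folder, so both
    # are denied. Write covers creating files/folders and writing data.
    $rights  = [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Write
    # ContainerInherit + ObjectInherit = "This folder, subfolders and files".
    # InheritanceFlags None would be "This folder only", the original problem.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Translate a rule's flags back to the wording of the Advanced Security dialog,
# so a script's result can be compared with what was set by hand in the GUI.
function ConvertTo-GuiScope {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $ci = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    switch ("$ci/$oi/$io") {
        'False/False/False' { 'This folder only' }
        'True/True/False'   { 'This folder, subfolders and files' }
        'True/False/False'  { 'This folder and subfolders' }
        'False/True/False'  { 'This folder and files' }
        'True/True/True'    { 'Subfolders and files only' }
        'True/False/True'   { 'Subfolders only' }
        'False/True/True'   { 'Files only' }
        default             { "Flags: $($Rule.InheritanceFlags) / $($Rule.PropagationFlags)" }
    }
}

# --- constructed sample tree (assumption: a historic year folder with one file)
$Group    = 'BUILTIN\Guests'             # stand-in for the real group
$Root     = Join-Path $env:TEMP 'acl-demo'
$Historic = Join-Path $Root '2012'
$File     = Join-Path $Historic 'q1\ledger.txt'
New-Item -ItemType Directory -Force -Path (Join-Path $Historic 'q1') | Out-Null
Set-Content -LiteralPath $File -Value 'sample'

Set-HistoricFolderReadOnly -Path $Historic -Identity $Group

# Check 1: the folder's own Deny ACE has the scope we intended.
(Get-Acl -LiteralPath $Historic).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Group } |
    ForEach-Object { '{0,-50} {1}' -f $_.FileSystemRights, (ConvertTo-GuiScope $_) }

# Check 2: the file inside carries the Deny as an *inherited* ACE. With
# "This folder only" this list is empty, which is the symptom in the thread:
# folder protected, files still deletable.
$fileDeny = (Get-Acl -LiteralPath $File).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Group -and $_.IsInherited }
if (-not $fileDeny) { throw 'Deny ACE did not propagate to files' }
"OK: inherited Deny on file: $($fileDeny.FileSystemRights)"
```

    Two caveats a practitioner should keep in mind: a Deny ACE only restricts members of that identity, so the folder's owner (who keeps WRITE_DAC) and anyone holding the Backup/Restore privileges can still undo or bypass it; and Set-Acl rewrites the whole DACL it was handed, so run this against a copy of the tree first and compare `(Get-Acl $Historic).Access` before and after.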

  • Generating RAR Alerts for just certain user groups

    Is there any way to limit a RAR Critical Actions Alert to just certain users?  Or, only if these users access certain data?
    We've had a request to monitor and send out a notification for some transactions, but only for certain users.  These transactions are available to many employees, but it is only a concern if someone from a certain group uses them.  Even then, it's only a concern if they access certain data.
    As an example (this is not the actual request), you have a transaction like say XD03 (Customer Display) and it's available to most everyone in the company.  You also have customers assigned to different company codes.  The issue then is that you have a certain group of users that are only supposed to look at customers for just one specific company code.  Ideally, you would want to be notified if they use this transaction to look at customers for other company codes.  At the very least, you want to know when they use this transaction so you would know to check on their usage.
    If this can't be done using the RAR Alerts, is there maybe another way to perform this monitoring/notification?
    Thanks.

    Hi Bob,
    GRC RAR would not help you in this case. However you can restrict the Users through Roles which are assigned to them.
    For example: for tcode XD03, check/maintain the authorization object F_KNA1_BUK with Activity 03 and Company code 1000 (depending upon your requirement). Assign the role to the users who require the access to view the customers for company 1000.
    Hopefully this may meet your expectations.
    Regards,
    Nikita Sharma.

  • SAPGUI - Auto password reset option for users

    Hi
    We currently have R3 ECC 5.0 implemented across our locations. We have very high calls registered to our support team for password reset.
    We want to know whether there is an option available wherein users can select an option "Forgot password / Reset password", based on which the system should auto-generate the password and send the same through e-mail to the user. This will be a kind of self service for the users.
    Regards
    Sanjay
    Hindustan Unilever Limited
    Bangalore, India
    Mobile: 9341968501

    Hi Sanjay,
    As far as I know that kind of option doesn't exist as an SAP standard. Maybe there's a 3rd party software around....
    Regards
    Juan

  • New users with Global Password Policy requiring password "reset on first user login" are still prompted to reset password after entering incorrect password

    The setup:
    We have the option "Password must: be reset on first user login" enabled in the Global Password Policy on our 10.9 / Mavericks server. We import new user accounts into Open Directory via a delimited text file and include a default password for each user.
    What I've observed and tested:
    When a user attempts to log into a computer that's bound to our Open Directory for the first time, they can enter anything in the password field and still receive the prompt to reset their password. They are never notified that they entered their default password incorrectly. The password reset will then fail (as it should), but they still aren't notified that this is the reason for the password reset failure. To put it another way: Seeing the prompt to reset your password would reasonably imply that you entered the default password correctly, but that's not the case at all.
    The question:
    Is this expected behavior? If it is, it doesn't seem logical. If this was the case in OS X Server 10.3 through 10.7 I never noticed it. Can anyone corroborate this with their own setup? Thanks in advance.
    -- Steve

    Some follow up questions:
    - How did you migrate (dsmig ldif or binary import)
    - Did the accounts in .x have any custom password policies set?
    For a "new" and a migrated entry, can you check if a passwordpolicysubentry is configured?
    (search as directory manager and fetch the attribute)

  • Password Reset and vanishing user account

    Here's the situation.
    My friend did not know the password to her iMac, so using the install DVD that came with my iBook I booted her machine and did the password reset as per article 106156. However I not only changed the password to her user account, but also to the root account. (I did not actually see the article until afterward which says not to touch root). After both user and root passwords were successfully changed, I rebooted only to find that the user account was missing from the log in menu! Also unfortunate is that I don't have any other boot/repairs disks aside from my system install disk.
    I can't quite figure out why that might happen and how to resolve it. The install disk had 10.3 and her machine had 10.2, but I don't think that is the issue.
    How do I get the missing user account to reappear?
    If worse comes to worst I might try booting the iMac up in target disk mode and try to retrieve the user data if it's possible to do so.


  • Enabling Password Reset for end users

    Dear all,
    I have enabled the "Get Support" Link in the Logon Page Password reset. We are in EP 7.0 SP12.
    I followed the below link
    [Enabling users to reset their own password|http://help.sap.com/saphelp_nw2004s/helpdata/en/45/7e6313d8780dece10000000a11466f/frameset.htm]
    We want to use the WD Application. I have assigned the action "UME.Logon_Help" to the Anonymous users.
    But after the user gives the user ID and the email and submits, control stays on that page. No messages are shown, and no mails are sent either.
    Has anyone faced this problem before? Please help.
    Best Regards,
    Aparnna

    Hi,
    All those are done. If we enter a wrong mail id we are getting the message "Invalid User Information"
    But when we enter the correct user information, the control stays in the same page. And the password is not reset.
    In the default trace I saw the following exception
    [SAPEngine_Application_Thread[impl:3]_23##0#0#Error#1#/System/Security/Usermanagement#Java#An exception was thrown in the UME/ABAP user management connector. Message: {0}.
    ##An exception was thrown in the UME/ABAP user management connector. Message: {0}.
    [EXCEPTION]
    {1}#2#BAPI_USER_CHANGE@SIDCLNT100: ID=01, NUMBER=514, MESSAGE=You are not authorized to change passwords in user
    We have a dual stack implementation. We are on EP 7.0 SP 12
    Which user's authorization should I change? The communication user ID (SAPJSF) or any other ID?
    Best Regards,
    Aparnna

  • Automatic Password Reset for end users

    Hello Experts,
    I am looking for a password reset facility, where end-users can reset their own password without depending on basis.
    We can trigger a password recovery question, or a trigger to an authorised email ID, to simplify our Basis efforts.
    Please let me know if you need more clarification about my requirement. I would greatly appreciate your help.
    Regards,
    Sarvesh

    Hi Rao,
    There is a good document on this.
    Have a look : http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/502c39b9-02e8-2d10-18a7-d32fade7b18b?QuickLink=index&…
    Also, if it's ABAP, why not give them access to SU3? Only when the user gets locked or forgets the password do they come to your team.
    Divyanshu

  • Portal: Password reset and unlock User via UME?

    I'm new to Portal and SAP.  I'm trying to find options to have a username unlocked and password sent to user based on a userid from our Portal logon page.
    The end user needs only to know their user ID, and based on this user ID I need their username to be unlocked, and a temporary password to be emailed to them (Looked up from their user ID via Database) 
    From what I've been reading UME can do this, but when I look into configuration of it I'm not seeing anything that can define this to show up on the Portal logon page.  Does this have to be developed and built in or linked as a separate page or is there a prefab one made already(nothing I could find showed evidence of this, although the documentation regarding UME hinted at this)?
    The end user doesn't need to answer security questions because to get access to the portal they already have to be on my secured network. 
    Any help would be great!

    Andrew,
    This link might help explain what is possible with SAP Portal in terms of allowing the user to reset their password from the logon screen.
    http://help.sap.com/saphelp_nw04s/helpdata/en/45/7e6313d8780dece10000000a11466f/frameset.htm
    As for allowing a user to unlock their account from the logon page, there is no such functionality that I know of.  This would need to be developed.  We are doing something similar.  In our case, we are developing a module that allows users to retrieve their user ID if they forget it.  This also is not functionality that SAP provides.  The user can specify their email address, and it emails them their user ID.  This is being developed in Web Dynpro for Java utilizing the UME APIs.
    - Andrew Castillo

  • Restricting UserDefined Fields for certain users

    I want to restrict some of my users from viewing the contents of certain UDFs. Is there a way of doing this?

    Hi Raghu,
    Please check the following link which could be of help in your case :
    Re: User Defined Fields
    Also, a Note No. 913442 can be referred for the same.
    Regards,
    Jitin

  • Password reset for mass users

    Hi
    Please could you suggest whether we can reset passwords for mass users?

    Hi,
    No, it is not possible through SU10.
    You can do it through a script.
    Activate scripting in your system.
    Then record the script by doing it for one user. Once the script works for one user, create a script for many users by adding a for loop, and then play the script.
    Thanks
    Rishi Abrol

  • Password reset issue for users

    Ok this is driving me nuts and hopefully there is a simple answer.
    I am running a new, fully updated 10.8 server. I have set up Open Directory and have Profile Manager running. From the Server app I go into the Users pane, select a standard user (non-admin) and right-click to choose Reset Password. I enter a new password, verify it and click OK. To test this I go to the My Devices page from the web and it gives me an invalid password message. I know it's right. I have reset it and restarted the server to no avail. What can be going wrong here?

    Sean,
    I would stop every service and then launch only:
    1. DNS
    2. Open Directory
    3. File Sharing
    and then: "last time" (hopefully) reboot of the machine.
    This is to reduce the side effects.
    After the reboot I would check the logs of all those services and check if they are writing errors into them.
    What is happening then?
    ~ Markus
    P.S.: Anyway, how is your server installed? Is this server available from the internet or only in a local network?

  • Different Password Policy for Different User Groups in ACS 4.2

    Hi All,
    Can some one provide a solution for the below requirement?
    We do have ACS 4.2 appliance managing firewalls of different clients. The users are common i.e, helpdesk administrators. One of the client came up with setting different password policy for managing their devices i.e, the client wants to have min 15 characters as password length. We do have currently 8 characters as min password length. Can we change the password policy to min 15 characters only for managing the firewalls of this client whereas for all other client firewalls we feel better to have 8 characters as min password length?
    It seems that these password policies are global & affects all the users.
    This is something like, having two sets of password (for each user) policy depending on the client which he is going to manage.
    To my knowledge, I think that this is not possible. But, thought to cross-check with experts!
    -Jags.

    Hi jags,
    You're correct. Password policy on ACS will affect all internal users. We can't create different password policies for different clients/connections/sets of users.
    Password validation options apply only to user passwords that are stored in the ACS internal database. They do not apply to passwords in user records in external user databases; nor do they apply to enable or admin passwords for Cisco IOS network devices.
    HTH
    Regards,
    JK

  • Integration - Windows Server 2003/2008R2: Creating a login script that attaches programs to a certain user group. Upgrading to Windows 7/8

    We are currently running a windows server 2003 environment with a 2003 server being the DC. We have a couple of 2008 r2 servers that are member servers.
    OK...
    Our users are primarily operating off of Windows XP clients/workstations in which they use RDP to connect to the newer member servers that are Windows 2008. With their base profile in XP I am using roaming profiles via Server 2003. I am looking to begin upgrading all of the workstations to all-in-one Windows 7/8 boxes, partially because of cosmetic reasons (#weird) and partially because we will eventually begin using the camera options that are in the all-in-ones.
    Also, I must do this one at a time as we don't have the money to do a complete overhaul of all client workstations. If that was the case, I could just redo the network and make those member servers the DC and backup DC, as well as add a virtual server in which everyone can access those legacy programs that are still needed...
    As you guys know, Windows 7/8 boxes will not work with Server 2003 and roaming profiles. The reason we don't completely upgrade to a 2008 R2 environment is because we are still holding on to a legacy program that requires Server 2003, and these programs are vital to our operation.
    So..broken down even further...
    A: User is part of a 'LocalAdmins' group that makes them automatically a local admin upon any system within our domain.
    B: User  logs in to windows xp with credentials in which a tailored made per user roaming profile comes up from server 2003
    C: User then logs into one of the two terminal servers via RDP with same credentials and accesses new primary application. To access the legacy applications, they merely minimize their RDP session to get back to the windows xp session.
    Ultimately..
    1. I'd like to begin replacing option B with Windows 7/8 all-in-ones and have the RDP saved sessions that talk to the 2008 member servers, as well as a few vital IE shortcuts, automatically come to all users that are a part of that "LocalAdmins" group, period.
    2. Setup 1 server 2003 box that runs that legacy program and allow everyone access via a Virtual Environment..
    3. If they log into a windows xp box, or a windows 7/8 box, I want them to have access to the same icons.
    I guess this is a lot to digest, but my question is: what script could I make that would essentially allow uniformity for both my XP workstations and newly added Windows 7/8 boxes? What script could I create that would, I guess, reside on Server 2003 and bring all the necessary icons to the users that are a part of that "LocalAdmins" group despite having a Windows XP, 7, or 8 workstation?

    " I don't see what the issue is because a logon script will still be managed by Group Policy and will have to be applied using GP rules.  In the end you still have to write the script."
    You basically contradicted the smug part of your rant and multiple answers with this statement!!! You just recognized that some sort of script would be necessary if I chose to use it via group policy. 
    But according to you..
    "It is not and has never been done via a script."
    Clearly it has a section per user for a "profile path" and a "logon SCRIPT", which warrants my creation of this post since I have currently implemented roaming profiles. That is how I am manipulating what users can have on their desktop because, of course, we have different users that have different needs. But out of all the users, there are programs that need to be placed and seen upon immediate login. I will consult other people as this is only preliminary planning, but about half of your statements are completely unwarranted and UNNECESSARY!
    This statement also proves your additional inaccuracies...
    "All of the profile things are handled by Windows and have nothing to do with scripts.  You define all of that in Group Policy."
    That's just silly talk. I told you in my initial breakdown of my scenario in its entirety that I am using "tailor-made per user roaming profiles" to control desktop environments, not group policies in this case. But you just made an absolute statement in saying "You define all of that in Group Policy" which is completely wrong...
    Do me a favor, please don't respond to this post anymore. I'd love to see if any other partner, staff or whatever mind responding. Thank you for your help anyway. I will use what is useful in your post and discard the rest.
    Thanks
