Restrict requester/approvers from viewing/editing an object form field

Dear All,
We implemented 5 levels of approval workflow. The requirement is to configure the following permissions on OIM:
1. The requester is only able to view, insert and modify 5 fields out of 10 fields on the object form. The other 5 fields he cannot view/insert/modify.
2. The 1st through the 4th approvers can view only the 5 fields the requester can view, insert and modify.
3. The last (5th) approver can view only the 5 fields the requester can view, insert and modify, but is able to view/insert/edit the other 5 fields that the requester and other approvers cannot view.
Does anybody know how to enable this configuration on OIM? Basically this is to set the object form field-level permission.
Your response is highly appreciated.
Thank you

You could have the final request process auto provision the final object and populate just the process form with the listed values as you pass them from one object form to another.
You could use the APIs to cancel each request as it gets approved which triggers the next resource object to be provisioned and populate the object form. Then the final approval would get completed and you could map those values to the process form for the final object. Then the user would only have one resource object on their profile. You could also limit which objects were viewable when the request was made by making them available to the organization as a generic object, then set it to system so it would be displayed in the list of available resources.
-Kevin

Similar Messages

  • Restrict HR admin from viewing another HR admins infotypes

    Hi
    How can I restrict one HR admin from viewing the basic pay of his colleague? Should I implement a user exit so every time a PA30 is executed, I remove all PERNRs from my org unit? Please help...
    Thanks

    Hi there,
    I saw you have closed this post, but I thought I'd see if I could add to it anyway.
    One I've seen implemented is to have a user exit that, every time a transaction that checks HR info is run, checks the value of field PA0001-SACHA.  If the field is populated, then the user exit is called and depending on the values, will or will not show HR related information. e.g.
    HR manager has H1, HR team have H2, regular employee has blank.
    If the HR team goes to look at an employee, it checks to see if the employee has anything populated.  If there's nothing, it goes ahead.  If the field has something in it (H1 or H2) then the check looks to see what the HR team member has.  If that member has H2, it will fail.
    then...
    If the HR manager goes to look at an employee the checks pass for the employee, if it looks at another HR team member, then there is a check to see if the field is populated.  If the field is, it checks what the HR manager has against their personnel record (H2).  users with H2 can see the values.
    I've also read something once where they solved this using structural authorisations and wrote a structural auth function module that, after running and building the structural authorisation listings, it completes a removal of specific (HR team related) objects from the lists via the customised FM.
    http://sap.ittoolbox.com/groups/technical-functional/sap-security/view-the-whole-org-but-not-hr-912916 is where I read about this.
    I know you can also use context sensitive HR auths depending on your SAP version.
    Good luck,
    Cheers,
    Dianne

  • How to restrict some users from viewing a screen of standard transaction

    Hi All,
    I need to restrict certain user ids from viewing the 'Payment Transactions' screen for the below mentioned transactions.
    FK01, FK02, FK03, MK01, MK02, MK03, XK01, XK02, XK03
    The Basis consultant has tried to configure it. However, it's not working, so I need to find another solution.
    For all transactions other than FK01, MK01, XK01 (create vendor), the BAdI GOS_SRV_SELECT is called before the payment transaction screen appears. But for transactions FK01, MK01 and XK01, no such BAdI is there.
    Also I'm not able to figure out how to restrict that particular screen using Badi GOS_SRV_SELECT. What will be the service name for this?
    Please help !!!
    Thanks in advance,
    Radhika

    Hi,
    You can do this using user exits.
    Identify the appropriate exit for your transaction and then put a condition like
    if username = ...
    loop at screen.
    hide..
    endloop.
    I was just trying to give you a hint. Make it to your best.
    Reward if helpful.

  • Regular Expression Validator - want to edit an object acct field

    The field is a character field. But the field must be edited as follows:
    Field must either be 4 numeric numbers with the first position always an 8 so it could be a range from 8000 to 8999
    But I must also allow them to enter "8%" or "8n%" or "8nn%" where n represents a number. They want me to allow wild cards.
    How would I define this edit on the same field.
    1) First Validation: If it has a "%" then the first digit must be an 8 then I can have any of the wild card combinations given above.
    2) Second Validation: If no wild card then the field must be in the range from 8000-8999
    Is this validation a candidate for Regular Expression Validator or for my own custom method?
    If I can code this as a regular expression validator, how would I code it? I spent the last day looking on the web for Regular Expression Validator examples.

    I get the following errors that occur. I can key 8% or 8ddd but when I try these combinations 8d% or 8dd% then the following errors pop up. It gives multiple error but I am just keying on a single line. I can add multiple object lines but just one at a time.
    java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    - JBO-ObjectCode_Rule_1: Object must be in range 8000-8999 or object must be in form of 8%, 8n%, 8nn% where n represents a number.
    - JBO-27008: Attribute set for ObjectCode in view object AccountsecuritygroupobjView2 failed
    - JBO-ObjectCode_Rule_1: Object must be in range 8000-8999 or object must be in form of 8%, 8n%, 8nn% where n represents a number.
    - JBO-ObjectCode_Rule_1: Object must be in range 8000-8999 or object must be in form of 8%, 8n%, 8nn% where n represents a number.
    - JBO-27008: Attribute set for ObjectCode in view object AccountsecuritygroupobjView2 failed
    - JBO-ObjectCode_Rule_1: Object must be in range 8000-8999 or object must be in form of 8%, 8n%, 8nn% where n represents a number.
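
The rule described in this thread (8000-8999, or 8%, 8n%, 8nn%) fits in one allow-list pattern; the following is an added example, not code from the original poster or from ADF. The class name `ObjectCodeValidator` and the helper `coveredRange` are hypothetical, and the range helper assumes `%` stands for the remaining digits of a four-digit code.

```java
import java.util.regex.Pattern;

public class ObjectCodeValidator {
    // Exact code 8000-8999, or wildcard forms 8%, 8n%, 8nn% (n = ASCII digit).
    // [0-9] rather than \d keeps the class ASCII-only under every regex flag.
    private static final Pattern OBJECT_CODE =
            Pattern.compile("8(?:[0-9]{3}|[0-9]{0,2}%)");

    /** True only when the whole value is an allowed code or wildcard. */
    public static boolean isValid(String value) {
        // matches() requires the entire input to match, so trailing
        // characters such as a newline or a second '%' are rejected.
        return value != null && OBJECT_CODE.matcher(value).matches();
    }

    /** Inclusive range a valid value covers, e.g. "81%" -> 8100..8199 (assumed semantics). */
    public static int[] coveredRange(String value) {
        if (!isValid(value)) {
            throw new IllegalArgumentException("not an allowed object code");
        }
        if (!value.endsWith("%")) {
            int code = Integer.parseInt(value);
            return new int[] {code, code};
        }
        String prefix = value.substring(0, value.length() - 1); // "8", "8n" or "8nn"
        int pad = 4 - prefix.length();             // digits the wildcard stands for
        int span = (int) Math.pow(10, pad);        // 1000, 100 or 10
        int low = Integer.parseInt(prefix) * span;
        return new int[] {low, low + span - 1};
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the 8n% and 8nn% forms from the thread.
        String[] samples = {"8000", "8999", "8%", "81%", "812%", "7999", "80000",
                            "8123%", "8%%", "%", "8a%", "8000\n", ""};
        for (String s : samples) {
            String shown = s.replace("\n", "\\n");
            if (isValid(s)) {
                int[] r = coveredRange(s);
                System.out.println(shown + " -> valid, covers " + r[0] + "-" + r[1]);
            } else {
                System.out.println(shown + " -> rejected");
            }
        }
    }
}
```

Because the whole value is matched against a fixed allow-list, the only wildcard that can reach a later query is a single trailing `%` after a leading 8.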

  • How to restrict two employees from viewing each others' activities in a particular account?

    Dear Experts,
    I have a scenario here and request your kind input to bring a solution to it.
    I have two sales orgs in one company. One is SO1 and the other one is SO2. I want to restrict the sales employees of SO1 and SO2. Both of them are working in the same national account. I don’t want the SO1 sales employee to see what the SO2 sales employee does in that particular account, and vice versa. So, it’s just restricting the view of a particular account for both of them. Is it possible in CRM? If yes, how do you do that?
    Looking forward to the right solution.
    Thanks & Regards,
    SMTP

    Hi SMTP,
    This can be done by using authorization profiles. Here we need to create two authorization objects separately in such a way that each of them is allowed for one sales organization, and then assign these authorization objects to users based on their sales organization (your requirement).
    You need to reach your Basis consultant and explain the scenario. Basis people can easily do this.
    Thanks & Regards
    Ravi

  • How to restrict payroll users from viewing IT0002 or other personnel data?

    Hi,
    We need to devise an authorization for payroll users in such a way that they are allowed to access and edit IT 0014, IT0015, IT0580 to IT591 but they are not even allowed to view infotypes IT0000 to IT0007.
    They will still be allowed to do payroll processing of all employees.
    Problem is - if we disable PA20 to PA40 transaction for these users, then they will not be able edit IT 14, 15 etc and vice-versa.
    Please advise how we can do this.
    Effective solutions will be rewarded.

    Am just wondering like this -
    for a User who will update IT8 etc infotypes and run payroll for all employees:
    Allow infotype access to all Infotypes via P_ORGIN/P_ORGINCON and then
    exclude Infotype access to IT0000 to IT0007 via P_ORGIN/P_ORGINCON
    Does Payroll run after the above if executed by this employee? Because in my view the user has access to IT08 and other payroll related infotypes and hence should run (but I think IT0, IT1 & 2 might also be required for various reasons for payroll to run - not sure);
    Or probably you might need to think of executing/triggering the Payroll process via a batch process (through a batch user ID which has access to all)... because it won't be a best practice to manually initiate the Payroll process...
    Regards
    Chandra

  • Request.getParameter() from same page as HTML form

    I have a JSP page with a form. The form contains a text field; once the user submits the form, I want a JSP scriptlet to get the
    value of the user input and carry out processing on it within the same page and give a result.
    The problem is that the first time the page is loaded, there is an error in the request.getParameter() statement since no form has
    yet been submitted, I guess...
    If I use another page, it works, but I want to display the information in the same page.
    Thanks

    I'd like to see an example where you'd get a NullPointerException from the line
    if(request.getParameter("foo") == null)
    but not one from
    if(null == request.getParameter("foo"))
    In either case, the only possibility for a NullPointerException would be if your request variable were null (but this would cause a NullPointerException in either method). Otherwise request.getParameter() returns a null value if the parameter does not exist, but will not throw a NullPointerException.

  • Reader-enabled form from Acrobat is retaining interactive form fields when user saves the form

    This is an issue that has only recently come up. In the past it was not a problem to take a pdf, add interactive form fields to it in LiveCycle, then open the form in Acrobat and enable usage rights for Reader users.
    This allowed Reader users to fill out the form and save the results. With the most recent versions of Acrobat and Reader the user saves the form and the data AND the interactive form fields are saved in the resulting file - meaning that the data is still there to be changed. Clearly not what we want and not what Acrobat and Reader were doing previously.
    The form does properly display "You can save data typed in this form" when opened in Reader.
    I have got no response to this issue in the LiveCycle forum, and nothing shows up in a search. I would very much like to fix this, as it is affecting our entire library of pdf forms.

    In most instances the form is linked on the website, so the original form cannot be overwritten.
    In some cases we have to supply an interactive pdf for a department that they will then distribute by email to various groups who are expected to fill the form out on submit on an ongoing basis. That is what I was meaning by the user filling out the form, printing it, and then being prompted to save changes.
    The bigger issue is that most of our users expect to take a form hosted on the website, fill it out, and then save a pdf copy of their responses for reference. The reference copy is retaining the interactive fields rather than printing as a static pdf.
    If I could force the action of printing as a pdf (rather than saving as a pdf) on submission I think that would solve the issue. The script for most of the forms in the library is xfa.host.print(1, "0", (xfa.host.numPages -1).toString(), 0, 0, 0, 0, 0); and I am not aware of a way to force the print to only be to the pdf print driver.

  • Can we call a prepop adapter from object form ?

    Hi,
    I have written a prepop adapter in the object form which will take the value of one attribute from an object form field. In the prepop adapter I'm giving that field as the input parameter for one procedure, and the output I should get in the process form. If I am giving the attribute value in the adapter mapping as a literal it is working fine. But I want to input that field in the object form. I have given "ObjectData" in the map to field and "attribute name" in the Qualifier. But it is not picking up the value. Help me out please. What am I doing wrong?
    Thanks

    The functionality of pre-population, as the name suggests, is that the form field gets populated at the time the form is loaded onto the browser. The functionality you are looking for sounds somewhat like auto-fill at the keystroke event. This is not possible using a pre-pop adapter; rather you can look for something like a JavaScript-based solution.

  • Populate object form with already provisioned resource object's data

    OIM Version:
    9102 BP19
    Scenario:
    We have to pre-populate resource object (ModifyObject) form fields with already provisioned resource object (ProvisionedObject) form fields which can be multi-instance resource.
    This provided data will be used to modify the already provisioned resource object data (same ProvisionedObject). And this needs to be handled with an approval workflow.
    Approach:
    We will use selected ProvisionedObject’s process instance key on web page in resource object pre-populate adapters. And using that process instance key we will fetch already provisioned resource (ProvisionedObject) object’s data.
    Issue:
    Not sure how can we pass the process instance key from WEB_PAGE to OIM_RESOURCE_OBJECT’s pre-populate adapter.
    Any pointers towards the solution will be appreciated.

    My suggestion is...
    At the time of raising the request, use userKey and in the code use getObjects() to retrieve the provisioned resource object information. Here you can retrieve Process Instance Key of the Provisioned resource and then retrieve the process data. So at this point you will have all the required data of the provisioned resource which can be returned to the object form field.
    This is one approach. Experts may throw more pointers.

  • Create object form pattern

    I have seen multiple ways of implementing forms for creating entities. What is the best practice? I have some attributes that are exposed in the form and the rest need to be set programmatically. I need to navigate away to 2 different pages depending on the outcome of the create.
    I am thinking of having data binding to a view iterator for the form fields, using an "actionListener" handler to set attributes programmatically and using an "action" handler to commit the transaction, which will return strings depending on the outcome. Both the handlers will be in the app module and bound to the submit button through execution binding.
    Pranab

    Hi,
    I would keep the navigation handling in the managed bean so it stays independent of what exactly the AM returns. The managed bean basically maps the return value of the AM to the desired navigation case. It's always better practice not to couple the view layer with the business service.
    Frank

  • Creating vector art from a single form field.

    How do I create vector art from a single form field within a pdf that has several form fields in it?
    Thanks
    Chris

    I need to create vector art from text within one form field on a page with several form fields on it.
    1- single form field
    2- create vector art from text within the single form field mentioned above
    3- if possible export to a file
    4- if not possible how can I create vector art from a pdf automatically?
    5- if possible, create a button that will allow users to create vector art from text in a single form field
    Thank you,
    Chris

  • Using EL to get values from View Objects

    Hello again!
    I'm using jdev 11.1.1.4.0, with adf and business components
    Is there any way i can get a value to an af:outputText from a view object's field without
    a) having to expose all fields that I need in bindings tab?
    b) having to declare all fields to a backing bean
    I have a statistical table with about 30 numbers in a record and it would make my project impossible to follow!
    Some EL on the af:outputText with a parameter to a function on my backing bean, would sound perfect, but I've read that it's impossible...
    Any clues?
    Thank you for your efforts!
    Nikos

    I did not understand you.
    Will dragging and dropping your attribute on your page solve your problem?
    Or do you need to create an attributeValues binding for a single attribute? If yes, do the following:
    1- From your page, right click and select Go to Page Definition.
    2- From the binding section, click the green plus icon to create a new control binding, and choose attributeValues from the list.
    3- Select your data source from the list or create a new one, then select the attribute you need.
    4- Now you have a binding, and you can set the value for your output text.
    value = #{bindings.yourAttribute.inputValue}

  • How to get first row from View Object cache.

    hi,
    I am using Jdeveloper 11.1.1.6
    can we get first row from View Object cache??
    Thanks in Advance.
    Best
    Shashidhar

    Hi Frank,
    Thanks for reply!!
    My case is:
    I have a Query based ViewObject.
    One of the fields is an LOV and the remaining fields are in an ADF table. The LOV field is outside the ADF table. When I insert the first record in the ADF table and I choose the LOV field, the value is selected.
    when i create second row LOV value got refreshed because both are in same VO.
    I need to get the LOV value of first row and set same value to second Row.
    Shashidhar

  • I have created numerous forms in Designer and for some reason, "Edit in Designer" from PDF, I cannot edit any of the fields in Design View.

    I have created numerous forms in Designer and for some reason, "Edit in Designer" from PDF, I cannot edit any of the fields in Design View.

    Is it possible you accidentally put the fields on the master page?
