Restrict user to execute just 1 variant

Similar Messages

• Restrict users to change value in user id field in SM36

  Hi,
  Our users are currently given authorization objects S_BTCH_NAM, S_BTCH_ADM and S_TCH_JOB in order to be able create background jobs and execute using batch admin userid, and not under their own userid.
  I like to know is there way to restrict users to execute transaction SM35, SM36, SM37 to create a job under another person's userid.
  I am looking at grey off the userid field in SM35, SM36, SM37 when users execute these t-code in online mode. I want to restrict them from schedule job to run under another person userid.
  However, if users perform a transaction and call a customised program to create a batch job in background to be executed under batch_admin userid, without failing the job.
  How can it be achieved? Does SAP allows configuration to grey off userid field?

  The problem is that our customized program will first create a job under user "X" userid for audit trail purpose. Because user "X"does not have necessary authorization to perform full update of all other transactions or tables update, in the job, the program will indicate a non-user account with SAP_ALL authorization to perform the update.
  Since your custom program check for S_BTCH_ADM and S_BTCH_NAM from User's authorization we cannot put S_BTCH_ADM=N there and in that case, users would be able to create jobs with other user ID by executing SM36 directly.
  Option 1: Discuss with your developer if it is possible to create a custom exit in the Sm36 program to perform the above authorization check in your Batch user ID's authorization instead of your dialog users. In that case your custom program would run as expected as long as your Batch user ID has proper authorizations for S_BTCH_ADM and S_BTCH_NAM and your dialog users can be restricted to S_BTCH_ADM= N
  Option2: Create a transaction variant for SM36 in tcode SHD0 and make field "User" invisible and then link the transaction variant to a custom tcode which is to be created with start type "Transaction with Variant (variant transaction)".
  Please refer to an SDN article for process of [creation of a transaction variant and linking it to a variant transaction|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40d1443e-0184-2c10-c68d-c612f771fe6f?quicklink=index&overridelayout=true]
  Then have your custom program updated to call the custom tcode instead of SM36 and modify your user's roles to replace SM36 authorization with ZSM36 (Check indicator values of SM36 are pulled into the role). This will ensure your custom program can create jobs under a different user whereas when your user executes SM36 online, the field to change 'user' will not be visible and by default they would be forced to create jobs under their own IDs inspite of having S_BTCH_ADM=Y and S_BTCH_NAM= <your Batch user ID>
  Hope this helps!
  Sandipan

• How to restrict user at selection screen while executing in background mode

  hi all,
  how to restrict user at selection screen while executing in background mode
  Regards
  Deepak

  Hi,
  We can get the Program whether this is running in background or not then we need to use SY-BATCH, if the SY-BATCH is set to X then the program is running in Background,
  so in the INITIALIZATION event, you can use this SY-BATCH and check the User names, and give the error messsage which you want to restrict
  Regards
  Sudheer

• Execute script as restricted user

  I'm trying to execute a script that works under an administrator account but not under our student accounts, access is denied. The script changes some keys/values in the registry. I've tried several different options in ConsoleOne and Group Policy, but nothing seems to work, I might be missing something though. Is there anyway to get this to run and change the registry under a restricted user account? We are running Windows XP at the moment on our machines. I would greatly appreciate any help and getting this to work. If you need anymore information I'll be glad to provide. Thanks.

  Originally Posted by brpwll
  I'm trying to execute a script that works under an administrator account but not under our student accounts, access is denied. The script changes some keys/values in the registry. I've tried several different options in ConsoleOne and Group Policy, but nothing seems to work, I might be missing something though. Is there anyway to get this to run and change the registry under a restricted user account? We are running Windows XP at the moment on our machines. I would greatly appreciate any help and getting this to work. If you need anymore information I'll be glad to provide. Thanks.
  Simply set it to run as secure or unsecure sytem user.
  Thomas

• How to restrict the display of report variants

  Hello All,
  I want t know how to restrict the display of report variants.
  I mean, when a user saves a variant for his/her purpuse on some report program, only he/she can refer the variant while other users cannot.
  I know that by setting the attribute of the variant ("Protect Variant ", "Only Display in Catalog"), this would be possible, but I want to know another way, without this setting.
  Thank you for your help in advance.
  Regards,

  Hi,
  Can you just try this
  DATA:it_varid TYPE TABLE OF varid.
  DATA:wa_varid TYPE varid.
  INITIALIZATION.
    SELECT * FROM varid INTO TABLE it_varid
        WHERE report = sy-repid
        and ename = sy-uname.
    IF sy-subrc = 0.
      LOOP AT it_varid INTO wa_varid .
        CALL FUNCTION 'RS_SUPPORT_SELECTIONS'
          EXPORTING
            report               = sy-repid
            variant              = wa_varid-variant
          EXCEPTIONS
            variant_not_existent = 1
            variant_obsolete     = 2
            OTHERS               = 3.
        IF sy-subrc <> 0.
          MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                  WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
      ENDLOOP.
    ENDIF.

• Retrieving ALL values from a single restricted user property

  How can I retrieve ALL values of a single restricted user property from within
  a .jpf file?
  I want to display a dropdown list within a form in a JSP which should contain
  all the locations listed in the property 'locations'. I ever get just the default
  value when I access the property via
  ProfileWrapper pw = userprofile.getProfileForUser(user);
  Object prop = pw.getProperty("ClockSetup", "Locations");

  Well, the code you've got will retrieve the single value of the property
  for the current user. You're getting the default value because the
  current user doesn't have Locations property set, so the ProfileWrapper
  returns the default value from the property set.
  I assume you want to get the list of available values that you entered
  into the .usr file in Workshop. If so, I've attached a
  SetColorController.jpf, index.jsp, and GeneralInfo.usr (put in
  META-INF/data/userprofiles) I wrote for an example that does just this.
  It uses the PropertySetManagerControl to retrieve the restricted values
  for a property, and the jsp uses data-binding to create a list from that
  pageflow method.
  For a just-jsps solution, you can also use the
  <ps:getRestrictedPropertyValues/> tag. I've attached a setcolor-tags.jsp
  that does the same thing.
  Greg
  Dirk wrote:
  How can I retrieve ALL values of a single restricted user property from within
  a .jpf file?
  I want to display a dropdown list within a form in a JSP which should contain
  all the locations listed in the property 'locations'. I ever get just the default
  value when I access the property via
  ProfileWrapper pw = userprofile.getProfileForUser(user);
  Object prop = pw.getProperty("ClockSetup", "Locations");
  [att1.html]
  package users.setcolor;
  import com.bea.p13n.controls.exceptions.P13nControlException;
  import com.bea.p13n.property.PropertyDefinition;
  import com.bea.p13n.property.PropertySet;
  import com.bea.p13n.usermgmt.profile.ProfileWrapper;
  import com.bea.wlw.netui.pageflow.FormData;
  import com.bea.wlw.netui.pageflow.Forward;
  import com.bea.wlw.netui.pageflow.PageFlowController;
  import java.util.Collection;
  import java.util.Iterator;
  * @jpf:controller
  * @jpf:view-properties view-properties::
  * <!-- This data is auto-generated. Hand-editing this section is not recommended. -->
  * <view-properties>
  * <pageflow-object id="pageflow:/users/setcolor/SetColorController.jpf"/>
  * <pageflow-object id="action:begin.do">
  * <property value="80" name="x"/>
  * <property value="100" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="action:setColor.do#users.setcolor.SetColorController.ColorFormBean">
  * <property value="240" name="x"/>
  * <property value="220" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="action-call:@page:index.jsp@#@action:setColor.do#users.setcolor.SetColorController.ColorFormBean@">
  * <property value="240,240,240,240" name="elbowsX"/>
  * <property value="144,160,160,176" name="elbowsY"/>
  * <property value="South_1" name="fromPort"/>
  * <property value="North_1" name="toPort"/>
  * </pageflow-object>
  * <pageflow-object id="page:index.jsp">
  * <property value="240" name="x"/>
  * <property value="100" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="forward:path#success#index.jsp#@action:begin.do@">
  * <property value="116,160,160,204" name="elbowsX"/>
  * <property value="92,92,92,92" name="elbowsY"/>
  * <property value="East_1" name="fromPort"/>
  * <property value="West_1" name="toPort"/>
  * <property value="success" name="label"/>
  * </pageflow-object>
  * <pageflow-object id="forward:path#success#begin.do#@action:setColor.do#users.setcolor.SetColorController.ColorFormBean@">
  * <property value="204,160,160,116" name="elbowsX"/>
  * <property value="201,201,103,103" name="elbowsY"/>
  * <property value="West_0" name="fromPort"/>
  * <property value="East_2" name="toPort"/>
  * <property value="success" name="label"/>
  * </pageflow-object>
  * <pageflow-object id="control:com.bea.p13n.controls.ejb.property.PropertySetManager#propSetMgr">
  * <property value="31" name="x"/>
  * <property value="34" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="control:com.bea.p13n.controls.profile.UserProfileControl#profileControl">
  * <property value="37" name="x"/>
  * <property value="34" name="y"/>
  * </pageflow-object>
  * <pageflow-object id="formbeanprop:users.setcolor.SetColorController.ColorFormBean#color#java.lang.String"/>
  * <pageflow-object id="formbean:users.setcolor.SetColorController.ColorFormBean"/>
  * </view-properties>
  public class SetColorController extends PageFlowController
  * @common:control
  private com.bea.p13n.controls.ejb.property.PropertySetManager propSetMgr;
  * @common:control
  private com.bea.p13n.controls.profile.UserProfileControl profileControl;
  /** Cached possible colors from the User Profile Property Set definition.
  private String[] possibleColors = null;
  /** Get the possible colors, based upon the User Profile Property Set.
  public String[] getPossibleColors()
  if (possibleColors != null)
  return possibleColors;
  try
  PropertySet ps = propSetMgr.getPropertySet("USER", "GeneralInfo");
  PropertyDefinition pd = ps.getPropertyDefinition("FavoriteColor");
  Collection l = pd.getRestrictedValues();
  String[] s = new String[l.size()];
  Iterator it = l.iterator();
  for (int i = 0; it.hasNext(); i++)
  s[i] = it.next().toString();
  possibleColors = s;
  catch (P13nControlException ex)
  ex.printStackTrace();
  possibleColors = new String[0];
  return possibleColors;
  /** Get the user's favorite color from their profile.
  public String getUsersColor()
  try
  ProfileWrapper profile = profileControl.getProfileFromRequest(getRequest());
  return profileControl.getProperty(profile, "GeneralInfo", "FavoriteColor").toString();
  catch (P13nControlException ex)
  ex.printStackTrace();
  return null;
  // Uncomment this declaration to access Global.app.
  // protected global.Global globalApp;
  // For an example of page flow exception handling see the example "catch" and "exception-handler"
  // annotations in {project}/WEB-INF/src/global/Global.app
  * This method represents the point of entry into the pageflow
  * @jpf:action
  * @jpf:forward name="success" path="index.jsp"
  protected Forward begin()
  return new Forward("success");
  * @jpf:action
  * @jpf:forward name="success" path="begin.do"
  protected Forward setColor(ColorFormBean form)
  // set the color in the user's profile
  try
  ProfileWrapper profile = profileControl.getProfileFromRequest(getRequest());
  profileControl.setProperty(profile, "GeneralInfo", "FavoriteColor", form.getColor());
  catch (P13nControlException ex)
  ex.printStackTrace();
  return new Forward("success");
  * FormData get and set methods may be overwritten by the Form Bean editor.
  public static class ColorFormBean extends FormData
  private String color;
  public void setColor(String color)
  this.color = color;
  public String getColor()
  return this.color;
  [GeneralInfo.usr]
  [att1.html]

• How to restrict users from creation of varients in report transaction

  Hi All,
  I have a requirement where buisness wants to restrict users in creating varients in report transactions.because of create options users will be creating more screen varients which will be disturbing for the other users to select a particular standard varient.Kindly give ur input regarding this
  With regards
  Girish A

  Hi,
  First edit the role assigned to users using PFCG.
  Then go to Authorization tab and click on "Change Authorization Data".
  It will opened up the profile of the role. now find the authorization object "S_PROGRAM".
  In that edit "User action ABAP/4 program" object.
  Remove "VARIANT" check box if it was checked and save. Now press
  Generate button or "Shift+F5".
  That's it.
  You can ask for this to your basis team. They can perform this task  easily.

• How can i restrict user to access database object (procedure) or JSP

  Hi
  I have 9ias infrastructure 902, on win2k box with 9i DB.
  and I have one PL/SQL web application and another J2EE application both are hosted by 9ias 902.
  Now we are looking forward to couple both with SSO.
  I have deloyed samples of both and works fine.
  Each application have different set of users, i mean there is no common user.
  How can i restrict user not to view the web page which is not authorised to them.
  as far as i understand from the Grocery demo is pick the role (which is a string only) from OID and programaticall apply security via if else endif construct.
  can any one through light upto my concern.
  regards
  [email protected]

  Hey Mary
  No i haven't try to do that via pl/sql....
  as the our application is j2ee app... deployed in oc4j.. with sso and ldap....
  still finding to do so....
  what i have realized that LDAP is just to store user information in inverted tree... and one have to build separated access security mechnisum that will be applicable to j2ee system....
  thanx...
  samir....

• How to restrict users from printing documents and exporting to local file

  Hi SAP gurus,
  I have two questions.
  1. How can I restrict users from printing a document? i.e. billdoc? I would like to know if I could block it though authorization. If yes, what auth obj to use?
  2. How to restrict certain users from exporting to local file? the System> List>Save-->Local File. I have tried restricting it using auth object S_GUI but it seems it is only applicable to older versions of SAP. im on ecc6.
  Thank you in advance.

  Hi,
  Check this:
  Create your own gui status and attach it to the list in the event START-OF-SELECTION.
  In the menu painter extra -> adjust template.
  Make it a list status and you will see all the standard list options appear including list->download
  Deactivate the ones you don't want. 
  If you just want to prevent users from downloading the list you can achieve this with authorization object S_GUI, activity 61. Menu option will still be there though.
  Please note that if you remove authorisation for S_GUI activity 61 then all downloads will not be possible. 
  If you just want to disable downloads only for a particular report, you can try this test program:
  Code:
  REPORT ztest. 
    DATA: PROGNAME LIKE SY-CPROG value 'Z_CHECK_AUTH', 
          FORMNAME LIKE SY-XFORM value 'F_CHECK_AUTH'.
  START-OF-SELECTION. 
      CALL FUNCTION 'SET_DOWNLOAD_AUTHORITY' 
           EXPORTING 
                FORM    = FORMNAME 
                PROG    = PROGNAME 
           EXCEPTIONS 
                OTHERS  = 1.
    WRITE: / 'TEST'.
  You also need this:
  Code:
  PROGRAM z_check_auth.
  FORM f_check_auth USING pe_result TYPE i. 
    pe_result = 5. 
  ENDFORM.
  Also have a look at the exit SGRPDL00.
  Hope this helps you.
  Rgds,
  Raghu

• Restrict user to see the contents of a transparent table

  Hi fnds,
  i want to restrict users in seeing the contents of a database table..
  ithat is, when they go to se16 and hit enter.. and try to execute F8 button.. it should not show any records and no access should be available to that user...
  Can this be possible with auth object - whoever is authorizeed they only shoud see the contents..
  how to do this.. this table doenst not have table maintanence -- no SM30 data maintancne..
  help me,
  thanks
  Niraja

  This is part of the table definition in the data dictionary (not sure with what release that was introduced, but if you're not on an old system you should probably have it). I.e. in the data dictionary (SE11) on the Delivery and Maintenance tab for the table you have a field Data Browser/Table View Main., which you should set to N Display/Maintenance not allowed. If you check the F1 help on the field you'll get a nice long explanation.
  If you don't have this option (on an old release) check out OSS note [26909 - SE16 - Security|https://service.sap.com/sap/support/notes/26909], which explains your other option via authorization object S_TABU_DIS (access control might be a bit too coarse). See also OSS note [546797 - FAQ Data Browser (SE16)|https://service.sap.com/sap/support/notes/546797].
  Cheers, harald

• !!!How to restrict user for making  changes in Sales order , partner level

  Hi all,
  Can anybody tell me how to restrict user for making  changes in Sales order  at partner level, is it through user exit?

  Hi Ruchi
  I hope u had gone to the screen fields which u want them not to be editable. So there u select all the fields contents which u do not want to to be changed and check the boxes with W.content and Display and save it. Once evrything is done u have to activate the particular transcation going in to the standard variants and put the name and click the activate button.
  Hope its clear
  Reward if help ful
  Sri

• Not able to restrict users from using SU01

  Hi ALL,
  We are working on roles related to SECURITY ADMINISTRATOR.
  The role has been given a transaction SU01D and not SU01.
  But the users are able to enter into SU01 through SUIM.
  I will illustrate this situation more:
  SUIM->USERS->BY LOGON DATE AND PASSWORD CHANGE
  Then I entered the user id.Executed.
  From the result, I was able to enter into su01 .i.e was able to use the change button of su01.
  Please tell me how do I restrict this situation.?
  Reagrds,
  Ajit.

  Access to user administration is not only limited to SU01.
  Most likely, the threads of this search term will explain why the users can access the transaction screens of user administration: https://forums.sdn.sap.com/search.jspa?objID=f208&dateRange=all&numResults=15&rankBy=10001&threadID=&q=SU01_NAV
  Whether the user can complete the transaction is a different story... for that you need to use the application authorization objects (S_USER* objects are a good start - see transaction SU21 for more infos on the application security concept for these objects)
  Cheers,
  Julius
  PS: A troublesom object is S_USER_GRP, because it is important. When the user ID does not have a user group assigned, then the effectivness of this authorization object is weak, which can impact your security (depending on the access of the user without an authorization group)...

• Restrict Users for  Deletion of Components  in MFBF

  Dear All,
  How to restrict users from deleting components in post with correction screen in MFBF in REM?
  Regards,
  Tejas

  Dear Tejas,
  Check this link
  [Deleting components in MFBF|Deleting BOM components, while backflushing in REM]
  Apart from this you can go for a screen variant,as per to my knowledge i dont think you can restrict
  through an user exit.
  Regards
  Mangalraj.S

• How to restrict user to process own company code data in z program

  Hi All,
  I have this issue. in asset management I would like to restrict user to process its own company data.
  for example A who works in company 0123 only can process comp code 0123 data whereas X who is manager can process all company code data.
  In the abap program, how can i achive this? by authority object? if yes what asset management authority object to use?
  i have company code in selection screen. so may i know what method i can achive so that A can only execute co 0123 whereas X can do for all company code.
  thanks

  Hi,
  One way would be:
  For all persons for whom you would like to 'control' the access to a specific company, SU01-->Parameters--->Give some parameter ID say XXX, & in PArameter Value key in the compnay code whose data it can process.
  Please note that this is only one time process which has to be carried out for all the users. Then in your z-program  in SELECTIO-SCREEN OUTPUT use GET PARAMETER ID 'XXX" Field w_value. If GET PARAMETER ID returns su-subrc = 0 then move w_value to your company code on the selection screen. Then Use LOOP AT SCREEN & make SCREEN-INPUT = '0' for company code so that company code will be displayed but protected thus not allowing the user to change the company code.
  I hope this helps,
  Regards
  Raju Chitale

• Can't open AI VIs when logged in as a restricted user

  I have a VI that does simultaneuos analog I/O (LabVIEW 6.1, Windows XP). This VI works fine when I am logged in as administrator, but when I try to run this VI from a restricted user account LabVIEW can't find the AI VIs (AI Config, Start, Clear and Read). All AO VIs can be found. I have changed the restricted user's permissions to the National Instruments folder to full control, as described in http://digital.ni.com/public.nsf/allkb/BB393E7B361E939886256EFD007AC591 but I still can't run my VI.
  Does anybody know how to solve this problem?

  Thank you for your answer.
  Unfortunately I can't try your solution on the computer where the problem occurred because it is used in another course for the moment and is therefore not available. But I tried to recreate the problem on another computer. I created a restricted account and when logged in on that account I opened my VI and it worked fine... (all subVI:s were found). By default, the restricted account had Read & Execute, List Folder Contents and Read permissions for the MAX folder. So, I then unchecked the Allow-boxes in an attempt to recreate the problem, but the VI still worked on the restricted account. Then I checked the Deny-boxes for the permissions mentioned above, but the VI still worked. Since I couldn't recreate the problem I don't know if your solution is the right one, but at least I can draw the conclusion that it is possible to run my VI from a restricted account.
  But I will try your solution on the computer where the problem occurred when it is available and I will let you know whether the problem was solved or not.