Restrict users from using Manual series

Similar Messages

• Not able to restrict users from using SU01

  Hi ALL,
  We are working on roles related to SECURITY ADMINISTRATOR.
  The role has been given a transaction SU01D and not SU01.
  But the users are able to enter into SU01 through SUIM.
  I will illustrate this situation more:
  SUIM->USERS->BY LOGON DATE AND PASSWORD CHANGE
  Then I entered the user id.Executed.
  From the result, I was able to enter into su01 .i.e was able to use the change button of su01.
  Please tell me how do I restrict this situation.?
  Reagrds,
  Ajit.

  Access to user administration is not only limited to SU01.
  Most likely, the threads of this search term will explain why the users can access the transaction screens of user administration: https://forums.sdn.sap.com/search.jspa?objID=f208&dateRange=all&numResults=15&rankBy=10001&threadID=&q=SU01_NAV
  Whether the user can complete the transaction is a different story... for that you need to use the application authorization objects (S_USER* objects are a good start - see transaction SU21 for more infos on the application security concept for these objects)
  Cheers,
  Julius
  PS: A troublesom object is S_USER_GRP, because it is important. When the user ID does not have a user group assigned, then the effectivness of this authorization object is weak, which can impact your security (depending on the access of the user without an authorization group)...

• RESTRICT USER FROM USING SAME REQUIREMENT TYPE  WHILE CREATING SALES ORDER

  Hi Friends,
  I Have a requirement to in SD while creating any sales order i want the system sholud throw a error
  message when i am using line items having same requirement type more than one time
  i have tried some customer exits v45a0001 & v45a0003 . but was not successfull .
  kindly somebody help me with elaborated steps  .
  thanks in advance  .
  regards
  digvijay rai

  no reply and i am to close this thread so i am putting it as answered ;(

• Restricting User from creating new records using when-validate-record

  Hi,
  I have a requirement for which I have to restrict he user from creating a record in the Supplier Master form if the suppliier type is 'Affiliate Supplier'.
  I have done the following setups
  Seq 10
  Description Restricting user from creating Affiliate records
  Level Function
  Enabled Yes
  Condition:
  Trigger Event WHEN-VALIDATE-RECORD
  Trigger object VNDR
  Condition "${item.VNDR.VENDOR_TYPE_DISP_MIR.value} is NOT NULL
  and
  ${item.VNDR.VENDOR_TYPE_DISP_MIR.value} LIKE 'Affiliate%'
  Processing Mode BOTH
  Context
  Level User
  Value User Name
  Action Sequence 1
  Type Message
  Action Description Saving Affiliate record
  Language ALL
  Message Type Show
  Message Text You Cannot Create Affiliate records Here
  Action Sequence 2
  Type Builtin
  Action Description Stop Proceesing
  Language ALL
  Action Enabled Yes
  Builtin Type RAISE FORM_TRIGGER_FAILURE;
  This is working good on one instance but when I moved it to another instance
  when I query the form and try to navigate to the bank accounts tab of the form which is based on a differnt block i.e VNDR_USES block, the when-validate-record trigger fires there also and stops the processing.
  Any suggestions on this would be higly appriciated.
  Thanks in Advance.

  Hi Srini,
  Yes, it does work...but in a Form Session if i Create more then one Item, in some cases it fires for the first records and not sleeps for the second.
  Sometimes it doesn't give any response.
  Appreciated if you divert to the link to check the Pacthes for 11.5.10 on Form Personalization.
  Please share any ideas/example if yiou have to achieve the below requirement.
  Requirement:
  Once New record is created , a Custom Procedure should be invoked.
  with out closing Form i am able to create n number of Items, so for every Item it should invoke Custom PLSQL Code on Save.
  Let me know if i can achieve the same in Custom.pll .....as i can use either of Options.(Form Personalization/Custom.pll)
  Thanks & regards,
  Edited by: user632004 on Mar 16, 2010 7:50 PM
  Edited by: user632004 on Mar 16, 2010 8:09 PM

• Restrict users from editing and deleting not owned items

  Hello guys.
  I'm trying to restrict users from editing and deleting items created by other users. I know, that it can be achieved by using SPList.WriteSecurity parameter, but if I change its value to 2 or 4 - nothing happens... 
  May be there are some list permissions that can override this security setting? I tried to combine permissions in different ways but users either cannot modify any items or can edit/delete all of them... 
  By the way, setting ReadSecurity=2 works as it should work regardless of user permissions...
  Please help.

  Hi,
  I understand that you want to change the write security for the document library. You can try the PowerShell script below:
  $web = Get-SPWeb http://serverURL
  $list = $web.Lists["Document library"]
  $list.ReadSecurity = 2
  $list.WriteSecurity =2
  $list.Update()
  $web.Dispose()
  This setting will not affect the site collection administrator, he will always be able to edit the documents. You need to sue another account to have a test. If this still doesn't work, I think you need to manually edit the permission for each documents.
  Thanks,
  EnTan Ming
  Entan Ming
  TechNet Community Support

• How do I restrict users from installing applications?

  Or more specifically, yahoo messenger. I can't seem to figure this one out. Two user settings on our machines (public and admin), public does not have admin priveleges, so cannot make modifications like installing applications, but someone seems to keep installing messenger all the same. I investigated and figured out that it seems like when logged onto the public account, one can still install applications in their user/applications folder without needing to authenticate. or maybe Yahoo Messenger doesn't read as an application, so it doesn't need authetication? I am trying to make it so no one can install any application without admin priveleges.

  "Parental Controls" works on a "white list" principle, so if an app isn't available in the "Accounts" pref pane, it shouldn't be accessible for the "managed" user because the default is to deny everything not on the list.
  But also be aware that the type of "Parental Controls" you have selected may affect the user's ability to use a given programme. For example, if the "Allow supporting programmes" checkbox is selected, it may be possible to launch indirectly a programme that hasn't been approved explicitly.
  Also, note that a "Simple Finder" account doesn't (and isn't intended to) restrict application access at all, whereas a "Some Limits" account does.
  And as "Keith Gaboury1" points out, if a given service allows access through a web interface, restriction of a programme on the local computer won't have any effect.
  "Parental Controls" are somewhat effective in preventing users from using unauthorized programmes, but as far as preventing the installation of apps, that is something that would be fairly difficult to do if the user is to have a functional account. If a user can save files to a directory (such as their home folder or "/Users/Shared" or the "admin" user's "Drop Box"), it would be possible for them to install an application there. There are ways of preventing executables in the user's own "home" from functioning, but then they could always run an app from a CD or a flash drive or a disk image instead (I'm not sure how to block those). So the "white list" approach of controlling application use (as opposed to installation) is probably the best compromise.

• How to restrict users from printing documents and exporting to local file

  Hi SAP gurus,
  I have two questions.
  1. How can I restrict users from printing a document? i.e. billdoc? I would like to know if I could block it though authorization. If yes, what auth obj to use?
  2. How to restrict certain users from exporting to local file? the System> List>Save-->Local File. I have tried restricting it using auth object S_GUI but it seems it is only applicable to older versions of SAP. im on ecc6.
  Thank you in advance.

  Hi,
  Check this:
  Create your own gui status and attach it to the list in the event START-OF-SELECTION.
  In the menu painter extra -> adjust template.
  Make it a list status and you will see all the standard list options appear including list->download
  Deactivate the ones you don't want. 
  If you just want to prevent users from downloading the list you can achieve this with authorization object S_GUI, activity 61. Menu option will still be there though.
  Please note that if you remove authorisation for S_GUI activity 61 then all downloads will not be possible. 
  If you just want to disable downloads only for a particular report, you can try this test program:
  Code:
  REPORT ztest. 
    DATA: PROGNAME LIKE SY-CPROG value 'Z_CHECK_AUTH', 
          FORMNAME LIKE SY-XFORM value 'F_CHECK_AUTH'.
  START-OF-SELECTION. 
      CALL FUNCTION 'SET_DOWNLOAD_AUTHORITY' 
           EXPORTING 
                FORM    = FORMNAME 
                PROG    = PROGNAME 
           EXCEPTIONS 
                OTHERS  = 1.
    WRITE: / 'TEST'.
  You also need this:
  Code:
  PROGRAM z_check_auth.
  FORM f_check_auth USING pe_result TYPE i. 
    pe_result = 5. 
  ENDFORM.
  Also have a look at the exit SGRPDL00.
  Hope this helps you.
  Rgds,
  Raghu

• Need to restrict users from adding or modifying folders or reports

  Requirement: Need to restrict users from adding or modifying folders or reports through Info view and to reflect the modifications only thriough LCM.
  Issue: Customer wants to restrict users from adding or modifying existing reports from Infoview and need to force users to do make the changes through Life cycle manager tool.
  As per my understanding LCM can only be used to to promote folders and objects from one environment to another and to schedule the promotion of these jobs on a daily basis.My query is:
  Can we add or modify existing reports or folders using the LCM tool?
  Could you please help me out in this issue and provide me your suggestions.
  Thanks in advance.
  Prashanthi Rayaprolu.

  You can not restrict that using LCM. Need to modify the rights at the folder level.
  Explicitly remove the following rights for the user group,
  Add objects to the folder
  Edit objects
  Delete objects
  Copy objects to another folder (check this if required)
  Once the above four are denied then users wont be able to Edit/Add/Delete reports in that folder.

• Restrict users from archiving PST to local computer

  Hi all,
  I would like to restrict users from archiving emails in outlook to the local computer. We have a serious problem that users are archiving emails to the local computer and then they can copy those emails to external devices or that they can attach this local
  pst file to their personal outlook profile which they can forward it to external recipients. We have ran into a serious problem now and I am try to resolve this problem by restricting users to archive the emails to their local computer. Is there any way I
  can do this?
  Only designated users should be able to archive the outlook emails (from the support team) and they can save it to a central file server.
  Please share me your thoughts. Thank you all for taking time to read this and for your suggestions.

  Hi Friend,
  Use Group Policy Feature and enable the “DisablePST” Reg value as it will not allow users to create new  PST file or even remove the Archive function from their Outlook interface.
  Registry path to disable PST File authentication (Group policy):
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook
  Take a brief explanation about various restrictions over PST File:
  https://www.simple-talk.com/sysadmin/exchange/using-group-policy-to-restrict-the-use-of-pst-files/
  Note: Improve community discussions by marking the answers helpful otherwise respond back for further help.
  Thanks
  Clark Kent

• Restrict users from changing roles

  Is there a way to restrict users from changing roles
  themselves? If a user goes to My Connections and then clicks Edit,
  they could, in theory, change to any group they want--except to the
  administrator group because you have to enter a password. If the
  admin isn't watching the site 24/7, the user can change their roll,
  let's say from a writer to a publisher, and publish something
  before the admin can notice.
  Is there anything that can be done to restrict that?

  You can use connection keys...this will only allow a user to
  change their name and email address (I think...I can check on this
  tomorrow). We use these at my work and it allows for a lot more
  control over who is assigned to the proper groups.

• *Can ARD restrict students from using particular programs?

  I am a new high school digital arts teacher running ARD 3 in my classroom and have trouble with students being distracted with the internet. Is there any way to restrict students from using Explorer and Safari temporarily (and still keep the network connection) so they can focus on their work and not on their social lives?
  Is it possible? If not, any suggestions about what I should do or use?
  Thanks! ___________________UPDATE:
  ____>
  Thankfully, I received the following sugesstion from a helpful user.
  Can someone explain this in layman's terms?
  I've never used UNIX but am willing to try.
  "If you don't mind messing with the firewall settings of your clients, you could try something like this: send (as root) the unix command
  ipfw add 2005 deny tcp from any to any 80 out xmit en0
  This should stop any request being sent via port 80, the most common port for web servers. You might want to check that there is no rule already at 2005 by issuing a 'ipfw all' to get the list of rules in force. If there is, use a different number.
  To reset the firewall, either reboot the clients (which loads the default firewall rules, without your changes) or send (as root)
  ipfw delete 2005
  (or whatever number you used. You could save these two commands as Saved Tasks to have them ready whenever you need them."
  Clarity would be much appreciated. Thanks All!

  Hello Elle,
  I hear you. I'm a Graphic Communications teacher that had the very same problem. I solved it by getting rid of Explorer and turning on the parental controls in Safari within the 10.4 student permissions. Then I entered web sites into Safari that pertain to the subject of my class work. After about a week of student complaining the students accepted the fact their is no personal web surfing and now focus their attention on their work. And once again students that come into my classroom before and after school work on their projects instead of myspace.com, etc. Keep in mind the students still have access to the internet, but only to the web sites you setup.
  Another way of doing it if you want to give student free time to surf the web is to setup two sets of permissions, if you are familar with this. One set gives students access to the browsers and the other does not. The permission file for controlling student access is located in /Library/Managed Preferences/in my case a folder named student/com.apple.applicationaccess.plist. Create two folders on your computer and put a copy of each preference file into them. Using Remote Desktop, logout from each of the student computers and then using the Copy Items command and Place items in: copy the permission file of your choice to: /Library/Managed Preferences/in my case a folder named student. When the students login they will be controlled by the permission file you just sent.
  I'm also very good at altering system files that prevent students from tampering with the way I setup their computers. Let me know if I can assist you with other problems, or the above problem if you should have further questions.
  From a fellow teacher,
  Dennis
    Mac OS X (10.4.6)  

• Restrict Users from saving files on Local PC but forced to Network Shared Location

  Hi,
  We have the Domain in Windows 2003 Standard.
  How can I restrict users from saving files in their Local PC? 
  Also, need to forced them to save the files in Network Location with permissions...
  Thanks.
  ~CoolPra~

  Hi,
  You can create a file screen to prevent users from saving files on a certain volume. File screens are used to block specific types of files from being saved on a volume or in a folder tree. A file screen affects all folders in the designated path. You need
  to update the server to Windows Server 2003 R2 to install the File Server Resource Manager.
  File Screening Management
  http://technet.microsoft.com/en-us/library/cc772675(v=ws.10).aspx
  Best Regards,
  Mandy 
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Is their any way to restrict user from overriding  the graphs in SAP APO?

  Dear All,
  As we know, we can copy the graphs to other users using /n/sapapo/sdp_graph. But is their any way to restrict user from overriding the graph to particular user.
  Scenarios:
  In a project we have super user and semi-super user, whenever super user uses above t-code to copy graph to all users (he has included semi-super user id to target user list) but semi-super user does not want to override his graph by super user.
  Do we have such function in APO to restrict?
  Hope it is clear to understand.
  Regards,
  Pravin Tikar

  Hi Amol,
  thanks,
  I have checked SP Note 400434 - Authorizations in APO demand planning Also.
  Will check the authorization and will update the same.
  regards,
  Pravin Tikar

• Is it possible to prevent users from using the ''Purge'' option from the ''Recover deleted items'' in Office 365?

  Hi,
  After speaking with a Microsoft engineer over the phone, I've been told that there is no way to prevent users to go to their OWA and manually Purge specific items from the ''Recover deleted items''. The Microsoft tech told us to place the desired mailboxes
  on a litigation-hold and that all data will be recoverable... but only from the time you place the mailbox onto Litigation-Hold and previous items, which doesn't take effect for new-coming emails. 
  1- From what I understand, any new items coming in the mailbox after the Litigation-Hold is put in place will still be ''purgeable'', right?
  2- Is there a way (PowerShell, Security group, etc.) that can prevent a user from using the Purge option?
  We are very surprised that there is absolutely no thread that talks about this issue, which in our opinion, is a major legal and security flaw from Office 365. This is a main concern for us to actually go with Office365. For instance, this means that at
  any given time, if a user exchanges emails with a competitor, they can manually purge emails sent and receive as soon as it is sent/received, even after Litigation-Hold is in place.
  Thank you for your reply and let us know if you have more questions.
  Normand Bessette, IT support technician, Newad Media

  Thank you for the reply.
  Is there still a way to prevent users from using the Purge option, like with a Powershell script to disable Purge?

• Hi All, We are in to Release 11.5.10.2.There is a specific requirement to Prevent users from creating Manual Sales Orders in oracle and yet users should be able to book the Sales Orders Imported from CRM system into Orcale.Please advise.

  Hi All, We are in to Release 11.5.10.2.There is a specific requirement to Prevent users from creating Manual Sales Orders in Oracle and  yet users should be able to book the Sales Orders Imported from CRM system into Orcale.Please advise.

  Thanks for your advise.
  However, I missed to mention that we have two set of users  One is for Finished Goods and another for Spares.
  Only Spares users need to be prevented from creating Direct/Manual Sales Orders in Oracle.
  As you suggested, if this will be done at Form level, that may Disallow FG users also to create Manula Sales Orders which should not be the case.
  Further, I tried to test one scenario through Processing Constraints but it did not work.
  Application
  OM
  Validation Type
  Entity
  Temp
  Short Name
  TBL
  Validation Semantics
  Created By
  Equal To
  User(Myself)
  Processing Cosntraint
  Application
  OM
  Entity
  Order Header
  Constraint
  Operation
  User Action
  Create
  Not Allowed
  Conditions
  Group
  Scope
  Validation Entity
  Record Set
  Validation Template
  101
  Any
  Order Header
  Order
  Above Created
  Please advise.