Restricted access for user in SU01

Similar Messages

• Restricting  Access for SQ01 User Group

  Hi ,
  Please let me how to Restrict  Access for a   User Group  to only some of  the specific users?
  Thank you
  Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

  Hi,
  Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
  If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23.  They will lose access to all user groups that they are not assigned to via SQ03.

• Restrict access for Vendor Master Data

  Hi all.
  Our company structure is like below:
  Single instance, just one mandant.
  Company codes like 1001, 3001, 6002, 6006, etc... over the world.
  At some companies just the central administration can create vendor for the companies using the transaction XK01.
  Now we need to give access to users from one of our company from other country but we can´t give access to transaction XK01 because just the central administration can create the master data for the vendors.
  I already read about the object F_LFA1_AEN that is possible to create some field groups and give access just for the rigth groups. I also read that this authorization groups don´t have effect on the vendor master data like address.
  How can I restrict access for the vendor master data? I´m thinking to give access to transaction FK01 and MK01 and restrict access for create a new vendor, I only want that the users can create the data for a new company or new purchase organization.
  Thank you
  Darlei Friedel

  among many other authorization objects, you find following three:
  F_LFA1_GEN general data
  F_LFA1_BUK company code data
  M_LFM1_EKO purchasing org data.
  If the user does not have authorization for F_LFA1_GEN , then he cannot maintain general data.

• ASA WebVPN - restrict access to users in an AD group via ACS

  Hi folks.
  I'm doing an WebVPN pilot on one of our ASA's (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (lets call the group "VPNTEST")
  Right now the ASA does radius auth against out ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows active directory domain.
  Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
  I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

  Try using the following to tie users to certain group policies:
  Using a RADIUS Server
  Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
  Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group
  policy.
  Step 2 Set the class attribute to the group policy name in the format OU=group_name
  For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value
  of OU=SSL_VPN; (Do not omit the semicolon.)

• Unable to provision Business Rules access for users

  Hi all,
  Our analytic server is properly configured in Shared Services : we can correctly create users, provision Essbase access for those users, change password, etc...
  An application business rules is visible in the left pane of shared services, but we are not able to provision Business rules access for users.
  When we try to provision access for a user, we have only access to the Analytic properties.
  What's going wrong ?

  It sounds like the user you login to HSS with hasn't been assigned with "Provisioning Mgr" rights to business rules.
  Get the HSS admin user to grant you these rights and you should then be able to provision users to use Business RUles.
  Gee

• Restrict Access for Asset with Ubuntu

  Hello guys,
  now i have a problem for you and i hope, that you could help me.
  The ArtBox have some problems on my ubuntu system. The error message shows me "Restrict Access for Asset".
  Can somebody give me some tips, how the error could be recognize or how i can fix it?
  Thanks for the help.

  Hi,
  After you finish installing Artbox , you must now make sure that samba is setup correctly. I just plan to try ArtBox and ubuntu using virtualbox, hope it can work fine.

• Restricting access for servlet

  Hi,
  I've two servlet urls:
  http://mymachine/servlet/f60servlet?config=One
  and
  http://mymachine/servlet/f60servlet?config=Two
  I want One to be open for internet and Two only open for intranet. With:
  <Location /servlet >
  order deny,allow
  deny from all
  allow from mynetwork
  </Location>
  in jserv.conf I can restrict access to my intranet but this restriction is applyied to both my applications.
  How can I restrict access for Two but not for One?
  I use iAS 1.0.2.2 on a Sun Solaris 8 machine and Forms6i patch 10.
  kind regards,
  Ivan

  Hi,
  I did open a tar with Oracle and the problem is solved by
  1) creating an alias for /servlet/f60servlet in zone.properties:
  servlet.f60listener.code=oracle.forms.servlet.ListenerServlet
  servlet.f60servlet.code=oracle.forms.servlet.FormsServlet
  servlet.f60servlet.initArgs=configFileName=/u01/app/oracle/product/8.0.6/forms60/server/formsweb.cfg
  servlet.f60listener1.code=oracle.forms.servlet.ListenerServlet
  servlet.f60servlet1.code=oracle.forms.servlet.FormsServlet
  servlet.f60servlet1.initArgs=configFileName=/u01/app/oracle/product/8.0.6/forms60/server/formsweb_internet.cfg
  In formsweb_internet.cfg is only the web-form app defined that should be open for internet
  2) in jserv.conf :
  <Location /servlet/f60servlet>
  order deny,allow
  deny from all
  allow from <mynetwork>
  </Location>
  <Location /servlet/f60servlet1>
  order deny,allow
  deny from all
  allow from all
  </Location>
  See also Doc ID: 180741.996 on metalink.
  Hi,
  I've two servlet urls:
  http://mymachine/servlet/f60servlet?config=One
  and
  http://mymachine/servlet/f60servlet?config=Two
  I want One to be open for internet and Two only open
  for intranet. With:
  <Location /servlet >
  order deny,allow
  deny from all
  allow from mynetwork
  </Location>
  in jserv.conf I can restrict access to my intranet
  but this restriction is applyied to both my
  applications.
  How can I restrict access for Two but not for One?
  I use iAS 1.0.2.2 on a Sun Solaris 8 machine and
  Forms6i patch 10.
  kind regards,
  Ivan

• ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

  Hi All,
  I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I beleive it should be easy.
  The login page of teh ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
  There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
  The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if soneone that is NOT a carpetbagger tries to log in, it fails.
  I can only do an all or nothing scenario.
  It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
  Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
  Scenario 2 would be an ideal longer term solution.
  Any thoughts, ideas or assitance would be greatly appreciated.
  Cheers

  This is exactly what i was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (ther is a button to access this) is really helpful, with a couple of examples.  This is what i used:
  assert(function()
     if ( (type(aaa.ldap.distinguishedName) == "string") and
          (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) )
  then
         return true
     end
     return false
  end)()
  from the debug dap you can see what Users relates to;
  DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
  My admin account fails to get me in to the same profile:
  DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
  Thanks
  Andrew

• Ssrs security access for users on a different domain

  Hi
  We are using ssrs 2008 r2 and have added a new domain to our network as we are working with another company.
  Our original domain was say "DomainA" which can access all our reports, how do we give access to the new domain "DomainB" access to our reports?
  We are unable to add DomainB users to our AD security groups so I have created a windows groups called SSRS_DomainB_Users and given them access to our parent folder and also added them into site settings as a system user.
  What is the best way to deal with this?
  Users in DomainB will eventually be added to DomainA and DomainB will then be deleted.
  One of the users I am testing with gets an error message :
  User 'Domain name/user' does not have the required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
  Thanks

  Hi Nasa1999,
  According to your description, you want your reports can be accessed by user from different domain. Right?
  In this scenario, we should do Internet Deployment for your reports so that users from different domain can access the reports. Please the articles below:
  Planning for Extranet or Internet Deployment
  Using Reporting Services in an Internet/Extranet Environment
  SQL Server 2008 Reporting Services
  for Internet deployment
  Reference:
  SSRS reports
  global access
  If you have any question, please feel free to ask.
  Best Regards,
  Simon Hou

• Restrict access to users in customer line item display FBL5N

  Hi all,
  We got a requirement from my client that, they want to restrict access of their users to view details of few customers  only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
  we created 4 customer account groups,we created like .. SD customers1
                               SD customers2
                               Onetime customers
                               FI customers
  These FI customers cannot be viewed by all users except who has authorization in Tcode  FBL5N, we need to restrict to display only SD and one time customers details.
  we have tried with Basis but its not working and its blocking to view all customers.
  anyone got this kind of requirement , Is it possible to restrict....please help me.
  Thanks
  Nagesh
  Edited by: nag on Dec 27, 2011 5:26 PM

  It is standard behaviour that the authorization object F_KNA1_GRP(account group authroization) is not checked
  in the transacion FBL5N. You can confirm this functionality in trans. SE24.
  As a workaround, I would suggest you to use the authorization object F_KNA1_BED Customer: Account Authorization
  If you assign an authorization group as the accouting group, perhaps you can get a similar functionality.
  Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
    F_BKPF_BLA Accounting Document: Authorization for Document Types
    F_BKPF_BUK Accounting Document: Authorization for Company Codes
    F_BKPF_GSB Accounting Document: Authorization for Business Areas
    F_BKPF_KOA Accounting Document: Authorization for Account Types
    F_BKPF_BED Accounting Document: Account Authorization for Customers
    F_KNA1_BED Customer: Account Authorization
    F_KNA1_BUK Customer: Authorization for Company Codes
  Kind Regards
  Soumya

• FERC Code of Conduct - Restricting access for employees

  hello - I am project lead for an effort to separate market and transmission data from certain employees in our company. I'm finding this to be a monumental task, since we have a large SAP implementation. FI/CO, MM, HR (postion-based security), Customer (IS-U-CCS), PM, PS, xRPM. We have implemented SOD for SOx compliance, but this is an entirely different effort. Unlike SOx, we need to totally restrict transactions that could contain non-public market and transmission data, so we need to separate the data behind the transactions. Does anyone have experience with this? Would love to hear what approach you took and swap ideas.
  Annette M Alboreo, FirstEnergy Corp.

  Hi Annette,
  First of all, good luck! Data segregation is always a tricky one to manage and needs to be carefully thought out.  This sort of activity has a large security and functional overhead and you need to make sure you have access to them.
  When I've worked on this sort of thing in the past, there are a few things that you need to identify
  - What data is sensitive?  The business should ID <b>all</b> sensitive data and the functional team translate that into fields etc.  What data needs to be legally segregated, what data is nice to have segregated.  A set of rules should be drawn up to say who get's what in which circumstances.
  - How are people accessing data? What transactions give access to sensitive data? Standard SAP tx, custom tx (which may need auth checks changing), access to SE38/SA38, SQ01, SQVI etc.  All of the routes to the data need to be identified.
  Once it is known what data needs to be restricted then it is possible to address how to restrict access to it.  A reasonable amount of it should be able to be catered for in the standard auth concept.  It's also likely that there will be the requirement for additional config & customising (e.g hide fields, change screens, user exits) to meet these new control needs.  I think it goes without saying that the more that you can fix with the standard auth concept, the easier it tends to be.  If this means removing some transactions from users then in some cases it may be less costly than knocking up a whole load of custom code to solve the problem - of course this is dependent on the situation.
  Hope that is of some use
  Cheers
  Alex

• Restricting access for condition types in VK11

  Hi
  ZWX1 and ZWX2 are SD discount condition types, I should use these condition types  only for sales deal , hence , I will create condition record only in VB21 with reference to sales deal.
  Some other users may create condition records in VK11 mistakenly, I need to avoid it, so these condition types should not be accessible to create condition records in VK11 or anywhere except  VB21.
  Any thought ? how can I achieve this ?   
  thanks

  Hi
  If you want to restrict the access for the condition types then you give the authorization for VK11 for maritaining  the condition records only to those users who has  to maintain the condition records for that condition types.So you have to take the help of BASIS team
  Regards
  Srinath

• Ver 8.8 Restricted access for BP and activities

  Currently, I am not aware of a way to restrict access to certain BP accounts, including the related activities for a BP. For example, our bank, HR consultants, etc. where I would like to limit the access to these BP accounts and related attachments to certain users, such as our management group.
  Primary importance would be to limit access to related activities where sensitive information may be stored in the form of emails, attachments, etc.
  Our previous CRM allowed us to flag BP accounts as restricted and set up permissions to authorized users.
  Is anyone aware of a way to limit access to these activities?
  If not, this is a great enhancement for future releases.

  Current system design has only set up confidential GL Account but not for BP. You probably need to post it on the R&D forum here:
  /community [original link is broken]
  Thanks,
  Gordon

• Restricting access for top Hierarchy in queries

  Hello all,
  Since we have a top hierarchy that comes from R/3 in which every company from our organization is attached, is there any way to restrict users access in the queries and authorizations so that when a user runs a query and tries to access nodes (cost or profit centers or other companies) that are restricted for him/her the "Authorization Not allowed" message displays.  We know that the companies can not be treated as 0co_code but as nodes and We also know that in the Role modification we can put all this detail, but this will increase in a manual maintenace process, because everytime there's a new cost or profit center a manual maintenance must be done.
  We want to have an automatic process since the hierarchy comes from R/3.
  Thanks for your help!!
  Mrs. Eyda Muñoz

  Hi,
  You can try look at transaction RSSM and at the very bottom there is a button "fr. hierarchy".  This is where you can specify the levels and nodes to restrict to.  Then you have to set up a profile in PFCG to provide the restriction.
  http://help.sap.com/saphelp_nw04/helpdata/en/80/1a689ae07211d2acb80000e829fbfe/content.htm - this should be able to provide some form of basic understanding.
  Hope this helps.
  Cheers,
  Gim

• Sales Partner Functions - Restricted access for assigned partners

  Sales Department would like to use a partner function to assign a responsible salesman to a customer.  They would also like to restrict the access of the salesman to only those customers (and their associated sales orders/deliveries) that are assigned to him.
  How is this done from an authorization perspective?

  Hi,
  This can be achieved thru user exit.  You might need to create the authorization objects for document type, partner function and this has to be assigned to the concerned user.  The validation can be done with the field ERNAM and SYUNAME. 
  Thanks
  Krish.