Restricting access of a query in BI Authorization

Similar Messages

• OIM 11g R1 (11.1.1.5.0) Restricting access to Modify resources by field.

  Is there a way to restrict the access to modify specific fields on a resource, based on roles? In design console you have the options of, "Allow Insert", "Allow Update", "Allow Delete" on the form associated with different roles. Is there any way you can restrict this access specifically to fields in the way you can restrict access to user attributes based on authorization policies?

  You are failing to utilize the product then.  You don't have to utilize a soa-composite for this.  They can be set to auto-approve anyway.  But you should not just grant admin access to the user and all their resources so easily.
  Not sure what kind of event handler you can even use.  You could try and explicitly deny access to those roles by adding them to the form permissions and unchecking all the values.
  -Kevin

• Restricting Users access to BW Query based on Criteria

  Hello  ,
  Haven't found much help with the security implementation documents , i have been given a objective to create Profiles/roles and which would be used only for reporting on 1 single Cube by users from multiple departments. 
  Create profile/Roles and provide access to users for Query ZREP_C0_1 .
  User belonging to comp_code1 & region4 & plant6 should be able to view only his data and none other  even if the user wishes to see Compcode2 & region3 & plant4. 
  ( Reporting with restrictions over the User authorizations  on Region/Compcode )
  Creating the Role has been the easy as it was just to provide access to the infoarea , cubes, infobjects , query and authorization objects to execute query.   However i am stuck on how to proceed further on the above scenario  regarding restricting the users.
  Your help is much appreciated .
  Regards
  Raja

  Hi Pratheesh,
  If you are going to use client authentication in SSL and if client authentication fails since not all users will have client cert provided by you, SSL handshake will not complete and hence no access. But this is a performance impacting option. Restricting access on FW would be a good option.
  During the flow of a normal SSL handshake, the server sends its certificate to the client. The client verifies the identity of the server through the certificate. However, the client does not send any identification of its own to the server. When you enable the client authentication feature on the ACE, the ACE requires that the client sends a certificate to the server. The server then verifies the following information on the certificate:
  The CA has not revoked the certificate.The certificate signature is valid. The valid period of the certificate is still in effect. A recognized CA issued the certificate.
  You can specify the certificate authentication group that the ACE uses during the SSL handshake and enable client authentication on this SSL proxy service by using the  authgroup command in SSL proxy configuration mode. The ACE includes the certificates configured in the group with the certificate that you specified for the SSL proxy service
  Regards,
  Kanwal

• ACS Shell Command Authorization Set + restricted Access

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi  ,
  I have tried to Create a restricted Access  Shell Command Authorization Set on  ACS as told on the Cisco Url
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  After I applied the same on a User  Group I found the users on the group have complete access after typing the conf  t  on the equipments . My ultimate aim was restrict the access only at Interface level , Attached is the config details . Could anyone has come across such scenario . Please check my config and   let me know any thing need to be done specially from My Side
  Thanks in Advance
  Regards
  Vineeth

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi Jatin ,
  first of all Thank you very much . It startted working after aaa authorization config-commands
  here I was trying to achive one  specfic  thing .
  I want to stop  the following commands  on ACS “switchport trunk allowed vlan 103” . I only want allow “add”  after “vlan” and block rest all arguments
  But even after setting the filter on ACS Still we are able to execute the command is there anything like we cannot control the commands after the sub commands
  Also I am attaching the filter list along with this. Could you have look on this and let me know whether I have configured something wrongly. Other than this is there any work around is available to achieve this .
  Thanks and Regards
  Vineeth

• Restrict access to Query Builder component in SQL Workshop

  Hello folks,
  Can someone tell me if it is possible for an end-user to have access to the Query Builder component only?
  End-users on our site are currently using the stand alone version of the old Query Builder (OBE60.EXE), which is not supported any longer, and have compatibility issues when used against a 10g database.
  I'm looking for an alternative (query-only) tool, and came across the Query Builder component in Oracle Application Express. But couldn't find anything there that would allow me to limit access to this component for an end-user.
  Please let me know if this can be achieved, and if not, is anyone aware of an equivalent tool that would do the job?
  Many Thanks,
  Praveen

  Hello,
  No, that functionality does not exist currently, you would need to build your own.
  If you search this forum there are a few threads which detail how you can install the Application Builder and SQL Workshop applications into the APEX environment itself so you can see how they (meaning the Oracle team) have built those apps.
  Hope this helps,
  John.
  http://jes.blogs.shellprompt.net
  http://apex-evangelists.com

• Restrict access to buttons, regions, etc. on a per user basis?

  My application restricts access to buttons, regions, etc. on a per user basis.
  Here is my application logic...
  1. A User can only edit items they own.
  2. A Super-User can edit all items
  So, when a user logs in, I use a post-authentication process to set the user ID to an application level item.
  Now, for example, to have an edit button display on a page, I need to check the item's owner ID against the application level user ID...and check to see if this user is on the Super User list via a query.(which could be set to another application level item upon login...I guess)
  Question...What is the best way to do this? Conditional display? Authorization scheme?
  Would something like the following work for a Conditional Display?
  Condition: SQL Expression
  &USER_ID.=&P6_ITEM_OWNER_ID. OR USER_ID in (select USER_ID from table where USER_ID=&USER_ID.)
  How would I do this with an Authorization Scheme? (I like the idea of updating the logic in single location...but I'm not sure if it is possible because I have to check PX_OWNER_ID would be different on each page.)

  Hi Denes,
  Thanks for your code which allows user to edit (if authorized) and view (if not).
  But some how - I do not get the image to show up - instead it show a small underline.
  From SQL point of view - here is what I get - when i run the sql
  '<img src="/i/ed-item.gif">',2,CR TEST,,,,dune2.cit.cornell.edu,CRDMTEST.CIT.CORNELL.EDU,PSPROD,,,CRDMTEST
  Here is my wrap_image function
  create or replace function wrap_image(p_user_name in varchar2,p_dm_name_id in number)
  return varchar2 IS
  v boolean := False;
  ret_val varchar2(1000);
  begin
  dbms_output.put_line('user='||p_user_name);
  dbms_output.put_line('dm_name='||p_dm_name_id);
  -- Check authorization if the user is super user - return true, else if he has edit priv on dm_name_id - return true - else false
  v:=ACL_DMTOOLS_DM_PRIV(p_user_name,p_dm_name_id);
  if v then
  ret_val := '<img src="/i/ed-item.gif">';
  ret_val := ''''||ret_val||'''';
  dbms_output.put_line('TRUE');
  else
  ret_val := '';
  dbms_output.put_line('FALSE');
  end if;
  return ret_val;
  end;
  Thanks for your great educational site.
  Regards
  atul

• Restricting access to Queries via Search

  Does anyone have any ideas on restricting access to queries from the Bex search. We have folks that are using the search functionality of Bex and are finding queries that we have not been published to a reporting role. We instruct our query writers that when devloping queries, do not publish them to a reporting role until they are finalized and tested. We are finding that folks are using search in Bex and finding these queries that may be in the middle of development and trying ot use them. In other words, we would like to restrict the Bex search to just queries published to reporting roles.

  Hi Diago,
       Our dilema is that restricting access of the search by query name (via the role) requires the query writer, when finished with the development of their query, to do a savas with a different technical name that falls into the role restrictions of the authorization. This then leaves two versions of the query out there until the original gets deleted, if the query writer happens to remember to do that. It would be great to limit the search mechanism to just published queries. What are other folks doing to get around this issue. It seems that everyone would be running into it unless the search could be restricted in such a manner.

• Restricting access to system queries

  Hi experts!
  Is it possible to restrict access to system queries (in SAP reports) for a particular user?
  Also, can we restrict inventory reports generated to a certain item group only for a particular user? example: item groups available are Spare Parts, Raw Mat, WIP & FG. The user should only be able to generate inventory reports concerning Spare Parts.
  thanks.
  regards,
  tessa

  Hi Tessa
  You can restrict Access to System Queries by providing NO AUTHORIZATION to the option Saved Query - System.
  The same can be set under
  Administration --> System Initialization --> Authorizations --> General Authorizations --> Reports --> Query Generator --> Saved Queries - System
  Hope this helps.
  Regards
  Rohan S. Kamble

• Restrict access to rows in tables using S_TABU_LIN

  Hello
  Is it possible to use this authorization object to restrict access to rows in data tables, based on role?
  Namely, a query is created for table holding financial documents data, and I would like users in charge of one company code, to only be able to see rows relating to that company code when they execute the query.
  I have defined and activated an organization criteria, and included it in the role authorization data restricted to only one company code value, but the user is still able to see all rows in the table.
  The system trace doesn't show a check for the S_TABU_LIN Object while the user is executing the query.
  Can anyone tell me what I'm missing?
  Thanks in advance
  A.

  If you activate S_TABU_LIN, whenever that org criterion is hit with table data being retrieved then the check will be performed.  If it is a standard SAP table field then that could potentially become problematic depending how you set it up.
  By extending the security in the infoset query you are turning the query from a quick and dirty tool to extract data into something that you can control as you would a bespoke report.  Once your dev team have worked out what they need to do, you can apply the standard auth concept to queries with relative ease and without impacting other parts of your security.
  Another thing to mention is that if your developers use logical databases to retrieve query data then there is usually auth checks incorporated in there (which don't show up in SU53 or ST01).

• Restricted access to attachments in SRM 7.0 web applications

  Hi,
  We have a very specific problem regarding the handling of attachments with SRM 7.0 web applications. The system is configured to use ArchiveLink for storing documents on a remote content server, which is working fine.
  Now we have a requirement which should restrict access to certain documents to specific user groups. As an example you could say that a Purchase order has (besides others) two documents attached, e.g.
  - signed contract
  - meeting minutes
  The contract should only be visible to a limited number of people, whereas the Meeting Minutes are accessible to everybody.
  Our problem is that apparently only one Content Category ("BBPFILESYS") is used by the SRM web applications for an upload. When granting authorizations on this content category, we cannot distinguish between contracts and meeting minutes anymore.
  Comparing this with the config in ECC we can freely define document types which can be used in AUTH profiles. Is there any similar solution that can be used in SRM 7.0?
  Any help would be greatly appreciated.
  Cheers,
  Mark

  Hello,
  Have a look at note 1334202. It provides some inputs.
  Regards,
  Ricardo

• Restrict access to users in customer line item display FBL5N

  Hi all,
  We got a requirement from my client that, they want to restrict access of their users to view details of few customers  only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
  we created 4 customer account groups,we created like .. SD customers1
                               SD customers2
                               Onetime customers
                               FI customers
  These FI customers cannot be viewed by all users except who has authorization in Tcode  FBL5N, we need to restrict to display only SD and one time customers details.
  we have tried with Basis but its not working and its blocking to view all customers.
  anyone got this kind of requirement , Is it possible to restrict....please help me.
  Thanks
  Nagesh
  Edited by: nag on Dec 27, 2011 5:26 PM

  It is standard behaviour that the authorization object F_KNA1_GRP(account group authroization) is not checked
  in the transacion FBL5N. You can confirm this functionality in trans. SE24.
  As a workaround, I would suggest you to use the authorization object F_KNA1_BED Customer: Account Authorization
  If you assign an authorization group as the accouting group, perhaps you can get a similar functionality.
  Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
    F_BKPF_BLA Accounting Document: Authorization for Document Types
    F_BKPF_BUK Accounting Document: Authorization for Company Codes
    F_BKPF_GSB Accounting Document: Authorization for Business Areas
    F_BKPF_KOA Accounting Document: Authorization for Account Types
    F_BKPF_BED Accounting Document: Account Authorization for Customers
    F_KNA1_BED Customer: Account Authorization
    F_KNA1_BUK Customer: Authorization for Company Codes
  Kind Regards
  Soumya

• Restrict access for Vendor Master Data

  Hi all.
  Our company structure is like below:
  Single instance, just one mandant.
  Company codes like 1001, 3001, 6002, 6006, etc... over the world.
  At some companies just the central administration can create vendor for the companies using the transaction XK01.
  Now we need to give access to users from one of our company from other country but we can´t give access to transaction XK01 because just the central administration can create the master data for the vendors.
  I already read about the object F_LFA1_AEN that is possible to create some field groups and give access just for the rigth groups. I also read that this authorization groups don´t have effect on the vendor master data like address.
  How can I restrict access for the vendor master data? I´m thinking to give access to transaction FK01 and MK01 and restrict access for create a new vendor, I only want that the users can create the data for a new company or new purchase organization.
  Thank you
  Darlei Friedel

  among many other authorization objects, you find following three:
  F_LFA1_GEN general data
  F_LFA1_BUK company code data
  M_LFM1_EKO purchasing org data.
  If the user does not have authorization for F_LFA1_GEN , then he cannot maintain general data.

• Restrict Access to Page Using a password.php Instead of Server Behavior

  I previously used "log in" and "restrict access to page" server behaviors for my client portal when I only had one client. I had my username and password stored in mySQL database. I recently have gained more clients that all needed to be redirected to their own customized landing page when logged in. Because of this, I used a password.php to store the usernames and passwords and to redirect to different pages. Now, I am wondering how I can restrict access to these pages (i.e. someone won't be able to access the pages by typing the url) since I will not be connecting to a database anymore.

  I'm also confused by your statements.
  >Now, I am wondering how I can restrict access to these pages
  >(i.e.  someone won't be able to access the pages by typing the url)
  >since I  will not be connecting to a database anymore.
  It doesn't matter where you store the credentials - database or php file - the techniques for restricting access will be similar. I really don't understand why you moved away from the database when you got more clients. The more data you need to manage, the more reason to store it in a database.
  After logging in, most sites direct users to the same page, yet pull user specific data from the database. If for some reason you can't do this and need to built individual pages for each client, then store the 'landing' page for the client in the php file or database. Restrict access to each page by comparing the logged in name with an allowed login name. Or a more dynamic approach would be to dynamically pass the page name to a database query that validates that it's ok for the logged in user to access.
  Also, these questions are more appropriate for the app dev forum.

• Restrict access with object F_LFA1_BEK - problem with F4 search

  Hello,
  we want to restrict access to some vendor accounts, which can be shown with transaction FK03 for example.
  There is an authorization object F_LFA1_BEK, which can be maintained in the special vendor accounts in field authorization group.
  A user with authorization for vendor account with authorization group ZZZZ in it can see all vendors with authorization group ZZZZ and all vendors with no authorization group. But he can't see vendor accounts with authorization group YYYY. To this point, it's ok.
  If the user uses the F4 search help he is able to see the vendor accounts with authorization group YYYY too. And this is the problem - the user should not see these vendor accounts. With this option user is able to see address data of a vendor account he should not see.
  Is there any possiblity to solve this problem?
  Regards,
  Julia

  I don't know the current status, but this is being looked into generally as it is not only limited to the F4 on LFA/B/M1.
  As you only access the name and some attribute data which you can display, it is not necessarily critical and there is no transaction data involved.
  Good news is that the BAPIs for search help make these same granular checks which you are expecting.
  If I hear something further about these developments I will let you know.
  Cheers,
  Julius

• Problems with Serv.Behav. Restrict Access Level

  Hi,
  I hope you can help - can't find an answer to this one. Been
  going nuts on this! Thank you very much for anything help you can
  provide.
  1) Using DW 8.0, PHP 4.4.7, MySQL 4.1.22
  2) Set up log in page, everything works if the LogIn Server
  Behavior is set to "Restrict Access" to only Username &
  Password. If set to Username, Password & Access Level get a
  MySQL error page:
  "You have an error in your SQL syntax; check the manual that
  corresponds to your MySQL server version for the right syntax to
  use near 'Privileges FROM tbl_users WHERE Username=%s AND
  Password=%s' at line 1"
  3) Here's the code:
  <?php require_once('Connections/conn_MemberList.php');
  ?>
  <?php
  if (!function_exists("GetSQLValueString")) {
  function GetSQLValueString($theValue, $theType,
  $theDefinedValue = "", $theNotDefinedValue = "")
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue)
  : $theValue;
  $theValue = function_exists("mysql_real_escape_string") ?
  mysql_real_escape_string($theValue) :
  mysql_escape_string($theValue);
  switch ($theType) {
  case "text":
  $theValue = ($theValue != "") ? "'" . $theValue . "'" :
  "NULL";
  break;
  case "long":
  case "int":
  $theValue = ($theValue != "") ? intval($theValue) : "NULL";
  break;
  case "double":
  $theValue = ($theValue != "") ? "'" . doubleval($theValue) .
  "'" : "NULL";
  break;
  case "date":
  $theValue = ($theValue != "") ? "'" . $theValue . "'" :
  "NULL";
  break;
  case "defined":
  $theValue = ($theValue != "") ? $theDefinedValue :
  $theNotDefinedValue;
  break;
  return $theValue;
  ?>
  <?php
  // *** Validate request to login to this site.
  if (!isset($_SESSION)) {
  session_start();
  $loginFormAction = $_SERVER['PHP_SELF'];
  if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
  if (isset($_POST['textfield'])) {
  $loginUsername=$_POST['textfield'];
  $password=$_POST['textfield2'];
  $MM_fldUserAuthorization = "Privileges";
  $MM_redirectLoginSuccess = "MemberList.php";
  $MM_redirectLoginFailed = "MemberDeny.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_conn_MemberList, $conn_MemberList);
  $LoginRS__query=sprintf("SELECT Username, Password,
  Privileges FROM tbl_users WHERE Username=%s AND Password=%s",
  GetSQLValueString($loginUsername, "text"),
  GetSQLValueString($password, "text"));
  $LoginRS = mysql_query($LoginRS__query, $conn_MemberList) or
  die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
  $loginStrGroup = mysql_result($LoginRS,0,'Privileges');
  //declare two session variables and assign them
  $_SESSION['MM_Username'] = $loginUsername;
  $_SESSION['MM_UserGroup'] = $loginStrGroup;
  if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
  header("Location: " . $MM_redirectLoginSuccess );
  else {
  header("Location: ". $MM_redirectLoginFailed );
  ?>
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
  Transitional//EN" "
  http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="
  http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html;
  charset=iso-8859-1" />
  <title>Untitled Document</title>
  <style type="text/css">
  <!--
  .style3 {font-family: Verdana, Arial, Helvetica, sans-serif;
  font-size: small; }
  -->
  </style>
  </head>
  <body>
  <p> </p>
  <form id="LogOn" name="LogOn" method="POST"
  action="<?php echo $loginFormAction; ?>">
  <table width="100%" border="0" cellspacing="2"
  cellpadding="2">
  <tr>
  <th scope="col"><div align="right"><span
  class="style3">User:</span></div></th>
  <th scope="col"><label>
  <div align="left">
  <input type="text" name="textfield" />
  </div>
  </label></th>
  </tr>
  <tr>
  <td><div align="right"><span
  class="style3">Password:</span></div></td>
  <td><label>
  <div align="left">
  <input type="text" name="textfield2" />
  </div>
  </label></td>
  </tr>
  <tr>
  <td> </td>
  <td><label>
  <input type="submit" name="Submit" value="Submit" />
  </label></td>
  </tr>
  </table>
  </form>
  <p> </p>
  </body>
  </html>
  Thank you

  I tried this and get the same error message.
  ERROR at line 1:
  ORA-28545: error diagnosed by Net8 when connecting to an agent
  NCRO: Failed to make RSLV connection
  ORA-02063: preceding 2 lines from ALPACWOBF
  listener.ora:
  LISTENER =
  (DESCRIPTION_LIST =
  (DESCRIPTION =
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = spruce)(PORT = 1521))
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
  SID_LIST_LISTENER =
  (SID_LIST =
  (SID_DESC =
  (SID_NAME = alpacwobf)
  (ORACLE_HOME = C:\oracle\ora92)
  (PROGRAM = hsodbc)
  tnsnames.ora
  alpacwobf.3LOG.COM =
  (DESCRIPTION =
  (ADDRESS_LIST =
  (ADDRESS = (PROTOCOL = TCP)(HOST = SPRUCE)(PORT = 1521))
  (CONNECT_DATA =
  (SID_NAME = alpacwobf)
  (HS=ok)
  initalpacwobf.ora:
  HS_FDS_CONNECT_INFO = AlpacWOBF
  HS_FDS_TRACE_LEVEL = 4
  HS_FDS_TRACE_FILE_NAME = alpacwobf.log
  ODBC setting is ok. odbc name is alpacwobf, db is access 2000.
  restart the listener.
  tnsping alpacwobf is ok.
  database link creating is ok.
  but when query,I got error.
  alpac > create database link alpacwobf using 'alpacwobf';
  Database link created.
  alpac > select count(*) from test@alpacwobf;
  select count(*) from test@alpacwobf
  ERROR at line 1:
  ORA-28545: error diagnosed by Net8 when connecting to an agent
  NCRO: Failed to make RSLV connection
  ORA-02063: preceding 2 lines from ALPACWOBF
  Any help will be appreciated.
  Thanks a lot.
  Richard