Restricting Access via User Groups

So I have created some user groups via the Administration page in APEX. I would like to use these groups to control access to various tabs in my database application. Can someone please tell me how I might go about doing this? I can't seem to locate a good example.
Thanks,
Mark

Hi Mark,
You can e.g. create an authorization scheme (shared components) - pl/sql function returning boolean.
You can use some functions in apex_util to determine if they should have access. e.g. apex_util.current_user_in_group(p_group_name in varchar2); http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21676/apex_util.htm#BABHCBEG
Then just apply that authorization scheme to the tab and consequent pages associated to the tab.

Similar Messages

  • SQ00 Restrict Access By User Group

    Hi all,
    I've just created a BOM Overview Report (Query) in SQ00 by using a logical database. I've assigned users to the User group for the Z_BOM info set to run the report.
    In Production client nobody has permissions to run SQ00 at this time. My question is if I put transaction SQ00 or SQ01 in a role and assign to users will they be able to run for any info set, or try and create new queries on their own in there? I don't want my production floor folks being able to see financial queries... how do I set this up from a security standpoint, so these users only see the new SQ00 BOM Overview Report? Thanks for your input!

    Let me tell you a better way of doing this for all users...
    Steps:
    1. Remove authorizations for tcodes SQ00, SQ01, SQ03, SQVI.
    2. If possible remove authorization for SA38, SE38. This is to prevent users by copying the program name from other queries (menu >> system >> status) and executing.
    3. Note down the report name for a particular query. In SQ01 you can do this by clicking In background button or following the menu path Query >> More functions >> Display Report name
    4. Create a custom authorization object e.g. Y_SHOP_FLOOR in tcode SU21 (similarly for financials etc if you want) and assign it to relevant users.
    5. Create a Z or Y transaction code in SE93 (of type report), assign the step 4 custom authorization object to this tcode and enter the report name from step 3.
    Edited by: Jeevan Sagar on Feb 5, 2012 1:18 AM

  • Restricting access via user agent

    I was wondering if someone could point me in the right direction, I remember my instructor on my course saying that restricting by User Agent was possible by adding a few lines to the obj.
    I have a problem whereby people are scraping our site but it seems a D.I.Y application with a non-standard user agent. Any replies greatly appreciated
    Regards
    LL

    See <Client> in
    http://docs.sun.com/source/817-1835-10/npgobjcn.html#wp1041206
    And also SAF docs in:
    http://docs.sun.com/source/817-1834-10/crobjsaf.html
    Probably many ways of accomplishing it depending on details of desired behavior. Here's one possible variant.
    <Client browser="*bad-client*">
    PathCheck fn=deny-existence
    </Client>
    That all said, unless those requests are part of some firehose attack which doesn't really care whether any individual requests work, it's trivial for the client to adjust what it sends.

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:
    assert(function()
        if ( (type(aaa.ldap.distinguishedName) == "string") and
             (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) ) then
            return true
        end
        return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
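
An offline check of the rule in the reply above, as an added example in Python (not the poster's code and not DAP Lua): it compares the posted substring test with a match on a whole OU component, using the two DNs from the DAP trace plus two constructed ones. The function names and the constructed DNs are assumptions; multi-valued RDNs joined with "+" are not handled.

```python
"""Compare a substring test on an LDAP DN with a whole-component OU match."""


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas, keeping escape pairs."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # an escaped character never ends an RDN
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def substring_match(dn, needle="OU=Users"):
    """Same logic as the posted rule: the text appears anywhere in the DN."""
    return isinstance(dn, str) and needle in dn


def ou_match(dn, ou_name="Users"):
    """True only if one RDN is exactly OU=<ou_name> (case-insensitive)."""
    if not isinstance(dn, str):
        return False
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "ou" \
                and value.strip().lower() == ou_name.lower():
            return True
    return False


SAMPLES = [
    # The two DNs shown in the DAP trace in the post (site name masked there).
    "CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com",
    "CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com",
    # Constructed: a different OU whose name merely starts with "Users".
    "CN=Temp,OU=Users-Disabled,OU=Site X,DC=example,DC=com",
    # Constructed: escaped comma inside the CN value.
    r"CN=Doe\, Jane,OU=Users,OU=Site X,DC=example,DC=com",
]


def compare(dns):
    """Return (dn, substring result, component result) for each DN."""
    return [(dn, substring_match(dn), ou_match(dn)) for dn in dns]


if __name__ == "__main__":
    for dn, by_substring, by_component in compare(SAMPLES):
        flag = "  <-- results differ" if by_substring != by_component else ""
        print(f"{by_substring!s:5} {by_component!s:5} {dn}{flag}")
```

The two checks agree on both DNs from the trace and differ only on the constructed "OU=Users-Disabled" entry, which the substring test admits.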

  • HT4798 How do I gain access to Users & Groups preferences when I cannot even log in.

    I only have one apple ID linked and I cannot reset my password via the pop up box and cannot access the user groups as I cannot even log in.
    Can anyone help.
    Thanks
    Matt

    Reset Password
    OS X 10.6 Snow Leopard
    Follow the instructions in the second and third boxes.
    Reset Password using Recovery HD
    OS X 10.7 Lion /10.8 Mountain Lion
    Follow the instructions in the first and third boxes.
    http://pondini.org/OSX/Password.html
    Note
    Keychain
    I don't remember my original (former) account password
    https://support.apple.com/kb/HT1631

  • TC with Access via User Accounts

    Hi all folks,
    I started using a new TC (2TB with 7.5.1) with access via User Accounts switched on, but it confuses me a little. In general I'm interested in storing some more data on the TC, and I'm also interested in using separate folders/mountpoints.
    I add some User Accounts (I used the short names from my Mac, for example lutz, test, work, gast and admin) and every User can logon/connect to the TC, with a User Folder and a "Data" Folder, but admin can't connect to the User Folder.
    All the time I try to logon/connect with the admin User, I can mount the "Data" Folder, but I can't mount the "admin" Folder (but the folder is shown).
    In the Mac Syslog I find,
    /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder[111]:
    NetworkNode::handleMountCallBack returned -6602
    I got a box with,
    The operation cannot be completed because the original item for "admin" cannot be found.
    And in the TC Syslog I find,
    Syslog Protocol 6 - All Information
    Nov 18 00:16:54 Gewichtung: 5 AFP login OK from [email protected].
    Nov 18 00:16:57 Gewichtung: 5 AFP session from [email protected] closing.
    Nov 18 00:16:58 Gewichtung: 5 AFP login OK from [email protected].
    Nov 18 00:18:03 Gewichtung: 3 No Address for NTP server time.euro.apple.com.
    I got folders like this, "lutz" and "Data" and both are empty.
    From the admin Point of view the "Data" Folder looks like this and the "admin" folder can't connect too.
    "Data"
    "Data/Shared"
    "Data/Users"
    "Data/Users/lutz"
    "Data/Users/test"
    "Data/Users/gast"
    "Data/Users/work"
    "Data/MacBook.sparesbundle"
    "Data/PowerBook.sparesbundle"
    My question: is "admin" a TC internal User too?
    What's the reason I can't mount the "admin" Folder and why I got a complete view to the TC filesystem with the "admin" User only?
    It's nice to see this, but what's the reason!
    How to add some more Shared folder for data exchange?!
    Any idea what's happened,
    thanks for any help, I can't find any information about this behavior,
    Lutz
    p.s.
    The password from the User Account definitions are ignored for the "admin" user, the TC Password is used all the time.
    p.s.
    I read "http://web.me.com/pondini/Time_Machine/FAQ.html", too.

    Hi all folks,
    anyone who spend some time to add an User Account named "admin" to a TC and try to logon/connect to the TC with this user.
    If someone try to do this, don't use the same password for "admin" and the TC itself, but try to logon/connect with "admin" to the TC with the defined passwords, both. I can connect "admin" to the TC with the TC password only, not with the password defined via User Account.
    Thanks for any help,
    Lutz

  • Restrict access to users in customer line item display FBL5N

    Hi all,
    We got a requirement from my client that, they want to restrict access of their users to view details of few customers  only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
    we created 4 customer account groups, like:
      SD customers1
      SD customers2
      Onetime customers
      FI customers
    These FI customers cannot be viewed by all users except who has authorization in Tcode  FBL5N, we need to restrict to display only SD and one time customers details.
    we have tried with Basis but it's not working and it's blocking to view all customers.
    anyone got this kind of requirement , Is it possible to restrict....please help me.
    Thanks
    Nagesh
    Edited by: nag on Dec 27, 2011 5:26 PM

    It is standard behaviour that the authorization object F_KNA1_GRP (account group authorization) is not checked
    in the transaction FBL5N. You can confirm this functionality in trans. SE24.
    As a workaround, I would suggest you use the authorization object F_KNA1_BED Customer: Account Authorization
    If you assign an authorization group as the accounting group, perhaps you can get a similar functionality.
    Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
      F_BKPF_BLA Accounting Document: Authorization for Document Types
      F_BKPF_BUK Accounting Document: Authorization for Company Codes
      F_BKPF_GSB Accounting Document: Authorization for Business Areas
      F_BKPF_KOA Accounting Document: Authorization for Account Types
      F_BKPF_BED Accounting Document: Account Authorization for Customers
      F_KNA1_BED Customer: Account Authorization
      F_KNA1_BUK Customer: Authorization for Company Codes
    Kind Regards
    Soumya

  • Restricted access for user in SU01

    Hi All
    How can we give authorisation to a User to modify access (Create/Delete/Password Change/Role assign /Role Delete..etc) for other user IDs but that user should have only display access for his User ID.
    Please Help me in this.

    Hi,
    I have worked with many clients, and the requirement of handling the user Administration and Role Administration is different from each client to other client.
    Some clients may ask for the same person to handle both User and Role Administration, but some clients may ask for separating the tasks.
    In your case, if you want to restrict the person to maintain the other users but not their own user id, this can be achieved by doing the following:
    Create a separate user group who is doing the administration part and create other user groups for other users.
    Create a role with SU01 and restrict the Standard objects with all user groups except the administration one and add S_USER_GRP authorization object manually into the same role and provide only 03 with the administration object.
    The above will solve the problem of administration not able to update the own user id, but the other users.
    Regards
    Anandm

  • Custom Access Level/User groups in BOBJ XI

    Experts,
    We are currently implementing BOBJ XI 3.1. Up on go-live, it will be handled by the Operations team from BOBJ CMC. We do not want to give administrator group for the operations users in CMC. Instead, we want to create custom groups with custom access levels.
    Ex. one for basis who will set up authentication, licenses etc
          one for the functional folks to maintain universes, export universes and set up security.
    Is there a way to set up user groups like this? We were able to successfully restrict access just to folders and universes by creating a custom access level. But we were not able to do it on other items listed in CMC. Has anyone done this level of access before for the operations or even within the development team instead of using the administrator group?
    Appreciate your response
    Thanks
    Kee

    Hi,
    We can assign different rights to a group by creating custom access levels.
    Create a new group ,and also create custom access level and assign it to the new group.
    you can provide access to different objects to the group by adding rights to the access level.
    Under the access level > click  Included Rights > Add and Remove Rights > Under the Rights Collection > click on System.
    You  could find all the CMC object access rights can be assigned.
    Regards,
    Rameez

  • Restricting access via MAC address?

    Hello,
    Could someone please tell me how to restrict access to my wireless network (and internet sharing) by only allowing computers with a certain MAC address to join?
    I'm kinda stumbling around here
    Thanks,
    Jonny

    Sorry if I wasn't being specific enough...
    I have my eMac set up as a Software Base Station, which streams internet & Airtunes to an Airport Express. I have it set up this way, because my ADSL modem is connected via USB (so it's a bit of a workaround). As a result, I have Internet Sharing switched on, so I can access it from all my other macs.
    What I want to do is to stop other people from accessing my eMac's internet connection. If I set up a WEP password for Internet Sharing, I lose my Airtunes facility... so I was thinking another way might be to restrict access to the connection via MAC address. I only want my other airport card-equipped macs to access the internet connection and network generally.
    Surely it's possible?

  • Anyconnect IKEV2 restricting access via AAA auth Group

    Hi Everyone,
    I have ASA config with 2 connection groups
    Say Group  1 and 2.
    Currently both are assigned to Same Auth AAA group
    One of our external vendors has access to both XML files of connection group 1 and 2.
    If I want the vendor to connect only to Connection Group 2, should I change the AAA auth group for connection group 2?
    Then even if he tries to connect to connection group 1 it should not work as the AAA Auth group will be only assigned to Group 2, right?
    Regards
    Mahesh

    Hi Rick,
    There is info
    Our ASA is configured with two connection groups. Our vendor has XML files of both the connection groups, say 1 and 2.
    The AAA authentication group is called RSA. Two servers are there in the RSA group.
    We are using 2 factor Authentication.
    We want vendor to connect to connection group 2 only.
    We have two RSA authentication servers; they are in HA mode so if one dies the other can do the authentication. The ASA has only 1 authentication group, called say RSA, and both connection groups 1 and 2 are tied to the same authentication group called RSA.
    If I configure a new AAA server group, say RSA2, for connection group 2 but it has the same 2 servers, will it restrict the vendor's connection to connection group 2 only?
    Also when you say --- authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response?
    Need to know how i can do this?
    Regards
    MAhesh

  • Restricting SM30 via auth. groups, any flaws in thinking?

    Hi,
    I got a request to assign SM30 to a role as table J_1IEWT_ACKN_N needs to be maintained monthly. I checked an earlier thread regarding this table, and in this case maintaining table in DEV + transport is also not accepted.
    This role also includes other table maintenance activities (period opening/closing, exchange rate maintenance), but for these SM30 is not required. As this role would now include SM30, it would possibly grant access to quite a bunch of tables (through S_TABU_DIS, DICBERCLS values KC and FC31).  User with this role would not have any other roles.
    I created a Zxxx-authorization group in SE54, assigned it to the J-table and then included this auth group to S_TABU_DIS object.
    As this role only needs access to a few tables, I was thinking of changing the authorization group assignments of these tables from KC/FC31 to Zxxx and then giving only DICBERCLS value Zxxx to the role.
    Does this sound like a reasonable solution? Can I just change the auth group assignments of the tables in SE54 or does this have any consequences that should be acknowledged and that I'm not aware of?

    You should try to find an existing group which contains data with the same classification as this one, and use SE54 to assign the value to it. Possibly, if the correct set of users are already classified for that group then you don't need to change anything in the roles.
    If nothing which already exists matches the classification of the data, then classify it yourself by creating the Zxxx group and assign it via SE54.
    If Z-groups already exist, ask for the documentation on the concept so that the one you create or use conforms with the intended concept and naming conventions.
    There is nothing wrong with a Z-table authorization group.
    Cheers,
    Julius

  • How do I restrict access so users can only visit certain sites?

    At work we are setting up a laptop in order to do only one thing - use one particular website. I'd like to make sure nobody can visit any other sites.

    Your secure computer has a piece of unpleasant software - My Web Search. Remove any signs of it in Add-ons>Extensions and Plug-ins. Also check in Add/Remove Programs(Programs and Features in Win7). Also make sure you don't have any entries for Fun Web Products.
    You are showing Fx3.5.8. If that is so, it is high time you updated. Chances are, though, that My Web Search has frozen your User Agent String.
    Google for further information but don't accept advice from people behind these products. You can also look in the Search Firefox Help box above.

  • Access denied errors in domain logs after configuring Ldap and restricting access to users

    Hi Experts,
    I'm getting access denied errors in my domain logs; this log is written continuously. Has anyone encountered the same issue and fixed this?
    ####<Sep 2, 2014 2:30:07 PM EDT> <Error> <Default> <ftizsldmwapp001.ftdc.cummins.com> <AdminServer> <[ACTIVE] ExecuteThread: '27' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <096a131bdb6c126e:6cecae89:14834848020:-8000-0000000000009bc8> <1409682607304> <J2EE JMX-46335> <MBean attribute access denied.
      MBean: EMDomain:EMTargetType=j2ee_application,name=em,type=EMIntegration,Application=em
      Getter for attribute HostName
      Detail: Access denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[]
    TIA,
    -Karthik

