Restricting rights based on MD Group?

Similar Messages

• Restrict printers based on security groups

  We have set up all of our printers on a server and deployed them via group policy.  I am looking for a way to restrict printing based on which security group the user is in.  We have got it working by setting permissions in the printer security tab
  in the server.  But I would like a more elegant solution, since the printers that the user can't print to are greyed out with an X over the icon.  I would like to have the printer not even show up in the printer list if that user isn't allowed to
  print there.
  Is this possible?
  We are running Windows Server 2008 R2 and our clients are all Windows 7.
  Thank you.

  Hi,
  Based on your description, we can use Security Filtering to apply the printer deployment GPO polices to the specific groups.
  Regarding this point, the following articles can be referred to for more information.
  Security filtering using GPMC
  http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
  Filter using security groups
  http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
  Besides, we can choose to deploy printers via GPP and use Item-level Targeting to filter out users who don’t need the printers.
  Regarding this point, the following blog can be referred to for more information.
  Deploying Printers with Group Policy Preferences (Complete Guide)
  http://deployhappiness.com/deploying-printers-with-group-policy-preferences/
  Regarding Item-level Targeting, the following articles can be referred to for more information.
  Preference Item-Level Targeting
  http://technet.microsoft.com/en-us/library/cc733022.aspx
  Security Group Targeting
  http://technet.microsoft.com/en-us/library/cc772471.aspx
  Best regards,
  Frank Shen

• Restrict Sales order text based on Sales group

  Hi,
     My requirement is currently 12 different text ID's showing in my sales order text.But I want to restrict certain sales order text ID's based on sales group entered in the sales order header. Is there is any user exit or routines available to restrict sales order text ID's.
  Regards,
  Palani

  Hi,
  This is actually a configuration item.  Transaction VOTXN (VOTX in 4.6C) can be used to configure the text types, text procedures, and access sequences for sales order texts as well as other types of texts.  Part of the configuration procedure allows for some ABAP control over the copying requirements. 
  This is from the online help for data element COPNR (on the VOTXN screen SAPMV80T 800, field TTXZI-COPNR) :
  You can create your own routines for text determination. For example, if you want to send different messages to particular groups of customers, you can create routines that automatically assign different messages to different groups (e.g. wholesalers, retailers).
  Note
  The fields available for determining texts are defined in structure TVCOM, which can be found in the routine under FTVCOM. Generally, however, the fields filled in the structure are only those which are used or recognised for text determination by the caller. Other fields can, for example, be filled during sales document processing via user exits USEREXIT_MOVE_FIELD_TO_TVCOM_H and USEREXIT_MOVE_FIELD_TO_TVCOM_I. The user exits are described in the IMG under Sales and Distribution -> System Modification -> User exits.
  I'm not sure if filtering by sales group is possible, but I don't see why not.
  Regards,
  Jamie

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• Spliting a table in to two table based on the groups in SSRS

  Hi,
  I am trying to a split a rows accross two tables based on a group.
  So far I have added a list and added a row group and grouped it using lineof business
  Inside my list i have two identical tables so i can display the data
  for the first table i have set the row visibility as follows: where LineOfbusiness1 is the  groupname of my list group
  =RowNumber(Nothing) >= (IIf(CountRows("LineOfBusiness1")\2 = 1, CountRows("LineOfBusiness1")/2, (CountRows("LineOfBusiness1")/2)+1))
  and for the second table in the i have set the row visibility as follows
  =RowNumber(Nothing)< (IIf(CountRows("LineOfBusiness1")\2 = 1,CountRows("LineOfBusiness1")/2, (CountRows("LineOfBusiness1")/2)+1))
  this set up works fine for the first group but it doesnt display the data the way i want for the subsequent groups.
  so how do i have the table start over after each group... plus in my group i have specified to do a page break after everygroup...
  Any help will be appreciated.
  Thanks
  Karen

  Visakh,
  Thanks for answering.... a sample for the data will look like
  dataset----
  create table #dataset
  Code varchar(5),
  Name varchar(200),
  Lineofbusiness int,
  Statename varchar(10),
  typed int,
  description varchar(2000)
  insert into #dataset
  select 45111,abc,1,AL,4500,policies
  insert into #dataset
  select 45111,abc,1,AL,2500,vehiles
  insert into #dataset
  select 45111,abc,1,AL,3,drivers
  insert into #dataset
  select 45000,bca,2,AL,4500,policies
  insert into #dataset
  select 45000,bca,2,AL,500,house
  insert into #dataset
  select 45000,bca,2,AL,40,theft
  When i display the data i want it to be
  Line of business 1
  policies 4500 drviers 3
  vehiles 2500
  Line of business 2
  Policies 4500 theft 40
  House 500
  but right now the for lineofbusiness 1 its showing the correct way for but the line 2 everything is being displayed in the right.
  Thanks
  Karen

• PO Qty restruction based on purchase group

  Hi experts
  Can you provide me solution on this requirement that restruction on purchase order qty based on purchase group,
  in detail my user want that if i entered purchase group XYZ ,then for that purchase order po qty system should not allow more than 1 qty for 1234 company code .
  is there any solution for this requirement
  Kumar

  Hi,
  Can you please elaborate? The purchase group is on the Header of the PO. When you say that the quantity needs to be restricted to only 1, does that mean that only one item is allowed on the PO with Qty 1 or multipel items are allowed but each of the items can have quantity as 1?
  Also, the exit ME_PROCESS_PO_CUST is active only in the online mode for ME21N and ME22N. If you have any background jobs generating a PO (Planning ME59N etc.) the exit does not work.
  Regards,
  Naveen

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• How to Restrict Search based on the Roles for External crawled sites

  I have a situation where the search results have to be restricted based on role
  When External sites are crawled, how can we restrict the search results based on roles,
  I know that we can restrict the search to a group or set of groups that can contain many users but if the group have different roles and if that group has given access to a web repository search, how can we restrict the document/search access based on roles for the same group?
  For Example an Index that has external site as data source and the permissions were set for a group and that group has 2 roles, lets say <b>"Admin" and "user"</b> and the external site have some documents when searched the documents should come up only for the "Admin" role during search, but should not come up for the "user" role
  Is it possible to achieve this? Is there a solution?
  Any advices are greatly appreciated and awarded
  Thanks,
  kk

  Is it possible to restrict on role based?
  Any suggestions are appreciated
  Thanks
  KK

• WLC 5508 LDAP Windows 2008 Server - auth based on AD groups

  hi NG,
  i'm trying to web-authenticate my Wifi user of an WLC 5508 against LDAP.
  Thereby i'm trying to autenticate all users within a GROUP, not an OU within the MS Active Directory based upon an Windows 2008 Server.
  I can authenticate against a user, witch is beeing put into an OU, according to examples based here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
  Checking based upon Users within OUs works fine.
  But i have not got all of those users wihin one single OU!
  Need help for following:    LDAP-Auth based on AD Groups:
  Using:
  MS-Domain:                          MY-DOMAIN.CH
  AD-GROUP:                          VPN-USERS
  AD-Structure:
  MY-DOMAIN.CH
  |
  GROUPS
          |
      Administrative Groups
                        |
                   VPN-USERS
                            (-> Member of this Groups (Wireless1, Wirless2, ...)
  Server Adress:               IP.IP.IP.IP
  Port:                                 389
  Enable Server Stats      YES
  Simple Bind                    Authenticated
  Bind Username              LDAP-USER
  Bind Password               supersecret
  Bind Passw. confirm      supersecret
  User Base DN:               ?-1-?
  User Attribute:                ?-2-?
  User Object Type:          Person
  Server Timeout               2
  What happens for instance, if i put a GROUP within a GROUP regarding the LDAP Authentication.
  I guess i have to authenticate against the "upper" GROUP, or do i have to create an entry on the WLC for every GROUP i'm questoning?
  Could some one provide my with an example, since i have not found documentation regarding this topic.
  Thank you.

  Hi,
  User Base DN : this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
  Remember that the User Base DN is also used for the admin user.
  In conclusion, User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
  Example :
  OU=Employees,OU=Humans,DC=Mydomain,DC=CH
  This would prevent to search in machines or any assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under employees, it doesn't matter
  Attribute : This is the object attribute that the WLC uses to compare with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
  If what you are looking for is to restrict access and only authenticate people who belong to a certain group. Then you need a radius server like ACS.
  That server will be able to make selections and check the "memberOf" attribute to make sure it is in a certain group.
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• FD32 restrict users based on a schedule of authority

  All,
  I have a requirement within FD32 to restrict users based on a schedule of authority.  For example, only allowing credit limits to be changed in a user's authorized dollar range.  I was able to restrict the Credit Limit field (change/display) by using field groups, but I have an extension of the requirement for a schedule of authority.  Can someone please  help?

  You could use F_KNA1_BED, I guess - but that would mean excessive maintenance of both: BEGRU and customers, if I understood your scenario correctly and you really, really want to break that down to single customers.
  It would be even more excessive to utilize F_KNA1_GRP. Can be done, though.
  Both solutions are completely un-elegant and I am not happy proposing them. But I am curious as a cat: what exactly is the business process expecting you to restrict access to customer data down to a single customer?
  Edited by: Mylène Dorias on Mar 24, 2010 8:39 AM

• Restrict users based on Customers

  Hi ,
  In ECC system, we have general requirements to restrict users based on customer account group where customer account group is represented as Site/Store.
  Possible values for Customer Account group -
  - Reference Store
  - Head Store
  - Wholly Owner Store etc.
  Till this point everything is fine. However, Client has few additional External Stores which are represented as one Dummy Site and Customers belonging to that store are actual external Stores.
  Example, we have additional Value for Customer Account Group -
  - Dummy Site
  And now all the Customers part of dummy site is actual stores and we are needed to drill down our restriction to this Customer (So called Stores).
  To restrict used based on customer account group/Stores, we can utilize F_KNA1_GRP with filed KTOKD (Customer Account Group). However, is it possible to create roles based on individual customers of these Stores?
  If yes, how can we do that? 
  P.S. I had a look at authorization object F_KNA1_BED with filed BRGRU. Can this object help us in fulfilling our requirement? Or there is any other SAP provided authorization object which can help us to restrict on Customer values?
  Thanks,
  Sheenam

  You could use F_KNA1_BED, I guess - but that would mean excessive maintenance of both: BEGRU and customers, if I understood your scenario correctly and you really, really want to break that down to single customers.
  It would be even more excessive to utilize F_KNA1_GRP. Can be done, though.
  Both solutions are completely un-elegant and I am not happy proposing them. But I am curious as a cat: what exactly is the business process expecting you to restrict access to customer data down to a single customer?
  Edited by: Mylène Dorias on Mar 24, 2010 8:39 AM

• Restrict permissions to use the groups/users/roles in User Administration

  Hello gurus,
     I want to find out if there is a way we can restrict permissions to use the GROUPS in User administration. We want to assign the user administration role to the users, but do not want the users to have permissions to DELETE groups from User administration page.
  Please also let me know, if we can just have users use the NWA to do the user administration instead of from the Portal?
  Thank you,
  ~~MK

  Hi MariaKutty,
  Koti is right, you need to create custom User administration role from standard role and restric the access in the custom role and assgined to the users.
  >Please also let me know, if we can just have users use the NWA to do the user administration instead of from the Portal?
  Then can to do from NWA also, if the user not required to have the portal access.
  Hope it helps
  Regards
  Arun

• To enable filtering the Purchase Orders based on Purchasing Group in Issue

  Hi All,
  We are facing one issue
  Currently we are working with Extended Classic Scenario with SRM 5.0 and support pack 11
  If the buyer uses Issue PO transaction in SRM, there are POs from all the buyers.
  There is no filter to allow the buyer to display only POs relevant for his/her Purchasing group.
  To enable filtering the Purchase Orders based on Purchasing Group in Issue Purchase Order transction, we found one
  OSS note : 1162884 - BBP_PPF: Purchasing group as search criteria for PO
  But we found that this oss note is not applicable for our system version
  Could you please help me to resolve this issue by any suggestion or by any other oss note?
  Thanks
  Snehal

  Hi Snehal,
  There is a easy way to do that.
  Go to buyer role in PFCG transaction and look for profile and go inside profile ...look for your transaction...
  for Process PO  transaction -  BBP_PD_PO and you have field BBP_PURGRP...using which you can restrict it on purchasing group..
  You may have to copy same role and create new roles based on purchasing group..
  I feel that basis or Security and Authorization team can help you in this matter.
  Regards,Nishant

• How to change the values in custom profiles based on security group ??

  Hi,
  i am facing problem for my requirement, can anybody help me for below scenario...
  i have custom check in profiles , there are content types and sub types. sub type nothing but a categories on for particular content type. For example i have News content type , same in the below subtypes drop down list are press release, events, articles etc.
  what i want to do is, when i open custom checkin profile, subtype values need to be changed( some values in subtype should hide) based on security group changes .
  In the Sub type listed values, some values need to hide only when i choose different security groups.. sub types values should display based on the particular security group only. when ever i change the security group, drop down Values in subtypes needs to change.
  hope understand my requirement.
  How to achieve this task. Any help would be greatly appreciated.
  Thanks,
  yt

  Hi,
  Thanks alot. its working fine
  Can we configure DCL Relation two times in one information filed ??? i should not create not more than fields to this requirement.
  Type -> subtype = DCL already existed
  Now, i want to Create DCL to
  Subtype ---> Security group
  As per my requirement, if i change the security group in checkin form, values should be change in the SubType drop down list.
  Created checkin profile there was DCL relation to " Type and "Sub Type" . now i want to map Relation ( DCL ) for subtype to security group.
  i was trying do for DCL for subtype and security group. but there was already existing DCL created for subtype information field (Relation configuration done for content type). even though i was trying to do for DCL in Security group information field. but, i could not find security group information field in configuration manager.
  Now what should i do ?? how to create DCL to subtype and security group ??
  Help would be appreciated.
  yt

• GL account master data creation control based on Account group

  While creating GL account in FS00 we need to control to select P&L account or Balance sheet account. At present after selecting P&L accunt group it is allowing to check Balance sheet account. If we select account group belongs to Balance sheet but it is allowing to check P&L. How to control to select P&L or Balance based on account group.
  For example: If we select account group beongs to P&L it should allow to check P&L statement account.
  If we select account group belongs to BS it should allow to check Balance sheet account

  I don't there is any control for this at 'Account Group' level, please use userexit EXIT_SAPMF02H_001 for this.
  Regards,
  Ganesh