Restriction in roles

Similar Messages

• How to restrict selected Role under a Role???

  Hi Friends,
  I have 3 roles, which are Role-1, Role-2, Role-3.
  Role-2 & Role-3 are Under/Part of Role-1.
  Now, I have assigned Role-1 to a user. By doing this, When he logs in he is able to see the Role-2 and Role-3 also eventhough we havent assigned Role-2&3.
  Now My question is, How to restrict a role under a role. For example, I dont want to show Role-3.
  When i checked the user roles assigned, i see only Role-1 but not 2 other roles.
  Could anyone advice on how to make unwanted role in role. Assuming, no one is going to assign directly with Role-2 & Role-3. They got assigned only Role-1.
  Thanks for u r time!!
  Thanks,
  Raghavendra.P

  Hi Praveen,
  Thanks for important/useful information. I really dont understand is., Inspite of giving the properties to the each of role/workset, How do we call the approprite under the role. for example :
  If we have Role-2 with propery dept=sd,
  and Role-3 with propert dept=xi, etc.
  Now i have Role-1, within which i have Role-2 and Role-3.
  Now, if i want to see only roles with dept=xi then where should i mention and what should i mention.
  I understood till creating the properties, assigning the properties to roles/worksets, giving values to properties.
  Only i doesnt understood is how to activate which we want in the scenario.
  Thanks for your time..!!!
  Thanks,
  Raghavendra Pothula

• Restrict the role of User Administrator

  Hello all,
  I need to know that if it is possible to restrict the Role of an User Administrator to assign only a specific set of Roles to the end user.
  For example : The user administrator should be able to assign only say Managers, Employees Roles to the Users and not any other roles like Super Administrators etc.
  If so, how can we achieve that?
  Regards
  Avik

  There is a authorization object (combined with a parameter) that does this restriction:
  S_SPO_PAGE
  Definition
  Using authorization object S_SPO_PAGE, you can restrict the maximum number of pages of a request that can be printed on a particular printer.
  This authorization check is only active if profile parameter rspo/auth/pagelimit is set to 1.
  Defined fields
  SPODEVICE       Device name for which the restriction is to apply.
  SPOPAGES        Maximum number of pages allowed; enter a range (0 to n) here

• Oim 11g r2: data access restriction using roles instead of organisations

  can i implement data access restriction using roles instead of organisations in oim 11g r2?

  in my use case a particular user can be member of more than one organisation. as far as i know oim does not suoport this use case using organisation, so i decide to use roles to represent my "organizations", but now i loose all the data access restrictions (scope).

• Internet Restriction of Role or Workset in Portal

  Hello SDN'ers
  I have a requirement of restricting one role to the users who are accessing our company portal thru internet...
  How should i go about it....
  Please Help..
  Thanks n Regards...

  Hello Saxena,
  You could have a diferrent desktop for the users accessing your portal
  through internet (probably the easiest way is by configuring a portal rule
  based on User or URL Alias) and within that desktop filter/restrict the role
  in question.
  More details on how to do this:
  - Step 1 - Portal display rules for determining which portal desktop
  http://help.sap.com/saphelp_nw04/helpdata/en/4b/29cf122f414721964269e1b675d62c/frameset.htm
  - Step 2 - Filtering the role
  http://help.sap.com/saphelp_nw70/helpdata/EN/5e/e855a35455458aa4df21a4339722c7/frameset.htm
  good luck!
  Rafael

• Creating Restricted Helpdesk Role

  I am trying to create a helpdesk role in the portal that will only allow the helpdesk to reset password and unlock an id.
  I am almost there. I created a new role then linked the sap provided workset "delegated user Administration".
  I then removed all except search, previous search results, and locked users.
  The problem is, the results pages still have a delete button, copy to new, and the edit page allows the helpdesk to edit all of the user's info.
  How can I remove unwanted buttons? And when in the edit screen they click the pencil (we don't use the automatic password reset) to reassign a new password, all of the user fields are displayed. How can I edit that page to only provide the password fields?
  Thanks.
  Nicole

  Hi Nicole,
  See How to restrict UME-Action-rights to reset password an unlock user ? - discussed there are the possibilities to define a permission set for UME actions. Maybe that would be the best solution, as you could/should use the standard UIs for your concerns. The alternative I suggested was based on the "old" UserAdmin user interfaces (not WD). A third way would be to develop a small applications for your needs - as this is not ver mighty, it should'n be a big problem / task...
  Hope it helps
  Detlev

• Requisition for approval using - Restricted Recruiter role

  Hi,
  We have implemented SAP eRec EHP4. As of EHP3 the restricted recruiter was only able to create requesition in Draft mode and release the requisition for approval.
  We are using WD on SAP EHP4. We have provided SAP_RCF_RES_RECRUITER_ERC_CI_2 role in R3 to one of the user and Recruiter role on the portal. But when I try to create a requisition and try to release it, it gets released instead of going for approval......
  What have we done wrong.....Is there some other way by which the requisition can be sent for approval in EHP4......
  Thanks

  Hi All,
  In the meantime I was testing the BSP application since I had to give a demo to the client.....Here I could run the workflow, but when I launch the recruiter "approval" page it gives me an error
  BSP Exception: Das Objekt default.htm in der URL /sap/bc/bsp/sap/hrrcf_approval/default.htm?objid=90005527&otype=NB&plvar=01&requestdate=20100723&requestedRsncode=01&requestedstatus=1&requester=Mr%2etesttest&SAPWFCBURL=http%3a%2f%2ftcssol%2ehrservicesonline%2ecom%3a8002%2fsap%2fbc%2fwebflow%2fwshandle ist nicht gültig.
  I saw through SE80 there is no page like default.htm how do I resolve this, is this also connected with upgrading our SP level?
  Thanks
  Subbu

• CUP question - Possible to restrict available roles based on the requester?

  Helo all,
  One of our customers wants to put restrictions on the access requester in the CUP module: meaning that some requesters should only be able to request roles assigned to functional area u2018Procurementu2019, while other requesters should only be able to request roles that are assigned to all functional areau2019s except for u2018Procurementu2019.
  Do you know if this is possible or do you see an alternative solution?
  Thanks in advance,

  There is no real way to restrict people from doing that, but you could use the buisness process in role attributes to ensure if the select the correct buisness process only roles listed under a particular buisness process are listed when being searched.
  You could make the buisness process field mandatory on the main screen and than that gets carried over when searching for roles, obviuosly that can always be changed by the user.
  regards,
  Chinmaya

• Restrict Moving roles with user assignment

  Hi There,
  Need your help...
  How to restrict to move roles from dev->QA with user assignment. (want to disable the user assignment restirction)
  Thanks and Regards,
  Gnanaprakasam

  Unfortunately this is not the default installation setting, so you need to go into the security settings customizing and change the USER_REL_IMPORT switch to 'NO'.
  This does however NOT make the checkbox disappear in the transport source system. It prevents the import in the target... so you must set it and transport it there first, then it works.
  Cheers,
  Julius

• Any ideas on restricting userID Role Assigment within the SAP Security Team

  Hello,
  I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignements for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
  Thanks in advance for your help!
  John

  Hi John,
  There can be a manual control in place and individual should not assign role/s to himself / herself.
  Otherwise, security team members can be assigned to a specific group (let say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security.There should be a dedicated power user to assign the role/s to the security team members and this can be auditted (SM20 log for manual super user / FireFighter log for FireFighter user).
  Thanks
  Prasanna

• OIM 11g-How to restrict the role administrator from seeing "other" roles

  Dear All,
  How to restrict Administrator from seeing roles he is not suppose to administer?
  My administrator is suppose to assign only Role A. When he logs in He can see every single role. How to correct it so that he can see only Role A?
  Thank you for your time
  Maria

  Modify "All User Role Management Policy"

• Restricted Backup role

  Hi all
  I am new to MSSQL, so please be patient if my question sounds trivial :-)
  We have an instance of MSSQL for development and the people normally do frequent backup/restore of databases (i.e. for upgrade of customer's production DBs, restore of production databases, etc..) via "sa" login. Note that we don't have a dedicated
  DBA and we would like to avoid to dedicate a resource only for these trivial tasks.
  Now we would like to restrict such security policy, like:
  Remove DBA permissions to all users
  Grant all users a specific role to backup/restore databases ONLY remotely (i.e. to/from \\192.168.xxx.xxx\mySharedFolder)
  Restore only to the database where user is dbOwner
  Would this be possible just by using security restrictions (not with stored procedures)? How?
  I had a quick look to the Media sets config, but I couldn't figure out how to restric only to remote locations, and the dp_backupoperator doesn't seem to be configurable. Also the CREATE DATABASE permission is way to strong as we don't want a user to be
  able to restore to any database, but only to his own.
  Thank you!

  Hello,
  I just tried out Below on SQL Server 2012 where I created a procedure which did backup on local disks. Created a Login and user mapped it to a database gave user DB datareader and BACKUP DATABASE permission. 
  Procedure to backup database
  USE [Database_Name]
  GO
  /****** Object: StoredProcedure [dbo].[BackupDatabase_Proc] Script Date: 10-10-2014 21:29:00 ******/
  DROP PROCEDURE [dbo].[BackupDatabase_Proc]
  GO
  /****** Object: StoredProcedure [dbo].[BackupDatabase_Proc] Script Date: 10-10-2014 21:29:00 ******/
  SET ANSI_NULLS ON
  GO
  SET QUOTED_IDENTIFIER ON
  GO
  create procedure [dbo].[BackupDatabase_Proc]
  @Dbname char(20),
  @Location varchar(20)
  as
  Begin
  declare @SQL NVARCHAR(500)
  SET @SQL = 'BACKUP DATABASE ' + @dbName + ' TO DISK = '''
  + @Location + ''' WITH INIT'
  exec sp_executesql @SQL
  end
  GO
  After This I created Login and then user with same name and gave it data reader for database for which I need to take backup.
  USE DATABASE_NAME
  GO
  CREATE LOGIN backupLogin WITH PASSWORD=N'backup', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english],
  CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
  GO
  CREATE USER BACKUPLOGINUSER FOR LOGIN [backupLogin] WITH DEFAULT_SCHEMA=[dbo]
  GO
  ALTER ROLE DB_DATAREADER ADD MEMBER BACKUPLOGINUSER
  After that granted execute permission on Procedure to User
  GRANT EXECUTE ON BACKUPDATABASE_PROC TO BACKUPLOGINUSER
  GO
  GRANT BACKUP DATABASE TO BACKUPLOGINUSER
  Well with above user have data reader privilege and can run procedure to take backup. Is this what you are looking for.
  Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
  My Technet Wiki Article
  MVP

• How to restrict without role

  Hi to every one,
  i want to know one of our user having sap_all &sap_new profile.
  so that is super user .
  if i want to restrict for some tcode like sm12,sm04,st02and etc.
  without assigning any role ....
  means if i create role then it will not be the solution because user eant all authorization except sm12 ,sm04 and st02.
  so guide me what should be the way to do so.
  Regards
  Dik

  Well I know roles like these are clumsy and it is never a good practise to have a role with SAP_ALL and never something like this in Production and however you try to limit it..there may be a way to take advantage of this role.
  So lets try to minimize the access to roles like this because sometimes in dev system functional consultants ask for roles like this.
  "The user could just give themselves the real SAP_ALL or any other role back again"... -> Let us remove SU01, SU10, PFCG ....or better lets us remove SU* and PFCG from this role. So that user do cannot give themselves anyother role or t-code. Also remove S_USER* object
  or skip the tcode check in the debugger... or create a new transaction which does exactly the same... ->
  Let us remove all SE* t-codes like SE38, SE93 ..also SA* .....also remove S_DEVELOP with object type DEBUG, PROG etc ..restrict S_ADMI_FCD, S_SPO_ADMIN, S_BTCH_ADM etc and other S authorization object
  "Another bugger with roles such as these, is that when they are mixed with other roles which are built correctly to control the access of the user when using a certain set of application area transactions (which is different to just starting them...) "  --> Right..so we do not give this role with any other role...lets create a id for it ..something like a super user id and add this role to it. And give it only in the cases when you have approval for it.
  " SAP_ALL has moved on as well (with SP and releases) as it is regenerated from the new SAP_NEW..." -> This role is created from SAP_ALL as template ...I am not sure it means when SAP_ALL changes this custom role will change itself. The Role is created and until you change it yourself, it should not change automatically.

• AE-How can we restrict a role approver to request or approve is own access?

  Currently, in our AE a role approver can submit a request to add a role for which he is the approver and therefore he will be able to approve it as well.
  We would like to not authorize someone to approve his own access request.
  Is that possible and how ?

  Patrick-
  That enhancement is available in Access Control (CUP, formerly AE) 5.3.  It is not available in 5.2.
  Ankur

• How to Restrict Search based on the Roles for External crawled sites

  I have a situation where the search results have to be restricted based on role
  When External sites are crawled, how can we restrict the search results based on roles,
  I know that we can restrict the search to a group or set of groups that can contain many users but if the group have different roles and if that group has given access to a web repository search, how can we restrict the document/search access based on roles for the same group?
  For Example an Index that has external site as data source and the permissions were set for a group and that group has 2 roles, lets say <b>"Admin" and "user"</b> and the external site have some documents when searched the documents should come up only for the "Admin" role during search, but should not come up for the "user" role
  Is it possible to achieve this? Is there a solution?
  Any advices are greatly appreciated and awarded
  Thanks,
  kk

  Is it possible to restrict on role based?
  Any suggestions are appreciated
  Thanks
  KK