Role Access

Similar Messages

• BPM user role access

  Hi Experts,
  Who all can access the BPM process? Is it possible to set the userrole access to the BPM process?
  Scenario :
  Through webservice, I have to call BPM process..But the BPM process should be accessed by particular user.
  For example, Manager related BPM process should not be accessable to the Developers.
  How to set/give the BPM user role access?
  Regards
  Sara

  It is not possible, if sender application has an athorization to send the message to XI the process will be instantiated using Receive step.
  Thanks
  Farooq.

• RoleEntityACL|Role Access List | no values, guest and authenticated not shown

  All,
  I enabled RoleEntityACL from configuration manager. Role access list field shows up, but when I type **, there are no values at all. Not even guest and authenticated, OOTB values.
  I added UseEntitySecurity=true, I am able to see add Users and Groups when i type ** in the input field.
  Any pointers here?
  Thanks
  ~

  Srinath,
  I need to see the guest and authenticated values by default after enabling the "RoleEntityACL". Am i missing something here. I have Roles text box enabled, but it is not giving any values even if type **, g or a.
  If i get those values, i can go to configuration manager applet and then add more values.
  However, I did all those u mentioned. Added a new role in ExternalRoleView, Published Schema and Schema Base. Restarted UCM server. But i see null results.
  In General Configuration:
  UseEntitySecurity=true
  SpecialAuthGroups=TestGroup,Public
  In Advanced Component Manager:
  Enabled RoleEntityACL.
  I am able to add users and groups(aliases) in the access control list at the folder level. but not any roles. Am i missing something here?

• Hyper-V 2012 R2 roles, access denied, failed to connect to service, AzMan....

  Hi All,
  I have followed dozens of tutorials to set up roles for Hyper-V, but I keep coming up short. I have no problem managing the five domain-joined 2012 R2 Core Hyper-V servers we have remotely from my Windows 8.1 PC, but I have a lab box I would like to grant
  specific permissions to some Help Desk users on.
  The key tutorial I have followed is from John Howard (http://blogs.technet.com/b/jhoward/archive/2008/04/01/part-4-domain-joined-environment-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx),
  but it still does not allow a non-admin account to use Hyper-V Manager remotely. Without his tutorial, I get access denied with my "TestUser" account. After following his steps, Hyper-V Manager appears to connect to the server, but says "The
  Virtual Machine Management service is not available." Even using his HVRemote with the /show flag, everything shows as PASSED.
  Digging deeper, I see dozens of failed audit Event Viewer logs saying "TestUser" is requesting READ to Service Control Manager. That sent me searching, and I found
  http://arnoutboer.nl/weblog/?p=300 and http://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx.
  After granting "AU" (Authenticated Users) every permission resembling "read", Hyper-V Manager now shows "There are no virtual machines to show" (or something along those lines); even though I know there are about 30 VMs on this
  host. I try to create a new VM (out of curiosity, and now that those options actually appear), and I get permission denied immediately after the create VM wizard pops up.
  Why is this such a convoluted process? I would appreciate any help creating Roles for Hyper-V 2012.
  Thank you in advance!

  Hi Eric (cool name BTW!)
  Putting them in Hyper-V Administrators is definitely not an option.
  I absolutely believe Microsoft would do something to push you into buying their software; just as we had to purchase Windows 8.1 Pro to remotely manage our 2012 R2 servers. However, as far as I am seeing, AzMan is still in 2012 R2. Whether it works or not
  is another story, but AzMan.msc is still there and I can run it on any of our 2012 R2 GUI installs.
  Actually just found this:
  http://technet.microsoft.com/en-us/library/dn303411.aspx. According to that, it has not yet been removed, but it has been deprecated. From what I am seeing, the Hyper-V portion of it is definitely broken.
  I will look into the remote endpoints solution you mentioned. Thank you for the suggestion. I just recently took the plunge into learning C++, so maybe a Hyper-V manager of sorts will be an app to
  attempt to write, haha.
  Eric Christensen

• Role Access : SS Provision Report vs Workspace Security Extract

  Is this normal, we are using EPM 11.1.2 Classic Metadata.
  I Setup a user 123049, provisioned him HFM access to "Reserved" only.
  I also add the same user to a native group called FM_Loc_Reviewer which has provision access to 7 Roles: Approve JE ,Consolidate,Create JE, Load Excel Data, Post JE, Reviewer 1 and Save System Report on Server.
  When i extract security from workspace it has user, 123049 showing up with the combined provision of his id and the group he belongs to. Is this a te way it is suppose to be? In HFM 4.02 it would only show his access
  Thanks
  From Shared Services:
  User@Directory     Role     Inheritance Information
  123049@CompanyA     Approve Journals     FM_Loc_Reviewer
  123049@CompanyA     Consolidate     FM_Loc_Reviewer
  123049@CompanyA     Create Journals     FM_Loc_Reviewer
  123049@CompanyA     Load Excel Data     FM_Loc_Reviewer
  123049@CompanyA     Post Journals     FM_Loc_Reviewer
  123049@CompanyA     Reserved     -
  123049@CompanyA     Reviewer 1     FM_Loc_Reviewer
  123049@CompanyA     Save System Report On Server     FM_Loc_Reviewer
  From Security Extract:
  !ROLE_ACCESS     
  Reviewer 1     123049@CompanyA
  Reserved     123049@CompanyA
  Save System Report On Server 123049@CompanyA
  Create Journals     123049@CompanyA
  Approve Journals     123049@CompanyA
  Load Excel Data     123049@CompanyA
  Consolidate     123049@CompanyA
  Post Journals     123049@CompanyA
  Edited by: user13116744 on Nov 17, 2010 9:58 AM

  This is a sample on the way it looks in mine.... we are using EPM 11.1.3 Classic Metadata
  !ROLE_ACCESS
  Provisioning Manager;admin@mycompany
  Application Administrator;admin@mycompany
  Reviewer 1;myuser@Native Directory
  Reviewer 2;myuser@Native Directory
  Reviewer 1;myuser2@Native Directory
  Reviewer 3;myuser2@Native Directory
  Read Journals;myuser3@Native Directory

• IP Address determination based Portal Roles Access

  Dear Experts,
  Current Scenario - SAP Portal is accessible directly and via Citrix (VPN).
  Based on the URL alias - we have implemented Desktop Filtering.
  eg if the URL ends with / internet - You get restricted roles
  eg if the URL ends with / intranet - You get wider roles
  In Production, we also have Netscaler Reverse Proxy and HTTPs settings in place for External (outside firewall) access.
  New Requirement (Example) - Based on the IP address of the client, determine which subnet it falls under and based on that -
  If used within Citrix - Provide certain roles
  If not used within Citrix - Restricted access / Redirect to a different URL on the redirect server.
  Questions - With the current desktop filtering in place based on URL determination and no specific restriction for inside/outside Citrix access -
  I believe tweaking SAP Portal Logon logic can get very painful and overtly complicated for such scenarios.
  Please suggest which would be a good way to crack this? eg using admin settings at these levels - eg Citrix, Network OS Exit, Reverse Proxy etc based on Best Practise ?
  Thanks for your inputs ~ Dhanz

  Hi Dhanz,
  You are right, it's a complicated scenario.
  Unfortunately I am not expert on Citrix, Network OS Exit, Reverse Proxy, etc. But I have discussed this issue with web dispatcher expert colleagues and I believe you can use the IP address as distinguishing criterion / mapping table. Please see the documentation below:
  http://help.sap.com/saphelp_nw04/helpdata/en/de/89023c59698908e10000000a11402f/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/24/62c6bacba12442a869a599149227ab/frameset.htm
  I hope it helps,
  Kind regards,
  Lisandro Magnus

• BO authorization model with sap roles / access tot folders, functionalities

  Hi Specialists,
  As authorization cunsultant in BI, I have little knowledge of the security setup in Business Objects.
  I have to setup an authorization model were the authorizations are assigned via sap roles in the backend BI system. These roles are imported in BO were they can serv as 'user groups' and access to folders, functionalities.
  Can anyone provide me a overview, guide, training document... on how the authorizations are managed in BO and best practice when they are linked to sap backend roles.
  The goal will be to user the sap BI backend roles and user them to grant users in BO specific access to specific folders. Eg; User A can access folders 1 as "refresher only", User B is able to publish reports in folder 2, User C has only view access in folder 2...
  Any help would be great!
  Thanks very much in advance.
  rgrds
  Kristof

  Hello,
  this is the best approach you mentioned here.
  I prefer to create roles serverd as functionalities in the Backend. For Example you have a "View" role, a "Refresh" role and so on.
  On the other hand i saw some setups where there is only on role in the Backend with all the BO Users. Then you have to create you functional groups in BO and have to assign the Users there to the Groups.
  Check the Adminguide of BO XI 3.1 for more Informations.
  Regards
  -Seb.

• BW Role Access

  Hi Gurus,
           I want to know if we can restrict BW Users to create "Workbooks" only.  I mean the Business users should not be able to create new queries even though they can create "Workbooks".
  Thanks,
  S

  Hi Sid,
  Be default the users should not have the access to create queries. You can check for the following auth in their roles:
  http://help.sap.com/saphelp_nw04/helpdata/en/80/1a68a7e07211d2acb80000e829fbfe/content.htm
  Hope this helps...

• Role Access when Invisible in Navigation Areas = Yes

  Hi,
  I have created a role called home which has some links. When i click on any links say link1(role), i can navigate to that screen.
  So now i have assigned all the roles to an end user.
  So as usual it shows all the roles as tabs. But now i shud not show link1, link2....etc as tabs.
  I shud hide those roles. When i click on Link1 in home(role) page, then i shud access that particular role.
  Can anyone help me in these prob.
  i tried this options
  1. Invisible in Navigation Areas = "Yes".
  2. Entry Point = NO
  Regards,
  Raju
  Edited by: V R K Raju P on Jun 30, 2009 12:20 PM

  Yes I tried and works, but the situation is that we have a program that helps you to create the users and assign the roles that you want to the users (it's a list and you can assign the roles available on the list).
  But the developer guy ask me for a quicklink to have a special funcionality but they don't want to have on the roles tabs, so because the roles are not always the same I can't assign it to a specific role.
  Thanks for your help

• When granting a user or a role access to a group of pages, it is best practise to grant that access to what type of file or component?

  My question is same while granting user or role in the application, what is the best practise? How to decide the level of applying role to pagedef's, xml files, or some other file that i have missed out.

  As for my concern I would go for page definition files.

• How to create Cross system role - Access Enforcer

  Hi,
  What is mean by cross system composite role, how should we create that.
  Thanks&Regards,
  Vijay

  This would be a reference to CUA.  You can define a composite role in the CUA system that contains single roles from the child systems.  When a user is assigned the composite role, CUA automatically provisions the user and appropriate single role assignments to the appropriate child systems.
  This simplifies things for the AE end user.  Rather than having to select multiple single roles from multiple systems in the request, they can select one role from the CUA system (representing their job).  CUA takes care of the rest.

• Username and role access via EL

  Hi,
  I'm using form-based authentication via a plain old JSP.
  Once the user is logged in I'd like to display their user name and role on each page.
  In JSP I can do this via EL with something like: ${pageContext.request.remoteUser}
  What is the equivalent expression in JSF based EL?
  Same question for the role.
  Thanks

  Judging by the lack of response, I guess this must have been a really dumb question?
  I ended up creating a backing bean and using:
  FacesContext context = FacesContext.getCurrentInstance();
  username = context.getExternalContext().getRemoteUser();
  Where username is a bean property
  I couldn't get the JSF EL version of the above to work.
  The EL version seems suprisingly convoluted given that getting the username and role is a pretty common task.

• Accessing shared database throws exception from one of 2 web roles

  Setup:
  Shared database
  Main site and "admin site" each using separate web roles accessing shared database.
  I had things working and running correctly until about 2 days ago.  Then, only the "admin site" stopped working.  I am using the same code to access the database across both sites but am getting the following exception when trying to access the
  database in the admin site:
  Message: Unable to open connection to "Microsoft SQL Server, provider V2.0.0.0 in framework .NET V2.0".
  Stack Trace: at IBatisNet.DataMapper.SqlMapSession.OpenConnection(String connectionString) at IBatisNet.DataMapper.SqlMapSession.OpenConnection() at IBatisNet.DataMapper.Commands.DbCommandDecorator.System.Data.IDbCommand.ExecuteReader() at IBatisNet.DataMapper.MappedStatements.MappedStatement.RunQueryForObject[T](RequestScope
  request, ISqlMapSession session, Object parameterObject, T resultObject) at IBatisNet.DataMapper.MappedStatements.MappedStatement.ExecuteQueryForObject[T](ISqlMapSession session, Object parameterObject, T resultObject) at IBatisNet.DataMapper.MappedStatements.MappedStatement.ExecuteQueryForObject[T](ISqlMapSession
  session, Object parameterObject) at IBatisNet.DataMapper.SqlMapper.QueryForObject[T](String statementName, Object parameterObject) at AutoOffers.Persistence.SqlMapperWrapper.QueryForObject[T](String statementName, Object parameter) at AutoOffers.Persistence.Mappers.DbUserMapper.FindByEmailAddress(String
  emailAddress) at AutoOffers.Persistence.Repositories.UserRepository.FindByEmailAddress(String emailAddress) at AutoOffers.Core.Domain.Services.Authentication.MembershipService.ValidateUser(String username, String password) at Admin.AutoOffers.Web.Controllers.HomeController.Login(LoginModel
  model, String returnUrl) at lambda_method(Closure , ControllerBase , Object[] ) at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext,
  IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41()
  at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult
  asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49()
  at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult
  asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<>c__DisplayClass2a.<BeginInvokeAction>b__20() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult
  asyncResult)
  NOTE: I've tried to go to the v4 provider but get the same error (except with v4 in place of v4).  I would suspect something amiss with my application if I didn't have a working one using shared code...though I'm still not ruling out that I'm doing
  something wrong, just waiting for input from here.
  Thanks in advance.

  Hey there, and apologies for the lack of response.  Are you still having this issue and still needing help?  If so can you tell me a little more.  Where is the application running (web/worker rolls)? what are the details on the SQL Database?
  Thanks Guy

• Role Based Access Control in Java

  Hi,
  we are designing a software solution that makes use of the Role Based Access Control pattern to control access of functions, EJBs, Servlets to certain users based on their "role".
  I have not been able to understand clearly how that pattern can be implemented in Java. In addition, I stumbled on the java.security.acl and I wondering how will the package work together with RBAC pattern (Or is the pattern already implemented in some package)?
  Does any1 have any comments on this? Thnx
  Dave

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

  Requirement:
  How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
  What is Airwatch MDM?
  Airwatch MDM is Mobile Device Management. The Airwatch is an enterprise which helps to manage and secure data traveling through the mobile devices like Laptops, Tablets, Android, iPhones, iPads etc.
  Solution:
  Why we need to allow access to Airwatch MDM?
  The network administrator can force the guest users to register to Airwatch MDM before they get authenticated and access the internet. So that the network administrator could manage the guest devices through Airwatch Management tool. This can be achieved by CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
  Configuration:
  Below is the configuration
  Configuration steps:
  1. Create the following netdestinations
  netdestination Airwatch
    name *.awagent.com
    name *.awmdm.com
    name air-watch.com
  netdestination Google-Play
    name android.clients.google.com
    name .ggpht.com
    name gstatic.com
    name accounts.google.com
    name clients1.google.com
    name clients2.google.com
    name clients3.google.com
    name clients4.google.com
    name i.ytimg.com
    name google-analytics.com
    name .1e100.net
    name android.l.google.com
    name mtalk.google.com
    name clients.l.google.com
    name googleapis.com
    name gvt1.com
  netdestination BlackBerry
    name *.blackberry.com
  2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
  ip access-list session Airwatch_Access
    any   alias Airwatch svc-http  permit
    any   alias Airwatch svc-https  permit
  ip access-list session Google-Play-Store
                 any   alias Google-Play any permit
  ip access-list session BlackBerry-Access
                 any   alias BlackBerry any permit
  3. Now map the session ACLs to captive-portal pre-authentication Role as follows
  user-role Guest-Pre-Auth-Role
   access-list session Airwatch_Access
   access-list session Google-Play-Store
   access-list session BlackBerry-Access
   access-list session logon-control
   access-list session captiveportal
  4. Now whitelist the list of domain names in the Captive Portal profle
  aaa authentication captive-portal Airwatch-Captive-Portal-Profile
  white-list Airwatch
  white-list Google-Play                                                                                ------------>Netdestinations where you defined the Domains.
  white-list BlackBerry
  Verification
  Now the user will be placed under the "Guest-Pre-Auth-Role" before the authentication. The user can now go the Google Play-Store or BlackBerry Appworld to download the Airwatch MDM and register to Airwatch Management Server.

  Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence!  Thanks,Chris