Role Authorization using DSO

Similar Messages

• T-code CJ88 role authorization  using company code?

  Hi expert!
  who can tell me how to control  CJ88 T-code using company code .
  the business is below:
  1, the user have 10 company code  and only one control ares.
  2, one employee cannot use CJ88 to settlement the project of the other company code.
  can any one tell me how can i control
  Please explain me all the steps to be required.
  Thanks in advance!

  I am not sure about CoCode wise authorization for CJ88...you said you have 10Cocodes, if the Person Responsible of the projects are different for each cocode, then use authorization object C_PROJ_VNR (Project Manager for Proj Def) or C_PRPS_VNR(project manager for WBSE) for running CJ88, so that person repsonsible of other company code project cannot run settlement of other projects.

• Web Authorization using Jrun 4 Updater 7

  Hi
  I'm trying to implement Web Security Authorization using JRUN 4 updater 7. When I start the server, I'm getting an error.
  06/03 15:46:24 error An exception was thrown when initializing the security filters.
  java.lang.NullPointerException
  at jrun.servlet.security.StandardSecurityFilter.<init>(StandardSecurityFilter.java:59)
  at jrun.servlet.security.WebAppSecurityService.createSecurityFilters(WebAppSecurityService.java:462)
  at jrun.servlet.security.WebAppSecurityService.start(WebAppSecurityService.java:95)
  at jrun.servlet.WebApplicationService.start(WebApplicationService.java:223)
  at jrun.ea.EnterpriseApplication.start(EnterpriseApplication.java:194)
  at jrun.deployment.DeployerService.initModules(DeployerService.java:708)
  at jrun.deployment.DeployerService.createWatchedDeployment(DeployerService.java:243)
  at jrun.deployment.DeployerService.deploy(DeployerService.java:428)
  at jrun.deployment.DeployerService.handleEvent(DeployerService.java:382)
  at jrunx.kernel.JRunServiceDeployer.fireEvent(JRunServiceDeployer.java:710)
  at jrunx.kernel.JRunServiceDeployer.deployServices(JRunServiceDeployer.java:111)
  at jrunx.kernel.DeploymentService.loadServices(DeploymentService.java:46)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)
  at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
  at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
  at jrunx.kernel.JRun.startServer(JRun.java:575)
  at jrunx.kernel.JRun.<init>(JRun.java:493)
  at jrunx.kernel.JRun$1.run(JRun.java:346)
  at java.security.AccessController.doPrivileged(Native Method)
  Code:
  ===========
  My Web.xml has the configuration
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>mywebapp</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>viewer</role-name>
  </auth-constraint>
  </security-constraint>
  <security-role>
  <role-name>editor</role-name>
  <role-name>manager</role-name>
  <role-name>supereditor</role-name>
  <role-name>viewer</role-name>
  </security-role>
  </web-app>

  CFMX 7.0.2 is a separate application from JRun. If you have
  the multiserver or j2ee install of CFMX on JRun then you should
  install Updater 6. Also there are hot fixes on top of U6 that you
  might want to install. The following is a link to the JRun 4 hot
  fixes:
  http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_18526
  You should check each one individually to see if it applies
  to Updater 6.
  Ted Zimmerman

• Role authorization for product selection

  Hi All,
  i have a requirement for which i need your help. Now my Account Manager can see all products while placing an order. I want to restrict his selection to only 5* and 6* products. That means when he will look for placing an order in the next time, he should only see 5* and 6* products not all products. Can you please tell me how to go about this role authorization. 
  your valuable inputs will be appreciated.
  Regards,
  Sasmita

  Hi,
  I feel Access Control Engine would be the most elegant and futuristic solution.
  However, you need to review all the solutions suggested. Solution suggested by Shalini and Ashish are more practical. However, generally partner product range is used in case of Sold-to parties.
  Please review all the solutions suggested and take decision based on circumstances at your client's end.
  You can get more information about Access Control Engine at
  http://help.sap.com/saphelp_crm40/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/frameset.htm.
  Also there are several guides and cookbooks on ACE at service market place.
  Regards,
  Deepak

• Restricting the ATP user for GATP - corrrect roles/authorizations

  Hi:
  If the dialog user that is used for the ATP check (from ECC to GATP) has more authorizations than needed and this is going to be a problem in production. The user can run SCM transactions from the results screen of ECC and this is not desirable.
  Therefore, the ATP user should be a restricted user that has only authorizations for this specific task. If you know what are the exact roles/authorizations to give to the ATP user, could you share them?
  Thanks in advance.
  Satish

  For R/3 please check OSS  Note 447543 - APO: Authorizations too comprehensive/not user-specific.
  "If it is necessary to have different authorization profiles in APO for different R/3 users when calling in APO, the following solution applies:
  Activate the setting in SM59 that is used for the RFC connection CURRENT USER.
  In the APO system, create the respective users and assign authorization profiles. This is necessary in order to achieve the necessary flexibility concerning authorizations in the APO system."
  For APO :
  AuthorizationsObject   C_APO_ATP in APO .
  please chose activity as per  user role.
  01       Create or generate
  02       Change
  03       Display
  04       Print, edit message
  06       Delete
  16       Execute
  39       Check
  Manish
  Edited by: Manish Kumar Rathi on Oct 21, 2008 1:24 PM

• Indirect role assignment using HR-ORG, any concern

  May someone share their view or experience on indirect role assignment using HR-ORG, i.e. assign role to HR position or org unit instead of user.
  Here are some of my concerns:
  1. HR data is maintain by HR staff and their task should be separate from authorization/user assignment.
  2. When using with CUA, distribute HR structure to CUA parent system is not acceptable because HR data is sensitive.

  Well I think the Position and User are created by the functional consultant, but the authorization you are talking about is taken care by the BASIS consultant.

• SAP BI : Roles & Authorizations

  Hi,
  I am working on roles & authorizations for SAP BI 7.0 How can I create authorization for a scenario mentioned below:
  One user (userid ALAN) has two vendors under him viz V001 & V001A.
  V001 has access to plant A001, A002 and
  V001A has access to plant A002, A003, F002.
  The data is created in SAP R3 and brought into SRM using criteria based on document type say ELEM. Even though V001 does not have access to plant A003, it can create documents of type ELEM. The business does not want this document to appear for V001.
  The business needs documents to be displayed as follows, irrespective of documents existing in SAP R3:
  Plants A001, A002 for V001 and
  Plants A002, A003, F002 for V001A.
  Please confirm if the following approach will work:
  Create vendor - plant role
  Role 1
  Vendor = V001
  Plants = A001, A002
  Role 2
  Vendor = V001A
  Plants = A002, A003, F002
  Assign User ALAN both roles Role 1 and Role 2.
  Please suggest a solution as I have to deliver about 2000+ roles by end of week.
  Thanks in advance.

  Hi,
  Seems that you are looking for a merge of the authorization. Please take a look in the note 1000004 where you are going to see the explanation about the merging.
  1000004 - Merging and optimizing analysis authorizations
  This documentation should help you.
  Regards,
  Rafael

• Role Creation using CAT Scripts

  Hi,
  Step by step procedure needed.
  I need role creation using scripts(SECATT),org values that needs to maintain
  is full authorization.
  pls help me.
  ram

  Hi Ram,
  There is a SECATT tutorial here: http://www.*********************/tutorials/secatt_user_create.html
  If you learn that & the principles associated with SECATT then you can apply that to creating and populating roles.
  In my opinion SCAT is much easier to use, though less flexible,

• Nexus, command authorization using TACACS.

  Hello.
  Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
  Thanks.
  Regards.
  Andrea

  Hi Andrea,
  We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
  username admin password role network-admin ; local admin user
  feature tacacs+ ; enable the tacacs feature
  tacacs-server host key ; define key for tacacs server
  aaa group server tacacs+ tacacs ; create group called 'tacacs'
      server ;define tacacs server IP
      use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
      source-interface mgmt0 ; ...and send them from the mgmt interface
  aaa authentication login default group tacacs ; use tacacs for login auth
  aaa authentication login console group tacacs  ; use tacacs for console login auth
  aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
  aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
  aaa accounting default group tacacs ; send accounting records to tacacs
  Hope that works for you!
  (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
  Rob...

• AAA Authorization Using Local Database

  Hi Guys,
  I'm planning to use AAA authorization using local database. I have read already about it, I have configured the AAA new-model command and I have setup user's already. But I'm stuck at the part where I will already give certain user access to certain commands using local database. Hope you can help on this.
  FYI: I know using ACS/TACACS+/RADIUS is much more easy and powerful but my company will most likely only use local database.

  For allowing limited read only access , use this example,
  We need these commands on the switch
  Switch(config)#do sh run | in priv
  username admin privilege 15 password 0 cisco123!
  username test privilege 0 password 0 cisco
  privilege exec level 0 show ip interface brief
  privilege exec level 0 show ip interface
  privilege exec level 0 show interface
  privilege exec level 0 show switch
  No need for user to login to enable mode. All priv 0 commands are now there in the user mode. See below
  User Access Verification
  Username: test
  Password:
  Switch>show ?
  diagnostic Show command for diagnostic
  flash1: display information about flash1: file system
  flash: display information about flash: file system
  interfaces Interface status and configuration
  ip IP information
  switch show information about the stack ring
  Switch>show switch
  Switch/Stack Mac Address : 0015.f9c1.ca80
  H/W Current
  Switch# Role Mac Address Priority Version State
  *1 Master 0015.f9c1.ca80 1 0 Ready
  Switch>show run
  ^
  % Invalid input detected at '^' marker.
  Switch>show aaa server
  ^
  % Invalid input detected at '^' marker.
  Switch>show inter
  Switch>show interfaces
  Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
  Internet address is 192.168.26.3/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Switch>
  Please check this link,
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Role design: use of billing block

  Role design: use of billing block
  Billing block should be applied automatically after the net total hit a certain $ value.
  For example, any credit memo request above $1,000 would automatically get a billing block. 
  User ID #12345 can release a billing block up to $1,000.
  User ID #67890 can release a billing block up to $10,000.

  Which transaction(s) are the user ID´s designed to use for this?
  Can it be assumed that the "billing" is resulting from the "dispatching" (Warenausgang) or a milestone of some project?
  Where is the user and the role?
  Sorry I dont understand the question. Perhaps you should first ask functional questions about this in the Sales and Distribution type of forums to get a real technical feasability answer, then attempt an authorization (role) to enable it.

• Role Authorization Vs ACL in cProjects

  We do not want to use ACL (Authorization at the Project level) to grant authorization. We are looking for a way to have this authorization by roles. Not too sure if the minutest of details can be controlled by authorization objects.
  Of the few requirements that we have, one goes as follows:
  1. We need a role of "Resource Manager" to be able to view all projects. However, this role must not be able to edit the project structure. This is possible. However, another requirement that we have is that this role must have all "admin" level access at the "Resources" level. Which means, this role must be able to staff roles and assign tasks to roles and resources, but must have read-only access to the project structure.
  Can this be done?
  2. Another requirement is with regard to status management. We want a role to have the authorization to set only select statusses. We have a combination of standard and custom stasusses in the status profile that we are using. We look to control the access for roles by which one role can only set a few of these statusses.
  Can this be done?
  Thanks and Regards...

  Hi Peter,
  We have exactly the same need, and unfortunately everything is not solved yet.
  1/ In standard, there is no distinction between project and role authorizations. This means you need 'admin' auth at project level if you want to manage the roles. We created an OSS message for this, and SAP answer was to create a development request --> Until then, and if we get a positive answer, nothing can be done to separate project & role authorizations. So there is no solution today.
  2/ For the statuses, we add to enhance class CL_DPR_STATUS_MANAGEMENT, methods GET_PERMITTED_USER_STATUS and/or GET_PERMITTED_ACTIVITIES. Thanks to this, we are now able to filter the status list that is populated in the screen.
  Regards,
  Matthias

• Hierarchy Authorization using Variable via Customer Exit

  Hi experts,
  I am wondering if I can do Hierarchy Authorization using Variable via Customer Exit? I know it can be done on normal value authorization by putting $+(the variable name). So can we do the same for Hierarchy authorization?
  For my case I have a 0ORGUNIT and I would allow the role to access anything below its node. So do I put $VARORGUNIT in Technical Node Name and Hierarchy name as ORGEH, Type of authorization = 1 and Area of Validity = 3.
  Points will be given!
  Thanx!

  Hello Chee Jason,
  Are you working with version 3.5 or 7.0
  How do you specify Hierarchy variable?
  Any advise you can share is very much appreciated.
  Thanks,
  Patrick

• How to trace the missing authorizations using NWBC at object level

  Hi all,
  In SAP R/3 any authorization issue can be tracked down till authorization object level using SU53 tcode and ST01 tcode.
  1 - I have a super user who has all the roles in Solution manager system and test user which I created with just 1 role Incident management role. But when I login with Super user ID I can see in tcode (WDY_APPLICATION - Incident Management ) I have 4 tabs (Overview,Messages,Reports and Queries) but when I execute the same tcode using test ID I can only see Overview and Messages tab. Report and Query tab were missing . Please advice on how to trace the missing authorizations using NWBC at object level? or how to solve this issue......
  2 - How to add a Web dynpro Transaction code (example WDY_APPLICATION - Incident Management )while building a role in PFCG?
  Thanks
  LAK

  Hi Gurus,
  Can anyone please help me with my questions.
  In addition here are few more info that I need
  How to bring in the new authorizations without logiing off and logging in back in NWBC ( Equivalent to Menu-->Refresh in SAP GUI)
  Thanks
  LAK

• Necessary Roles/authorizations required to Userid for workflow assignment.

  Hi all,
  Am working on a Custom workflow assignment.
  This is the first time, customer is working on workflows in this system.
  Henceforth, we need to do basic setup/configuration, before starting actual work.
  I want to know, what all Roles/authorizations are required for my userid throughout the assignment.
  Currently, we have got,
  EXX_BC_SAP_ALL_RESTRICTED :: All authorization without basis
  SAP_BC_BMT_WFM_ADMIN::Administrator for Business Workflow
  SAP_BC_BMT_WFM_DEVELOPER::Developer for Business Workflow
  SAP_SWFMOD_ADMIN::Workflow Modeler Administrator
  Are these sufficient or do we need any other roles?
  With above authorizations, i am unable to access below mentioned t-codes,
  SWNCONFIG                     Extended notifications for business workflow
  SWU3                             Automatic Workflow Customizing
  SWWCOND_INSERT     Schedule background job for work item deadline monitoring
  SWWCLEAR_INSERT     Schedule background job for clearing tasks
  Pls let me know the role, i need to get for above t-codes.
  Kindly go thru your SU01 t-code & let me know what all roles are used in your workflow system.
  cheers.
  santosh.

  Hi,
  I recommend you to have roles related to SWLD tcode (SAP menu Workflow). The basis must know what are the exact names.
  These are some roles:
  SAP_BC_BMT_WFM_ADMIN                    --> Administrator for Business Workflow
  SAP_BC_BMT_WFM_CONTROLLER         --> Process Controller for Business Workflow
  SAP_BC_BMT_WFM_DEVELOPER                --> Developer for Business Workflow
  SAP_BC_BMT_WFM_GP_ADMIN                --> Role for Guided Procedure Business Workflow Administrators
  SAP_BC_BMT_WFM_GP_SERVICE_USER -->Service User for Guided Procedures Business Workflow API
  SAP_BC_BMT_WFM_PROCESS              --> Business Workflow Implementation Team
  SAP_BC_BMT_WFM_UWL_ADMIN              --> UWL: Administrator for Workflow Functionality
  SAP_BC_BMT_WFM_UWL_END_USER         --> UWL: End User for Workflow Functionality
  SAP_SWFMOD_ADMIN                              --> Workflow Modeler Administrator
  SAP_SWFMOD_TRANSPORT                         --> Access to transport manager
  SAP_SWFMOD_USER                              --> Workflow Modeler Administrator
  SAP_WF_ADMINISTRATION                         --> Business Workflow: Work for administrator
  SAP_WF_CONTROLLER                              --> Business Workflow:Work for process controller
  SAP_WF_EVERYONE                              --> Business Workflow: Work for Everyone
  SAP_WF_IMPLEMENTATION                         --> Business Workflow: Work for Implementation Team
  Regards,