SAP Query, user groups, revoking 'change' rights

Hi,
I have a problem regarding SAP Queries and revoking the change rights. This is what I have done:
1. Created the new user group in SQ03
2. Created the new InfoSet (SQ02), assigned it to the above UG (SQ03)
3. Created the new user, assigned it to the UG in SQ03 and removed the Change checkbox (revoke change rights)
4. Logged on as the new user
5. Started SQ01, switched user group to the new one
6. Created the new SAP query based on the new InfoSet, ran the query
As I understand the principles of user groups and queries, I wasn't supposed to be allowed to do step 6 as the new user, as its change rights were revoked. Why wasn't I stopped?
I searched for a reply in previous posts - everybody agrees on the principles, but I didn't find an explanation of why it doesn't work.
Thanks in advance!
KR,
Igor

The table AQGDBBN does indeed seem to display a mapping of user group to user, but the results are fewer than the actual assignments. And the mapping does not have the Z query user groups that have users assigned in SQ03.
Anything that I may be missing?
Thanks,
Kashif

Similar Messages

  • Assign SQ03 Abap Query User Group to role

    Please advise how to assign SQ03 Abap Query User Group to a role. Thanks.
    Moderator message: please do more research before asking.
    [Rules of engagement|http://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement]
    [Asking Good Questions in the Forums to get Good Answers|/people/rob.burbank/blog/2010/05/12/asking-good-questions-in-the-forums-to-get-good-answers]
    Edited by: Thomas Zloch on May 12, 2011 5:40 PM

    Hello Sunil,
    The problem is that I have hundreds of users to maintain user groups.
    Found out that it is possible to assign a user group to a role and a role to user groups. Implementing HR authorization with indirect assignment of auth. So if I could use SQ10, user groups could also be linked to a position in the org chart.
    SQ10 does allow you to assign a user group to a role, but when you assign the role to a user and the user runs a query, it reports that no user group has been assigned.
    Suspect that there must be a parameter or switch that is not turned on.
    Regards

  • Querying user groups while using @RunAs on a bean

    Hi,
    I am trying to implement a scenario in which I have three entities:
    - bean A - datastore for all users
    - bean B - implementing logic, filtering results from datastore for specific user based on groups he is in
    - User - calling bean B
    Calling chain is User -> bean B -> bean A.
    bean B has to query user groups and filter data based on that. I've implemented that using:
    Subject subject = Security.getCurrentSubject();
    for (Principal principal : subject.getPrincipals()) {
        if (principal instanceof WLSGroup) {
            // principal is one of the caller's groups
        }
    }
    Without any security specified (like @RolesAllowed) it works like charm.
    But I want to add security constraints to the beans:
    @RolesAllowed("admin")
    class A {}
    @RolesAllowed("user")
    class B {}
    The problem is that B cannot access A methods because it is calling A using 'user' security context.
    I've thought I change it to:
    @RunAs("application")
    @RolesAllowed("user")
    class B {}
    "Application" is an account in group admin.
    Now B can call A. The problem is that security context is switched to "application" on entering B's methods. Inside them I cannot query user groups using method presented above, because I get "application" groups.
    Is there a way to change security context on calling other bean methods? Like using Security.runAs( somehowGetApplicationSubject(), runnable) ??
    Other method I've thought of, but I have no idea how to implement that, is somehow querying weblogic to get groups of SessionContext.getCallerPrincipal(), which returns user account regardless of using RunAs.
    Hope someone made through this problem before,
    Krzysiek

    getBounds() will only generally make sense while the component itself is being rendered. I wouldn't be completely surprised if the framework which gets that component also resets its size once it's done painting the thing.
    If you're calling it from outside the rendering loop, perhaps you could try calling validate() on the component, which should force it to determine its size.
    Failing that, you could possibly use getPreferredSize() instead, which will likely obtain a similar result in most cases.

  • SAP DMS User Group

    Hello,
    I have a question: is there any SAP standard table in DMS where I can find out a user name and its user group? A table, tcode, program or query will help. I really need those two fields to be seen. Please help me on how I can extract this in DMS.

    Hi,
    You can navigate following path
    Go to SPRO->cross appln components->Document Management->general data->SAP Easy Document Management->Define user group
    Then in technical information of the screen ( Menu option System -> Status )you shall get the relevant table name.
    Also you can look into Table DRAW field name BEGRU. This field represents Authorization group.
    Regards,
    Deepak Kori
    Edited by: deepakkori on Jan 30, 2012 12:10 PM

  • Giving an OD Network User/Group local admin rights.

    Is there a way to manage workstation admin rights from the server?
    I ran into a problem with Lightroom that requires admin privileges to change the program preferences. We have a lot of graphic art students with roaming profiles, spread out across 5 labs, that need to make this change. I would like to be able to add a group or all network users to the local admin group, for a few days, so the students can make the changes.

    This works on 10.5, not sure about 10.6.
    As root on the client.
    Upgrading legacy group for local admin group - this is from 10.4 days, not sure if you still need to do it.
    dseditgroup -o edit -f n -t group -n /Local/Default admin
    Nest OD group in local admin group
    dseditgroup -o edit -a DirectoryAdminGroup -t group -n /Local/Default admin
    Gen

  • User Group Membership change Alert

    As a system administrator, I will like to be alerted when a user's group membership has changed on the domain. Can Spiceworks compare the imported memberships in its database with AD and alert me when they do not match? Below is an image of the information that SW imports which could be used for this comparison.
    This topic first appeared in the Spiceworks Community

    Assuming you know the dn of the groups to remove the person from and add them to, and the dn of the person to move, you should be able to do something similar to:
    Attributes attrs = new BasicAttributes(true);
    Attribute uniquemember = new BasicAttribute("uniquemember");
    uniquemember.add("uid=user,o=domain.com"); // add the user to move to the attribute
    attrs.put(uniquemember);
    DirContext ctx = ...; // connect to your LDAP dir
    try {
         // remove the user from the old group, then add to the new one
         ctx.modifyAttributes(groupToRemoveFromDN, DirContext.REMOVE_ATTRIBUTE, attrs);
         ctx.modifyAttributes(groupToAddToDN, DirContext.ADD_ATTRIBUTE, attrs);
    } catch (NamingException ne) {
         // return error appropriately
    }
    try {
         ctx.close();
    } catch (NamingException ne) {
         // do what you want with error
    }
    You also might want to check out the JNDI tutorial at http://java.sun.com/products/jndi/tutorial/index.html
    --Nicole

  • How to move users, groups and access rights to new environment

    Hi,
    I have an existing 9.3.1 Shared Services; I created a new environment with 9.3.3.
    Can someone suggest how to move the existing 9.3.1 users to another server which has 9.3.3 Shared Services?
    Is there any way to move them all at one time with some migration, or do we need to create them manually?
    thanks,
    sudhakar

    You can use the cssimportexport utility.
    Even though this link is for 11.1.1.3 and states that it's only for native users, you can in fact use the utility to migrate the provisioning of users both native and external: http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security/ch09s08.html
    FWIW, I prefer the .csv format because of its ease of reading and editing.
    Regards,
    Cameron Lackpour
    P.S. The format is really confusing -- use the export functionality to show you what the format needs to be if you change anything (and I think that at least some of the names of the apps/projects you will have in 9.3.3 will be a little different).
    P.P.S. I would imagine there's an upgrade path but that's beyond my expertise.
    Edited by: CL on Mar 30, 2011 7:55 AM
    I wish OTN had an alert system that indicated when JG was posting on the same subject. I would save my energy as I never get the answer out as fast. :)

  • My user group photo changed without my authorization

    I went to log onto my computer and noticed that the photo of myself which comes up on the screen when I type my password in had changed to a picture of an animal.  How did this happen without my authorisation?

    Someone may have access to your MBP.  I suggest that you change your password.
    Ciao.

  • SQ03 - User Groups missing after Upgrade

    Hi,
    Recently we have upgraded to ECC 6. We have noticed that our SAP Query user groups are missing. We have some reports which we need to access. Any clue?
    Thanks in advance
    Regards
    GB

    http://help.sap.com/saphelp_me52/helpdata/EN/47/1e533e5ff4d064e10000000a114084/frameset.htm

  • SAP query Transport manual activity in Production

    All,
    Do we really need to use a manual step to import the query to the production system using some program? Will it not be automatic, as it is for normal reports?
    Why is this manual step needed?
    Please help me to understand.
    Ram.

    Hello ,
    Please  go through this link
    How to Transport SAP Query(User Group Infoset and Query) to Quality System
    Transporting a SAP Query from DEV to PRD
    Transport of Abap Query

  • Looking for:  UA members with Student SAP User Group

    UA Professors in North America:
    Does your campus have an official SAP student user group, ERP special interest group or similar?  If you do, please post with a brief description of what that group is / does.
    In the next month I would like to organize a conference call for the schools with these SIGs to understand what member schools are doing, how the groups are organized, how the groups are (or are not) affiliated with your SAP initiative on campus, what works / doesn't work for your students and so on.  Students at member schools have more and more interest in starting these groups - and we'd like to be ready to share best practices!  Our colleagues at ASUG are interested in this topic as well, and will join us for the call. 
    Thanks for sharing!
    Best Regards,
    Heather

    Central Michigan University has remained active since Dr. Andera's last post (9/29/10). We fulfilled our goal of visiting Cargill and 3M this past March 2013 in St. Paul/Minneapolis. I attached a couple of pictures of our visits to 3M & Cargill. It was a very rewarding experience that allowed us to present our program to each company in depth. This trip taught us as a group many things. We have also gone to multiple ASUG meetings including Grand Rapids and Detroit. We are currently invited to the ASUG-Illinois Meeting on Nov 1 at Harper College, and will be hosting an event in the fall here on CMU's campus in Mt. Pleasant, MI.
    As a group we have weekly meetings including guest speakers and SAP TERP10 training sessions. Our group has now reached 100+ students and continues to grow each year. There are many things we are doing that attract new students.
    For instance, this past year the Information Management Institute here on campus conducted the 1st annual ERPSim. An annual invitation only competition challenging the best ERPsim teams in a competition to determine which team has developed and implemented the best business strategy for the ERPsim Game.  Twenty teams of four students and one mentor competed head-to-head for the Top Honor of ERPsim Champion. The top five teams were rewarded with scholarship money and plaques.
    So to answer your question, Central Michigan University currently has a very active SAP UASUG , and it only continues to grow!
    If you have any further questions, please do not hesitate to ask, I am the president of the group here at CMU and would love to help you. Just email me at [email protected]

  • SAP query -Security at plant/Comp Code  level

    Hi,
    How can we secure SAP queries on Plant level/Co code level ?
    I developed Query using Sq01.
    Regards
    Pravenn

    Hi,
    GO TO SE93....
    Just create a parameter transaction with reference to START_REPORT transaction. When creating a parameter transaction you have to set the following parameters:
    D_SREPOVARI-REPORTTYPE = AQ
    D_SREPOVARI-REPORT = precisely the first 12 characters - query user group (including trailing spaces), 13-th character is G for global queries
    D_SREPOVARI-EXTDREPORT = Query name as shown in SQ01.
    Do not forget to check the flag "Skip first screen".
    or
    within SQ01 go to "Query>More Functions>Display report name".
    Then you create a t-code from SE93 with the shown report name...
    Maybe you can also use this report; I have copied this from the SDN.
    REPORT ZRUN_QUERY .
    * DECLARATIONS *
    DATA:
      REPORTNAME LIKE AQADEF-PGNAME.
    * SELECTION SCREEN *
    SELECTION-SCREEN BEGIN OF BLOCK B0 WITH FRAME TITLE TEXT-001.
    SELECTION-SCREEN BEGIN OF BLOCK B1 WITH FRAME.
    PARAMETERS: P_BGNAME LIKE AQADEF-BGNAME OBLIGATORY,
                P_QUNAME LIKE AQADEF-QUNAME OBLIGATORY.
    SELECTION-SCREEN END OF BLOCK B1.
    SELECTION-SCREEN END OF BLOCK B0.
    * PROGRAM BODY *
    CALL FUNCTION 'RSAQ_REPORT_NAME'
      EXPORTING
        WORKSPACE  = SPACE
        USERGROUP  = P_BGNAME
        QUERY      = P_QUNAME
      IMPORTING
        REPORTNAME = REPORTNAME.
    CALL FUNCTION 'RSAQ_SUBMIT_QUERY_REPORT'
      EXPORTING
        QUERYREPORT = REPORTNAME
        VARIANTE    = SPACE
      EXCEPTIONS
        ONLY_WITH_VARIANT = 1
        VARIANT_NOT_EXIST = 2
        OTHERS            = 3.
    IF SY-SUBRC <> 0.
      MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
              WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
    ENDIF.
    Please search SDN for "transaction AND sq01"; you will get a lot of links that will give useful info related to creating a transaction code for SQ01.
    aRs

  • SAP BW User getting locked by BO RFC calls

    Hi,
    we are encountering a problem with BO RFC calls locking SAP BW users that recently changed their password in BW.
    Description of the problem in the ticket we raised at the SAP support:
    SAP BO 4.1 SP2 Patch 4, linux installation
    Backend: SAP BW 7.01 EHP8
    BICS interface with SAP authentication
    One of our users gets locked again and again in SAP BW (P19). The cause is an RFC connection that the BusinessObjects server (P59) tries to establish. The user used SAP BO last Friday for the last time and had to change his password in P19 this Tuesday. We think that there is some process within SAP BO still trying to connect to SAP BW from time to time, using the old password. There is no open session visible for that user in the CMC. The user is even getting locked when not in the office and during night time. RFC calls are established almost regularly every hour.
    We already had this behaviour in our test system. Restarting the BO server solved it. However, this is not the solution we want to use in the productive environment. There has to be some way to kill the process that uses the old password on the BO server without restarting the whole server. We do not understand why BO would still try to connect to BW with the old password - this has to be some kind of a bug.
    Meanwhile the error disappeared for the first user (some days after it started, maybe the BO process ran into a timeout). However, other users started having the same behaviour after changing their password.
    Our basis team tried to check the log files for advanced information on the conversations between BO and BW, but did not find any hints on which BO process might try to establish the connections.
    The SAP support seems to be a little helpless at the moment...
    Has anyone had similar problems?
    Regards,
    Robert

    Hi again,
    additional information: after approximately one week after the error appeared for the first time BO stops trying to establish the rfc connection for this specific user. Almost as if the "old-password-BO-process" ran into a 1 week timeout or something like that.
    The problem is really strange. The SAP support is still not able to tell us how to gather the information they require.
    Regards,
    Robert
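One way to surface the pattern described in this thread (failed logons for one user recurring about every hour from a single server) in an exported logon log; this is an added example, not code from the original posts or from SAP. The CSV layout, user names and host names are constructed assumptions, so map the fields from your own audit log export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: timestamp, user, source host, event.
# This is NOT a real SAP log format; adapt the parsing to your export.
SAMPLE_LOG = """\
2014-03-04T01:00:05,USER_A,bo-p59,LOGON_FAILED
2014-03-04T02:00:07,USER_A,bo-p59,LOGON_FAILED
2014-03-04T03:00:04,USER_A,bo-p59,LOGON_FAILED
2014-03-04T04:00:06,USER_A,bo-p59,LOGON_FAILED
2014-03-04T05:00:05,USER_A,bo-p59,LOGON_FAILED
2014-03-04T08:01:10,USER_B,ws-0417,LOGON_FAILED
2014-03-04T08:01:25,USER_B,ws-0417,LOGON_FAILED
2014-03-04T08:02:02,USER_B,ws-0417,LOGON_FAILED
2014-03-04T08:02:40,USER_B,ws-0417,LOGON_OK
2014-03-04T13:40:00,USER_B,ws-0417,LOGON_FAILED
2014-03-04T09:15:00,USER_C,ws-0522,LOGON_FAILED
"""

def periodic_failures(log_text, min_events=4, max_jitter=0.1):
    """Return {(user, source): mean_gap_seconds} for failed logons that recur
    at a near-constant interval. Evenly spaced failures from one source point
    to a process replaying a stored password, not a person mistyping one."""
    times = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, user, source, event = row
        if event == "LOGON_FAILED":
            times[(user, source)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few attempts to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a small value means evenly spaced attempts.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = avg
    return flagged

if __name__ == "__main__":
    for (user, source), gap in periodic_failures(SAMPLE_LOG).items():
        print(f"{user} from {source}: failed logon about every {gap / 60:.0f} min")
```

The flagged source host is where to look for the cached credential; the bursty failures of USER_B and the single failure of USER_C are ignored.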

  • How to create t.code for a sap query

    I have created a SAP query.
    The user wants this as a t.code.
    How to assign a t.code for the SAP query?
    Kindly explain.

    hi,
    The other way of doing it.
    1. Instead of creating your queries in SQ01, use SQVI. Create a query in your production system.
    2. Now execute the query. When you have reached the selection screen, go to System > Status.
    3. Copy the program name.
    4. Now create a Z executable program in your development client. Put this one line of code in it:
    submit program_name_copied_fr_production via selection-screen and return.
    5. Create a TCode and assign the Z program to the TCode.
    6. Transport the Z program and TCode over to Production system.
    Hope this works for you, Do reward.

  • RSBBS: Jump From BW Query to SAP Query

    Hi
    I have a cost center analysis report in BW which has an option to jump to R/3. When I type the transaction RSBBS and give the name of the query, the Receiver application is 'QU' (Sap Query) and the receiver object is 'GZ_BW_INTGRTYZISQ_CCA_Q01' which I am presuming is the query to which the Cost Center analysis report in BW is jumping to.
    How do I view this SAP query and if necessary change it. I have tried tcodes SQ01, SQ02, SQ03 and none of these recognise the above mentioned receiver object
    Kindly advise.
    Regards
    Sheily

    the best way to figure out is to ask ur functional guy the Tcode to get there. it could be anything.
