Scope of rights - Authorizations/Security in BO

Hi,
According to the Administrator's Guide you should be able to set the scope of rights (e.g. give a user/group access to the root folder but not to its subfolders (because of inheritance)).
"'Scope of rights' refers to the ability to control the extent of rights inheritance. To define the scope of a right, you decide whether the right applies to the object, its sub-objects, or both. By default, the scope of a right extends to both objects and sub-objects."
My question is: where/how can I make this setting? Because it is not explained in the Administrator's Guide, nor online.
Thanks a lot!
Regards,
Dave

Hi,
At this moment I'm just testing authorizations in BO.
But suppose I want to give a user the rights to view/edit files in FOLDER E:
Structure:
ROOT
--FOLDER A
--FOLDER B
FOLDER D
FOLDER E
--FOLDER C
I have to give view rights to the root folder because otherwise the user cannot see Folder E. But suppose I only want him to see/edit the contents of folder E.
I suppose this has to be done as you described earlier? Or is there another way to do this?
Thanks
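
The scope rule quoted from the guide, applied to the folder tree from the post, as an added example that is not part of the original thread and not BusinessObjects code. It is a simplified model: the user name, the nesting of FOLDER D and FOLDER E under FOLDER B, and the right names are assumptions, and explicit denials and group membership are not modelled.

```python
from dataclasses import dataclass

# Scope values as named in the guide text quoted in the thread.
OBJECT, SUB_OBJECTS, BOTH = "object", "sub-objects", "both"

# Constructed folder tree (child -> parent). Nesting FOLDER D and FOLDER E
# under FOLDER B is an assumption; the post's indentation is ambiguous.
PARENT = {
    "ROOT": None,
    "FOLDER A": "ROOT",
    "FOLDER B": "ROOT",
    "FOLDER D": "FOLDER B",
    "FOLDER E": "FOLDER B",
    "FOLDER C": "ROOT",
}

@dataclass(frozen=True)
class Grant:
    principal: str
    folder: str
    right: str
    scope: str = BOTH  # default per the guide: object and sub-objects

def ancestors(folder):
    """Yield the parents of `folder`, nearest first."""
    node = PARENT[folder]
    while node is not None:
        yield node
        node = PARENT[node]

def effective_rights(principal, folder, grants):
    """Rights that reach `folder`: set on it directly or inherited."""
    above = set(ancestors(folder))
    rights = set()
    for g in grants:
        if g.principal != principal:
            continue
        direct = g.folder == folder and g.scope in (OBJECT, BOTH)
        inherited = g.folder in above and g.scope in (SUB_OBJECTS, BOTH)
        if direct or inherited:
            rights.add(g.right)
    return rights

def rights_report(principal, grants):
    """Effective rights for every folder, for reviewing a grant set."""
    return {f: effective_rights(principal, f, grants) for f in PARENT}

# Default scope: View on ROOT is inherited by every subfolder.
LEAKY = [Grant("test_user", "ROOT", "view"),
         Grant("test_user", "FOLDER E", "edit")]

# Scoped: View on the path to FOLDER E applies to the object only;
# the working rights on FOLDER E apply to it and its contents.
SCOPED = [Grant("test_user", "ROOT", "view", OBJECT),
          Grant("test_user", "FOLDER B", "view", OBJECT),
          Grant("test_user", "FOLDER E", "view"),
          Grant("test_user", "FOLDER E", "edit")]

if __name__ == "__main__":
    for name, grants in (("default scope", LEAKY), ("object-only scope", SCOPED)):
        print(name)
        for folder, rights in rights_report("test_user", grants).items():
            print(f"  {folder:9} {sorted(rights)}")
```
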

Similar Messages

  • Rights & authorizations on the Visual admin tool SP13

    Can someone tell me whether rights and authorizations can be managed in the Visual Administrator tool, in order to manage access to and users' use of this tool?
    Thanks in advance,
    Eric.

    Hi Daniel,
    Yes, I agree with you, and thanks; but what I want to know is whether I can assign another "group" (rights and/or authorizations) to some users, in order to prevent users from accessing this tool except for viewing, that is, without the possibility of modifying items.
    Eric.

  • Authorizations-Security based on BP relationships

    Dear Experts,
    In a generic sense we could control which BP could be maintained using Authorization Groups (Obj: B_BUPA_GRP), which is not sufficient for us.
    We have a situation: users should be able to view and modify those BPs who are in some relationship with the current user. For example, the user should be able to edit those BPs for which they are contact persons, or something like that.
    Can anyone throw some light on this, please?
    Thanks
    Senthil

    You cannot protect Business Partners based on the relationships object. There is no corresponding auth object for relationships.
    The best approach would be using auth object 'B_BUPA_GRP' for the authorization group.
    In your business scenario, contact persons with the same relationship need to have the same authorization group maintained.
    You find the authorization group field under the Control tab of the BP transaction.
    But the problem with this approach is that you have to define a separate user role and assign it to the user profiles of contact persons with the same relationship. It may lead to creating a lot of user roles, which is not good if you have thousands of BPs.
    Usually BPs are protected using auth objects B_BUPA_GRP (Authorization group) & B_BUPA_RLT (BP Role).
    Thanks,
    Thirumala.

  • Is it really necessary not to have admin rights for security reasons

    I was told that I need to create a second admin account, then log into that, then from there take away my admin privileges, so I would not be an admin and the computer will be much safer.
    Which I did.
    But then so many passwords all the time. I need to insert the admin password for so many things and it is annoying; it is like Vista, which I don't like at all.
    Is this really important to keep the computer secure?
    What are your Leopard security tips?

    anteros27 wrote:
    I was told that I need to create a second admin account, then log into that, then from there take away my admin privileges, so I would not be an admin and the computer will be much safer.
    Which I did.
    But then so many passwords all the time. I need to insert the admin password for so many things and it is annoying; it is like Vista, which I don't like at all.
    What are your Leopard security tips?
    You should have left your original account alone and created a second non-admin user account for day-to-day use. Any non-system apps you need, etc, you can install in the new account.
    It's not easy switching horses in mid-stream so to speak, but it is safer than always using the computer as an administrator.
    If you use Fast Switching, you can quickly access the original account anytime you wish.
    Is this really important to keep the computer secure?
    Yes. Security should come before convenience.
    Again, you are getting all these requests for passwords because you changed your main account rather than creating a new one.
    Browse this thread
    http://discussions.apple.com/thread.jspa?threadID=1798675&tstart=0
    Message was edited by: nerowolfe

  • CMC rights to use Security Query Export functionalities

    In CMC, when I create a Security Query it shows the list of rights a user has on Business Objects objects, and that's fine. However, when I try to export those results I get a message like this:
    You don't have rights to 'Schedule document to run' (id:21) for Security Query Export (ID: 1074)
    On which folder or object in CMC should I set that right? I have no idea! I'm using the Administrator account, so I don't understand why I don't have rights to export the results of the query. I'm using BusinessObjects XI R3.
    Edited by: PadawanGirl on Feb 1, 2012 5:09 PM

    Hello Erika,
    In your CMC > Folders > Administration Tools, make sure Administrators group has Full Control, in particular make sure that the right "schedule Document to run" is granted. If it looks fine, check the same right on Security Query Export object itself.
    Frederique

  • MSS Authorizations

    Hi Walter,
    What authorizations need to be given to MSS users in the ECC 6.0 backend system?
    I got a note: 844639. Is this relevant? If yes, then:
    1. There are so many WD application-based services for MSS. Do I have to get a list of each Authorization Object assigned to all the services and then consolidate it under one single ZMSS role in PFCG?
    2. What about the default values of the sub-objects of all Authorization Objects?
    3. Similar to the ESS composite role SAP_EMPLOYEE_ERP with all the necessary authorizations, don't we have a standard MSS composite role which we can activate directly?
    Appreciate any help on the matter.
    Thanks,
    Shobhit

    Sounds like SSO is not working or the user does not have the right authorization on the R/3 side.
    Users need to have the S_SERVICE authorization object on their R/3 role. Take a look at this document for Self-Service security details:
    https://websmp204.sap-ag.de/~form/sapnet?_FRAME=CONTAINER&_OBJECT=011000358700000566812005E

  • Best practices for securely storing environment properties

    Hi All,
    We have a legacy security module that is included in many different applications. Historically the settings (such as database/LDAP username and password) were stored directly in the files that use them. I'm trying to move towards a more centralized and secure method of storing this information, but need some help.
    First of all, I'm struggling a little bit with proper scoping of these variables. If another application does a cfinclude on one of the assets in this module, these environment settings must be visible to the asset, but preferably not visible to the 'calling' application.
    Second, I'm struggling with the proper way to initialize these settings. If other applications run a cfinclude on these assets, the application.cfm in the local directory of the script that's included does not get processed. I'm left with running an include statement in every file, which I would prefer to avoid if at all possible.
    There are a ton (>50) of applications using this code, so I can't really change the external interface. Should I create a component that returns the private settings and then set the 'public' settings with Server scope? Right now I'm using application scope for everything because of a basic misunderstanding of how the application.cfm's are processed, and that's a mess.
    We're on ColdFusion 7.
    Thanks!

    Hi,
    Thank you for posting in Windows Server Forum.
    As per my research, we can create some script for patching the server and you have 2 servers for each role. If this is primary and backup server respectively then you can manage to update each server separately and bypass the traffic to other server. After completing once for 1 server you can just perform the same step for other server. Because as I know we need to restart the server once for successful patching update to the server.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Authorization object in zee report

    Dear experts,
    How to restrict a user from viewing other sales offices?
    What are the steps to be followed?
    Who will create the authorization object or authorization group: the ABAPer or the functional person?
    I am using AUTHORITY-CHECK in my report for an authorization object which is already created, but
    it is not giving the correct results.
    Do I have to make a new authorization object and class for this?
    How should I control my zee transaction which is attached to this report?

    Hi,
    How to restrict a user from viewing other sales offices?
    What are the steps to be followed?
    Who will create the authorization object or authorization group: the ABAPer or the functional person?
    You need to identify the correct authorization object. The BASIS team can help you with this.
    Usually all security-related activities are taken care of by the BASIS team. It depends from project to project.
    I am using AUTHORITY-CHECK in my report for an authorization object which is already created, but
    it is not giving the correct results.
    What do you mean by not giving correct results? You might have access to the sales areas you are trying to execute. That is why the check is successful.
    Do I have to make a new authorization object and class for this?
    Not required, I hope, as you already got the reply for this.
    How should I control my zee transaction which is attached to this report?
    Give the right authorization group in the T-code as well (SE93). Even if you don't, since you already have the check in the program, no issues I hope. But it is always advised to control this through BASIS at user role level rather than at ABAP level.
    Please note that the authorization check statement won't give any error. You need to throw the error if sy-subrc NE 0 after the AUTHORITY-CHECK statement.
    Hope you are clear now:)
    Thanks,
    Vinod.

  • Security BAM stopped working

    I have done the following security configuration to provide authentication and authorization for BAM reports.
    1) Create a user called 'ausreport' in the WebLogic admin console default realm 'myrealm'.
    2) Create a group called 'AABViewers' and add the user 'ausreport' to that group in the WL Console.
    3) Next, in the SOA 11g Enterprise Manager console, the following configuration has been done. Go to domain --> BAM --> oracle BAM server, right click Security --> Application Roles. Select Report Viewer Role and edit to add Groups 'AABViewers' and below add user 'ausreport'.
    This same configuration is working on Sandpit environment and not on Development environment. The same configuration was working in the Development environment a day ago. Nothing has changed since then. Please advise.
    Test Scenario. Should be able to login to BAM console using 'ausreport' user and have access to Active Viewer button only

    Did anybody else face this issue. How do I debug this now?
    Thanks

  • Query Edit Security Settings

    I have a system in which some users are frequently creating and editing queries in BW production.  These queries were mostly transported from BWD --> BWP.
    They seem to have the ability to copy a query and then edit and save those changes, BUT when they then try to make further changes to the new query they are told that they don't have security authorization. It also seems that they are unable to delete queries even if they created them.
    Any ideas on what rights I need to give them or what transport settings I need to make?

    Hi Will,
    If your production system is closed for development (in SCC4), you should first allow the creation of queries. You do that in the transport connection, with the button 'object changeability'. Set ELEM (query element) to 'everything changeable'.
    Then you have to make sure that the key users that should be able to make the copy of the queries have a role with the right authorizations.
    They need to have object S_RS_COMP with the sub-items:
    ACTVT: 01, 02, 03, 06, 16
    RSINFOAREA: authorized info-areas (or *)
    RSINFOCUBE: authorized infoCubes (or *)
    RSZCOMPID: SU_*  (in your case)
    RSZCOMPTP: REP
    Based on your system settings, it could also be that you need the authorization objects S_TRANSPRT, S_CTS_ADMI and S_DATASET. You can check that by performing an authorization trace in trx. ST01.
    Good luck!
    Daniel

  • BI-IP Authorizations: Accessing own Cost Center only

    Hi,
    We are currently implementing BI-IP in our company. We have created the ready-input templates and we are prepared for roll-out.
    There is still one concern though which I haven't resolved. I am currently looking for an AUTHORIZATION that will let users access their respective COST CENTERS only. For example, if I am part of the Marketing Group, then I will only be able to access the budget of my respective cost center.
    Can anyone lead me to the right AUTHORIZATION OBJECT in BI-IP to implement this restriction.
    Your reply is much appreciated. Thanks.
    Regards,
    Ramon

    Hi Ramon,
    authorizations for transaction data in BI (and therefore in BI-IP) are not based on authorization objects. You have to make the cost center InfoObject authorization relevant and then create so called Analysis Authorizations for it. Please see the online help:
    http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm
    BTW, you can upload the cost center authorizations from SAP R/3 or ERP.
    http://help.sap.com/saphelp_nw70/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
    Regards,
    Marc
    SAP NetWeaver RIG

  • IDOC Scenario - User  has no RFC authorization for function group EDIN

    Hi all,
    I'm trying to configure an IDOC scenario from ECC to XI.
    RFC's, ports and destinations already configured. On WE19 I'm creating an IDOC for testing the scenario. The IDOC is sent successfully, and it stops on TRFC Monitor with error "User PIRFCUSER has no RFC authorization for function group EDIN." .
    Do any of you know what authorization is needed? The Basis team said the roles are the same as in the DEV environment, and there this scenario works fine.
    Thanks for your help.
    regards.
    Roberti

    Hi,
    Check whether the PIRFCUSER user has the right authorization or not.
    And make sure that this user is present in the system and is not locked.
    To check whether the user is present, go to SU01 of the system and check.
    Regards
    Seshagiri

  • How can I sync security between Planning, HSS and EAS?

    Hi,
    I think that I have trouble with security. Many answers on this forum say that I need to sync security between Planning, HSS and EAS.
    How can I do it on EPM11.1.1.3?

    Hi,
    If you feel that Shared Services is not in sync with Planning then you can use the provisionusers utility (http://download.oracle.com/docs/cd/E12825_01/epm.111/hp_admin/ch03s13.html).
    If you want to sync Essbase with Shared Services you can either right click security in EAS and refresh from HSS, or use MaxL.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Check authorization after selection in navigation bar

    Hi,
    There is a standard entry in the navigation bar, "Create service ticket", that calls the view set SrvTViewSet for creation of service tickets. The view set consists of four standard view areas: SrvtHead, SrvtBus, SrvtPartner, SrvtSLA. We have not modified the views themselves, only the IMPL class for the SrvtHead, since we have modified methods in the class. The problem occurs when the user does not have the right authorization to create service tickets at all (after she has selected Create service ticket in the navigation bar): an error message is created saying "Wrong authorization", but the four screens also dump with message cx_sf_ref_is initial or an exception has occurred in cx_bsp_element_exception.
    First I tried to take care of the authorization check myself in each of the four views, but then I thought that this would not be the correct solution. Instead the user would get an error message when she selects "Create service ticket" in the navigation bar, and the error message would appear before showing the Create service ticket view at all. Is this possible? There are two authorization objects created, but the standard does not seem to work regarding the authorization check.
    Is there anyone having any ideas?
    Thank you and goodbye,
    Lena

    I think what you can do is replace the controller for the Navbar view, CL_CRM_IC_NAVBARVIEW, with your own custom class (do a controller replacement in the Framework Profile).
    Then redefine the method PROCESS_NAVIGATION_REQUEST.
    Inside this method, you can check which Nav Link was clicked. If it is 'Create Service Ticket', perform the authorization check or whatever you want, and if it is not successful, raise an error message using the code below and have a RETURN statement.
    data : lv_msgsrv type ref to cl_bsp_wd_message_service.
    lv_msgsrv =  cl_bsp_wd_message_service=>get_instance( ).
    lv_msgsrv->add_message( ..... ) .

  • Authorization check for links on a page

    We are trying to control whether links on a JSP page are displayed or hidden based on an authorization check.
    We've already got the checks working on individual pages but not for the links within a page, because the security framework does not list links as their own Resource.
    Is there a way to call the Authorization security provider ourselves, for each link on our JSPs? This call would be outside of the initial security check for the main JSP.

    It's not going to be easy without DOM. Parsing HTML is a real pain, since there's all kinds of optional tags and quotation marks (pre-XHTML, that is). That makes any kind of ad-hoc parsing using regular expressions difficult, and less accurate than pulling the entire file into a DOM representation.
    Why don't you want to use DOM? Are you just making up silly requirements?
    EDIT:
    I guess you could use an event-based HTML parser (HTML::Parser in Perl works this way. Is there a Java equivalent?) Set up an event for IMG and A start tags, and extract the href/src attributes there. Finding out if they are valid or not will require either:
    1) Simply validate that the URL is well-formed by creating a URL object from it. This won't tell you if the link is active or not
    2) Validate the URL by connecting to it with an URLConnection. However, the URL will be marked invalid if the server is down or the URL is otherwise unavailable.
    Brian
