Security/Authorization

Similar Messages

• Best Approach to create Security / Authorization Schema for an APEX Apps

  Hi,
  I am planning to create a Security / Authorization Schema for an APEX Application.
  Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
  I am looking for following features...
  1. users LOGIN and then user's name is stored in APEX_USER...
  2. Based on the user, I want to restrict the Application on following levels.
  - TABS
  - TABS - Page1 (Report
  - Page2 (Form)
  - Page2 (Region1)
  - Page2 (Region1, Button1)
  - Page2 (Region1, Items,....)
  AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
  I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
  My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
  Also what should be the FRONT end, we should have to enter these detail...
  SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
  Thanks,
  Deepak

  Hi Raghu,
  thanks for the detial info.
  so that means..I should have 2 table...
  master table (2 columns - username, password)
          username    password
     user1       xxxx
     user2       xxxx2nd table (2 columns - username, chq_disp_option)
  - In this table, we don't have Y/N Flag you mentioned..
  - If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
  - so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
  - suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
            username    chq_disp_option
     user1       re_region1
     user1       re_region2
     user1       tb_main
     user1       Page1
     user1       Page5
     ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
  - is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
  Thanks,
  Deepak

• BW Security/Authorizations

  Hi,
  I am new in the BW authorizations.Where can I find documetation about BW's Security/authorizations?
  please free to forward documents to my mail id
  xxx
  Thanks&Regards
  vamsi
  Message was edited by:
          Frank Koehntopp

  hi Vamsi,
  take a look
  http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/adeac294-0501-0010-5a97-9ac5d562b1be
  hope this helps.

• JDev11 R.1. ADF Security Authorization

  Hi,
  I would like to know if it might be possible to use authenticatication via RDBMS authentication provider of Weblogic App. Server and ADF Security Authorization together in a JDev 11 application?. I am reading documentation and it says that; 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store. One could define roles and its access rights in jazn-data.xml and might expect authentication and isUserInRole services coming from the authentication service without defining users (role members) at design time. Is it or will it be possible in future?
  Best Regards.

  Hi
  I think it is too early and I don't know if they will ever build this. ( because they also have to support other app servers). Is RDBMS authentication provider of Weblogic App. Server a JAAS implementation?
  in TP4 you had a db login module , don't know if this is supported in 11g production.
  jps-config.xml
  <serviceInstance provider="jaas.login.provider" name="testlogin">
  <description>Sample LoginModule</description>
  <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
  <property value="REQUIRED" name="jaas.login.controlFlag"/>
  <property value="ovs_user" name="table"/>
  <property value="jdbc/OVSDS" name="data_source_name"/>
  <property value="role_name" name="groupMembershipGroupFieldName"/>
  <property value="password" name="passwordField"/>
  <property value="ovs_user_role_view" name="groupMembershipTableName"/>
  <property value="role_name" name="usernameField"/>
  <property value="role_name" name="pw_encoding_class"/>
  <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="groupMembershipGroupFieldName"/>
  </serviceInstance>
  <serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
  <property value="true" name="debug"/>
  <property value="true" name="addAllRoles"/>
  <property value="passwd" name="passwordField"/>
  <property value="role_name" name="groupMembershipGroupFieldName"/>
  <property value="jdbc/authschemaDS" name="data_source_name"/>
  <property value="REQUIRED" name="jaas.login.controlFlag"/>
  <property value="application_roles" name="groupMembershipTableName"/>
  <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
  <property value="FINEST" name="log.level"/>
  <property value="username" name="usernameField"/>
  <property value="application_users" name="table"/>
  <property value="username" name="user_pk_column"/>
  <property value="username" name="roles_fk_column"/>
  <property value="tolower" name="casing"/>
  <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
  </serviceInstance>
  thanks Edwin
  Edited by: biemond on Oct 19, 2008 10:50 AM

• Role base security & authorization

  hi,
       i want the details about Role based security & authorization for all objects in reporting and the T.codes related to security & authorization (like RSSM ....).
  plz help me with any document and security manual

  Hi,
  I hope search inthese forums would definately hep you.
  My previous postings on the Data level security at the Reporting side:
  https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2940809.
  https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2783106
  And take a loook on the links:
  https://websmp107.sap-ag.de/~sapidb/011000358700000274062002
  https://websmp107.sap-ag.de/~sapidb/011000358700000972382004
  With rgds,
  Anil Kumar Sharma .P
  Message was edited by:
          Anil Kumar Sharma

• Security Authorizations for IDOC

  can anybody explai me following.
  Roles and responsibility wrt the Security Authorizations the user should have to process the IDOCs at the receiving end and also the monitoring the IDOCs
  Regards,
  Rahul

  Hi Shesha,
  I presume you have the SAP Integration kit intalled and configured, and imported the BW roles in the CMC... you are also login with the SAP user account (User1, User2). This would be a base requirement to make this work.
  In your OLAP universe, you need to set the connection properties of the connection to. Select Use Single Sign On when refreshing reports at view time to allow the user to benefit from SAP SSO.
  You have currently used User1 for the connection and saved the universe with this user id, thus, when the connection is made to BW, it is User1 with its role permissions accessing the data, even if you are logged on as User2, User1 is being authenticated.
  Hope this helps
  Jacques

• Page 0 security: authorization scheme not applied to other pages

  the page 0 security: authorization scheme not applied to other pages (neither as an override for existing pages nor as a default for new pages).
  how is this intended to work?

  mcstock,
  Can you clarify your question please? Can you give specific steps to reproduce this issue that you are inquiring about?
  Thanks.
  Joel

• ADF Security Authorization

  As it's written in Oracle® Application Development Framework Developer’s Guide For Forms/4GL Developers B25947-01 I created file adf-config.xml file like this
  <?xml version="1.0" encoding="windows-1252" ?>
  <adf-config xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation=" http://xmlns.oracle.com/adf/config
  ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
  xmlns=" http://xmlns.oracle.com/adf/config "
  xmlns:sec=" http://xmlns.oracle.com/adf/security/config ">
  <sec:adf-config-child xmlns=" http://xmlns.oracle.com/adf/security/config ">
  <JaasSecurityContext
       initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
       authorizationEnforce="true"
       jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurity Context" >
  </JaasSecurityContext>
  </sec:adf-config-child>
  </adf-config>
  Assigned permissions to my roles in Authorization editior on iterators etc.. But it did get any effect.
  All roles have full access to iterators!
  ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled() returns false

  Hi,
  here's the adf-config file from my woking app
  <?xml version="1.0" encoding="windows-1252" ?>
  <adf-config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.oracle.com/adf/config ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
  xmlns="http://xmlns.oracle.com/adf/config"
  xmlns:sec="http://xmlns.oracle.com/adf/security/config">
  <sec:adf-config-child xmlns="http://xmlns.oracle.com/adf/security/config">
  <JaasSecurityContext initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
  jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurityContext"
  authorizationEnforce="true"/>
  </sec:adf-config-child>
  </adf-config>
  Note that I don't use debug but run it from JDeveloper and the security settings are enforced. Did you set up the web.xml file - in other words, are you able to authenticate?
  Frank

• Declarative Security, Authorization and SSL

  Hi all, I'm trying to find the most elegant and simple way to restrict access to my web content and I'd like to have your opinion on how to make it better or how other solve similar tasks.
  The situation is:
  My web-site (Tomcat 5.5/JBoss) has 50% of pages with access restricted by declarative security in deployment descriptor.
  I use web container authorization (BASIC or FORM-based).
  Many of my prospective web-clients have old PCs with old web-browsers, so I consider usage of SSL everywhere is not a good idea. Neither DIGEST authentication is.
  Therefore, I want to secure with SSL only the stage of authorization. I realize that in this case the restricted content is not secure, but the information is not confidential. Only user's login and password are.
  How should I do that?
  The problem is that web container intersepts the request to the restricted content and tries to authorize the client via BASIC or FORM methods, but they are not secure, as the page where interception happens may be accessed not via SSL! And, therefore, all authorization interaction with client is not encrypted too.
  I found an ugly trick - in FORM-based authentication I changed the action of my login form to "https://j_security_check" - this ensures that login/password are sent via encrypted channel, but upon successfull authentication Tomcat brings you back not to the page originally requested: "http://mypage.jsp", but to "httpS://mypage.jsp"!!! I.e it does not switch back from SSL to unencrypted connection. In order to avoid this I can assign a special servlet filter to all pages with the restricted, but unencrypted contents, so that this filter will change httpS to http, but this is quite an ugly way, isn't it?
  Can you share some better ideas how to organize this?
  I just don't want to write my own security system while we have one allready.

  Hello,
  I use Tomcat 5.5.4 or 5.5.6 - not sure, home and work... or the other way around.
  Yes you would need to - perhaps it's time to use a header include? They are useful for this kind of thing. Anyway, it does not seem to be flawless; have you tested it on a couple of your pages?
  In my test setup I:
  (1) attempt to access a restricted resource as an unauthenticated user with http
  (2) get redirected to login page which tests for https i.e. isSecure() and redirects to itself with https if test fails
  (3) i login and get redirected to the resource which tests for http and redirects to itself using http if test fails.
  In theory its straightforward... but the redirects that are caused by failed protocol tests don't always 'succeed'; I get left with a blank screen! Of course when omitting these test everything works dandy. Still, hitting refresh a couple times then brings up the page (login or resource) that is expected... which leads me to believe authentication is not failing nor is the attempt to invalidate the session. I say this as I read somewhere that some balls-up causes the browser to get stuck in the j_security_check servlet (or something like that) but I can't remember what causes this. Perhaps you've also read this and can refresh my memory.
  Best regards,
  D

• Security Authorizations in SolMan / ChaRM

  Good Day All;
  I am trying to get a handle on the security settings within Solution Manager / ChaRM.
  Would some be so kind as to point me in the direction of some documentation on this subject.
  Regards
  Don.

  Thanks Roel;
  I am looking at user role authorizations.
  The first thing I want to setup is the Team leader roles.
  I need the team leader to have the ability to do the following
  1.Create Issues
  2.Create change requests
  3.Change the status of a change request to u201CIn Developmentu201D
  4.Create transports and tasks
  5.Release transports
  The Team leader will not have the authorization to u201Capprove u201C change requestsu201D 
  Thanks Again
  Regards
  Don

• Security authorizations assignment

  Hi,
  I'm new to security.
  I want to know the procedure to provide authorization to a single user for a particular transaction code. I know the SU53 or the ST01 trace and how to find the objects being checked. But what I want to know is how you actually add them to the user profile. I do not want other users to get access to the transaction (for eg when I assign it to a role, other users having that role will also get the accesss?)
  I have tried looking at resources, reading notes etc. but haven't found a step-by-step explanation of this.
  Please help.
  Thanks

  Hi Giovanni,
  you should open the role for editiong with transaction PFCG and then switch to Menu. Here you can add the Transaction to the role. Next switch to the tab authorizations. Open the Profile and maintain the missing authorizations. Activate the profile and the role and you should be done.
  Regards
  Gregor

• BI Security Authorization

  Hi Gurus,
  We have just upgraded from BW3.x to BI7. Now we are implementing the BI security in our system.
  I will explain you the scenario, please help me on that:
  Suppose we have given authorization for plant a1 to USER1.
  Now when we are exucuting the query, there in the selection screen for Plant, we give the input as a1 and b1.
  Then in output we are getting as :
  "NO AUTHORIZATION".
  But our requirment is like we want that the data should be displayed for a1 (plant) for USER1. As he has the authorization for plant a1. But this is not happening with BI7 Security.
  Is there solution for that.
  Please help.

  That has already been done.
  As i have said that i m getting "no auth" message when i am executing the query with plant as a1 and b1.
  While i have auth for a1. It shld display for a1 atleast.
  I think, now you shld understand what i m tryin 2 say.

• What is the security/authorization issue with the Newsweek app?

  I have tried for a week to figure out what is going on with this.  No one on either side has any suggestions on how to fix the authorization problem.  All was fine until last Friday.  I don't remember doing any updates, but what a mess.

  Just found this note posted here in 2013:
  <<
  ronaldfromukiah
  Re: I can not sign into my magazine accounts for both Newsweek and Air and Space -All I get it Authentication Failed.  Suggestons??
  Jun 25, 2013 8:19 PM (in response to ronaldfromukiah)
  This is the message I got back from Newsweek!  Good not my iPad!! Thanks every - I will close this when everythign is OK.
  I am sorry for the inconvenience.  When we updated, there was a glitch  with the update, and some subscriptions are not being recognized. We are  working to fix the problem, and I will notify you when this is taken  care of. I am terribly sorry. Thank you for your patience.
  >>

• BW Reporting: Security Authorizations

  I am looking to see if it is possible to create a role in BW that would allow the following:
  -Execute all published queries
  -Create new queries, but only save locally (or to favorites)but not publish globally
  -Modify published queries, but save only locally (or to favorites)
  The role would not have access to create and publish globally new queries or modify and save globally to any existing queries.

  Hi Nathan,
           Create a role using Transaction PFCG and create an Authorization Profile.
  <b>To Execute all published Queries</b>
  Add the Reporting Authorization Objects
  <b>S_RS_COMP</b>: Infoarea, Infoprovider, Reporting Component.
  If you want the user to execute all queries
  Maintain this settings
  <b>Activity: 16 (Execute)</b>
  Infoarea: *
  Infoprovider: *
  Name of Reporting Component: *
  Type of Reporting Component: REP(Query)
  <b>S_RS_COMP1</b>: Reporting Component, Query Owner
  <b>Activity: 16 (Execute)</b>
  Name of Reporting Component: *
  Type of Reporting Component: REP
  Query Owner: * (If you want all users to execute the queries)
  To Create and Change Queries, you've to also include those Activities in the Activity field for the Authorization objects. But I think that will affect globally.
  <b>S_RS_ICUBE or S_RS_ODSO</b>
  This Authorization object grants access to data held in the Infoprovider. For ODS you've to use S_RS_ODSO and for cube you've to use S_RS_ICUBE.
  Maintain the settings.
  For Reporting users, the activities <b>03(Display)</b> and 16(Execute) are the minimum required.
  Infocube Sub Object: DATA
  Infoarea: *
  Infoprovider: *
  <b>To Save Workbooks to Favourites</b>
  For this you've to include the Authorization Objects
  <b>S_GUI</b>: Authorization for GUI Activities.
  Activity: Import and Export(For saving and for opening)
  <b>S_BDS_DS</b>: Authorizations for Document set.
  Activity: 03 and 30.
  Business Document Service: *
  Class: OT
  In addition to these, You've to include the authorization objects S_RFC and S_TCODE(Transaction: RRMX) and maintain the required settings.
  Hope this helps.
  Regards
  Hari
  Message was edited by: Hari Krishnan K

• Security authorizations - batch input session - deleting your own session

  I know that S_BDC_MONI will allow you to delete Batch Input sessions (SM35), but it looks like it will allow you to delete whatever you put in BDCGROUPID, irrespective of whether it's your session or some one elses.
  Is there anything in security, which will allow you to only delete your own sessions, other than having different session names for different people.

  Hi,
  Execute the session in error mode only. If you are still facing the problem, you will have to execute it in foreground.
  Regards,
  Amit