Security authorizations assignment

Hi,
I'm new to security.
I want to know the procedure to provide authorization to a single user for a particular transaction code. I know the SU53 or the ST01 trace and how to find the objects being checked. But what I want to know is how you actually add them to the user profile. I do not want other users to get access to the transaction (for eg when I assign it to a role, other users having that role will also get the accesss?)
I have tried looking at resources, reading notes etc. but haven't found a step-by-step explanation of this.
Please help.
Thanks

Hi Giovanni,
you should open the role for editiong with transaction PFCG and then switch to Menu. Here you can add the Transaction to the role. Next switch to the tab authorizations. Open the Profile and maintain the missing authorizations. Activate the profile and the role and you should be done.
Regards
Gregor

Similar Messages

Security-role and security-role-assignment not working in WL7.0

Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
<security-role>
<role-name>Employees</role-name>
</security-role>
<method-permission>
<role-name>Employees</role-name>
<method>
<ejb-name>CustomerEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>Employees</role-name>
<principal-name>guest</principal-name>
<principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicity connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com

Below are the screen shots for PFCG:

Authorization Assigned to User

Hi,
According to error message, I can't forward incident to SAP as a processor because of lack of authorization.
Right now, I'm having an issue regarding authorization assigned to each user.
I log on as my own ID and password and try to assign authorization.
There's no more authorization being assigned under user ID I'd like to assign.
I've done with the existing authorization and mark all I can assign.
Can anyone give me a favor for this issue?
Thanks

Hi George,
All related information for the above can be found here:
https://websmp104.sap-ag.de/instguides
 > SAP Components
 > SAP Solution Manager
 > Release 7.1
 > 4. Operations
> choose your SP level for
Security Guide SAP Solution Manager 7.1.
Regards,
Ruth

Projects Contract (R 12.1.3) Security Role Assignment

In Projects Contract (R 12.1.3), is there any way we can have contingent worker(s) in the List of Values for “Employee” in Security Role Assignment window?

Please check the Profile Option - OKE: Allow Contingent Workers
This profile option determines whether contingent workers can be granted access to contracts or not.

Best Approach to create Security / Authorization Schema for an APEX Apps

Hi,
I am planning to create a Security / Authorization Schema for an APEX Application.
Just want to know what is the best approach to create the security feature in APEX, so that it should be re-used in other APEXApplications too..
I am looking for following features...
1. users LOGIN and then user's name is stored in APEX_USER...
2. Based on the user, I want to restrict the Application on following levels.
- TABS
- TABS - Page1 (Report
- Page2 (Form)
- Page2 (Region1)
- Page2 (Region1, Button1)
- Page2 (Region1, Items,....)
AND so on.....basically depending on user....he will have access to certain TABS, Pages, Regions, Buttons, Items...
I know, we have to create the Authorization Schema for this and then attach these Authorization Schema to the different Level we want.
My Question is, what should be the TABLE structure to capture these info for each user...where we will say...this USER will have following access...AND then we create Authorization Schema from this table...
Also what should be the FRONT end, we should have to enter these detail...
SO, wondering, lot of people may already have implemented this feature....so if guys can provide the BEST Approach (re-usable for other APEX Application)....that will be really nice..
Thanks,
Deepak

Hi Raghu,
thanks for the detial info.
so that means..I should have 2 table...
master table (2 columns - username, password)
        username    password
   user1       xxxx
   user2       xxxx2nd table (2 columns - username, chq_disp_option)
- In this table, we don't have Y/N Flag you mentioned..
- If we have to enter all the regions/tabs/pages in the Applications here or just those regions/tabs/pages for which are conditionally diaplayed.
- so that means in all the Pages/Regions/tabs/items in the entire Application, we have to call the Conditionally display..
- suppose we have 3 tabs, 5 pages, 6 regions, 15 items..that means in this table we have to enter (3+5+6+15) = 29 records for each individual users..
          username    chq_disp_option
   user1       re_region1
   user1       re_region2
   user1       tb_main
   user1       Page1
   user1       Page5
   ----        ----     - how you are defining unique name for Regions..i mean in static ID or the Title
- is the unique name for tab & item is same as the TAB_NAME (T_HOME) & Item Name (P1_ITEM1) or you are defining somewhere else.
Thanks,
Deepak

BW Security/Authorizations

Hi,
I am new in the BW authorizations.Where can I find documetation about BW's Security/authorizations?
please free to forward documents to my mail id
xxx
Thanks&Regards
vamsi
Message was edited by:
Frank Koehntopp

hi Vamsi,
take a look
http://help.sap.com/saphelp_bw33/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/adeac294-0501-0010-5a97-9ac5d562b1be
hope this helps.

The security-role-assignment references an invalid security-role: Certifica

In Oracle Enterprise Pack for Eclipse, I failed to deploy an application in debug mode. The error I noticed in my domain log is:
weblogic.management.DeploymentException: [HTTP:101168]The security-role-assignment references an invalid security-role: Certificate.
 at weblogic.servlet.security.internal.WebAppSecurity.setRoleMapping(WebAppSecurity.java:180)
 at weblogic.servlet.security.internal.WebAppSecurity.registerSecurityRoles(WebAppSecurity.java:155)
 at weblogic.servlet.internal.WebAppServletContext.prepareFromDescriptors(WebAppServletContext.java:1181)
 at weblogic.servlet.internal.WebAppServletContext.prepare(WebAppServletContext.java:1120)
 at weblogic.servlet.internal.HttpServer.doPostContextInit(HttpServer.java:449)
 at weblogic.servlet.internal.HttpServer.loadWebApp(HttpServer.java:424)
 at weblogic.servlet.internal.WebAppModule.registerWebApp(WebAppModule.java:910)
 at weblogic.servlet.internal.WebAppModule.prepare(WebAppModule.java:364)
 at weblogic.application.internal.flow.ScopedModuleDriver.prepare(ScopedModuleDriver.java:176)
 at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:93)
 at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:387)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
 at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:58)
 at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:42)
 at weblogic.application.internal.BaseDeployment$1.next(BaseDeployment.java:615)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
 at weblogic.application.internal.BaseDeployment.prepare(BaseDeployment.java:191)
 at weblogic.application.internal.EarDeployment.prepare(EarDeployment.java:16)
 at weblogic.application.internal.DeploymentStateChecker.prepare(DeploymentStateChecker.java:155)
 at weblogic.deploy.internal.targetserver.AppContainerInvoker.prepare(AppContainerInvoker.java:60)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.createAndPrepareContainer(ActivateOperation.java:197)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doPrepare(ActivateOperation.java:89)
 at weblogic.deploy.internal.targetserver.operations.AbstractOperation.prepare(AbstractOperation.java:217)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentPrepare(DeploymentManager.java:723)
 at weblogic.deploy.internal.targetserver.DeploymentManager.prepareDeploymentList(DeploymentManager.java:1190)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handlePrepare(DeploymentManager.java:248)
 at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.prepare(DeploymentServiceDispatcher.java:159)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:157)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$000(DeploymentReceiverCallbackDeliverer.java:12)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$1.run(DeploymentReceiverCallbackDeliverer.java:45)
 at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
What I do not understand is that this error remains even though I modified weblogic.xml to remove the following lines:
<wls:security-role-assignment>
<wls:role-name>Certificate</wls:role-name>
<wls:externally-defined/>
</wls:security-role-assignment>
I also deleted <MYDOMAIN_HOME>/servers/AdminServer/cache and <MYDOMAIN_HOME>/servers/AdminServer/tmp but this error still showed up when I attempted to deploy the application in Eclipse.
If I exported the EAR file and deployed it using Admin Console, the application was deployed successfully. But when I deleted it in Admin Console and attempted to deploy it in Eclipse again, the same error occurred and the deployment failed. What could be the reason for this behavior? Is there anything cached somewhere when deploying it in Eclipse? Thanks in advance for your help.

Hi,
I know that is an old thread, but just in case... Maybe you could try setting up the DEBUG_OPTIONS in your startManagedWeblogic script and configure a remote debug in Eclipse:
DEBUG_OPTIONS="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8003,server=y,suspend=n"
Hope it helps,
Luis

How to handle authorization assignment in MDM console

How can we assign authorization based on different users role? Is there a function in MDM console? Thanks!

Hi Alfred,
Here I am giving you a small pratice case study to get clear picture of user authentication in MDM
Case:
Table A has five fields F1,F2,F3,F4,F5
User X, User Y, User Z are three MDM user with different roles.
Objective:
User X should have read/write access to all the fields in Table A.
User Y should have only read access to all the fields in Table A.
User Z should have read access to F1,F2 and read/write access to F3,F4,F5 of Table A.
Steps:
1. Create a role named For User X. Got to Tables and Fields tab, select Read/Write radio button for Table A.
2. Create user User X assign the role For User X to the user.
3. Create a role named For User Y. Got to Tables and Fields tab, select Read-Only radio button for Table A.
4. Create user User Y assign the role For User Y to the user.
5. Create a role named For User Z. Got to Tables and Fields tab, select Read-Only radio button for fields F1,F2, select Read/Write radio buttons for fields F3,F4,F5.
6. Create user User Z assign the role For User Z to the user.
7. Also go to Functions tab, set the permissions like create, delete to the roles.
Testing:
1. Login to Data Mgr as User X, now you can
2. Login to Data Mgr as User Y, now you can only read the data. If you try adding/updating/deleting any data it will throw warning message.
3. Login to Data Mgr as User Z, now you can edit fields F1,F2 but when try to edit F3 or F4 or F5, system will throw warning message.
Creating Masks and assigning to a role:
1. Login to Data manager as Admin.
2. Create a mask in the mask table.
3. Go to main table, right click on the record(s) and add them to the mask. Or do free form search based on hierarchy and add the records to the mask.
4. Go to Console->Admin->Roles table->select a role say For User X -> tables and fields tab->drill down to mask table->select the mask from constraints field.
Testing:
1. Login to data mgr as User X.
2. Now you can see the masked records only.
3) Is this action of authorization assignment a little bit same with what we usually do in SAP R/3?
 No idea
Thanks,
Arun prabhu S

JDev11 R.1. ADF Security Authorization

Hi,
I would like to know if it might be possible to use authenticatication via RDBMS authentication provider of Weblogic App. Server and ADF Security Authorization together in a JDev 11 application?. I am reading documentation and it says that; 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store. One could define roles and its access rights in jazn-data.xml and might expect authentication and isUserInRole services coming from the authentication service without defining users (role members) at design time. Is it or will it be possible in future?
Best Regards.

Hi
I think it is too early and I don't know if they will ever build this. ( because they also have to support other app servers). Is RDBMS authentication provider of Weblogic App. Server a JAAS implementation?
in TP4 you had a db login module , don't know if this is supported in 11g production.
jps-config.xml
<serviceInstance provider="jaas.login.provider" name="testlogin">
<description>Sample LoginModule</description>
<property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<property value="ovs_user" name="table"/>
<property value="jdbc/OVSDS" name="data_source_name"/>
<property value="role_name" name="groupMembershipGroupFieldName"/>
<property value="password" name="passwordField"/>
<property value="ovs_user_role_view" name="groupMembershipTableName"/>
<property value="role_name" name="usernameField"/>
<property value="role_name" name="pw_encoding_class"/>
<property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="groupMembershipGroupFieldName"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
<property value="true" name="debug"/>
<property value="true" name="addAllRoles"/>
<property value="passwd" name="passwordField"/>
<property value="role_name" name="groupMembershipGroupFieldName"/>
<property value="jdbc/authschemaDS" name="data_source_name"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<property value="application_roles" name="groupMembershipTableName"/>
<property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
<property value="FINEST" name="log.level"/>
<property value="username" name="usernameField"/>
<property value="application_users" name="table"/>
<property value="username" name="user_pk_column"/>
<property value="username" name="roles_fk_column"/>
<property value="tolower" name="casing"/>
<property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
</serviceInstance>
thanks Edwin
Edited by: biemond on Oct 19, 2008 10:50 AM

Role base security & authorization

hi,
i want the details about Role based security & authorization for all objects in reporting and the T.codes related to security & authorization (like RSSM ....).
plz help me with any document and security manual

Hi,
I hope search inthese forums would definately hep you.
My previous postings on the Data level security at the Reporting side:
https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2940809.
https://forums.sdn.sap.com/click.jspa?searchID=966335&messageID=2783106
And take a loook on the links:
https://websmp107.sap-ag.de/~sapidb/011000358700000274062002
https://websmp107.sap-ag.de/~sapidb/011000358700000972382004
With rgds,
Anil Kumar Sharma .P
Message was edited by:
Anil Kumar Sharma

Security Authorizations for IDOC

can anybody explai me following.
Roles and responsibility wrt the Security Authorizations the user should have to process the IDOCs at the receiving end and also the monitoring the IDOCs
Regards,
Rahul

Hi Shesha,
I presume you have the SAP Integration kit intalled and configured, and imported the BW roles in the CMC... you are also login with the SAP user account (User1, User2). This would be a base requirement to make this work.
In your OLAP universe, you need to set the connection properties of the connection to. Select Use Single Sign On when refreshing reports at view time to allow the user to benefit from SAP SSO.
You have currently used User1 for the connection and saved the universe with this user id, thus, when the connection is made to BW, it is User1 with its role permissions accessing the data, even if you are logged on as User2, User1 is being authenticated.
Hope this helps
Jacques

Page 0 security: authorization scheme not applied to other pages

the page 0 security: authorization scheme not applied to other pages (neither as an override for existing pages nor as a default for new pages).
how is this intended to work?

mcstock,
Can you clarify your question please? Can you give specific steps to reproduce this issue that you are inquiring about?
Thanks.
Joel

Why security-role-assignment is required ?

Hi all.
We develop EJB application which uses:
* declarative security using <method-permission> in ejb-jar.xml
* our own RoleMapper SSP, which take mapping data from DB
(our Mapper doesn't use weblogic-ejb-jar.xml at all)
When I deploy my app without <security-role-assignment>
in weblogic-ejb-jar.xml I receive the deployment exception:
<quote>
The security-role MY_ROLE, defined in ejb-jar.xml,
is not correctly mapped to a security principal.
Make sure the security-role has a corresponding
security-role-assignment element in the
weblogic-ejb-jar.xml descriptor.
</quote>
Yes, this is absolutely correct --
I didn't define the mapping in *.xml advisedly,
because of it is defined in DB and my own Mapper
retrieves data required for role mapping from DB,
not from descriptor *.xml
Questions are:
==============
1. why <security-role-assignment> is so strictly required ? :(
2. is it possible to use declarative security with own RoleMapper ?
3. if `yes` then how to get rid of the exception ?
I have one workaround:
to add to weblogic-ejb-jar.xml fake mapping for
each EJB role used in ejb-jar.xml:
<security-role-assignment>
<role-name>MY_ROLE</role-name>
<principal-name>FaKe_Blah_bLAH</principal-name>
</security-role-assignment>
In this case all works fine,
but workaround smells very very bad :(
Thanks in advance.
Best regards,
Eugene Voytitsky

Hello,
could you provide addition information on the server version and the facets installed in the dynamic web and EAR project ?
thanks
Raj

Authorization Assignment

Hello experts,
I'm trying to use the option "Authorization Assignment" as quoted in the SAP Help for [Creating and Authorizing Users for ESS|http://help.sap.com/saphelp_erp60/helpdata/en/a8/919d0a1ba211d289be0000e8216659/frameset.htm] but the option within the transaction HRUSER is not available even if I only select one employee. The proper option is located in the Menu -> Edit -> Authorization Assignment". It is shown but not chooseable.
Any hints?
Just for the record: My user is "SAP_ALL" and "SAP_NEW"

assignment of employees to users > have you clicked on this?
you selected All employees or Employees with users, you can assign roles to the employees who are already assigned to a user without ESS authorization (role).
       1.      In the Employees With/Without User group box, select the Employees with Users and choose Display.
The number of employees is displayed.
If this number is very large, you can run the job in the background.
The Relate Users with Persons screen appears.
       2.      Select the employees required.
       3.      Choose Authorization assignment.
The Attributes of Users to be Created screen appears.
       4.      Choose Execute.
You have assigned the role to the users of the selected employees.

ADF Security Authorization

As it's written in Oracle® Application Development Framework Developer’s Guide For Forms/4GL Developers B25947-01 I created file adf-config.xml file like this
<?xml version="1.0" encoding="windows-1252" ?>
<adf-config xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" http://xmlns.oracle.com/adf/config
../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
xmlns=" http://xmlns.oracle.com/adf/config "
xmlns:sec=" http://xmlns.oracle.com/adf/security/config ">
<sec:adf-config-child xmlns=" http://xmlns.oracle.com/adf/security/config ">
<JaasSecurityContext
 initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
 authorizationEnforce="true"
 jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurity Context" >
</JaasSecurityContext>
</sec:adf-config-child>
</adf-config>
Assigned permissions to my roles in Authorization editior on iterators etc.. But it did get any effect.
All roles have full access to iterators!
ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled() returns false

Hi,
here's the adf-config file from my woking app
<?xml version="1.0" encoding="windows-1252" ?>
<adf-config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/adf/config ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
xmlns="http://xmlns.oracle.com/adf/config"
xmlns:sec="http://xmlns.oracle.com/adf/security/config">
<sec:adf-config-child xmlns="http://xmlns.oracle.com/adf/security/config">
<JaasSecurityContext initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurityContext"
authorizationEnforce="true"/>
</sec:adf-config-child>
</adf-config>
Note that I don't use debug but run it from JDeveloper and the security settings are enforced. Did you set up the web.xml file - in other words, are you able to authenticate?
Frank

Security authorizations assignment

Similar Messages

Maybe you are looking for