Security:  authorized vs not authorized

I created two new authorizations that contain the same fields.  The values within two authorization fields are the only difference (company code and MRA are the fields).  In one authorization, company code = 100 and MRA=* and in the other authorization, company code =* and MRA=100.  In s_rs_auth, the user has both authorizations. When the query is executed with MRA=100, the query will fail with an authorization error.  I look in the 'main check' section of the log and see that several of the sets fail, but one does not.  Why does the query receive an authorization error, when one of the checks is successful?  Shouldn't data be displayed?

Hi Klaus,
I have sent you the authorization trace.  Here's a little background on what I've done and what is not working:
I want to secure the cube zcopa20 by company code and mra (this is a characteristic we created).  If the user enters a company code they have access to, they should see all records - no matter the mra.  If the user enters a mra they have access to, they should see all records - no matter the company code.  I created the authorization 'zccmradefaul' to contain all the auth relevant objects, except company code and mra, that are needed to execute a query against this cube.  I then created 'zccmra1' to secure on company code and mra.  In this authorization, mra has a value of 100.  When I ran a query against this cube and specified the mra of 100 and did not specify a company code, the query ran without errors - just as I expected.  I then made a copy of 'zccmra1' and named it 'zccmra2' and gave it to the user by updating the authorization object s_rs_auth in their role group.  In this authorization, I put the value of 100 for company code and * for mra.  When I execute the query with a mra of 100, I get the log.  The log shows that when 'zccmra2' is checked, the check was successful, which I expect.  The check against authorization 'zccmra1' fails, which I expect.  I would expect the records with a mra of 100 to be displayed and they are not.
In the 3.0 security design, we were able to create an authorization object and enter it into a role group twice, configure it in the above manner and the end user would be able to see all records with a mra of 100 when running the query with the mra of 100.
We use the ability of being able to enter an authorization object twice into a role group and configure the entries differently in quite a few places in our system.  We do this with characteristics and key figures.  (I've done some testing in the 2004S with how we would configure key figures and I'm having the same problem as I'm having with company code and mra.)
Thanks for your help.
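
The behaviour described in this thread (several sets checked, one passes, the query is still rejected) matches an all-or-nothing check. The following is an added example, not code from the poster or from SAP: a simplified Python model in which a query is split into selection sets and each set must be fully covered by a single authorization. The covering rule, the authorization names and the sample selection sets are assumptions made for illustration.

```python
"""Simplified model of an all-or-nothing, multi-characteristic authorization check.

Added illustration only; not SAP code. Assumed rule: a query is split into
selection sets, and every set must be fully covered by ONE authorization.
No merging of authorizations is modelled.
"""

ALL = "*"  # wildcard: every value of the characteristic

# Constructed authorizations mirroring the two described in the post.
AUTHORIZATIONS = {
    "auth_cc100": {"company_code": {"100"}, "mra": ALL},
    "auth_mra100": {"company_code": ALL, "mra": {"100"}},
}

# Constructed selections. A query restricted only to MRA 100:
ONLY_MRA_100 = [{"company_code": ALL, "mra": {"100"}}]

# The same query plus a second set that ignores the MRA restriction
# (hypothetical, e.g. a structure element showing an unrestricted total).
MIXED = [
    {"company_code": ALL, "mra": {"100"}},
    {"company_code": ALL, "mra": ALL},
]


def covers(auth, selection):
    """True when `auth` grants every value that `selection` asks for."""
    for characteristic, requested in selection.items():
        granted = auth.get(characteristic, set())
        if granted == ALL:
            continue
        # An unrestricted request can only be met by a wildcard grant.
        if requested == ALL or not requested <= granted:
            return False
    return True


def check_query(selection_sets, authorizations):
    """Return (authorized, results); a single uncovered set rejects the query."""
    results = []
    for number, selection in enumerate(selection_sets, start=1):
        matching = [name for name, auth in authorizations.items()
                    if covers(auth, selection)]
        results.append((number, selection, matching))
    authorized = all(matching for _, _, matching in results)
    return authorized, results


def explain(selection_sets, authorizations=AUTHORIZATIONS):
    """Render the per-set outcome the way a check log would list it."""
    authorized, results = check_query(selection_sets, authorizations)
    lines = []
    for number, selection, matching in results:
        verdict = "covered by " + ", ".join(matching) if matching else "NOT covered"
        lines.append(f"set {number}: {selection} -> {verdict}")
    lines.append("query authorized" if authorized else "query rejected (no data shown)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(ONLY_MRA_100))
    print()
    print(explain(MIXED))
```

In this model a passing set never rescues a failing one, and a selection that straddles two authorizations (company codes 100 and 200 together with MRA 100 and 200, say) is rejected even though each authorization covers part of it.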

Similar Messages

  • There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server

    Hello,
    I have an issue with connecting client SB1H on Windows, the scenario is as follows:
    1.- Server:
         Suse Linux Enterprise Server 11.3 kernel version: 3.0.76-0.11 IBM
         NDB and Server are review 69 SP06
    2.- Client:
         Windows 8 Pro Virtual Machine on Microsoft Hyper-V
         SB1H PL 11 version 32bits    
         SAP HANA Studio version 1.0.60
    When I run SB1H the following message appears:
    There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server.
    Any idea what could be the solution?

    Hi,
    Please check SAP notes:
       1993392 - Server components setup wizard: New default values for certificates and single sign-on option
    1929288 - Do not configure SSL for XApp during installation or upgrade if XApp is installed on a different machine than the SAP HANA server
    Thanks & Regards,
    Nagarajan

  • ID3242: The security token could not be authenticated or authorized?

    Hi,
    we are getting an error when SSIS Package is writing the data into CRM 2013 Application using CRM 2013 SDK.
    Please find the error log as below.
    [Update Contact into CRM [792]] Error: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException:
    ID3242: The security token could not be authenticated or authorized.
       --- End of inner exception stack trace ---
    Server stack trace: 
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]: 
       at Microsoft.SqlServer.Dts.Pipeline.ScriptComponentHost.HandleUserException(Exception e)
       at Microsoft.SqlServer.Dts.Pipeline.ScriptComponentHost.ProcessInput(Int32 inputID, PipelineBuffer buffer)
       at Microsoft.SqlServer.Dts.Pipeline.ManagedComponentHost.HostProcessInput(IDTSManagedComponentWrapper100 wrapper, Int32 inputID, IDTSBuffer100 pDTSBuffer, IntPtr bufferWirePacket)
    Can you please suggest how to proceed on this issue?
    Thanks & Regards, Anil

    Hi JBlaesk,
    Thanks for your reply, and sorry that I didn't mention this: the package ran for 1 hour, and after 1 hour it failed with the error "Security token couldn't be authenticated or authorized".
    This package was scheduled in SQL Server Agent and the user is System.
    I have seen that there are no logs in the CRM 2013 application and ADFS server for this issue.
    Thanks & Regards, Anil

  • The security token could not be authenticated or authorized

    Hi All,
    I have an issue with Oracle Migration Tool On Demand.
    I run the following command to backup the AccessProfile:
    Oracle Migration Tool On Demand:
    migrationtool -u <user> -s https://secure-ausomxefa.crmondemand.com ReadAll AccessProfile
    Unfortunately I get the following error:
    On the dos window:
    Please enter your CRM On Demand password: Your request has been sent to Oracle
    CRM On Demand Server.
    A response to the SOAP request sent to the CRM On Demand server has been receiv
    ed An error occurred. Please review the logs for details
    And in the log file:
    13-apr-2011 16.09.40 com.siebel.occam.odesa.cte.ODESAResponseHandler writeToLog
    GRAVE: <Fault xmlns="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>wsse:FailedAuthentication</faultcode><faultstring>The security token could not be authenticated or authorized</faultstring><faultactor></faultactor></Fault>
    Please could you help me?
    Regards
    Alessandro
    Edited by: user3889450 on 13-apr-2011 7.16
    Edited by: user3889450 on 13-apr-2011 7.17
    Edited by: user3889450 on 13-apr-2011 7.18

    Alessandro, I would recommend that you submit a SR to CRM On Demand customer care in reference to this issue.

  • 2008 r2 RDP SSL NLA problem "Local Security Authority cannot be contacted"

    Hi!
    I have run into an issue with RDP settings for 2008 R2 servers (all of them) whenever I enable NLA. That happens on user accounts that do NOT enforce password expiration (and so passwords are not expired) and MSTSC supporting NLA (client computers are win7 or win8).
    In fact those same clients can use NLA just fine for connections to other win7/win8 workstations (domain members) using NLA, no probs!
    SSL certificates are automatically issued by enterprise CA. All computers/servers have current and valid Computer certificates.
    For some strange reason, I cannot enable NLA on RDP settings for any of 2008 R2 servers (various roles, ranging from physical DC running multiple roles, through dedicated virtual DC or dedicated virtual Print Servers up to dedicated Remote Desktop Services host), because all of them at once stop accepting RDP connections, always with same error message:
    An authentication error has occurred.
    The Local Security Authority cannot be contacted
    Remote computer: server.domain.local
    This could be due to an expired password.
    Please update your password if it has expired.
    For assistance, contact your administrator or technical support.
    That same message also appears on DC (2008 R2) running the enterprise CA role ... irony ...
    Please keep in mind that domain member computers running windows 7 x64 or windows 8.1 x64 can accept NLA enabled and SSL encrypted RDP traffic at same time without issues while using the same user accounts to connect.
    To make it even funnier, I can set RDP on 2008 R2 acting as Remote Desktop Services server to accept only SSL RDP traffic and keep NLA disabled and all works just fine. So, it is strictly the NLA causing trouble here, but why? WS 2008 R2 unable to use Kerberos authentication for RDP?
    WS 2012 R2 can accept NLA/SSL RDP connections without trouble, just as win7/win8 workstations can, so issue is narrowed down to only 2008 R2 servers (physical or virtual).
    Is there a hotfix for this problem on 2008 R2? sounds to me like it is a bug in 2008 r2 regarding Kerberos authentication for RDP... is MS ever planning to fix it or we have to upgrade all servers to 2012R2 to "fix it" ...

    In case this is of use to anyone, I traced this issue down to some group policy settings restricting the use of NTLM. If you're connecting to a server from a Windows client within the same domain, this won't be an issue, as Kerberos is used for authentication.
    However, when connecting from a machine outside the domain, or from a non Windows client (e.g. Wyse ThinOS terminal as we were), it seems NTLM is used for authentication.
    Since we have quite a secure environment setup, the following group policy had been set throughout the domain:
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Restrict NTLM: Incoming NTLM traffic - Deny all domain accounts
    Network security: Restrict NTLM: NTLM authentication in this domain - Deny for domain accounts to domain servers
    What was needed was to apply a new policy to the RDS servers being connected to from outside the domain with the following settings and so that the new GPO took precedence over the standard GPO applying the above:
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Restrict NTLM: Incoming NTLM traffic - Allow all
    Network security: Restrict NTLM: NTLM authentication in this domain - Disable
    In addition, the domain controller policy had to be updated with these settings:
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - Enabled with either all RDS servers listed, or use a wildcard name which will capture all RDS servers
    Network security: Restrict NTLM: Add server exceptions in this domain - Enabled with either all RDS servers listed, or use a wildcard name which will capture all RDS servers
    Took me a while to figure this one, so hopefully it will help someone somewhere :)

  • Export/Import Error: The security token could not be authenticated

    We currently are working in PLM 6.1.1 and users are experiencing Export/Import Issues, the error appears frequently with several users.
    Steps:
    1. A new token is generated from our QA environment
    2. The user logs into Dev and transfers the token
    3. In the export ADMIN area the user selects a section
    4. In the QA environment the user schedules the import
    5. The import is scheduled however the error is received after a few mins
    Error Message:
    The security token could not be authenticated or authorized ---> The directory service is unavailable.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at Xeno.Prodika.XenoDoc.Handlers.DRL.DrlService.GetAttachment(tIdentifier Identifier)
    at Xeno.Prodika.XenoDoc.Handlers.DRL.DrlWebServiceLifecycleHandler.Load(IXDocument xdoc, String pkid)
    at Xeno.Prodika.XenoDoc.BaseLibraryManager.LoadDocumentPhaseII(IXLibraryConfiguration libConfig, IXDocument xdoc, String pkid)
    at Xeno.Prodika.XenoDoc.BaseLibraryManager.LoadDocument(String pkid)
    at Xeno.Prodika.ExportImport.DataExchange.ImportRequestProcessor.ProcessRequest(IApplicationManager applicationManager, IImportRequestQueue request)
    This error can be difficult to reproduce but occurs periodically.

    This is likely a DRL issue. Verify DRL is configured correctly and a valid PLM4P user is set up in the setup assistant. In addition, make sure you added the new app in IIS for DRLService (this is a doc bug we are correcting that we failed to include in the 611 guide). Verify you can attach and then open an attachment on a material spec.

  • What Are the Security Implications of not Completely Signing Database?

    Hello everyone,
    What are the security implications of not completely signing the database?
    From http://www.archlinux.org/pacman/ ,
    The following quote implies that the database exists merely just in case hand tweaking is necessary:
    maintains a text-based package database (more of a hierarchy), just in case some hand tweaking is necessary.
    However, considering that there are cases that pacman's local database needs to be restored, there are implications that the database is essential for pacman to function properly.
    From https://wiki.archlinux.org/index.php/Ho … l_Database :
    Restore pacman's local database
    Signs that pacman needs a local database restoration:
    - pacman -Q gives absolutely no output, and pacman -Syu erroneously reports that the system is up to date.
    - When trying to install a package using pacman -S package, and it outputs a list of already satisfied dependencies.
    - When testdb (part of pacman) reports database inconsistency.
    Most likely, pacman's database of installed software, /var/lib/pacman/local, has been corrupted or deleted. While this is a serious problem, it can be restored by following the instructions below.
    I know that all official packages (from core, extra, community, etc.) are signed so that all files should be safe, but I'm just paranoid.
    What if the database was hacked?  Will this lead to installation of harmful software?
    Sincerely,
    Cylinder57
    Last edited by Cylinder57 (2012-10-15 03:42:31)

    Cylinder57 wrote:
    From this quote:
    Allan wrote: But, the OP (also?) talks about the local package database on his computer.  That is not signed at all as there is no point.  If someone can modify that, then they can regenerate the signature, or just modify any other piece of software on your computer.
    Is it going to be easy for anyone other than the authorized user to modify the local package database?
    Allan basically answered that with the quote above already as I understand it. Someone who has access to the installation, e.g. is able to chroot your PC via USB, is not held back by any ACLs. However, modifying the local database only makes limited sense because the packages are already installed. Pacman would only recheck, if you re-install a package. The only really relevant attack vector for the package database is
    (1) installing an older package with a vulnerability,
    (2) replacing the up-to-date package sig in the local database with the older one and
    (3) modifying the system, e.g. via pacman.conf excludes, to not update that.
    then also re-installing would not create a sig-error and you get stuck with the bogus old package.
    With a signed database this would not be possible. However, as Allan wrote earlier also with a signed database that criminal can manually install (totally leaving pacman & package cache) whatever it needs in this scenario. So, if you are -really- paranoid about that, you probably want to spend (a lot of configuring) time with something like the "aide" package.
    Cylinder57 wrote:
    And, are the following statements correct:
    If the repository databases are modified, the hacker might be able to modify the packages on the server (Considering that if someone can modify the local package database, that person can modify any other piece of software on that particular computer.)
    However, pacman won't let users install the modified packages (due to package signing), unless at least one person with access is bribed (at least, for an individual package.)
    I don't know the intricacies of the server infrastructure - only saw they have great names :-), but I am pretty certain your statements assume that correctly. It is pretty unlikely that someone able to modify the central repository database fails at placing a bogus package for shipping with those access rights at this time. Yet it does no harm not to post any details of such a scenario here imo. In any case: A compromised mirror would be enough for that - and easier to achieve (hacked anywhere or e.g. in a non-democratic state). Plus you also answered it yourself. The keys are key for our safety there. Which keeps me hoping that no criminal lawnmower salesmen frequent the Brisbane area.
    As you put up a thread about this, one question you can ask yourself is:
    Have you always checked, on updates, the new signature keys which pacman asks about? If you ever pressed "accept/enter" without checking them out-of-band (e.g. the webserver), that compromised mirror database might have just created a "legitimate" key .. user error, but another attack vector the database signing would catch.
    edit: Re-thinking the last paragraph just after posting, I now believe it would not be that easy as implied - simply because the bogus key is not trusted by one of the master keys. The pacman pgp trust model should catch that without database signing. At least it would if only the official repositories are activated, but that's a pre-requisite to the whole thread.
    Last edited by Strike0 (2012-10-20 23:01:26)

  • TS3297 My 2nd generation ipod touch is giving me the following error when I try accessing Itunes or the app store. "Cannot connect to the Store. A secure connection could not be established. Please check your date & time settings"  I am on a secure networ

    My 2nd generation ipod touch is giving me the following error when I try accessing Itunes or the app store. "Cannot connect to the Store. A secure connection could not be established. Please check your date & time settings"  I am on a secure network.

    Can't connect to the iTunes Store
    Make sure that time zone is correct in addition to date and time

  • HT204053 i want to change my icloud id on my iPhone, but it won't let me now that i have upgraded.  I no longer have the password and the problem is It is using an old id which the email isn't valid and the security question does not think my birthday is

    I want to change my icloud id on my iPhone, but it won't let me now that I have upgraded.  I no longer have the password and the problem is it is using an old id for which the email isn't valid, and the security question does not think my birthday is valid.  I cannot delete the account because "find my iphone" wants the password linked to this old account.  But when I go into the find my iphone app it is using my correct Apple ID.  How do I fix this?

    If you still have access to your old email address, go to https://appleid.apple.com, click Manage my Apple ID and sign in with your iCloud ID.  Tap edit next to the primary email account, tap Edit, change it back to your old email account and verify it.  Then edit the name of the account to change it back to your old email address.  You can now use your current password to turn off Find My iPhone on your device. Then go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back to https://appleid.apple.com and change your primary email address and iCloud ID name back to the way it was.  You can now go to Settings>iCloud and sign in with your correct iCloud ID and password.
    If you don't have access to your old email address, you will have to contact Apple to have them reset the password so you can disable Find My iPhone and sign into your iCloud account.  You can either go to https://expresslane.apple.com, select "More Products and Services", then "Apple ID", then  on the next page select "Other Apple ID Topics", then "Lost or forgotten Apple ID password" and click "Continue"; or you can contact Apple Support (http://www.apple.com/support/icloud/contact/).

  • I have tried to connect and purchase on my iTunes Store, but forgot security questions. Not even Customer service is able to help me. How can I spend the 20 bucks I have on my account now if even the phone assistants can't help me?

    I tried to purchase on the iTunes Store, but forgot security questions. Not even Customer Service is able to help me. How can I spend the 20 bucks I have on my account now if even the phone assistants can't help me? I can't remember any answer to any of my questions and I can't even register my product (iPod Classic) even though I purchased it 6 months ago. Customer Service held me on the line for 30+ minutes asking me all the time if I remember one answer to my questions (to which I repeatedly said no) and there seems to be no way to circumvent that security system, not even with my second email, also registered on My iTunes. Isn't there any way for me to get those 20 dollars back I already have in your store or at least reset my security questions if I don't remember?
    Thank you very much.

    qwerqsr, Please contact 1-800-My-Apple, about this issue. The account security team should be able to assist you. Please have your password and the ability to log into your account via appleid.apple.com.
    Thanks,
                A2Q

  • How do i delete an old iCloud account from phone when I forget my password and I'm not able to reset it because my security questions do not match?! Help!! Currently not able to update any apps or icloud info

    How do i delete an old iCloud account from phone when I forget my password and I'm not able to reset it because my security questions do not match?! Help!! Currently not able to update any apps or icloud info...

    If your device is signed into an old ID of yours that is an earlier version of the ID you want to sign in with, do the following:
    If you are using iMessage and FaceTime, make sure you are signed into these services with your current ID.  If they are signed into the old ID, go to Settings>Messages>Send & Receive and Settings>FaceTime, tap the ID, sign out, then sign back in with your current ID.
    Then temporarily recreate the old ID by going to https://appleid.apple.com, click Manage my Apple ID and sign in with your current iCloud ID.  Click edit next to the primary email account, change it back to your old email address and save the change.  (You should not have to verify the old email account so it doesn’t matter if you no longer have access to it.)  Now go to Settings>iCloud, turn off Find My iDevice and enter your current password when prompted (even though it prompts you for the password for your old ID).  Then save any photo stream photos that you wish to keep to your camera roll (unless you are using iCloud Photo Library).  When finished go to Settings>iCloud, tap Sign Out (or Delete Account if you are not running iOS 8) and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back to https://appleid.apple.com and change your primary email address back to the way it was.  Now you can go to Settings>iCloud and sign back in with your current iCloud ID and password (your data will download back to your device).

  • HT5624 I need to reset my Apple ID password, but it says that my security questions are not correct and I no longer have access to the email it sends the correct information to. Please help!

    I need to reset my Apple ID password, but it says that my security questions were not answered correctly.  The email address associated with the questions to reset the answers is no longer available to me. It is my old college email.  Does anyone know how to change this email? The unavailable email is not in my list of emails approved in my Apple ID settings.

    You cannot and need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.
    (98417)

  • Lookout 6.6 - Logon Error: Security file does not exist

    I'm trying to run Lookout 6.6 evaluation. It loads fine, I get a message saying that it's running evaluation version. I press OK to clear that box and a logon window opens. It's filled in with the default settings, Administrator, local domain, no password. I click Log On and it gives me the error which is in the subject line, security file does not exist.
    I've read on here that the lookout.sec file doesn't exist in the System32 folder. In this case, I've found it and it's there.
    I've tried different user names, I took the .sec file and copied it in various locations: windows folder, and the programs root folder - obviously there was no effect. I tried editing the lookout.ini file to remove the log on information to see if that clears it up (even deleted the file to see if that works), but to no avail. I also tried re-installing the program, but there is no uninstall button - windows program removal tool cannot even remove, modify, or repair the program. I ran the install a couple of times as well.
    Does anyone know what I can do?
    Here's what I'm running:
    (I bought this computer today)
    Windows 7 x64-bit Home Premium
    4gb ram
    500gb hard drive
    It's very minimal, since all the computer is meant to do is run this program and replace the computer Lookout 5.0 was running on (mobo got fried).
    - Please - let me know if you have any suggestions.

    Hi Mike! Thanks for replying!
    I've just tried it in admin mode and it hasn't worked. I've also tried using compatibility mode, but to no avail.
    I downloaded the lookout 6.2 version to try and it gives me the same error as well.
    Another thing to note, I tried uninstalling it (either lookout 6.6 or 6.2 doesn't matter), but all options it gives (modify, repair, and uninstall) are all greyed out.
    Any thoughts/ideas?

  • The secLDAP security plugin is not available.

    some of my clients when they logon to Infoview
    get the following error...
    The secLDAP security plugin is not available. Please contact your system administrator for details
    The authentication mode is Enterprise. Windows/AD/LDAP all are unchecked (disabled). We are currently using BOE XI R2.
    This happens when a user logs in and authenticates to a different intranet site and then tries to log in to Infoview.  If the user comes and launches Infoview, they don't encounter this issue.
    Any help in this regard would be greatly appreciated.
    Matt

    You should post a new thread, but that error is very generic; it could be anything. When posting, try to add as many details about your workflow as possible.
    It may be best to open an incident with support. At this point it could be workflow, config, bug, external config, anything really.
    Also post in the Admin forum (BI Platform).
    There should be much LDAP expertise there.
    Regards,
    Tim
    Edited by: Tim Ziemba on Aug 26, 2008 10:01 PM

  • Axis bank net secure with webpin not working on ipad2

    Hi,
    Axis bank net secure with webpin not working on ipad2
    Let me know how to proceed

    Try using their App:
    https://itunes.apple.com/in/app/axis-bank-mobile-application/id517266358?mt=8

  • I've forgot my security questions, and security email is not my. :(

    I've forgotten my security questions, and the security email is also not mine. How can I change my security question?

    You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.
    (126736)
