Security - Indirect access to transaction for user

A user is processing an SM35 line and gets an authorization error because they have no access to KB51N. We want to grant access to the transaction needed, but not give direct access (via Transaction Window) to the user. Is this possible, and if yes, how?

As this discussion leads into the wrong direction, I simply reply to the initial question now.
Please note that using SYSTEM for administrative purposes is highly discouraged and directly granting privileges to any single user will invariantly lead to massive problems once you try to manage permissions in a production environment.
Instead take the small additional effort and create roles with the appropriate privileges for their use cases.
In How to Define Standard Roles for SAP HANA Systems Richard Bremer provides samples for how to create roles that are transportable and that split the privileges in a reasonable way for many multi-user scenarios.
Whatever you do: disable SYSTEM user after setting up your privilege management. It's not the god-like user you seem to want anyway. So, when you need to grant privileges anyhow, you can do it in a sustainable way from the start.
- Lars

Similar Messages

  • Integrated Security results in Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' after code deployment

    Sometimes, when we deploy new code to the server, we're getting the following error:
    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
    We're using Windows authentication and in our connection string use integrated security.
    Only after restarting the server can the application connect to the DB again. Restarting IIS or recycling the application pool doesn't help.
    Our application pool is configured using ApplicationPoolIdentity and we would like to keep it as such.
    Any idea what we can do to prevent this error from occurring almost every time we deploy code?
    Thanks

    Hi amisol,
    Thanks for your post here.
    As your issue is related to ASP.NET security, I suggest that you post your issue at the link below:
    http://forums.asp.net/25.aspx/1?Security
    Best Regards,
    Kevin Shen.

  • Open a transaction for user using RFC

    Hi all,
    Is it possible to open a transaction (I mean to actually open a GUI for the user) using an RFC that is called from my Web Server?
    For example:
    I have a web application (written in some language) that presents some list of transaction codes. When a user hits some transaction code, I want my application to open the SAP application in the exact transaction.
    I assume that my application should call some RFC that is able to open and present the SAP application in the required transaction. E.g. if in my web application the list contains the transaction code "ME24" and a user clicks on it, I want the SAP application to open and, after providing user+password, go directly to "Maintain Purchase Order".
    Is it possible?
    Thanks for the help,
    Roy

    Hi Rainer,
    Please assume that I do not need any graphical output within my web-application.
    I will try to re-explain the architecture:
    1. Web server where my web application is installed
    2. SAP system (not portal)
    3. Client with access to SAP through a standard SAP Logon and access to my web application
    Client tries to open a transaction (in a new standard SAP window) by clicking on some link in my application. My application calls an RFC and I wish that this RFC will be able to open that SAP window.
    Thanks,
    Roy

  • Windows 10: new security features make PCs safer for users and businesses

    Windows 10 doesn't only deliver various visual and functional updates.
    The latest and most advanced OS from Microsoft has an abundance of new security features under the hood which ensure safer computing for consumers and businesses. 

    There is a new Windows service installed with this beta version of the console launcher.
    Why the hell do you need to add a new service all the time? First you added CTAudSVC.exe with the latest drivers... and now there is some sort of ct engine licensing service..... We need fixes, not memory hogging services.

  • Error in Application log SCOM mgmt server 25934 Credentials are null for user

    Hi, We recently started getting errors like the one shown below on one of our SCOM management servers.
    Any thoughts on what might be causing this and why this shows on a SCOM server. There is no VMM stuff installed on this SCOM server.
    Thanks in advance.
    System
      Provider [Name]: Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VMUsageCollection
      EventID: 25934
        [Qualifiers]: 0
      Level: 2
      Task: 0
      Keywords: 0x80000000000000
      TimeCreated [SystemTime]: 2014-01-28T18:08:24.000000000Z
      EventRecordID: 287618
      Channel: Application
      Computer: XXXX
      Security
    EventData
      Credentials are null for user:
    Thanks Lance

    Hi,
    If agent is installed on the VMM server, it will collect the information and send it to SCOM server. The event indicates the SCOM agent tried to access the registry key that was included in the User Profile but failed.
    Please specify a local account or domain account as the SCOM action account for a test.
    Niki Han
    TechNet Community Support

  • How to apply security to access procurement dashboard in RPD (BI Security)

    Hi All,
    How can I apply Security to access in RPD for Procurement dashboards only.
    Regards,
    Kumar
    Edited by: user597882 on Sep 13, 2009 2:20 AM

    Hi,
    If you want to apply security to a dashboard (object level security so that some people can see the dashboard and others can't), then you don't do this in the RPD but through the administration screens after logging into OBIEE. Here you can define which webgroups can see a dashboard.
    Regards,
    Matt

  • SharePoint site is asking for user/password

    I just created a new web application on port 80 with anonymous access enabled.
    Web application is using host header "portal" which is also defined in IIS under "Bindings" (this was done by SharePoint automatically when I created web application). I have also created a site collection under this web application.
    In AAM, default zone is defined as http://portal
    I have created "A Record" in DNS (this is single server farm for testing) with name "portal" and using same IP which is assigned to this server which is 192.168.137.121.
    Problem is when I try to open http://portal in browser, it asks me to enter user/password even though I am logged in as site collection administrator. And no matter how many times I give user/password it keeps asking me to login again and again.
    Even if I disable anonymous access, it asks for user/password. I have reset IIS several times.
    What am I doing wrong?

    The first thing to check is whether you configured the SuperUser and SuperReader accounts for this Web Application correctly. I've seen this kind of behavior if the accounts are not set in PowerShell or if the accounts are set using NTLM names instead of Claims. Take a look at the following for more information:
    http://technet.microsoft.com/en-us/library/ff758656(v=office.15).aspx
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • How to implement Oracle user/role security with Access front end?

    Hi,
    We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
    In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
    We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By doing so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, etc. rights to the database.
    I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
    I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
    Can someone give me some assistance or point me in the right direction?
    Thanks in advance,
    Larry

    We had one of our programmers here come up with a VB code solution for re-linking table within Access. However the relinking takes 3-4 minutes for 100+ tables.
    In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
    We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
    We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. It's easy to understand, we have a significant investment in the front end (obviously, the plan is to migrate the front end also at some future date).
    In order to utilize the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
    The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to objects (tables, queries, etc.) by their userid and/or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once logged into Access, users have rights to Access objects based on the rights granted to their userid and the groups they belong to. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
    The dilemma is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles (which are similar to Access groups), and again this is independent of Access security.
    Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
    For example, a user BOB logs into Access via the workgroup file; using VB code, Access then establishes an Oracle connection, logging into Oracle using the same unique userid BOB.
    After connecting and validating user BOB into Oracle, the Access tables are relinked to Oracle using the user BOB userid and table rights.
    This Oracle userid has been granted table rights specific for this userid. This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
    The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
    Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
    I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
    Larry

  • End User Transaction for Mass Change Sales Orders

    Hello,
    Transaction MASS can be used to change sales orders using object type BUS2032, however, end users are not allowed access to MASS.
    In most other cases, the object types can be accessed by individual transactions, for example, MEMASSPO for BUS2012 and XD99 for KNA1.
    But I cannot seem to find a similar transaction for object type BUS2032, does anyone know whether one exists or how to create such a shortcut.
    Thanks,
    Jake.

    Hi
    See SAP Note 483303 - BUS2032: Only sales orders of category VBAK-VBTYP = 'C'
    Regards
    Eduardo

  • RECEIVER: ERROR: Access to requested resource is not authorized for user

    Hi,
    I installed two instances of COREid Federation in my machine. Also installed SiteMinder and LDAP. Source Domain of COREid (8101) uses LDAP as IdMBridge and Destination Domain (9101) uses SiteMinder as IdMBridge. I am trying to access the resource protected by the SiteMinder from the source domain using the URL which is constructed using the pattern given in the PDF:
    http://mymachine.domain.com:8101/shareid/saml/ObSAMLTransferService?DOMAIN=DestinationDomain&method=POST&TARGET=http://mymachine.domain.com:8887/Source/Source.html
    Assertions are generated and I can see the assertion in the Source domain and transferred to the Destination Domain.
    when i try to access the Source.html protected with siteminder, I get the following error in the Destination Domain Shareid Log file:
    ERROR - [http10113-Processor3] - RECEIVER: ERROR: Access to the requested resource is not authorized for user uid=username, ou=People, dc=xyz,dc=com
    Please help me to solve this issue?
    Note: When the resource is accessed directly, siteminder authorizes the same user.

    We also occasionally have this error. See my log for an example:
    Transaction completed successfuly for DocEntry = 54358 : In company FIXTHISPLEASE on 3/2/2010 9:48:49 AM
    Transaction completed successfuly for DocEntry = 54365 : In company FIXTHISPLEASE on 3/2/2010 10:24:55 AM
    Transaction completed successfuly for DocEntry = 54403 : In company FIXTHISPLEASE on 3/2/2010 12:14:53 PM
    -5006 - The requested action is not supported for this object. for DocEntry = 0 : In company FIXTHISPLEASE on 3/2/2010 1:38:45 PM
    Transaction completed successfuly for DocEntry = 54424 : In company FIXTHISPLEASE on 3/2/2010 2:40:44 PM
    Transaction completed successfuly for DocEntry = 54425 : In company FIXTHISPLEASE on 3/2/2010 3:01:51 PM
    Transaction completed successfuly for DocEntry = 54426 : In company FIXTHISPLEASE on 3/2/2010 3:03:41 PM
    Transaction completed successfuly for DocEntry = 54427 : In company FIXTHISPLEASE on 3/2/2010 3:05:12 PM
    As you can see, from 9:48am to 3:05pm one occurrence of this error occurred. And they say that the transaction was tried a few seconds later and it worked.
    The STARTTRANSACTION() and ENDTRANSACTION() are used by the DI API, so I'm really in the blank about this error and it starts to annoy the customer. Their SAP is 2007 SP01 PL08.
    Any concrete ideas about this?

  • Converting a pre-Access 2000 database w/ user-level security to Access 2010

    Hi -
    An old database was passed down to me and I'm tasked with converting it so that we can use it with Access 2010. Sounds simple. However, I'm blocked in every attempt that I make to convert, export, and, in some cases, modify the database, due to not having the "appropriate permissions". We (my manager and I) do not know the original owner, and we do not have the original workgroup file. I've had our IT guy check to make sure I am the system admin on my machine in hopes of that making a difference - I was even able to create new workgroups and add and remove users to and from those groups but when I tried to convert (or save) the database, write some VBA code behind the database, create and save new forms, or even update certain tables, I'm told to contact my system administrator or original owner of the object about giving me the "appropriate permissions" to do either of those things. I'm out of ideas here. I've even had a team of people contribute ideas as to how I can get around this. I cannot even convert this old database (which is in .mdb format, fyi) to an MDE. Is there any way that the user-level protection can be removed from this database? I'm hoping for an alternative other than to start over from scratch.

    Hi,
    As you said that the .accdb format does not support replication or user-level security, we need to use the MDB format in Access 2010. Please try to follow the steps to remove the user-level protection:
    1. Start Microsoft Access, and log on as a member of the Admins group.
       This can be the administrator account that you created when you secured the database, or it can be any member of the Admins group. Be sure that you’re using your own security-enhanced workgroup information file when starting Access.
    2. Open the database.
    3. On the Tools menu, point to Security, and then click User And Group Permissions.
    4. In the User And Group Permissions dialog box, assign full permissions to the Users group for the database and all the objects in the database.
       Because all users are automatically part of the Users group, this step has the effect of concealing security again.
    5. Click the Users tab, click Admin in the Name box, and then click Clear Password.
       Clearing the password for the Admin user disables the Logon dialog box that is displayed when you start Access. All users are automatically logged on as the Admin user the next time they start Access. This step disables the Logon dialog box for all databases that are using the same workgroup information file.
    6. Restart Access.
    7. Create a new database, and then import all objects from the security-enhanced database.
       You can accomplish this easily by using the Import command (File menu, Get External Data submenu).
    Quote From:
    http://office.microsoft.com/en-ca/office-2000-resource-kit/removing-user-level-security-HA001138118.aspx
    Regards,
    George Zhao
    TechNet Community Support

  • How can I give access to a new user for WebView Reporting Log In //IPCC Enterprise

    Hi All,
    How can I give access to a new user for the WebView Reporting Log In ?
    I have IPCC Enterprise 7
    Thanks
    Andres

    Two options: 1. In configuration manager on the AW, use the user list tool to add the users domain account and select Webview access permissions. 2. Using standard Microsoft Active Directory tools or the Cisco Domain Manager tool, add the desired AD user account into one of the "WebView" security groups created within the Cisco OU.

  • SAP Security: how can I find out any changes for user access

    Hi,
    How can I check the changes in user access for some transactions?
    I have tried with the S_BCE_68001439 transaction, but I didn't find any changes in the respective roles which were assigned to the particular user ID.
    Is there any other way to find out changes in user access?
    Please respond at the earliest. Thanks in advance.
    Ramesh.

    Ramesh,
    You should first look at what has changed with the user master record. You can check this by going to SU01, entering the User ID and going to Information Menu and Change Documents for users; you can then specify no start date and any other criteria you want to see changes to the user master.
    Then if nothing has changed here, or as an extra check, you can go to PFCG, open the Role for display and go to Utilities Menu and Display Changes. You can then do the same as before and specify no start date with other criteria to find changes to any Role the user has.
    Hope this helps.
    Regards
    Ashley

  • Error...java.sql.SQLException:Access denied for user

    Hi,
    I am getting the following error message while connecting with MySQL (O/S: Sun OS 5.6).
    Error.....java.sql.SQLException: Invalid authorization specification: Access denied for user: 'some_user&password@localhost' (Using password: NO)
    Note that I have given all permissions to the user using,
    GRANT ALL PRIVILEGES .......................
    The code I have used to connect with the database is,
    import java.io.*;
    import java.sql.*;
    class test
    {
        public static void main(String a[])
        {
            try
            {
                Connection con;
                Statement stmt;
                ResultSet rs;
                // Load the MySQL JDBC driver
                Class.forName("org.gjt.mm.mysql.Driver");
                // Credentials are passed as URL parameters
                con=DriverManager.getConnection("jdbc:mysql://localhost/db_name?user=some_user&password=some_pass");
                stmt=con.createStatement();
                //do something with resultset
            }
            catch(Exception e)
            {
                System.out.println("Exception in second try.."+e);
            }
        }
    }
    Please guide me on how to solve this problem.
    Thankz,
    Bala.

    Hi friends...
    I've read the last post...
    The problem that I have is as follow....
    1. I have installed on my machine MySQL 5.0 Server running
    1.1 I have a database called "base1"
    1.2 User "root", password "works"
    1.3 I have the following sentence to connect it using JDBC
    Connection con = DriverManager.getConnection("jdbc:mysql://localhost/base1", "root", "works");
    More notes:
    - I use the JDBC 5.0
    - My Machine is a Windows XP SP2 Pentium 3.0 512Mb
    and it connects.
    but I have this environment to develop applications, now that I want to connect to Production Environment happens the following:
    2 The Production database is mounted on a Linux Server with MySQL 3.2.
    2.1 I change the sentences as follow:
    Connection con = DriverManager.getConnection("jdbc:mysql://192.168.0.7/base1", "user", "password");
    2.3 But a message appears when I run the Java Program:
    java.sql.SQLException:Access denied for user: '[email protected]' (Using password: YES)
    2.4 As you can see it changes the IP Address...
    More notes:- I have the MySQL Query Browser and I got connection.
    - The IP that the Error Message displays is my Second IP configured on my Network Properties.
    - Server is a Pentium 4 3.0 GHz 2Gb Linux Red Hat 3.0
    I leave this case for the spider... I hope that somebody has the solution.
    What is the problem? Why the JDBC doesn't respect the IP that I wrote.

  • Transaction an user was running for a given period

    Hi All,
    Can anybody tell me how to get the complete information on all the transactions executed by a user in a particular period.
    I have tried STAT and STAD.
    But couldn't get the information required.
    Regards,
    Sekhar.

    Hi,
    Use ST03N. Transaction profile, You will get all the transactions
    for all the users try to filter them out.
    Regards,
    Vamshi.
