Security tables...

Hello,
I have a requirement where I have to scan a role in SAP which has a certain combination
of T-Code, Object, Field and value.
For example:
I need to write a query which will find all roles in SAP which have the following combination of T-Code, Object, Field and Value:
T-CODE.......... Object...............Field......Value
F-02...........F_BKPF_BUK......... ACTVT.......01
What are the tables on which I can write a query to fetch these kinds of details?
Thanks.
Regards,
Rajesh.

When you talk about
T-CODE.......... Object...............Field......Value
F-02...........F_BKPF_BUK......... ACTVT.......01  ,
I understand that you need the values that are maintained for a tcode in su24.
Please refer to table USOBT_C for these values.
Sorry, I guess I interpreted the question wrongly earlier. You can refer to SUIM -> Roles by complex selection criteria for that, but that also will not give a correct idea about the tcode if that is actually checking for that object in its program.
Edited by: Hemant Raj on Jun 17, 2008 3:05 PM
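The role scan asked for above, as an added example that is not part of the original thread: it matches the T-code and the object/field/value pair against role authorization data, including generic (`*`) values and LOW/HIGH intervals. It assumes the data was exported from AGR_1251, the standard table of role authorization values (not named in the thread); the role names, AUTH names and rows are constructed.

```python
# Constructed sample rows in the layout of SAP table AGR_1251 (one row per
# authorization field value of a role). Role and AUTH names are made up.
# Columns: AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED
AGR_1251 = [
    ("Z_FI_POST",    "S_TCODE",    "T-X1", "TCD",   "F-02", "",     ""),
    ("Z_FI_POST",    "F_BKPF_BUK", "T-X2", "ACTVT", "01",   "",     ""),
    ("Z_FI_POST",    "F_BKPF_BUK", "T-X2", "BUKRS", "1000", "",     ""),
    ("Z_FI_DISPLAY", "S_TCODE",    "T-X3", "TCD",   "FB03", "",     ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-X4", "ACTVT", "03",   "",     ""),
    ("Z_FI_WIDE",    "S_TCODE",    "T-X5", "TCD",   "F-*",  "",     ""),
    ("Z_FI_WIDE",    "F_BKPF_BUK", "T-X6", "ACTVT", "*",    "",     ""),
    ("Z_FI_RANGE",   "S_TCODE",    "T-X7", "TCD",   "F-01", "F-05", ""),
    ("Z_FI_RANGE",   "F_BKPF_BUK", "T-X8", "ACTVT", "01",   "03",   ""),
    ("Z_FI_OLD",     "S_TCODE",    "T-X9", "TCD",   "F-02", "",     ""),
    ("Z_FI_OLD",     "F_BKPF_BUK", "T-XA", "ACTVT", "01",   "",     "X"),
    ("Z_TCODE_ONLY", "S_TCODE",    "T-XB", "TCD",   "F-02", "",     ""),
]

# The combination from the question: T-code F-02 plus F_BKPF_BUK / ACTVT / 01.
# The T-code is itself an authorization value: object S_TCODE, field TCD.
COMBINATION = [("S_TCODE", "TCD", "F-02"), ("F_BKPF_BUK", "ACTVT", "01")]


def covers(low, high, wanted):
    """True if one LOW/HIGH entry of a role grants the wanted value."""
    if high:                         # interval LOW..HIGH, compared as characters
        return low <= wanted <= high
    if low.endswith("*"):            # '*' alone or a generic value such as 'F-*'
        return wanted.startswith(low[:-1])
    return low == wanted             # single value


def roles_granting(rows, criteria):
    """Return the roles that satisfy every (OBJECT, FIELD, value) criterion."""
    satisfied = {}                   # role -> set of criteria met so far
    for role, obj, _auth, field, low, high, deleted in rows:
        if deleted == "X":           # assumption: 'X' marks a deleted/inactive entry
            continue
        for crit in criteria:
            c_obj, c_field, c_value = crit
            if (obj, field) == (c_obj, c_field) and covers(low, high, c_value):
                satisfied.setdefault(role, set()).add(crit)
    return sorted(r for r, met in satisfied.items() if met == set(criteria))


if __name__ == "__main__":
    # A hit means the role grants both values. It does not show that F-02
    # actually checks F_BKPF_BUK; the SU24 values in USOBT_C cover that side.
    for role in roles_granting(AGR_1251, COMBINATION):
        print(role)
```

An exact-match query on LOW alone would miss Z_FI_WIDE and Z_FI_RANGE, which grant the same access through a generic value and an interval.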

Similar Messages

  • Securing table group SS / transaction SCC1 and table CCCFLOW

    Hello all,
    I'm relatively new to this forum, please be kind.
    Situation sketch:
    In an SAP landscape, in Development environment, I have 3 clients, in which 500 is the ECC golden client, 510 is for sandboxing and 520 is for testing.
    Problem:
    Developers use tcode SCC1 to transport customizations to another client to be tested again and put on transports eventually.
    For changes they make using SCC1 they require Change (02) authorization on table CCCFLOW (client-copy report logs).
    However this CCCFLOW table is classed under the SS table group, in which all my other important security tables are as well
    (AGR_* etc).
    Question:
    How have you guys secured the SS table group when you still want to provide developers the use of SCC1?
    Regards,

    How about this idea?  Your thoughts and suggestions are appreciated.
    1.  Clone SCC1 to ZSCC1 (SE93)
    2.  For ZSCC1 Remove S_TABU_DIS Auth Check on ACTVT 02(SU24)
    3.  For ZSCC1 Insert S_TABU_NAM Auth Check on CCCFLOW  ACTVT 02(SU24)
    4.  test with a role that allows S_TABU_NAM to CCCFLOW and does not allow S_TABU_DIS to auth grp SS
    This should separate out CCCFLOW from the rest of the SS Auth Group tables.
    Has anyone tried this approach?
    Optionally, Do steps 2 and 3 directly on SCC1, depending on your SAP shop's policy for modifying auth checks on SAP-delivered tcodes.
    BSnow

  • Fire fighter security table download

    Dear Experts,
    After downloading the Fire fighter Security table (/n/virsa/vfat -> Utilities -> Download), it can be opened in Excel and all the passwords can be seen. This is a potential risk in security and authorization. Kindly suggest whether there is any note or correction to get the data downloaded as encrypted itself.
    Or any other suggestions welcome please.
    Thanks and Regards,
    Shiju

    Hello Shiju,
    Just wanted to ask you what role(s) the user has who is downloading and changing the passwords. Are they standard SAP provided or are they custom?
    Role "/VIRSA/VFAT_ROLE_ADMINISTRATOR" has access to "Export" the list and role "/VIRSA/Z_VFAT_ADMINISTRATOR" has access to "change" the password.
    Also, in case you do not want the export function to be available to any user, you may choose not to use these SAP default roles for Firefighter but create your own roles and assign them to the users, where you can define the table maintenance for the "/VIRSA/ZVIRFFPWD" table not to be available to anyone, to restrict this.
    Regards,
    Hersh.

  • Dynamic security using Security table in SSAS Tabular model

    Hi, 
    Platform : SSAS Tabular model (VS 2010)
    I need to apply dynamic security using a Security table (manually created) in the Tabular model, and need to apply the filter for 2 tables. I am able to
    create roles in the Tabular model using the USERNAME() and LOOKUP() functions, and it worked fine. But the problem is that when I am trying to give full access for a particular column and limit the access in another column, it is not working properly.
    Please find the table below and guide me where I am falling short. In the Security table, wherever you find ALL it means full access.
    Security table
    Login Name    | Dim_Country | Dim_Customer |
    DOMAIN\User1  | ALL         | 2            | User1 should see all countries but Only 2,4 Customers
    DOMAIN\User1  | ALL         | 4            |
    DOMAIN\User2  | 2           | ALL          | User2 should see all customers but Only 2,3 countries
    DOMAIN\User2  | 3           | ALL          |
    DOMAIN\User3  | ALL         | ALL          | User3 should see all Customers and Countries
    DOMAIN\User4  | 1           | 3            | User4 should see 1 Country and 3 Customer
    ALL - means NO restriction
    Numeric values indicate the Dimension IDs
    Do let me know if further explanations required.
    Thanks,
    Sundar

    Hi Sundar,
    According to your description, you want to implement dynamic security using Security table in SQL Server Analysis Services Tabular model, right?
    It is very common to have data security implementation in BI projects either at databases or Cubes and sometimes this security implementation and maintenance goes out of control due to the dynamic flow of business information. Here are some links which describe
    dynamic security implementation at SSAS tabular model using an external security table, please see:
    http://bipassion.wordpress.com/2012/10/01/ssas-tabular-dynamic-security/
    http://www.bidn.com/blogs/ChrisSchmidt/ssas/4332/dynamic-security-in-tabular
    Regards,
    Charlie Liao
    TechNet Community Support

  • HR Secured Tables

    Dear All,
    Actually I have to provide table-level security only for all those HR tables which have restricted data and should only be viewed by responsible persons who have the required authorization.
    So if I restrict all tables starting with PA, PB, HRP, HRT, PCLn, will this cover my requirement?
    Regards,
    Anuj jain

    Hi Anuj
    PT* you can add to your list. However, is there a reason for restricting authorizations at table level instead of INFTY level? Normally in the HR module, to restrict users accessing some specific data we restrict at INFTY level but not at table level (Authorization Object P_ORGIN).
    For example, if you want user to restrict for table PA0001, you would have to restrict authorization for INFTY 0001.
    Hope this helps
    Best Regards
    Reddy

  • 5.3 Firefighter Security Table "New" Comments Field

    Since upgrading from 5.2 to 5.3, I noticed that there are new "comments" and sometimes "description" fields throughout the different FF tables.  I decided to test entering data in these fields.  After doing so in the "comments" area of the "Security" section of firefighter, I noticed that the encrypted FF password changed to something else (which was also encrypted).  I tried to invoke the ID where the password had changed and sure enough I received an error that the password was incorrect.  I changed the password back to what it was supposed to be and it appeared to look just like the other encrypted fields (back to normal).  However, now when I use the ID, a message stating that the ID does not exist appears.
    Why did entering data in the "comments" field change the password?  Why do I now get a message that the ID doesn't exist after setting the correct password back up? Has anyone else seen this and is there a fix?
    Greg
    After entering this message, IE gave an error message "Mismatched address - The security certificate presented to you by this website was issued for a different websites address. This problem may indicate an attempt to fool you or intercept any data that you send to the server".  That's why there are three messages for the same posting.
    Edited by: Gregory Cook on Oct 8, 2009 2:58 PM

    There is a problem with the site at the moment, the other 2 copies are deleted. The system automatically sends a nasty mail, don't take it personally
    Back to the real question...
    The reason for this is that the approach to managing the password has changed, but it appears that some misleading error messages are still in the coding.
    The password is no longer set once and decrypted to modify the RFC connection on the fly, but rather at each successful request a new password is generated (albeit using a wrong legacy function module) and used "on the fly" via BAPI_USER_CHANGE and the RFC connection as well.
    This makes it look as if the "Comments" field which is immediately before this generation is changing the password hash... but it's not.
    This prevents the problem of the admin knowing the password - as you have also stated - and the algorithm being reversed (which is generally possible when using two way encryption / decryption functions, as opposed to one-way-hashes on the server side which are more secure).
    The catch is that you now need to set the user's password at each request after successfully generating the password. This procedure in BAPI_USER_CHANGE checks activity '05' of object S_USER_GRP for the FF user's group assignment. If you do not have this authorization yourself, the "on the fly" logon presents a new password to the RFC login screen (the check is remotely disabled so nothing can go wrong...) but the SU01 password has not changed.
    The "fix" is to assign this S_USER_GRP authority very carefully and ensure that the requesting user preferably does not have direct access to SU01, SU01_NAV and BAPI_USER_CHANGE themselves. Also make sure that they do not have authority for the debugger (object S_DEVELOP, even in display mode).
    Cheers,
    Julius

  • Security tables to find T-code, object, field and value combination..

    Hello,
    I have a requirement where I have to scan a role in SAP which has a certain combination
    of T-Code, Object, Field and value.
    For example:
    I need to find all roles in SAP which have the following combination of T-Code, Object, Field and Value:
    T-CODE..........  Object...............Field......Value
    F-02...........F_BKPF_BUK......... ACTVT.......01
    What are the tables on which I can write a query to fetch these kinds of details?
    Thanks.
    Regards,
    Rajesh.

    Hello,
    Please see this: [https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e944e133-0b01-0010-caa2-be2cb240f657].
    Hope this helps.
    Regards.

  • Standard SQL security tables

    Dear all,
      I am using SAP BPC 7.0 MS SP6.
      Can anyone provide reasons how the "IsATeam" column can have an "N" entry in dbo.UserTeamProfileAssign, and how the "Inheritance" column can have an "N" entry in dbo.UserProfile?
    Cheers,
    Lip Chean

    Hi Lip,
    The table, dbo.UserTeamProfileAssign, gives you the list of user IDs and team IDs. If the name is a user ID, then the field, IsATeam, will be N. If the name is team ID, then the field will have a value of Y.
    Hope this helps.

  • Security - Table authorizaton group

    Hello
    The table BF24 and BF34 are SAP standard transactions which access the tables TBE24 and TBE34 respectively (these are Business Transaction Event tables used for the FI and workflow modules).
    By SAP standard these tables TB24 and TB34 are in the &NC& authorization group.
    My question is: Is it OK to change the authorization group from &NC& to BTE (a new auth group which I created for these tables)?
    I can do this using SE54. Please advise and let me know your recommendations.
    Thanks
    Damodar

    Hello Alex,
    As you stated it is OK to change auth group &NC& to BTE (for table TBF24 and TBF34).
    BTE auth group - which I created for this scenario.
    In SE54 - I click on assign auth group for table TBF24 - click on change and check auth group option and in from area type BTE and To area type will be blank and finally click on green check mark.
    Is there anything else I need to do, or is there anything else I am missing here? Please advise and let me know your recommendations.
    Damodar

  • External Table Authentication in OBIEE 11g

    Hi ,
    I have a security table, which contains userid, displayname, group. I have imported the Security table in the Physical Layer. I'm creating session variables based on a condition.
    When I am trying to log into Analytics I am getting an error: invalid username and password. I'm using version 11.1.1.6.0.
    How do I handle external table authentication in OBIEE 11g?
    Regards,
    Malli

    Hi fiaz,
    That link talks about the 10g version.
    Step1: We have imported a security table in the Physical layer.
    Step2: Creating a session variable by selecting an initialization block.
    Select user_name,group from security_table where user_id=':USER' and pwd=':password';
    Step3: Created DISPLAYNAME, GROUP & USER VARIABLES in the edit target window.
    After these modifications I was trying to log in with a new user, which is there in the security table.
    I am getting an error that is invalid user or password.
    Are there any other changes required here?
    Regards,
    Malli
    Edited by: user10675696 on Dec 26, 2012 9:39 PM

  • How to implement row level security?

    Hi all,
    There is a database which is for 3 companies to use, and how do I use row level security to make sure that they can only manipulate their own data? For example, the "employee" table: each company should just see their own employees' information. How do I use a dynamic view to do it?
    Many Thanks
    Amy

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option, I will admit, is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This I have not tried but believe should work.
    Hope one of these options serves your purpose.

  • Can you create a javascript dynamic menu based on security data in oracleDB

    I am looking for a dynamic JavaScript menu that is generated based on the user role. Basically I get the user role from LDAP, and then I have a Security table in an Oracle database that has the permission info, and I want to generate my dynamic menu based on the data in the database table. The table has the following columns:
    private String userId;
    private String security_level; // page level , field level
    private String permission; //CRUD
    private String permissionType; //ALLOW, DENY

    Hello Suzie,
    It is possible but you have "many" ways to do it, since what will happen is the javascript will be generated by an application.
    Are you developing a J2EE application? with or without JSF?
    The best way will be to Google to find a good Javascript menu library, and adapt the generation of it based on the content of your database.
    Regards
    Tugdual Grall

  • Is it possible to edit the table that contains sites with the passwords?

    For certain sites Firefox does not ask to remember the password, therefore this site will not appear in the security-table. By editing the table this problem could be bypassed.

    *Saved Password Editor: https://addons.mozilla.org/firefox/addon/saved-password-editor/

  • DB Adapter wizard – WHERE clause on parent and child tables not working.

    I have two tables, SECURITY and SECURITY_POSITIONS, where SECURITY has a 1:M relationship with SECURITY_POSITIONS. I used the DB-adapter wizard to create the relationship and the following WHERE clause expression which is looking at both the parent and the child tables;
    The expression builder looks like this:
    AND
    |--- 1. partitionKey EQUAL p_SearchKey
    |--- 2. securityType EQUAL “DBT”
    |--- 3. securityPositionsCollection.dealReference EQUAL “NA”
    The primary key on SECURITY = PARTITION_KEY and SECURITY_REFERENCE
    The foreign key from SECURITY_POSITIONS to SECURITY = PARTITION_KEY and SECURITY_REFERENCE
    securityType is on SECURITY table (master)
    securityPositionsCollection.dealReference is on SECURITY_POSITIONS table (child)
    The invoke on the database adapter is selecting a row in securityPositionsCollection for each child row, rather than just those with dealReference = “NA”!
    I turned on DEBUG logging in the BPEL console and I can see that there are 2 SELECT queries run (guess this is how Toplink does it!), where the 1st query appears to select the parent rows and the 2nd query selects the child rows.
    However the 2nd query is not working because it is failing to select only those child rows where dealReference = “NA”. Also, don’t know why the 2nd SELECT query needs to specify the child SECURITY_POSITIONS table twice in the FROM clause, because that seems to be causing the problem.
    1st query executed is as follows;
    SELECT DISTINCT t0.PARTITION_KEY, t0.SECURITY_REFERENCE, t0.SECURITY_TYPE
    FROM CENTRAL.SECURITY t0, CENTRAL.SECURITY_POSITIONS t1
    WHERE ((((t0.PARTITION_KEY = ?) AND (t0.SECURITY_TYPE = ?)) AND (t1.DEAL_REFERENCE = ?)) AND ((t1.SECURITY_REFERENCE = t0.SECURITY_REFERENCE) AND (t1.PARTITION_KEY = t0.PARTITION_KEY)))
    bind => [200706200000, DBT, NA]
    2nd query executed is as follows, where child table appears twice! ;
    SELECT DISTINCT t0.DEAL_REFERENCE, t0.PARTITION_KEY, t0.SECURITY_REFERENCE
    FROM CENTRAL.SECURITY_POSITIONS t0,
    CENTRAL.SECURITY_POSITIONS t2,
    CENTRAL.SECURITY t1
    WHERE ((((t0.SECURITY_REFERENCE = t1.SECURITY_REFERENCE) AND (t0.PARTITION_KEY = t1.PARTITION_KEY)) AND
    (((t1.PARTITION_KEY = ?) AND (t1.SECURITY_TYPE = ?)) AND
    (t2.DEAL_REFERENCE = ?))) AND
    ((t2.SECURITY_REFERENCE = t1.SECURITY_REFERENCE) AND
    (t2.PARTITION_KEY = t1.PARTITION_KEY)))
    bind => [200706200000, DBT, NA]
    Anyone experienced the same problem e.g. why is toplink making the query more complicated than it needs to be, because the query only needs to reference the SECURITY_POSITIONS table once, as follows;
    SELECT DISTINCT t0.DEAL_REFERENCE, t0.PARTITION_KEY, t0.SECURITY_REFERENCE
    FROM CENTRAL.SECURITY_POSITIONS t0,
    CENTRAL.SECURITY t1
    WHERE ((((t0.SECURITY_REFERENCE = t1.SECURITY_REFERENCE) AND (t0.PARTITION_KEY = t1.PARTITION_KEY)) AND
    (((t1.PARTITION_KEY = '200706200000') AND (t1.SECURITY_TYPE = 'DBT')) AND
    (t0.DEAL_REFERENCE = 'NA'))) AND
    ((t0.SECURITY_REFERENCE = t1.SECURITY_REFERENCE) AND
    (t0.PARTITION_KEY = t1.PARTITION_KEY)))

    Hello,
    It looks like you have configured your 1:M relationship to use batch reading. This causes the query to bring in the Security_Position table's objects to use the same selection criteria as was used on the initial query, with a join statement. This is more efficient in most cases as it ensures only the Security_positions needed for the Security objects to be fully built are read, in a single query.
    The selection criteria added is only used to filter out the Security objects. All referenced Security_Positions must be read in for the returned Security objects so that the data matches what is in the database. If you do not want the Security_Positions, you might try using indirection on the mapping which will delay the second query until you need the Security_Positions. Or, if you want only the Security_Positions with dealReference EQUAL “NA", you could do a query specifically to filter on them.
    Best Regards,
    Chris

  • Dynamic where clause, user/row security

    I have two tables:
    create table table1(
    First_name varchar2(12),
    Last_Name varchar2(17),
    Middle_name varchar2(1),
    Cabinet varchar2(2),
    Department varchar2(3),
    Division varchar2(2),
    branch varchar2(2),
    section varchar2(2),
    unit varchar2(2),
    serial varchar2(3),
    job_title varchar2(13),
    other fields......
    create table security(
    USERname VARCHAR2(14),
    FIRST_NAME VARCHAR2(20),
    PER_CABINET VARCHAR2(2),
    PER_DEPT VARCHAR2(3),
    PER_DIVISION VARCHAR2(2),
    PER_BRANCH VARCHAR2(2),
    PER_SECTION VARCHAR2(2),
    PER_UNIT VARCHAR2(2),
    PER_SERIAL VARCHAR2(2),
    other fields....
    ****security table sample data****
    username first_name cabinet dept division branch section unit serial
    username1 firstname1 10 785 05 01 02
    username2 firstname2 32 527 02 03
    username3 firstname3 32 527 02 01
    username4 firstname4 46 546 22 06 05
    username5 firstname5 46 546 27 15 01
    username6 firstname6 10 005 01 01 01 01
    username7 firstname7 10 005 01 01 01 01
    username8 firstname8 10
    username9 firstname9 10 005
    username10 firstname10 10 005 01
    What I would like to do is, based on the values assigned to user in security table, the records from table1 should be fetched.
    For example: (lets say there are 1000 records in table 1 for cabinet 10)
    username8 should be able to see all records pertaining to cabinet 10. (record count=1000)
    Username9 should be able to see all records pertaining to cabinet 10 and dept 005 (record count=800)
    username10 should be able to see all records pertaining to cabinet 10 and dept 005 and division 01 (record count=600)
    username1 should be able to see all records pertaining to cabinet 10 and dept 785 and division 05 and branch 01 and unit 02 (record count=10)
    ....and so on
    To summarize I have to narrow down the number of records a user can see.
    I tried to implement this using set_context each for cabinet, department etc. The problem is some users may not have all the values, so my where clause fails and returns 0 rows.
    example:
    select count(1) from table1 where cabinet=(select per_cabinet from security where username='username1') and department=(select per_dept from security where username='username1') and division=(select per_division from security where username='username1') and branch=(select per_branch from security where username='username1') and section=(select per_section from security where username='username1') and unit=(select per_unit from security where username='username1');
    I would get 0 rows because username1 does not have any value for section.
    A point to keep in mind is that not all users have the same values.
    Any thoughts or ideas on how to resolve my problem? Thanks.

    By set_context, I hope you mean you are using sys_context and VPD/RLS for this filtering. For the filter condition, how about modifying each part in the form:
    unit = nvl((select per_unit from security where username = :username), unit)
    or
    unit = (select nvl(per_unit, unit) from security where username = :username)
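The two NVL forms suggested above, run next to the question's original predicate on a cut-down copy of its tables, as an added example that is not part of the original thread. SQLite with COALESCE stands in for Oracle with NVL, and the table1 rows and the user `nobody` (who has no row in `security`) are constructed; the example goes one step beyond the thread by showing how each form treats such a user.

```python
import sqlite3

# (table1 column, security column) pairs taken from the DDL in the question.
LEVELS = [("cabinet", "per_cabinet"), ("department", "per_dept"),
          ("division", "per_division"), ("branch", "per_branch"),
          ("section", "per_section"), ("unit", "per_unit")]


def where_clause(form):
    """Build the row filter in one of three forms (COALESCE stands in for NVL)."""
    lookup = "FROM security WHERE username = :u"
    parts = []
    for col, per in LEVELS:
        if form == "strict":    # the question's query: col = (select per_col ...)
            parts.append(f"t.{col} = (SELECT {per} {lookup})")
        elif form == "outer":   # col = nvl((select per_col ...), col)
            parts.append(f"t.{col} = COALESCE((SELECT {per} {lookup}), t.{col})")
        else:                   # "inner": col = (select nvl(per_col, col) ...)
            parts.append(f"t.{col} = (SELECT COALESCE({per}, t.{col}) {lookup})")
    return " AND ".join(parts)


def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE table1 (last_name, cabinet, department, division,"
               " branch, section, unit)")
    db.execute("CREATE TABLE security (username, per_cabinet, per_dept,"
               " per_division, per_branch, per_section, per_unit)")
    db.executemany("INSERT INTO table1 VALUES (?,?,?,?,?,?,?)", [
        ("A", "10", "005", "01", "01", "01", "01"),
        ("B", "10", "005", "01", "02", "01", "01"),
        ("C", "10", "005", "02", "01", "01", "01"),
        ("D", "10", "785", "05", "01", "03", "02"),
        ("E", "10", "785", "05", "01", "04", "02"),
        ("F", "10", "785", "05", "01", "04", "03"),
        ("G", "32", "527", "02", "03", "01", "01"),
    ])
    # NULL in a security column means "no restriction at this level".
    db.executemany("INSERT INTO security VALUES (?,?,?,?,?,?,?)", [
        ("username8",  "10", None,  None, None, None, None),
        ("username9",  "10", "005", None, None, None, None),
        ("username10", "10", "005", "01", None, None, None),
        ("username1",  "10", "785", "05", "01", None, "02"),
    ])
    return db


def visible_rows(db, username, form):
    """Number of table1 rows the given user can see under the chosen form."""
    sql = f"SELECT COUNT(*) FROM table1 t WHERE {where_clause(form)}"
    return db.execute(sql, {"u": username}).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    for user in ("username8", "username9", "username10", "username1", "nobody"):
        counts = {f: visible_rows(db, user, f) for f in ("strict", "outer", "inner")}
        print(user, counts)
```

Both NVL forms give the same counts for users listed in `security`, but for a user with no row there the outer form compares each column with itself and returns every row, while the inner form returns none.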
