Setting access rights at component level

I have created a component. The business wants to restrict its use to a certain group of users.
If a user is part of that group, ONLY then the coomponent should be available in sidekick at time of page creation.
How is setting access rights at component level being achieved?

As Jorg stated, Group ACL settings are meant to control access at a page
level.  As he also stated is possible to control access even further, but
with additional effort and difficulty. But, nearly every client wants this
done down to the component level and on a group by group basis.  So, what
I've found, over the years that works is the following:
- Configure the available components per template type per parsys
- Further configure the available components at the group level
For the custom built components, you can remove them at the group level by
un-checking the 'read' ACL on the dialogs for the given component.  You
don't want to un-check read for the whole component because then the users
of that group experience random 'holes' in the content.  But, if you
un-check 'read' for the dialogs, then the component will not display in
Side-kick (at least on 5.4 and prior this is the case).
The only caveat to this is the OOB components.  That is where you will run
into a lot more difficulty.  Those should mostly be enabled/disabled at the
design level for the entire page/parsys.
Hope this helps.
Todd

Similar Messages

  • FSL-02007  Unable to set access rights of saploc.

    Hello,
    I am performing an installation of SAP ERP 6.0 EHP4 on Windows 2008 Server R2 along with MS SQL Server 2005 SP3 on a High Availability cluster.
    I have completed the MS SQL Server 2005 into the first Cluster of MSCS. Performed the moving the MSCS groups of database, SAP and Cluster groups with success.
    I created a shared file: sapmnt under the directory: E:\usr\sap for Everyone, & administrator with full access. The shared file was created as
    SAPCLUSTER\sapmnt.
    Then I started to execute the installation of Central Services Instance for ABAP (ASCS).
    I logged as DECORCENTER.administrator, executed the command sapinst SAPINST_USE_HOST=DECORSAP
    The installation has stopped after an error: 
    WARNING[E] 2010-10-25 16:59:51.285 [synxcfsexp.cpp:158]
               CSyFSExportImpl::setACL(acl)
    FSL-02007  Unable to set access rights of saploc. SetNamedSecurityInfo: This shared resource does not exist.
    Physical hostname of cluster is: SRVSAP01 y SRVSAP02
    The cluster has three group resources:
    ClusterGroup  -> hostname: CLUSTERGROUP
    ClusterSAP     -> hostname:CLUSTERSAP
    ClusterDB       -> hostname: DECCENSAP
    VIRTUAL SERVER -> hostname: DECORSAP
    Let me know what I am doing wrong with this
    Regards,
    Rodolfo
    Edited by: Rodolfo Neuhaus Wiese on Oct 25, 2010 7:26 PM

    Ivan Bronner wrote:
    Hi
    >
    > We tried the installation already with or without sapinst SAPINST_USE_HOSTNAME= "virtual hostname".
    >
    > Ivan
    Hi,
    Could you try to create "saploc" share manually and set share permissions to "Administrators, sap_localadmin" group, with full access? If you tried this before, did you face with a problem?
    You should perform this activity with the same user that you've executed SAPINST
    Best regards,
    Orkun Gedik
    Edited by: Orkun Gedik on Aug 24, 2011 11:33 AM

  • FSL-02007  Unable to set access rights of services.SAPtmp

    Hello everybody,
    I receive this error message(in the subject) when I am trying to install the WAS640 on my Windows XP sp2.
    I tried to start the installation with the "Administrator" account and I receive the same error (I saw in another post that this is a possible solution). My account also has the administrator rights.
    Please help me,
    Thank you very much,
    Doru Sular

    Hi Doru,
    Check that the user that you are performing the installation with has full administration privileges and the following policy privileges:
    Act as part of the operating system
    Increase quotas
    Replace a process level token.
    Another trick can be to take ownership of the file system with the account you are using.
    Regards
    Daniel

  • Access Right for Minimum stock level

    Hi all,
    I would like to know if there is a way to set access right to enalbe or disable user from modify the minimum stock level in the item master data.
    Thank you.
    Regards

    I would like to know if there is a way to set access right to enalbe or disable user from modify the minimum stock level in the item master data.
    as I have said, you can use SP_TN to disable some certain users to modify the minimum inventory level value. here is an example:
    IF @transaction_type IN ('A', 'U') AND
    @Object_type = '4'
    begin
    if exists (SELECT distinct t0.docentry FROM oitm T0 INNER JOIN oUSR T1 ON T1.internal_k
    = t0.usersign
    WHERE isnull(t0.minlevel,'') <> '0' and t1.user_code = 'manager')
    begin
    select @Error = 10, @error_message = 'Min level can not be updated by user manager'
    end
    end
    but I also said that you can use SDK code i.e. SAP B1 addon to disable the users to modify the minimum inventory level field. It is more complicated because you need to use programming language e.g. VB.Net to do that. The programming language will use the B1 DI API as project reference.
    You must have SDK development license to develop such addon.
    JimM

  • How to set user security on dimension levels?

    Hi, there. I am considering setting use access right to specific levels on the branch dimension.
    Suppose there are four companies on level 1 of the branch dimension. I would like to limit users only access their own company.
    How should it be done in share service? Thanks.

    Thanks both.
    However, I encountered another problem. After created users in shared service, I could not see it in
    application even after refresh secutiry.
    Another problem is that I could not apply filters by Essbase administration console. The Edit User/Group access function is disabled.
    Therefore, even I selected a user I could not apply the filter. Does anyone know how to enable the function?
    Thanks in advance.

  • Bpf - package access rights

    Dear Xperts,
    i have created a bpf templete say bpf1 & created instance say my process.
    there are 5 companies for consolidation,for specific user say user1 i have given right of comapny xyz only.
    bpf runs correctly by showing only company xyz in bpf web main menu for user1.
    problem is when i run a package,in criteria selection box requiring to select entity,time,category etc details for running package,it shows all 5 company in entity selection box. so user1 is in position to run package for other company for which it does not have right.
    so can anyone tell me how to greyout entity selection box so that user1 can run only company xyz or is there any way i can set access rights while running package in criteria selection box.also i m working on nw 7.5 version
    thanks
    kashyap.

    Dear Raju,
    i have given secondry admin rights to user1 with bpf excution tasks .
    i was able to allow access to this user only to one company by mentioning his domain name in owner property of entity dimension.
    do i need to make any further changes?
    thanks
    kashyap.

  • Setting Item level access rights on sharepoint list item in ItemAdding event handler

    Hi ,
    I am using sharepoint 2013. I am trying to set item level access rights when a list item is added using the following code snippet,
    public override void ItemAdding(SPItemEventProperties properties)
    base.ItemAdding(properties);
    ConfigureItemSecurity(properties);
    private void ConfigureItemSecurity(SPItemEventProperties properties)
    var item=properties.ListItem;
    SPSecurity.RunWithElevatedPrivileges(delegate()
    using (SPSite site = new SPSite(properties.SiteId))
    using (SPWeb oWeb = site.OpenWeb())
    item.ParentList.BreakRoleInheritance(true);
    oWeb.AllowUnsafeUpdates = true;
    var guestRole = oWeb.RoleDefinitions.GetByType(SPRoleType.Reader);
    var editRole = oWeb.RoleDefinitions.GetByType(SPRoleType.Editor);
    SPGroup HRGroup = oWeb.SiteGroups.Cast<SPGroup>().AsQueryable().FirstOrDefault(g => g.LoginName=="HR Team");
    SPRoleAssignment groupRoleAssignment = new SPRoleAssignment(HRGroup);
    groupRoleAssignment.RoleDefinitionBindings.Add(guestRole);
    SPUserCollection users = oWeb.Users;
    SPFieldUserValueCollection hm = (SPFieldUserValueCollection)item["HiringManager"];
    SPFieldUserValueCollection pm = (SPFieldUserValueCollection)item["ProjectManager"];
    SPFieldUserValueCollection pmChiefs = (SPFieldUserValueCollection)item["ProjectManagerChief"];
    item.BreakRoleInheritance(true);
    item.RoleAssignments.Add(groupRoleAssignment);
    foreach (SPFieldUserValue staffMember in hm)
    SetRightsOnItem(item, staffMember, editRole);
    foreach (SPFieldUserValue staffMember in pm)
    SetRightsOnItem(item, staffMember, guestRole);
    foreach (SPFieldUserValue staffMember in pmChiefs)
    SetRightsOnItem(item, staffMember, guestRole);
    item.Update();
    private void SetRightsOnItem(SPListItem item, SPFieldUserValue staffMember, SPRoleDefinition role)
    SPUser employeeUser = staffMember.User;
    var userRoleAssignment = new SPRoleAssignment(employeeUser);
    userRoleAssignment.RoleDefinitionBindings.Add(role);
    item.RoleAssignments.Add(userRoleAssignment);
    Nothing is happening though... Is the event handler the right place to do this?
    thank you

    Hi ,
    You can refer to the code working in my environment:
    using System;
    using System.Security.Permissions;
    using Microsoft.SharePoint;
    using Microsoft.SharePoint.Utilities;
    using Microsoft.SharePoint.Workflow;
    namespace ItemLevelSecurity.ItemSecurity
    /// <summary>
    /// List Item Events
    /// </summary>
    public class ItemSecurity : SPItemEventReceiver
    /// <summary>
    /// An item was added.
    /// </summary>
    public override void ItemAdded(SPItemEventProperties properties)
    SPSecurity.RunWithElevatedPrivileges(delegate()
    try
    using (SPSite oSPSite = new SPSite(properties.SiteId))
    using (SPWeb oSPWeb = oSPSite.OpenWeb(properties.RelativeWebUrl))
    //get the list item that was created
    SPListItem item = oSPWeb.Lists[properties.ListId].GetItemById(properties.ListItem.ID);
    //get the author user who created the item
    SPFieldUserValue valAuthor = new SPFieldUserValue(properties.Web, item["Created By"].ToString());
    SPUser oAuthor = valAuthor.User;
    //assign read permission to item author
    AssignPermissionsToItem(item,oAuthor,SPRoleType.Reader);
    //update the item
    item.Update();
    base.ItemAdded(properties);
    catch (Exception ex)
    properties.ErrorMessage = ex.Message; properties.Status = SPEventReceiverStatus.CancelWithError;
    properties.Cancel = true;
    public static void AssignPermissionsToItem(SPListItem item, SPPrincipal obj, SPRoleType roleType)
    if (!item.HasUniqueRoleAssignments)
    item.BreakRoleInheritance(false, true);
    SPRoleAssignment roleAssignment = new SPRoleAssignment(obj);
    SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
    roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
    item.RoleAssignments.Add(roleAssignment);
    Thanks,
    Eric
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected].
    Eric Tao
    TechNet Community Support

  • Using PowerShell to set Custom Access Rights on a Calendar Does not set Free/Busy Permissions

    We recently discovered an issue where, if you use Exchange Management Shell to configure custom access rights, the Free/Busy permissions do not get set at all (they remain as "None"):
    $temp = [Microsoft.Exchange.Management.StoreTasks.MailboxFolderAccessRight[]]("ReadItems","EditOwnedItems","DeleteOwnedItems","EditAllItems","DeleteAllItems","FolderVisible")
    Add-MailboxFolderPermission -Identity "conf-company-test:\calendar" -User "Company Calendar Management" -AccessRights $temp
    Add-MailboxFolderPermission -Identity "conf-company-test:\calendar" -User "mpinkston" -AccessRights Editor
    If you use a pre-defined "role" such as Editor given to mpinkston6 in the above example it sets the Free/Busy permission to Full Details. It would appear that using Add-MailboxFolderPermission or Set-MailboxFolderPermission is generic for folder
    objects, and doesn't explicitly set the Free/Busy permissions. In the case of the pre-defined roles either the command is doing something special/different, or the permission checks later accept pre-defined roles for determining Free/Busy permissions. No idea
    which is going on. If Free/Busy permissions can be fixed through PowerShell by some other mechanism/command, that would be great. If not, how do we go about requesting a fix/feature change in Exchange?
    http://technet.microsoft.com/en-us/library/dd298062%28v=exchg.150%29.aspx
    (Please expand Parameters and read AccessRights to get a better understanding for what I'm describing.)

    Did you try adding AvailabilityOnly or LimitedDetails in your $temp variable for Calendar folder? These would set it to "Free/Busy time, subject, location" or "Free/Busy time" respectively....
    Add-MailboxFolderPermission - http://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx
    The following roles apply specifically to calendar folders:
    AvailabilityOnly   View only availability data
    LimitedDetails   View availability data with subject and location
    Amit Tank | Exchange - MVP | Blog:
    exchangeshare.wordpress.com 

  • AD - SunDS 5.2 minumal access rights required to set passwords in DS

    Hi,
    I am doing Identity Integration for one of our clients with MIIS 2003.
    Among other connections we will have:
    MS Active Directory -> Sun DS 5.2
    I have already set up password synchronization pushed out from AD to DS and it works just fine.
    What I need to accomplish though, is to state minimum access requirements for access to DS.
    Client will not give us a user with administrative priveleges so we need to recommend a user with minumum access rights.
    Obviously this user must have a 'write' for userPassword.
    What else?

    I found out the answer:
    Basic access rights resulting from standard SunDS behaviour (from Sun manuals):
    All users have anonymous access to the directory for search, compare, and read operations.
    Bound users can modify their own entry in the directory, but not delete it. They cannot modify the aci, nsroledn,and passwordPolicySubentry attributes, nor any of their resource limit attributes, password policy state attributes or account lockout state attributes.
    In order to be able to synchronize passwords we must have (in addition to standard access rights):
    �Write� access right for �userPassword� attribute for a particular dc.
    In order to make password synchronization more secure, we can limit workstations (by selecting IP pool), which can originate password synchronization.

  • How can we set Admin rights to access all user mailboxes in IMAP server exchange 2010?

    Hi,
    IMAP is in exchange 2010..
    as per guide:
    http://technet.microsoft.com/en-us/library/jj200730%28v=exchg.150%29.aspx
    CSV Files for IMAP Migration Batches`
    Use super-user or administrator credentials.   This requires that you use an account in your IMAP messaging system that has the necessary rights to access all user mailboxes.
    In the CSV file, you use the credentials for this account for each row. To learn whether your IMAP server supports this approach and how to enable it, see the documentation for your IMAP server.
    How can we set Admin rights to access all user mailboxes in IMAP server exchange 2010?
    thanks?

    Hi,
    Do you mean assigning a user full access permission to all other mailboxes? If so, we can try the following command:
    Get-Mailbox -Server “Exchange 2010” | Add-MailboxPermission -User AdminUserName -AccessRights FullAccess
    Thanks,
    Winnie Liang
    TechNet Community Support

  • I'm getting a very low signal from my Blackbird interface. The fire wire connection is selected properly and track recording sliders set. However the recording level slider in the lower right corner is grayed out. How can I get better signal?

    I'm getting a very low signal from my Blackbird interface. The fire wire connection is selected properly and track recording sliders set. However the recording level slider in the lower right corner is grayed out. How can I get better signal?

    If it's slow on startup it would be extensions loading or LaunchDaemons starting up. 
    You should have a look in:
    /Library/LaunchDaemons
    /Library/Extensions
    You can count out anything in your home folder and it shouldn't put anything in /System as that's reserved for Apple. 

  • Set-aduser : Insufficient access rights to perform the operation

    I am a domain admin, enterprise admin, exchange admin, domain user, and others.
    While running a PS on a DC as the administrator, The commands I'm running are ...
    $expdate = get-date -date '01/01/2014'
    set-aduser -identity testmail5 -accountexpirationdate $expdate
    I get the following error ...
    set-aduser : Insufficient access rights to perform the operation
    At line:1 char:1
    + set-aduser -identity testmail5 -accountexpirationdate $expdate
        + CategoryInfo          : NotSpecified: (testmail5:ADUser) [Set-ADUser], ADException
        + FullyQualifiedErrorId : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Comm
       ands.SetADUser
    I then switch to a different DC, the command 'might' work once, but will never run again in the same window.
    Then I tried this ...
    start-process powershell -verb runas
    That gave me an additional PS window, and I then tried running the commands again.
    Same error message.
    So I tried the following command ...
    $expdate = get-date -date '01/01/2014'
    set-aduser -server XXDC03 -identity testmail5 -accountexpirationdate $expdate
    Same error message.
    Is there any way that I can get around this problem?
    Please help.

    Keep in mind that the account used to open the PowerShell session must be the same account you're using to open ADUC. The error message means that Set-ADUser is trying to set the attribute for the account, but it's failing. Make sure to test with multiple
    different accounts, in case the access control list of the object you're trying to modify is the cause of the problem.
    Your PowerShell syntax is valid, so this isn't really a scripting question but a security/directory services question.
    -- Bill Stewart [Bill_Stewart]

  • Set Article which control batch and serial number at component level

    Dear experts,
    I have some concern about set article as  the requirement for sale set my company would like to control inventory at component level and at the component level we required to control batch and serial number.
    So, when posting GR of sale set article system will auto split material to control inventory at component level with MVT 319 and in this step should possible to manual define serial number for component.
    Example
    Header Sale Set A  (Activate valuation type)
    Comp1 : B (Activate serial number and control serial number during GR ref PO , control Batch)
    Comp2 : C (Control Batch)
    GR : Header Sale Set A
    Expected Solution : System should automatic to split to comp1 and comp2 , for Comp1 B will require to input serial number.
    Fact : During testing, system auto split to comp1 and comp2 for comp1 I can input serial number but after save the serial number that I input are gone.
    I 'm not sure that for set article can we control serial number at component level? If anyone have the expereince in this. Please help ?
    Best Regards,
    Kate

    Dear experts,
    I have some concern about set article as  the requirement for sale set my company would like to control inventory at component level and at the component level we required to control batch and serial number.
    So, when posting GR of sale set article system will auto split material to control inventory at component level with MVT 319 and in this step should possible to manual define serial number for component.
    Example
    Header Sale Set A  (Activate valuation type)
    Comp1 : B (Activate serial number and control serial number during GR ref PO , control Batch)
    Comp2 : C (Control Batch)
    GR : Header Sale Set A
    Expected Solution : System should automatic to split to comp1 and comp2 , for Comp1 B will require to input serial number.
    Fact : During testing, system auto split to comp1 and comp2 for comp1 I can input serial number but after save the serial number that I input are gone.
    I 'm not sure that for set article can we control serial number at component level? If anyone have the expereince in this. Please help ?
    Best Regards,
    Kate

  • Change component level special stock indicator for Purchase Ord-through CIF

    Hai,
    my requirement is to change the the spoecial stock indicator at the component level for the PO .
    The purchase reqqusition is available in APO system.At the time converiosn to PO, the PO will get created in R/3 through CIF.
    When the Purchase Order is getting saved in R/3 then I need to check the component level Special stock indicator(SOBKZ) & I need change its value.
    I am currently using the user exit 'EXIT_SAPLCPUR_001' to change the same.in this user exit, I am changing the component level SOBKZ in the table IT_INPUT & I am also setting X in IT_INPUTX table.
    But the changes are not reflecting in the newly created PO.It always shows the value 'E' for SOBKZ.
    can any one tell me is this the right user exit to change the above value? if yes please expalin me in rdetail on how to change this.
    Thanks,
    Bhaskar.

    Hai Saurabh,
    I have tried changing the CP_POSITION-SOBKZ field in the user exit EXIT_SAPLMEPI_006.This one changes the SOBKZ of the item of PO i.e, the change reflects in EKPO table.
    What I am looking for is to change the Component level SOBKZ of the ITEM of the PO.The change reflects in RESB-sobkz table.
    I think,  In the User exit EXIT_SAPLCPUR_001, the field IT_INPUT-SP_STK_IND is meant for this.But this is not working.
    Please inform me how the RESB-SOBKZ can be changed?
    Thanks,
    Bhaskar

  • How do I grant non-logged in user access to application component?

    I want to make the customization page for a report available on
    our portal available to users without them having to log on to
    our portal. I thought I set up the access rights to the
    application component correctly, but the link takes them to the
    login screen instead of the customization page. Can anyone give
    me an idea of what I may have set wrong?

    Hi Greggor,
    You say they are still logged in after a restart?? if you open task manager and look under users are the session aside yours listed?
    Thanks,
    Adam

Maybe you are looking for

  • Can't get it working - just want to view another desktop on my home network

    I need to be able to view (not control) the desktop of my PowerMac that is connected to my Zoom DSL modem in another room. I want to view that desktop from my MacBook Pro connected wirelessly to the modem. The PowerMac is running Mac OS X 10.3.9. The

  • My Apple ID and password are not being accepted by my iphone?  I have reset and reset these items but to no avail!  Thanks

    I have tried and tried to reset my Apple ID and password and on each web page (under Itunes) it has shown that the information was completely reset and no problems were noticed.  When I have put this information into my iphone 4 in order to download

  • Found IDoc documentation : which IDoc will made what I need ?

    Hello all, I know that the Idoc DEBMAS06 can be used to create a customer. But if I haven't this IDOC name ? If I need to create customers and I want find if an IDoc exists : where can I get this information ? I  searched in help.sap.com, sap marketp

  • Copy-paste not proper

    When I copy paste objects as a block (not one by one) in UI it paste all objects into the left top corner as a pile and lose the location data of the original objects. Is it normal or, do I mis anything. thanks;

  • Oops in abap

    •     Create an ABAP program (e.g. an executable program). •     Define a (local) class CL_FLIGHT_DATA that cannot be instantiated outside the class and contains a private internal table attribute of line type SPFLI, which is filled during instance c