SSM KPI Security:Restricting the measures to Users

Similar Messages

• How  we can restrict the Measurements in the Archtecture View

  Hi Experts,
  Ex: In the AV main Object Measurents:              Floor Area 10000 m2 
                                                                         Green Area 10000 m2
        In the subordinate Objects :                         Floor Area above 10000m2 is accepting
                                                                         Green Area above 10000 m2 is accepting
  Please guide me how and where we can restrict the measurements. 
  Thanks in advance,
  Jai

  Hi Jayakar,
  You can try this..
  As per your example,
  Create two measurement type:-
  1. A100    Floor Area
  2. A200    Green Area
  Goto  SPRO
  Architecutral View>Architecutral Object Type->Specifiy Measurement Type per Architecutral Object Type
  For Main Object assign A100 and A200 measurement types
  and For subordinate Objects  assign only A100.
  Or you need to look for BADI's

• How to restrict the EBS end users to run only two same reports at a time?

  Hi,
  We are using EBS 12.0.6 and database 10.2.0.3.
  Is it possible to restrict the end business users to run only two reports at a time?
  OR
  Is it possible to restrict the end business users to run only two same reports at a time?
  Thanks.

  Is it possible to restrict the end business users to run only two same reports at a time?It is not possible.
  You can either make the report "incompatible" to itself (this means only one user in your company can run it at a time)
  Or not make it incompatible. (That means any user can run it any number of times)
  Incompatibility is a way of specifying which requests cannot be run under which circumstances.
  See http://download.oracle.com/docs/cd/A60725_05/html/comnls/us/fnd/incomp.htm
  You can use Hussain's suggestion to use Concurrent: Active Request Limit profile. You can set this profile value at each user level. But if you decide to set it at global level, remember to keep it a higher value for sysadmin kind of users that run scheduled jobs.
  Hope this helps,
  Sandeep Gandhi

• Restrict the number of users logging onto the JAVA engine

  hi
  IS it possible to restrict the number of users logging on the JAVA Engine, if YES, how ?
  Thanks
  Jonu Joy

  Thanks for the replies, here's a little more info...
  We're working on project which allows a company to buy user licenses to access our portal.  So if a company has bought 5 licenses, the 6th user for that company will not be able to login.
  *Note: We treat each Access Key in the portal as a company.
  The way we determine if the user belongs to a company is by the AccessKey that is assigned to that user. We're not depending on IP addresses at all.
  Hope this clears the issue !
  I think we'll have to write some custom code to accomplish this.
  Thanks,
  harman

• Restrict the role of User Administrator

  Hello all,
  I need to know that if it is possible to restrict the Role of an User Administrator to assign only a specific set of Roles to the end user.
  For example : The user administrator should be able to assign only say Managers, Employees Roles to the Users and not any other roles like Super Administrators etc.
  If so, how can we achieve that?
  Regards
  Avik

  There is a authorization object (combined with a parameter) that does this restriction:
  S_SPO_PAGE
  Definition
  Using authorization object S_SPO_PAGE, you can restrict the maximum number of pages of a request that can be printed on a particular printer.
  This authorization check is only active if profile parameter rspo/auth/pagelimit is set to 1.
  Defined fields
  SPODEVICE       Device name for which the restriction is to apply.
  SPOPAGES        Maximum number of pages allowed; enter a range (0 to n) here

• Restricting the IT0002 for user

  Hello,
  I am trying to restrict the infotype 0002 for certain group of users
  with same role.
  I took out Infotype 0002 from PORIGINCON Auth obj for Infotype field.
  When I login with test user and went back to PA20.
  I still can see the personal data information including Dob and SSCno.
  I also see message  "Data hidden by screen modifications
  Message no. RP014"
  Diagnosis
  This infotype contains data which is not displayed.
  In table T588M (Infotype Screen Control), you can enter screen fields which are to be suppressed. If one of these fields contains an entry, the system issues a warning.This has no effect on evaluations.
  How can restrict the Infotypes 0002 and 0000 ?
  Please advise.
  From,
  PT.

  in order to restrict access to IT0000 & IT0002 you have a look at the P_ORGINCON objects as Auke has mentioned above. 
  the message you see has to do with usergroup specific settings. for example the information you see in IT0002 may differ per country and therefore you can set the different fields to be seen in the infotype in T588M per usergroup (UGR parameter).

• How to Restrict the users in oracle applications

  Hi,
  I want to Restrict the users in oracle applications without using database
  can any one please expalin me how to resttrict the users using middletier
  Thanks
  Gita

  HI srini ,
  my application version 12.0.4 and database is 10.2.0.4
  and i want to restrict the No of users
  exp i have have 500 users and i want restrict to 100 only
  how can i do that please explain
  Thanks,
  Sudheer

• Defining Authorizations for User to restrict the data in report.

  Hi Gurus,
  I have no idea on authorization concept in BI. Please give me anyone steps to creating authorization objects, roles and profiles to restrict the data for users.
  Ex.
  i have functinal location info object checked as authorization relavent with below data.
  FL001
  FL002
  FL003
  FL004
  FL005
  FL006
  FL007
  FL008
  FL009
  We have users like below.
  User1
  User2
  User3
  Now, if User1 is analysing a report he can see only FL001, FL005, FL009 only, remaining have to be omited.
  If User2 is analysing that report he can see only FL002, FL003, FL009. And like wise.
  So, Please help me providing the completed steps. I have done somting but failed.
  Thanks in advance
  Peter.

  Hello Peter,
  Please go through the following links
  Authorization :
  http://help.sap.com/saphelp_nw70/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
  SAP Authorization Concept :
  http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
  Thanks.
  With regrads,
  Anand Kumar

• How to restrict the FBL5N (user wise restriction)

  Hi experts
  I want to restrict the FBL5N TCODE user wise.
  In FBL5N one parameter is there Serch Help ID In serch help id when we select Customers per sales group
  we see Sales office and Sales group .If we select sales grop and execute it report gives op under sales group.
  My requirment is restrict the sales group or sales office for user wise.(if 5 sales office and 3 user id is there then,i want to give one user id for 2 sales office  and if enter another sales office then he cant show the data)
  THANKS
  AJAY.

  Hi Ajay,
  I am not quite sure if it is recommended to tweak standard elementary search help. However, I would suggest you to create your own search help and attach it to the standard collective search help as an append search help.
  You can write what so ever logic the business demands in that custom search help exit there by restricting the entries that gets displayed as a result of value help.
  Hope this gives you a brief idea on how to proceed.
  Regards,
  Hemanth

• Limiting the number of users/connections

  We currently have a very large user community (120000)who will be accessing the portal for ESS/MSS functionality.
  We would like to limit the number of users to around 20000. Any more connections should get a nice error message (rather than a standard IE no more connections or a time out message).
  We can obviously throttle the number of connections via the load balancer or via max connections in unix. Is there any method in the Portal itself, that will automatically direct the users to a seperate web page in the event of pre determined number of users/connections being reached.
  I have search high and low but can't find a solution.
  Thanks in advance
  Fenton

  Hi Tim,
  No, there is nothing like this as a standard functionality within the portal. Similar requests are regulary asked on SDN (like: restrict the number of users logging in as you ask, restrict the number of parallel logins of one user, and things like this).
  A possibility would be to implement your own login module which tries to check how many users are online. All techniques - independent if on portal or on WAS side - that try to count this have the problem that they cannot be sure who is "online" as you have no definite information if a user is online or not; one can only use more or less heuristic methods.
  Hope it helps
  Detlev

• Limiting the no. of users for a particular application in Portal?

  Hi,
  I want to know how this can be done. Following is the requirement:
  1)I have an iView in Portal which is showing some BSP appliation. Now i want to restrict the no of users to only 600 for that particular iView only i.e. even though our portal can have 1000 concurrent users but if 600 concurrent users are already accessing that particular BSP iview, then the 601th user will not be allowed to access that iView & still browse around in portal. So whenevr any user goes out of the BSP application & the values goes less than 600, then only new users can go in.
  2) same req as above but for diff kind of iviews i.e. PAR based, WebDynpro etc.
  one thing i would like to clear is that the figure of 1000 is actually the portal session & the figure of 600 comes from the Backend sessions.So if the backend seesion through portal reaches 600, i have to stop showing the application,& instead show some message..
  Any kind of ideas are welcome..
  Regards
  Gaurav
  Message was edited by: Gaurav Gandhi

  Hi Gaurav,
  > HttpSession by an HttpSessionBindingListener,
  > reacting on valueUnbound
  Google is your friend
  See http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSessionBindingListener.html and http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html - explanation at the class definition as well as for setAttribute.
  > if i develop something like a proxy, i would be a very
  > probability that with all these manipulation, the
  > final iView loading will take time & it will be slow
  No. You would have to define the iView as URLIsolated and then redirect by using request.redirect(destinationString) to the original component, passing the parameters as request parameters to the destinationString.
  We are just in contact with SAP why the J2EE RequestDispatcher does not work to include and if there at least is a workaround for embedded iViews.
  All your proxy iView would do is getting the HttpSession, putting the session (or it's ID) in a static HashSet, registering by this (implementing HttpSessionBindingListener) through setAttribute to the session, reacting on valueUnbound (removing the session/ID from the HashSet) and counting the number of members in the static HashSet. I think this will need about 20 ms (plus redirect).
  Hope it helps
  Detlev

• How to restrict the user(Schema) from deleting the data from a table

  Hi All,
  I have scenario here.
  I want to know how to restrict a user(Schema) from deleting the values from a table created in the same schema.
  Below is the example.
  I have created a table employee in abc schema which has two values.
  EMPLOYEE
  ABC
  XYZ
  In the above scenario the abc user can only fire select query on the EMPLOYEE table.
  SELECT * FROM EMPLOYEE;
  He should not be able to use any other DML commands on that table.
  If he uses then Insufficient privileges error should be thrown.
  Can anyone please help me out on this.

  Hi,
  kumar0828 wrote:
  Hi Frank,
  Thanks for the reply.
  Can you please elaborate on how to add policies for a table for just firing a select DML statement on table.See the SQL Packages and Types manual first. It has examples. You can also search the web for examples. This is sometimes called "Virtual Private Database" or VPD.
  If you have problems, post a specific question here. Include CREATE TABLE and INSERT statements to create a table as it exists before the policies go into effect, the PL/SQL code to create the policies, and additonal DML statements that will be affected by the policies. Show what the table should contain after each of those DML statements.
  Always say which version of Oracle you're using. Confirm that you have Enterprise Edition.
  See the forum FAQ {message:id=9360002}
  The basic idea behind row-level security is that it generates a string that is automatically added to SELECT and/or DML statement WHERE clauses. For example, if user ABC is only allowed to query a table on Sunday, then you might write a function that returns the string
  USER  != 'ABC'
  OR      TO_CHAR (SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN'So whenever any user says
  SELECT  *
  FROM    table_x
  ;what actually runs is:
  SELECT  *
  FROM    table_x
  WHERE   USER  != 'ABC'
  OR      TO_CHAR (SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') = 'SUN'
  ;If you want to prevent any user from deleting rows, then the policy function can return just this string
  0 = 1Then, if somone says
  DELETE  employee
  ;what actually gets run is
  DELETE  employee
  WHERE   0 = 1
  ;No error will be raised, but no rows will be deleted.
  Once again, it would be simpler, more efficient, more robust and easier to maintain if you just created the table in a different schema, and not give DELETE privileges.
  Edited by: Frank Kulash on Nov 2, 2012 10:26 AM
  I just saw the previous response, which makes some additional good points (e.g., a user can always TRUNCATE his own tables). ALso, if user ABC applies a security policy to the table, then user ABC can also remove the policy, so if you really want to prevent user ABC from deleting rows, no matter how hard the user tries, then you need to create the policies in a different schema. If you're creating things in a different schema, then you might as well create the table in a different schema.

• Restrict the user   based on document type on migo transaction-prepare GRN

  Hi,
  We are running ECC6.0 R/3 system.We had a requirement as follows
  In MIGO transaction , we want to restrict the user on document type i.e. we want that a particular user can  prepare GRN for document type  STO only. He cannot prepare GRN for other document type.
  We checked  SU24->maintain check indicators for transaction codes->enter migo->execute->check indicator.This returned us the authorisation objects present in Migo transaction.We checked the help of all these objects,but none of them we found suitable for above mentioned requirement.We were planning to find out the proper authorisation object to add to Profile generater.
  The following is the objects which we have checked for.
  A_B_ANLKL-->     Asset Postings: Company Code/Asset Class
  A_B_BWART-->     Asset Postings: Asset Class/Transaction Type
  B_USERSTAT-->     Status Management: Set/Delete User Status
  B_USERST_T-->     Status Management: Set/Delete User Status using Process
  C_AFKO_AWK-->     CIM: Plant for order type of order
  C_CACL_DSG-->     Interface Design
  C_DRAW_BGR-->     Authorization for authorization groups
  C_DRAW_DOK-->     Authorization for document access
  C_DRAW_TCD-->     Authorization for document activities
  C_DRAW_TCS-->     Status-Dependent Authorizations for Documents
  C_KLAH_BKP-->     Authorization for Class Maintenance
  C_STUE_BER-->     CS BOM Authorizations
  C_STUE_WRK-->     CS BOM Plant (Plant Assignments)
  C_TCLA_BKA-->     Authorization for Class Types
  C_TCLS_BER-->     Authorization for Org. Areas in Classification System
  C_TCLS_MNT-->     Authorization for Characteristics of Org. Area
  F_BKPF_BUK-->     Accounting Document: Authorization for Company Codes
  F_BKPF_BUP-->     Accounting Document: Authorization for Posting Periods
  F_BKPF_KOA-->     Accounting Document: Authorization for Account Types
  F_FICA_FOG-->     Funds Management: authorization group of fund
  F_FICA_FSG-->     Funds Management: authorization group for the funds center
  F_FICB_FKR-->     Cash Budget Management/Funds Management FM Area
  F_KNA1_APP-->     Customer: Application Authorization
  F_LFA1_APP-->     Vendor: Application Authorization
  F_SKA1_BUK-->     G/L Account: Authorization for Company Codes
  G_GLTP  -->       Spec. Purpose Ledger Database (Ledger, Record Type, 
                                 Version)
  J_1IDEP_SL-->     Authorization object for depot sale transaction
  J_1IEXC_OT-->     Authorization object for Other Excise Invoice Create
  J_1IEX_PST-->     Autorization object for posting Other Excise invoice
  J_1IGRPT1-->     Auth. for PART1 at GR
  J_1IINEX  -->            Incoming Excise Invoice
  J_1IRG23D-->     Authorisation object for Depo Transactions
  K_CCA-->                     CO-CCA:  Gen. Authorization Object for Cost Center 
                                  Accounting
  K_CSKS     -->                CO-CCA:  Cost Center Master
  K_CSKS_SET-->     CO-CCA: Cost Center Groups
  K_PCA-->                    EC-PCA: Responsibility Area, Profit Center
  L_TCODE-->                    Transaction Codes in the Warehouse Management System
  M_ANFR_BSA-->     Document Type in RFQ
  M_ANFR_EKG-->     Purchasing Group in RFQ
  M_ANFR_EKO-->     Purchasing Organization in RFQ
  M_ANFR_WRK-->     Plant in RFQ
  M_BEST_BSA-->     Document Type in Purchase Order
  M_BEST_EKG-->     Purchasing Group in Purchase Order
  M_BEST_EKO-->     Purchasing Organization in Purchase Order
  M_BEST_WRK-->     Plant in Purchase Order
  M_MATE_CHG-->     Material Master: Batches/Trading Units
  M_MATE_STA-->     Material Master: Maintenance Statuses
  M_MATE_WRK-->     Material Master: Plants
  M_MRES_BWA-->     Reservations: Movement Type
  M_MRES_WWA-->     Reservations: Plant
  M_MSEG_BMB     -->Material Documents: Movement Type
  M_MSEG_BWA-->     Goods Movements: Movement Type
  M_MSEG_BWE-->     Goods Receipt for Purchase Order: Movement Type
  M_MSEG_BWF-->     Goods Receipt for Production Order: Movement Type
  M_MSEG_LGO-->     Goods Movements: Storage Location
  M_MSEG_WMB-->     Material Documents: Plant
  M_MSEG_WWA-->     Goods Movements: Plant
  M_MSEG_WWE-->     Goods Receipt for Purchase Order: Plant
  M_MSEG_WWF-->     Goods Receipt for Production Order: Plant
  M_RAHM_BSA-->     Document Type in Outline Agreement
  M_RAHM_EKG-->     Purchasing Group in Outline Agreement
  M_RAHM_EKO-->     Purchasing Organization in Outline Agreement
  M_RAHM_WRK-->     Plant in Outline Agreement
  Q_TCODE     QM -->         Transaction Authorization
  S_ADMI_FCD-->     System Authorizations
  S_ALV_LAYO-->     ALV Standard Layout
  S_BDS_DS-->     BC-SRV-KPR-BDS: Authorizations for Document Set
  S_BTCH_ADM-->     Background Processing: Background Administrator
  S_BTCH_JOB-->     Background Processing: Operations on Background Jobs
  S_CTS_ADMI-->     Administration Functions in Change and Transport System
  S_DATASET-->     Authorization for file access
  S_DEVELOP-->     ABAP Workbench
  S_DOKU_AUT-->     SE61 Documentation Maintenance Authorization
  S_GUI-->                     Authorization for GUI activities
  S_OC_DOC-->     SAPoffice: Authorization for an Activity with Documents
  S_OC_ROLE-->     SAPoffice: Office User Attribute
  S_OC_SEND-->     Authorization Object for Sending
  S_PACKSTRU-->     Internal SAP Use: Package Structure
  S_PRO_AUTH-->     IMG: New authorizations for projects
  S_RFC-->                     Authorization Check for RFC Access
  S_SCD0     -->                Change documents
  S_SPO_DEV-->     Spool: Device authorizations
  S_TABU_DIS-->     Table Maintenance (via standard tools such as SM30)
  S_TCODE     -->                Transaction Code Check at Transaction Start
  S_TRANSLAT-->     Translation environment authorization object
  S_TRANSPRT-->     Transport Organizer
  S_WFAR_OBJ-->     ArchiveLink: Authorizations for access to documents
  V_LIKP_VST-->Delivery: Authorization for Shipping Points
  V_VBAK_AAT-->Sales Document: Authorization for Sales Document Types
  V_VBAK_VKO-->Sales Document: Authorization for Sales Areas

  Have you executed a trace while a functional user executes the transaction code for the specific parameters? (i.e. document type). The trace will then show which objects are being checked; then look at the object documentation in txn Su21 to determine if there are any ways to restrict on the particular value; in some cases, if the authorization group field is being checked, additional configuration is needed in order to implement the security (Su21 will explain in detail for the particular object).

• How to restrict the Request and Response process in that cookies should be Secure way SAP Portal 7.0 ?

  Dear Experts,
  Please any one can help me i am getting one security issue.Some third party tools using and hacking the Request and Response of the Server.That time there taking one successfully Request (GET http://1.1 302 found)   and Response (http://1.1 200 ok).In this request based on again there giving some invalidate credential in that time server giving request replacing for success fully Request that time there login in to portal successfully(Bypassing).In this Request level only getting the information for URL and set-cookies only.Here any process is there to restrict the set cookies.like JSESSIONMARKID and JSESSIONID SAP_LB.
  We are using 7.0 Version and SP 12. Please share you are solutions because of this is very high problem here.
  Thanks for Advance
  Thanks and regrades,
  Durga Rao. 

  Dear Samuli,
  Thanks for the Replay,
  We are using HTTPS and SSL confined but man in the middle types of attack is happening here there using one tool based one there taking the Request and Response.The below given cookie are available in that request.
  According to this , set-cookie: JSESSIONMARKID , JSESSIONID and MYSAPSSO2 values are user login time it will change every time  are not.
  After  capturing above response HTTP/1.1 302 etc , when user gives valid credentials and logs in ,
  and now ill give wrong password and wrong user id and on click of log on button, i can intercept the request and response coming from the server and when i replace this valid response stil i am able to loggin in to the portal , which should not happen as JESSIONMARKID is changed , server should not allow , but it is loggin in.Standard Login page also allowing to login in this case.
  My server version is EP 7.0 SP 12.
  Please suggest a solution so that if we restric the hacker at this stage , no matter he can never hijack the sesiona and login  with invalid username and  password.
  Thanks for Advance
  Thanks and regrades,
  Durga Rao.

• How to Restrict the users from changing the Default variant of report.

  Hello everybody,
  The requirement is to restrict the users to save and overwrite  the default layout variant (Layout for higher managenet)set for the report, but at the same time they should be able to change and save the other layouts for which they are having access.
  I have written the logic in the program which is working fine for all the scenario when we execute the report. But the logic doesnt work if the user is selecting the layout on the output screen of the report.
  for e.g if the user runs the report using the layout varaint for which he is having the authorization then he gets the all 4 options so he then he can select the layout for which he is not authorized and he can overwrite.
  i have debugged and check as i have found that after the report output is shown all the layout paramater is controllled by the statndard SAP objects.
  Can anyone help me out in this issue.
  Thankyou in advance.
  *to get the default layout variant.
    w_save = 'A'.
    if p_vari is initial.
      clear disvariant.
      disvariant-report = sy-repid.
      w_variant = disvariant.
      call function 'REUSE_ALV_VARIANT_DEFAULT_GET'
        exporting
          i_save     = w_save
        changing
          cs_variant = w_variant
        exceptions
          not_found  = 2.
      if sy-subrc = 0.
        p_vari = w_variant-variant.
      endif.
    endif.
  *logic to check user authorization to change the layout setting.
    if p_vari = c_layout.
      if not sy-uname is initial.
        select single * from agr_users
                where agr_name = c_role
                and   uname    = sy-uname.
        if sy-subrc = 0.
          w_save = 'A'.
        else.
          w_save = ' '.
        endif.
      endif.
    endif.
  Regards,
  Satish.

  Hi Maine,
  Thanks for your reply.
  As you mentioned for your own program, you can control the parameter "I_SAVE", when calling "REUSE_ALV_GRID_DISPLAY".
  so already i have use the same logic and control the parameter through I_SAVE and here i am calling method ALV_GRID->SET_TABLE_FOR_FIRST_DISPLAY instead of "REUSE_ALV_GRID_DISPLAY".
  and it works fine when we execute the report but the logic doesnt work when the user tries to change and save the layout variant on the output screen of the report.
  Regards,
  Satish