Structural authorization setup for departments
Hello all,
We are trying to figure out the best way of setting up structural authorizations for the following scenario. I appreciate your input on this.
We have a 'Purchasing department' headed by a Vice President. Under him are two Purchasing Managers, and we have executives reporting to the purchasing managers. We would want to make the 'Purchasing department' one organizational unit. However, in structural authorization, what is the best way to restrict the purchasing managers assigned to the same organizational unit such that they do not access executives that report to other managers? We thought of using position to position; however, we heard that SAP standard roles delivered in areas such as MSS are organizational-unit driven and not position driven.
Instead of creating multiple organizational units and controlling the structural authorization through them, what would be the easiest way in this scenario?
Thanks,
Girish
Hi
Normally I would prefer using separate org units here, but as I understand your requirement, that's not an option.
I would advise against building this on positions, but what can be done is:
1. Create a new relation (or find an existing one) in HR describing the reporting relation between the Purchasing managers and the executives.
2. Create an evaluation path (Transaction OOAW) defining the path from the purchasing managers to the executives.
3. Now you can create a structural profile using this evaluation path.
Regards
Morten Nielsen
Similar Messages
Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets
Hello All,
I am trying to create a user so that he can only run the commands I have designated within my "Shell Command Authorization Set". This seems to work great; however, I cannot find anywhere to "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option in ACS to only display the commands the user has access to.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell Command Authorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Configured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Privilege level is checked with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documentation I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624
"You are testing with privilege level 15 or below 15. When you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see the debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
Correct me if I am wrong."
Regards
Vamsi -
Shell Command Authorization Sets ACS
Hi, I followed this guide step by step: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
but still all my users can use all the commands.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R3
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login milista group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
memory-size iomem 5
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
username admin privilege 15 secret 5 $1$CS17$3oeNpzTvJAyZTvOUP2qyB1
archive
log config
hidekeys
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
no ip address
shutdown
clock rate 2000000
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1
ip address 20.20.20.2 255.255.255.252
clock rate 2000000
interface Serial0/2
no ip address
shutdown
clock rate 2000000
interface Serial0/3
no ip address
shutdown
clock rate 2000000
router eigrp 1
network 20.0.0.0
network 192.168.20.0
no auto-summary
ip forward-protocol nd
no ip http server
no ip http secure-server
tacacs-server host 192.168.20.2 key cisco
control-plane
line con 0
exec-timeout 0 0
logging synchronous
login authentication milista
line aux 0
line vty 0 4
end
I copied the authorization commands from the Cisco forum and followed the steps, but nothing: all my users have full access to all commands.
Here's my shared profile:
Name ------------- admin jr
Description --------- for jr admin
Unmatched commands ------- ( ) permit (x) deny
Permit unmatched args ( )
enable
show -------------------------- permit version<cr>
permit running-config<cr>
Then I add this profile to group 2 and then I add my user to group 2.
Then I log in to the router with the user and I can still use ALL the commands. I don't know what I am doing wrong, any idea?
Can you give me, if you can, a guide to set up authorization with ACS? I can't find any good guide; Jeremy from CBT gives an example but just for authentication. I am lost; I have been battling with this problem since Wednesday without luck.
"You are testing with privilege level 15 or below 15. When you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see the debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
Correct me if I am wrong."
Regards
Vamsi -
Shell Command Authorization Sets for device using NDGs??
Hello. I have NDGs configured; there is a group called "GR1" with 30 switches.
This group is set up with a Shell Command Authorization Set called "Monitoring", in which only show commands, ping and traceroute are allowed.
I want to let users configure certain interfaces and IP addresses on only 10 of the switches in group "GR1", but not on the others. Note: the interface numbers are not the same on each switch; on one it can be Fa0/1, but on others it may be Fa0/3, etc.
I want to keep these 10 switches within the group "GR1". Is it possible to make this configuration?
Thanks
I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user, group or NDG level. More details are mentioned on the following link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610
AFAIR, one device (AAA client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization Sets, unless you break up the NDG into more than one NDG.
You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achieve your requirement.
You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands to level 7. All other users would be assigned a lower level (e.g. level 5), so they won't be able to run these commands.
Regards
Farrukh -
Hi All,
Our client has a specific requirement for controlling Structural Authorization.
When we create a structural profile, we have the parameter 'Period', which can have the following values:
Setting Period of Responsibility
<BLANK> ( = all) 01.01.1800 - 31.12.9999
D ( = key date) no period
M ( = current month): no period
Y ( = current year): no period
P ( = past): 01.01.1800 - today
F ( = future): today - 31.12.9999
We have the requirement to control the authorization on FISCAL YEAR based i.e the period should be current fiscal year ( April to March ).
Can we achieve this through any exit, BAdI or enhancement? Any hint on this will be helpful.
Regards,
Dadarao.
Hi,
When you configure structural authorization profiles you can use a function module to select objects. There you can create the logic that you need. Please check the following existing modules:
RH_GET_MANAGER_ASSIGNMENT (Determine organizational units for manager)
RH_GET_ORG_ASSIGNMENT (Organizational assignment)
Cheers -
While trying to sync with my iPhone I receive the message: This computer is no longer authorized for apps that are installed on the iPhone “Terri George’s iPhone”. Would you like to authorize this computer for items purchased from the iTunes Store? When I put in my password and hit authorize, I get a message telling me there was an unknown error (-50). Would love to sync today. Any help would be appreciated.
The -50 error is documented in this article:
iTunes: Specific update-and-restore error messages and advanced troubleshooting
Here is a synopsis:
Error 13, 14, 35 and 50 (or -50)
These errors are typically resolved by performing one or more of the steps listed below:
Perform USB isolation troubleshooting, including trying a different USB port directly on the computer. See the advanced steps below for USB troubleshooting.
Put a USB 2.0 hub between the device and the computer.
Try a different USB 30-pin dock-connector cable.
Eliminate third-party security software conflicts.
There may be third-party software installed that modifies your default packet size in Windows by inserting one or more TcpWindowSize entries into your registry. Your default packet size being set incorrectly can cause this error. Contact the manufacturer of the software that installed the packet-size modification for assistance. Or, follow this article by Microsoft: How to reset Internet Protocol (TCP/IP) to reset the packet size back to the default for Windows.
Connect your computer directly to your Internet source, bypassing any routers, hubs, or switches. You may need to restart your computer and modem to get online.
Try to restore from another known-good computer and network. -
I've got an iPad and iPhone 4S, both of which are set up for facetime. When someone calls me, both the iPad and phone ring, even though the phone is set to receive facetime calls on the number and the iPad is set for an email account.
How can I change the setup so that on the email only the iPad rings and on the phone number only the phone rings?
No, it's not stealing. They have an allowance that you can share with so many computers/devices. You'll have to authorize her computer to play/use anything bought on your acct. You can do this under the Store menu at the top when iTunes is open on her computer.
As far as getting it all on her computer.... I think, but I am not sure (because I don't use the feature), that if you turn on Home Sharing in iTunes it may copy the music to her computer. I don't know, maybe it just streams it. If nothing else you can sign into your acct on her computer and download it all to her computer from the cloud. Not sure exactly how to go about that, I haven't had to do that yet. I wonder if once you authorize her computer and then set it up for automatic downloads (under Edit>Preferences>Store) everything would download. Sorry I'm not much help on that. -
How to use a macro with AAA Authorization set?
So!
We have ACS version 4.1, and one goal is to start working on authorization sets for groups. I am able to get basic commands to work, but was curious about making a macro work without having to allow all of the commands that are actually contained within the macro itself.
I'm looking into this to promote standardization and minimize configuration issues/inconsistencies on ports across switches in our environment.
The macro I created is used for configuring a port on a switch to change its VLAN. Basically as follows:
macro name T2
Description $DESC
switchport mode access
no cdp enable
switchport access vlan $STATIC
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
storm-control broadcast level 25.00
storm-control action trap
switchport nonegotiate
no lldp transmit
no lldp receive
#macro keywords $DESC $STATIC
In ACS I've created a shell command authorization set and allowed 'macro' with 'permit apply T2' and 'permit trace T2'. This works fine and allows me to use those macro commands. The problem I'm having is that the commands inside the macro are not allowed in the authorization set, so when I run the macro it fails for each command.
I don't want to allow each individual command in the authorization set, as it would then allow jr. admins the ability to make config changes on ports that would be outside of our standard. For example, they could get into a port and forget to disable CDP and LLDP, causing inconsistencies across the environment. Is there a way to run these macros without putting all of the commands in the authorization set?
Hello Eric,
Please see the link below for configuring macros and how you can use them with AAA:
http://www.cisco.com/en/US/docs/switches/lan/auto_smartports/12.2_55_se/configuration/guide/configure.html -
When transfer posting (MB1B, MTy 301) from storage location 3030 in plant 1000 to storage location 8000 in plant 1910, authorization object M_MSEG_LGO is checked. The activity is 01, movement type is 301, storage location is 3030, and plant is 1000. But when transfer posting (MB1B, MTy 301) from storage location 8000 in plant 1910 to storage location 3030 in plant 1000, the fields of M_MSEG_LGO also need to be set to 01 for activity, 301 for movement type, 3030 for storage location and 1000 for plant. Why not 8000 for storage location and 1910 for plant? If I set 8000 for storage location and 1910 for plant and do a transfer posting (MB1B, MTy 301) from storage location 8000 in plant 1910 to storage location 3030 in plant 1000, the system says "You do not have authorization for this transaction in storage location 3030".
Thank you.
I know the reason now. In SAP standard the authorization check for storage locations is not active. We activated the authorization check for storage location 3030, but not for 8000.
The menu path is:
Customizing(IMG)
- Materials Management
- Inventory Management and Physical Inventory
- Authorization Management
- Authorization Check for Storage Locations -
ACS - Shell Command Authorization Sets
Hi,
I have had a problem where a set of users in two groups in ACS are struggling to enter commands. The commands are set in the Shell Command Authorization Sets and this hasn't changed. Other commands are working. As this spans two groups in ACS, I am thinking it's not something with the groups but the command sets themselves.
Just to check, the commands are 'clear port-security' and 'clear mac address-table'. I have entered the Command 'clear' with the following attributes:
permit port-security
permit mac address-table
I've also ticked 'Permit unmatched args'.
At the same time as this is occurring I have been receiving the following messages from the ACS server via email:
Test Timed out for service: CSAdmin
Test Timed out for service: CSAuth
Test Timed out for service: CSDbSync
Test Timed out for service: CSLog
I have looked at other posts and have restarted CSMon. This then stops the messages for some time, then a day or so later I get the messages again.
Could this be tied in with the command issue? Is there something else I should look at other than restarting the server and the CSMon service again? All other CS' services are running.
Thanks!!
Steve
Thanks for your reply!
There are no errors; the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised. On this note, the user is entered into privilege mode and not in configure terminal mode, just base privilege mode. The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
I am using ACS v 4.1.
While I receive the service messages and also when they go away - I always have the authorisation problem.
Thanks
Steve -
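Several of the ACS threads above turn on how a shell command authorization set is evaluated: the command list, the set-wide 'Unmatched Commands' permit/deny policy (the first ACS post), the 'Permit Unmatched Args' checkbox that Steve ticked for 'clear', and why Eric's permitted 'macro apply T2' still fails on the commands the macro expands to. The Python script below is an added example written for this page, not ACS code and not from any of the posters; it is a simplified model that assumes argument patterns are regular expressions searched against the remainder of the command line, with the first matching rule deciding. The sets, the macro body and the command lines are constructed sample data.

```python
import re

# Constructed sample set, modelled on the 'ReadOnly' set described in the posts above.
# commands: command keyword -> ordered list of (action, argument regex)
READ_ONLY_SET = {
    "name": "ReadOnly",
    "unmatched_commands": "deny",    # 'Unmatched Commands - Deny'
    "permit_unmatched_args": False,  # 'Permit Unmatched Args' left unchecked
    "commands": {
        "show": [
            ("permit", r"^interface"),
            ("permit", r"^vlan"),
            ("permit", r"^version"),
            ("permit", r"^logging"),
        ],
        "clear": [
            ("permit", r"^port-security"),
            ("permit", r"^mac address-table"),
        ],
        # Eric's case: invoking the macro is allowed, its expansion is not listed
        "macro": [
            ("permit", r"^apply T2"),
            ("permit", r"^trace T2"),
        ],
    },
}

# The same set with the checkbox ticked, as Steve did for 'clear'
PERMISSIVE_ARGS_SET = dict(READ_ONLY_SET, name="ReadOnly+UnmatchedArgs",
                           permit_unmatched_args=True)


def authorize(auth_set, command_line):
    """Return (decision, reason) for one command line such as 'show interface status'."""
    parts = command_line.strip().split(None, 1)
    if not parts:
        return "deny", "empty command line"
    command = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    rules = auth_set["commands"].get(command)
    if rules is None:
        # Command keyword not listed: the set-wide unmatched-commands policy decides
        return auth_set["unmatched_commands"], f"'{command}' not in set, unmatched-commands policy"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action, f"argument rule {action} /{pattern}/ matched"
    # Command listed but no argument rule matched: the checkbox decides
    if auth_set["permit_unmatched_args"]:
        return "permit", "no argument rule matched, permit-unmatched-args is ticked"
    return "deny", "no argument rule matched, permit-unmatched-args is unticked"


# Constructed subset of the T2 macro body from Eric's post. The device sends each
# expanded line to the TACACS+ server on its own, so each line is authorized separately.
MACRO_T2_BODY = [
    "switchport mode access",
    "no cdp enable",
    "switchport access vlan 10",
    "switchport port-security",
]


def macro_outcome(auth_set):
    """Decisions for invoking the macro and for each line it expands to."""
    results = {"macro apply T2": authorize(auth_set, "macro apply T2")[0]}
    for line in MACRO_T2_BODY:
        results[line] = authorize(auth_set, line)[0]
    return results


if __name__ == "__main__":
    samples = ["show interface status", "show running-config", "configure terminal",
               "clear mac address-table dynamic", "clear counters"]
    for line in samples:
        for auth_set in (READ_ONLY_SET, PERMISSIVE_ARGS_SET):
            print(f"{auth_set['name']:<22} {line:<32} {authorize(auth_set, line)}")
    print(macro_outcome(READ_ONLY_SET))
```

Running the script shows the two effects worth checking before ticking that box: with 'Permit Unmatched Args' on, every argument of a listed command that no rule covers is allowed, so 'show running-config' and 'clear counters' go through even though nothing in the set names them; and since the macro's expanded lines are authorized one at a time, permitting 'macro apply T2' on its own cannot make 'switchport mode access' pass while 'switchport' stays unlisted.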
Cisco ACS command authorization sets
I need help on the following please.
1. - I am using ACS as TACACS server to control IOS authorization on all our Switches, However I can not deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
2. Does anyone know where I can read up on command authorizations sets for ACS ??
3. What is the debug command for CatOS to see cli output ?
Many thanks
Rod
Thanks for your info. I have solved my problem -
1. I enabled TACACS administration logging using the command on the switch: aaa authorization commands 15 default group tacacs+
This let me see what was happening every time I entered a command on CatOS, via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it in privilege mode 1. I then entered the command aaa authorization commands 1 default group tacacs+, which solved my telnet problem.
Problem resolved.
Many thanks. -
Tacacs problem with ACS 4.2 NDG and shell authorization sets
Hi all,
I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.
I have created shell authorization sets called ReadOnly and FullAccess. I have also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I configure group FloorSwitchesFullAccess to assign the Shell Command Authorization Set per NDG and then log into the switch, all of my commands are refused as unauthorized.
One thing that I have noticed is that if I assign the shell command authorization set to any device (in user group settings) it works fine. Or if I create an association with the DEFAULT NDG in the user group it also works. So my conclusion is that ACS for some reason does not associate my switch with the correct group but rather puts it in the DEFAULT group.
Did anyone have a similar problem, or is there something that I am doing wrong? Is there another way to achieve such a thing without using NDGs?
Thanks everyone....
Please upgrade to patch 6; there is a bug in patch 5, and you can check the release notes or the readme for more information.
What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
Thanks,
Tarik Admani -
Authorization in VKM1 for users based on credit limit?
hi all,
Has anybody heard about authorization for users in VKM1 to release blocked commercial documents? In my project, they want to set ranges for users:
Analyst 40%
Manager 100%
Director 100%
I looked through all the SAP docs and I think it's not possible; any thoughts?
Thanks and regards
Dear Monica,
You can do this with Roles & Profiles (Authorizations).
Go to T-Code PFCG - either enter a role that currently exists or create a new role. Insert T-code VKM1 in the Menu tab page & then go to the Authorizations tab.
Expand the Thread Standard - Sales & Distribution,
Once again expand the thread Standard - Credit Doc. Value Class: Processing of SD Documents
Then expand the sub-thread - Credit Doc. Value Class: Processing of SD Documents
Here There is a option Document value class (credit management) - Here you can enter the Document Value that user is Authorized to release the block...
You might have to take the help of your Basis person to create Roles & do the above...
Hope this helps...
Give points if Useful...
Thanks,
Jignesh Mehta
Edited by: Jignesh Mehta on Aug 30, 2008 12:43 PM -
How to define authorization by department for Query in BW
Hello:
How do I define the authorization by department for a Query in BW? As follows:
The Northern part manager can run any Query, and return the data of the Northern part only.
Please give me the method.
Regards & Thanks!
Hi zagory,
I am assuming that you have some InfoObject which contains the department data.
Here is a step-by-step process to add authorisation on this object.
1) Define the InfoObject as Authorization Relevant (from the BEx tab in the InfoObject properties).
2) Create a reporting authorization object for this InfoObject (this would be done through Transaction RSSM).
3) This new authorization object needs to be added to the relevant roles (Transaction PFCG). For example, your North region manager should be in a role which has access to all the departments in the northern region.
4) A variable needs to be added to the query. This is required because the query needs to be able to restrict data by department dynamically. You would need to ensure that the variable you create on the department InfoObject is of type authorisation, can take multiple single values and picks up data from the relevant authorisation object. Just add this InfoObject with a restriction on this variable in the filter section of your query.
5) Finally, the new authorization object created in step 2 would need to be assigned to the relevant cubes. This is again done through transaction RSSM. This will force the reporting authorization object to be checked when ANY query on any of these cubes is executed.
Hope it helps,
Regards,
Nikhil -
Unable to authorize This Computer for iTunes
About 8 months ago I installed iTunes on one of my desktops (Windows), set up the store access and actually purchased the OS update for my iTouch. Yesterday I purchased an iPad for my wife and started to set it up on her laptop. I've installed iTunes 9.1 and attempted to "Authorize This Computer" for iTunes purchases; I also attempted to do this on my laptop (both are running Win7 x64). Per the iTunes screen an email was sent to my account but I never receive it. Prior to the attempt to authorize the two computers from my wife's laptop I issued a request to reset my password. This email I received and reset the password. I then received a confirmation email that the password was reset.
Why can't I receive the emails to authorize my two laptops?
In the iTunes window click on Store > Authorize This Computer
In the "Authorize This Computer" I enter my email and password, click on the "Authorize" button.
A new window pops up title "You have not verified your account", Click OK to review the instructions on how to verify your account.
I click on the OK button and then the iTunes main window informs me that an email has been sent to my account and it displays my email address.
I never receive the email and I have zero idea what to do at this point.
The link you provided is about "Authorizing a computer allows you to manage which computers can play music, videos, audiobooks, or other content purchased from the iTunes Store" - This sounds like what I want to do, but I cannot authorize either my computer or my wife's computer. At this point neither of us has or can purchase anything using my iTunes account.
At this point I'm totally confused and upset and very close to returning the **** iPad. I thought this was going to be a simple process but it is turning into a can of worms.
What I'm attempting to do is have one iTunes store account where either myself or my wife can purchase.