Tables of user and profile
I need information on the user and profile tables for the company's SOX information. What are the table names?
Hi Mauricio Ariza,
Check these tables, these will be helpful
Table Name Short text
USH02 Change history for logon data
USH04 Change history for authorizations
USH10 Change history for authorization profiles
USH12 Change history for authorization values
Regards,
S.Manu
Similar Messages
-
hi
Can anybody please tell me what the table for User Status Profile in Sales Orders is? Where is it stored?
Regards
Rajendra
Hi,
Use table JEST
Here you will have to enter the object number as an input field
Get object number from table VBAK or VBAP based on whether the status profile is attached at sales order header or at sales order item.
Status which is active will start with letter E and the status inactive flag will be blank.
Regards
Ravi
-
Single firefox profile across all users and profiles on networks
I'm in the process of setting up Firefox as the standard browser for an entire building, and part of this is ensuring that everyone's firefox profiles are saved to personal network drives as opposed to the local machines. I can use the profile manager to do this on a user-to-user basis, but what if I want all the users of any machine to use the same firefox profile that points to a specific network drive? (This will ensure users always have their browser settings and such regardless of where they access them, allow us to switch machines out without losing anyone's browser settings, etc. The contents of this drive are specific to the user account, but always have the same path.)
As far as I can tell, profiles created in the profile manager are specific to each (domain) user, which would mean an awful lot of manual profile creation. Is there some way to ensure Firefox always uses a specific Firefox profile or path? Is there some way to have firefox check which profiles exist (in a .bat file, for example), so I can create the proper one if needed? Can I use a command line to set which profile to use by default, or can that only be done from the profile manager GUI?
Finally, and this one may warrant a separate query, but I've found that when using profiles that point to a network drive, trying to open firefox on multiple computers will fail (another instance of firefox is open, close it or restart). Can I tell Firefox to force the old instance closed, or will I have to firefox.exe -no-remote -p "differentProfile" every time?
We're on Windows 7, by the way, for reference's sake.
We just deploy images, so everyone should have Firefox already, but we're pretty good about keeping all data on mapped network drives instead of letting Windows save things locally, so I'm trying to find the best way to integrate Firefox in that system as well.
Every user has a network domain account, which can be accessed from anywhere in the building. While mostly people use their own computers, due to the nature of the place, that is often not the case, and several people will need to sign on to the same machine on a given day.
If there are command-line ways of checking for firefox profiles, I can have them run in our logon script to ensure everyone always has access to their personal profiles, but I'm not sure the best way to go about that, yet. I suppose that's the main part of my second question--what is the cleanest way to check for and create/map/assign firefox profiles automatically?
-
Our database in Access 2000 has tables named "user" and "file". The Migration Work Bench is converting those to "USER_" and "FILE_". I'm guessing the words are reserved words in Oracle. Is there any way I can adjust the migration script to create the tables using those words without the trailing underscore?
We had a similar problem in the Access database with a table named "text", which is a reserved word in Access. (What can I say? We use the word that's most appropriate, DBMS be damned!) We were able to access it in Java code by wrapping it in square brackets. Does Oracle have a similar trick?
-
Users And Security Best Practice
Dear Experts
I am designing an application with almost fifty users scattered in different places. Each user should access tables according to his/her criteria. For example salessam, salesjug can see only the sales related tables. purchasedon should access only purchase related tables. I have the following problems:
Is it a best practice to create 50 users in the DB i.e. 50 Schemas are going to be created? Where are these users normally created?
Or is it better for me to maintain a table of users and their passwords in my design itself and regulate through the front end? It seems that this would be a risky and cumbersome process.
Please advise
thanks
Manish Sawjiani
You would normally create a single schema to own the objects and 50 users to use them. You would use roles and object privileges to control access.
Well, this is the classic 'Oracle' approach to do this. I might say it depends a bit on what you want to achieve. Let's call this approach A.
The other option was to have your own user/pwd table. You can create your own custom authentication but I would go for the built-in Application Express Users - authentication scheme. You can manage the users via the frontend (Application builder > manage Application Express Users) . There you can manage the groups and end users which you can leverage in your Apex app. You can even use the APIs to create the users programmatically. It is all done for you. Let's call this approach B.
Some things to consider:
1) You want to create a web application and also other applications that access the data stored in Oracle (another PHP / Oracle Forms / Perl ) or allow access via SQL/Plus. Then you should use approach A. This way you don't need to reimplement security for these different approaches.
2) You want to create one (or multiple) Apex applications only. This will be the only mechanism the users will access your data. Then I would go for approach B.
3) When using approach A some users didn't like that all users will have access to their workspace, including the sql command line and having the capability of building applications and possibly being able to change the data they have access to through the Oracle roles. Locking down this capability is possible but it takes some effort and requires an Apache as a proxy.
4) When using approach A you will need DBA privileges to manage the users and assign the roles. This might not always be possible nor desired. Depends on who will manage the Oracle XE instance.
5) Moving the application including the end users to another machine is a bit easier using approach B since they are exported via the application export mechanism. Using approach A you would have to do it yourself. Be aware that the passwords are lost when you install the users into a different Oracle XE instance.
6) If you design the application using approach B you will have to design security in a way that doesn't rely on the Oracle roles / grants security mechanisms. This makes it easier to change the authentication scheme later. For example, later you want to use a LDAP directory, a different custom authentication scheme or even SSO (SSO is not available out of the box but feasible). This is directly possible.
Using approach A you would have to recode the security mechanisms (which user is allowed to update/delete which data).
Hope that clarifies your options a bit.
~Dietmar.
Message was edited by:
Dietmar Aust
Corrected a typo in (5): Approach B instead of approach A , sorry.
Message was edited by:
Dietmar Aust
-
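Approach A from the "Users And Security Best Practice" thread above (one owning schema, one database account per person, roles and object privileges), as an added example that is not from the original posts. The APP_OWNER schema, the two tables, the role names, the USERS tablespace and the passwords are placeholders assumed for illustration; the three user names are the ones from the question.

```sql
-- Added example (not from the thread). Run as a DBA, in a non-CDB instance
-- such as XE 10g/11g or inside a pluggable database.
-- Assumed names: APP_OWNER, SALES_ORDERS, PURCHASE_ORDERS, SALES_ROLE,
-- PURCHASE_ROLE, tablespace USERS. Passwords are placeholders.

-- 1. One schema owns every application object.
CREATE USER app_owner IDENTIFIED BY "Placeholder_Owner_1"
  DEFAULT TABLESPACE users
  QUOTA UNLIMITED ON users;

CREATE TABLE app_owner.sales_orders (
  order_id  NUMBER        PRIMARY KEY,
  customer  VARCHAR2(100) NOT NULL,
  amount    NUMBER(12,2)
);

CREATE TABLE app_owner.purchase_orders (
  po_id     NUMBER        PRIMARY KEY,
  supplier  VARCHAR2(100) NOT NULL,
  amount    NUMBER(12,2)
);

-- The owner is never used to log in: it gets no CREATE SESSION and is locked.
-- Its tables remain usable through the grants below.
ALTER USER app_owner ACCOUNT LOCK;

-- 2. One role per job function, carrying only the object privileges it needs.
CREATE ROLE sales_role;
CREATE ROLE purchase_role;

GRANT SELECT, INSERT, UPDATE ON app_owner.sales_orders    TO sales_role;
GRANT SELECT, INSERT, UPDATE ON app_owner.purchase_orders TO purchase_role;

-- 3. One account per person; the initial password must be changed at first logon.
CREATE USER salessam    IDENTIFIED BY "Placeholder_Sam_1" PASSWORD EXPIRE;
CREATE USER salesjug    IDENTIFIED BY "Placeholder_Jug_1" PASSWORD EXPIRE;
CREATE USER purchasedon IDENTIFIED BY "Placeholder_Don_1" PASSWORD EXPIRE;

GRANT CREATE SESSION TO salessam, salesjug, purchasedon;
GRANT sales_role     TO salessam, salesjug;
GRANT purchase_role  TO purchasedon;

-- 4. Review what each account can reach through its roles.
SELECT drp.grantee, drp.granted_role, dtp.owner, dtp.table_name, dtp.privilege
FROM   dba_role_privs drp
JOIN   dba_tab_privs  dtp ON dtp.grantee = drp.granted_role
WHERE  drp.grantee IN ('SALESSAM', 'SALESJUG', 'PURCHASEDON')
ORDER  BY drp.grantee, dtp.table_name, dtp.privilege;

-- 5. Flag privileges on the application schema granted directly to an account
--    instead of through a role; these bypass the role model.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'APP_OWNER'
AND    grantee NOT IN (SELECT role FROM dba_roles)
ORDER  BY grantee, table_name;
```

With this layout, salessam cannot read APP_OWNER.PURCHASE_ORDERS, and the second review query should return no rows as long as every grant goes through a role.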
VIRSA tables for users, roles and profiles sync?
Hello,
I am at a customer, implementing CC 5.2. At first, we tried CC 5.2 in the DEV environment, and when everything was OK, we redirected the RFC connectors to the QA environment.
After doing user, roles and profiles sync in DEV and in QA environment too, I have 4.500 users (1.100 from DEV + 3.400 from QA) when I recover all users "*" with "user level - risk analysis" from the "Informer" tab.
It seems that "users, roles, profiles, sync" works like an "APPEND", but I did a COMPLETE synchronization, not an INCREMENTAL.
If I start an analysis for the QA environment, CC works properly and only analyses QA users (3.400). But I would like to clean the CC tables (users, roles and profiles) in order to have a clean copy of QA in CC.
Which VIRSA tables (users, roles and profiles) do I need to clean?
Is it necessary to do the same with authorization and text objects? Which would be these tables?
Thanks in advance,
Victor
Hi all,
SAP GRC Support provides a script which allows you to remove a connector, since it deletes all data linked to it. Anyway, I would recommend a deep analysis of it to find out if it does what you really want to do.
Víctor, if what you want to do is just remove all user, role and profile master data (stored in tables VIRSA_CC_SYSUSR and VIRSA_CC_GENOBJ), you could upload a text file using the data extractor functionality with the delete field set to X. Doing so, user, role and profile master data will be removed from the CC database.
In order to use the data extraction functionality, your connector must be of type "File Local".
Be careful about removing data directly from the DB since, as Prem states, you might lose the DB consistency.
Hope it helps. Best regards,
Imanol
-
Trying to understand "User/Role/Profile Synchronization" and Batch Analysis
Hello,
I'm trying to understand what exactly these jobs are copying, from which tables, to which tables in CC. I have an understanding that these jobs are also moving deleted roles from the backend. This is causing unnecessary delay to a long lasting job.
I would appreciate it if someone could explain the logic behind these jobs. What are the full sync and incremental reading? What kind of changes cause a role/user/profile to be included in the full and incremental jobs?
How is the incremental analysis logic built?
br Janne
Janne,
In my current implementation we are going for an offline risk analysis due to the heterogeneous system landscape of our client (several SAP and non SAP systems and several SAP systems under 4.6C). Even though within our approach we don't perform the backend synchronization (we use CC data extractor to pull data from backend into CC), I hope the following info could help you:
The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
In terms of CC tables:
VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
VIRSA_CC_GENOBJ >> User, Role and Profile master data
VIRSA_CC_GENACT >> User-action, role-action and profile-action data
VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
VIRSA_CC_SAPOBJ >> Action-permission
VIRSA_CC_OBJTEXT >> Object descriptions (ACT, PRM, FLD, VAL, ORG)
Hope this helps.
Regards,
Imanol
-
BAPI to get all user lists for input object,authorizations, and profiles
Hi Experts,
BAPI to get all user lists for input specific object, authorizations, profiles and values?
Any useful answer will be rewarded with suitable points.
Thanks,
Rohan
Hi
Use the function modules/BAPIs:
BAPI_USER_GET_DETAIL
BAPI_USER_LOCPROFILES_ASSIGN
BAPI_USER_LOCPROFILES_DELETE
BAPI_USER_LOCPROFILES_READ
BAPI_USER_PROFILES_ASSIGN
BAPI_USER_PROFILES_DELETE
SUSR_BAPI_USER_PROFILES_ASSIGN
SUSR_BAPI_USER_PROFILES_DELETE
also you can use the tables UST12 for user based authorizations
AGR_USERS -roles assignment for users
AGR_PROF - Profile data for roles
AGR_DEFINE - Auth Profiles for users
See the AGR_* and US* tables further
Reward points if useful
Regards
Anji
Message was edited by:
Anji Reddy Vangala
-
Hello everyone,
1.- I don't know how to merge the two queries to see in the same select (user, name, profile, role, table_name, privilege table)
I'm using the table usuarios and the view dba_users. See the next query:
SELECT Nvl(US.IDUSUARIO,DU.USERNAME) USUARIO,
US.DESCRIPCION NAME,
ACCOUNT_STATUS STATUS,
DU.PROFILE,
CREATED FECHA_CREACION
FROM USUARIOS US,
SYS.DBA_USERS DU
WHERE DU.USERNAME = US.IDUSUARIO(+)
UNION
SELECT Nvl(US.IDUSUARIO,DU.USERNAME) USUARIO,
US.DESCRIPCION NAME,
ACCOUNT_STATUS STATUS,
DU.PROFILE,
CREATED FECHA_CREACION
FROM USUARIOS US,
SYS.DBA_USERS DU
WHERE DU.USERNAME = UPPER(US.IDUSUARIO)
ORDER BY NAME;
This returns USER, REAL NAME, STATUS, PROFILE, CREATION_DATE:
JP01 Johan Pena OPEN DEFAULT 05-07-2010
On the other hand:
select * from role_tab_privs
This returns ROLE, TABLE_NAME and PRIVILEGE:
DBA TABLE1 SELECT
DBA TABLE1 INSERT
DBA TABLE2 DELETE
1.- I don't know how to merge the two queries to see in the same select (user, name, profile, role, table_name, privilege table)
2.- I want something like this:
USER, REAL NAME, STATUS, PROFILE, CREATION_DATE, ROLE, TABLE_NAME, PRIVILEGE
JP01 Johan Pena OPEN DEFAULT 05-07-2010 DBA TABLE1 SELECT
JP01 Johan Pena OPEN DEFAULT 05-07-2010 DBA TABLE1 DELETE
Etc. Etc. Etc.
Who can help me?
I have partly understood your requirement and assumed the rest! Hence, I have used dba_role_privs in addition to the list of tables you used.
Also, I think your LEFT OUTER JOIN on sys.dba_users is incorrect. I think you are trying to get all users from USUARIOS table for which roles / privileges exist in the database. If that is what you want the following query should help out. If not change the LEFT keyword in the MAIN query (NOT the one in WITH clause) to RIGHT but the results might be unpredictable.
Note: Using ANSI standard keywords for JOIN allows you to use functions in the JOIN clause (such as UPPER(column name), which the Oracle proprietary notation does not allow and hence made you opt for the UNION option).
-- OS: every role grant, with the table privileges the role carries
-- and the account details of the grantee
WITH OS AS
(
  SELECT
     DU.USERNAME
    ,DU.ACCOUNT_STATUS
    ,DU.PROFILE
    ,DU.CREATED
    ,DRP.GRANTED_ROLE
    ,RTP.TABLE_NAME
    ,RTP.PRIVILEGE
  FROM
    sys.dba_role_privs drp
  LEFT OUTER JOIN
    role_tab_privs rtp
  ON
    ( drp.granted_role = rtp.role )
  LEFT OUTER JOIN
    sys.dba_users du
  ON
    ( du.username = drp.grantee )
)
SELECT
   NVL (US.IDUSUARIO, OS.USERNAME) USUARIO
  ,US.DESCRIPCION NAME
  ,OS.ACCOUNT_STATUS STATUS
  ,OS.PROFILE PROFILE
  ,OS.CREATED FECHA_CREACION
  ,OS.GRANTED_ROLE ROLE
  ,OS.TABLE_NAME TABLE_NAME
  ,OS.PRIVILEGE PRIVILEGE
FROM
  USUARIOS US
LEFT OUTER JOIN
  OS -- temporary result set created using WITH clause above
ON
  -- USUARIOS identifies the user by IDUSUARIO, as in the question's query
  UPPER (US.IDUSUARIO) = OS.USERNAME
ORDER BY 2;
Edited by: VishnuR on Jul 5, 2010 8:44 PM
Edited by: VishnuR on Jul 5, 2010 8:47 PM
-
I would like to download a list of all users and what roles and profiles each has. I did it once before but now I can't remember the table names. Can anyone help?
Hi,
Roles:
SAP_BW_DEVELOPER
Profile:
SAP_ALL
S_BW_D____
S_BW_D____1
Authorizations are
S_Rs_Admwb_a
S_rs_adw_a
S_rs_exp_a
S_rs_wb_all
Links for user roles:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/42/271d24d86211d2961a0000e82de14a/content.htm
http://help.sap.com/saphelp_nw2004s/helpdata/en/e4/15e48efd6c11d296430000e82de14a/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/d3/559a4271c80a31e10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/4e/52b74065448431e10000000a1550b0/frameset.htm
For profiles and authorisations:
http://help.sap.com/saphelp_nw2004s/helpdata/en/52/67151e439b11d1896f0000e8322d00/frameset.htm
http://help.sap.com/saphelp_erp2005vp/helpdata/en/20/efcbfed8a511d397110000e82de14a/frameset.htm
Also chk this link..
http://www.bwexpertonline.com/archive/Volume_04_(2006)/Issue_10_(Nov_and_Dec)/V4I10A2.cfm?session=
screenshots..
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
Hope this helps,
regards
CSM reddy
-
Different user status profile for network header and activities
Hi everyone!
Is there any way to define different user status profile at network header level and at network activity level? As far as I know, it is only possible to enter a user profile at network type level, and both network headers and activities use the same statuses. Does it work this way?
Thanks!
Regards.
Edited by: Thalos on Jul 2, 2011 12:27 AM
Hi Punith, Hi abdul!
Thanks for the reply!
I've gone through the OPSC, but the thing is that here you define a user status profile at network plant level. But I need to define it at network activity level.
The reason why I need this is because we have types of activities. We use network activities for client activities, for internal activities, to identify and follow-up risk management, etc. Each group of activities -since they have different usages- has different user status associated. But as I don't have any way to assign different user status profiles, all the activities have the same statuses, although they will only use some of them.
Thanks!
Regards,
Thalos.
-
IBots - Delivers: Selected Users and E-Mails based on SA_SYSTEM table
Hi
I have the following request and I am having issues with the setup.
1) A report request that has a column named Assigned to:
2) Setup Scheduler
3) Need to create an ibot to generate the report from step 1 and email it to selected people
4) Setup SA_SYSTEM table with user information.
a) This does work with reference to updating delivers information when I look at My Account
5) Now I am attempting to do the following:
1) The report listed above will generate a report that has many records that belong to different Assigned To people
2) I would like to have the iBot generate the report(s) based on the Assigned To and that report only have that persons records in that specific report
3) The iBot would have to generate several reports based on the Assigned to
4) Automatically email the report to the correct person based on the email address setup in the SA_SYSTEM table that I created
--- This system table is also been added to the Presentation Layer of the RPD file
5) The users WILL not be subscribing to the ibot
6) The user may never log into OBIEE ... Just receive reports from the iBot
Questions:
1) Has anyone ever done this?
2) Can I do this
3) Can someone help me out
Other things I have done.
1) I have created a simple iBot to create the report... But it has all records
2) I can email the report to "Me"
3) It does run on a regular scheduled basis
Thanks for any help
Steve
Hi Steve,
When the iBot runs in personalisation mode it is in essence logging each user into the system. The user that runs the report e.g. Administrator will impersonate the users one by one and run the queries per user. If you are not able to populate the Authentication block you will need to do something a little more "out there" to achieve your goals.
I have submitted a post a couple of days ago explaining a rudimentary method to generate customised pdf's based on session variables when running as a single user. You could modify this approach to achieve your desired result.
Rudimentary automated PDF generation using Delivers
Regards
Chris
Edited by: ChrisMarais on 23-May-2011 20:46
-
How to create User and Database in different Table spaces
How to create User and Database in different Table spaces using oracle 10g
Regards
daya
I am sorry but your question does not seem to make much sense.
Can you please rephrase your question?
-
Table contain user name and tcode
Dear Experts,
Can you tell me which table contains the user name and tcode fields?
Thanks and Best regards,
wilson
You need to be even more careful with parameter transactions.
If SU24 is not maintained for them, PFCG will pull the proposals from the core transaction (via which the parameters are used in the skip screen feature...). If the core transaction has authority proposals for S_TCODE, then you will get those tcodes and their proposals as well.
A careful choice of menu objects (not only limited to Tcodes), taking heed of SU24 defaults and tuning it to meet your needs is the key. But it requires organizational discipline and good training, otherwise rather don't use it for anything other than important objects which you want to control manually only, even if your business roles are a mess.
You can also restrict the authorizations of the security admins for example (as unpopular as that may sound...) to segregate authorization concept development (SU24 etc), role building development (PFCG etc) and user administration (SU01 etc). Object S_USER_TCD also has a field called TCD...
There are also other objects (as Dipanjan has pointed out) which have TCD as a field of an object which is not S_TCODE. In addition to I_TCODE, Q_TCODE, P_TCODE, see also S_IDOCMONI for example.
To be honest I have given up on trying to find them all.
The easiest solution is to use the menu and maintain SU24 when the transaction is configured or the application is developed and tested. That is what SAP does as well in SU22. It is more work upfront, but more sustainable in the long run.
If your users (and auditors) only see the menu (and use the SUIM --> Executable transactions) options, then you can get away with it in the short or even medium term. At the latest when someone else needs to maintain the roles, they will hate it...
My 2 cents,
Julius
-
ADMT migrate users and preserve profile
I'm testing an Interforest migration using ADMT 3.2 on Windows 2008 servers. I have a one-way trust established. I'm able to successfully move user accounts and computer accounts. I'm running into problems with preserving the user's profile. I'm doing the following steps:
1. Migrate User Account to new target domain
2. Migrate Computer Account to new domain
3. Run Security Translation Wizard with the User profiles & groups selected
When I login with my migrated user account to the new domain, it creates a new profile, instead of using the profile from the source domain. What am I missing?
Hello Matthew
I would like to point out a few things from my recent/ongoing experience with ADMT:
When ADMT performs the SECURITY TRANSLATION on files/folders/registry etc., it looks for accounts in its LOCAL DATABASE(SQL Express) and not in AD directly.
This means if an account is migrated using ADMT on SERVER1, that will only be present in the database of SERVER1.
If we migrate the computer account using SERVER2, then in the AGENT DETAIL it says:
Files - 100
Changed - 0
Unchanged - 100
i.e. NO SECURITY TRANSLATION AT ALL and therefore A NEW PROFILE CREATED
BEST PRACTICE - use only 1 ADMT server in the environment
On Santhosh's portal there is a comment:
vadimp says (May 30, 2010 at 5:02 AM):
Not always change profileimagepath value is enough: if new profile is a result of ADMT mistake, then you must also add new SID ACL to old user profile folders and to NTUSER.Dat Hive in regedit. I obscure this ADMT v3.0 mistake when many users have profiles on the same PC
http://portal.sivarajan.com/2010/04/workstation-profile-migration.html
I can't find out NTUSER.DAT HIVE in REGISTRY
I would like to know what makes the user retain the profile?
How can I ensure that the users retain their profile when they logon to the TARGET domain for the 1st time.
Changing the Registry is a REACTIVE STEP, user raises an incident - and we address it.
But how can we prevent it?
I wish someone could tell me a way, even if it is manual, but at least ensures that no NEW PROFILES are created.