Transaction based security vs. Authorization based security

Similar Messages

• Research on the Security of NGDC Based on ASP

  Research on the Security of NGDC Based on ASP
  Zhang Li Gong Jianya Zhu Qing
  Key Words
  active server pages (ASP); national geospatial data clearinghouse (NGDC); geographic information system (GIS); Internet
  Abstract
  On the basis of the authors? experience of setting up an NGDC Web site, this paper attempts to present some significant aspects about the security of NGDC based on ASP. They include data storing, database maintenance, new technical support and so on. Firstly, this paper discusses how to provide the security of data which is saved in the host of NGDC. The security model of ?New works ?DB Sever-DB-DB Object? is also presented. In Windows NT Server, Internet Information Server (I IIS) is in charge of transferring message and the management of Web sites. ASP is also based on IIS. The advantages of virtual directory technique provide by IIS are emphasized.
  An NGDC Web site, at the Research Center of GIS in Wuhan Technical University of Surveying and Mapping is also mentioned in this paper. Because it is only an analogue used for case study, the transmission of digital spatial products is not included in the functions in this NGDC Web site. However, the management of spatial metadata is more important and some functions of metadata query are implemented in it. It is illustrated clearly in the functional diagram of the NGDC Web site.
  1 Introduction
  Needless to say, it is very important for most GIS users to acquire and integrate the geospatial information from various districts. However, the current situation of geospatial information production and dissemination in the world is still unsatisfactory. On one hand, users do not know where the geospatial data files are stored and what geospatial data is useful for their applications, or have not necessary computer facilities. On the other hand, due to the lack of coordination and cooperation, the duplication of geospatial data production widely exists. Most of geospatial information is stored by different organizations including governmental organizations, commercial companies. What?s more, the lack of geospatial data exchange and sharing mechanism results in relative low benefit of geospatial data use. It is difficult for some products to get necessary information from other producers to integrate with or to update their own databases. In short, the value of geospatial information has not been shown exactly in GIS industry of China.
  It is obvious that the information distribution technique based on Internet can play a great role in GIS industry. National Geospatial Data Clearinghouse users will be able to query what geospatial data is being produced, how about is quality, where it is produced, and how to get the geospatial data economically and conveniently.
  2 NGDC and ASP technology
  As mentioned above, NGDC is a geospatial information distributed network system which is concerned with geospatial data producers, managers and users. So the relationship among them must be harmonized. The NGDC provides the service of geospatial information through internet. In detail, it will allow various data formats to exist in this opened geospatial information service system and it supports the share and query of the geospatial data from different sources. The main mission of NGDC is to offer a means of fast, efficient, safe, economical service of geospatial data provision to users. At the same time, it will offer means for data providers to advertise their new products and collect users? demands and feedbacks in order to promote the geospatial data production.
  To date, the model of NGDC is usually described as a provider-oriented model. In this model, every geospatial data provider is linked with internet as an NGDC node... user?s access NGDC nodes through internet and browses the catalogues of geospatial data stored in NGDC, and then they query the metadata about the available products for their applications. After selecting the desired data set, the user can send an order to the relevant producer on-line or by E-mail system. If users can not find the geospatial data available in this NGDC node for their applications, they will be able to access other NGDC nodes.
  So the construction of NGDC is concerned with the planning and maintenance of dynamic Web sites linked with internet. Since Active Server Pages (ASP) came out with its peculiar characteristics several years ago, which is applied to the construction of more and more dynamic Web sites in the diverse fields? In comparison with common gateway interface (CGI), ASP is more effective and flexible as a server scripts environment.
  With html pages, script commands and active X components, ASP can set up dynamic, interactive and efficient Web server programs. It is not important whether browsers can run those ASP codes, because all of ASP programs including scripts plugged in html, such as VBScript, JScript, are executed in servers. ASP programs will send a series of commands to the script engine, and then the script engine translates the commands into some codes which can be executed by servers. After running the executive codes, the results will be sent by servers to users? browsers in html. In this way, it is sufficient for browsers to have basic function of browse. As a result, the speed of the system increases rapidly.
  NGDC Web site provides users with a catalogue of geospatial data entity, data entity and the relevant metadata. Therefore it is inevitable to access various databases in the construction of NGDC. It is convenient to connect database systems with ASP plug-in Active X components, so Web pages can be linked to all kinds of databases which provide ODBC interfaces for other programs. Active X components provide the objects whose tasks are to finish certain functions. So Active X components are of great significance in setting up Web programs.
  3 Research on security of NGDC
  This paper attempts to present some significant aspects about the security of NGDC base on ASP, such as data storing, database, maintenance, new technical supporting and so on.
  3.1 Security of data storing
  The information stored in NGDC includes geospatial data, relevant metadata and catalogues of data products. The maintenance of all the information is a very hard task. Of course, the security of data storing is included in it. From the point of system maintenance, the security of data storing in NGDC is concerned with disk error-tolerance and back-up supporting.
  With the rapid development of manufacturing technique of hard disk, the life-span of hard disk has been lengthened. Disk error-tolerance decreases usually the possibility of data-losing because of errors of hard disks. It is inevitable that some errors cannot be limited in spite of any error-tolerance system. In order to maintain the security of data, the significance of data should be assessed firstly and so should the loss of data-losing. There are three kinds of dump plans for database or data files: full data dump, increment data dump and combination of them. As in NGDC the need of data back-up depends on its significance.
  3.2 Security of database maintenance
  As for popular large-scale database systems such as Microsoft SQL Server, Sybase, Oracle, Informix, security maintenance is implemented by four levels of ?New works ?DB Sever-DB-DB Object? security model. Every user has his network login ID and his password, with which the user ID and the password, users can login into network. Take Windows NT Server for example, Windows NT Server provides some security maintaining methods such as encoded password, minimum password length and so on.
  In general, network cannot automatically permit its network users to access databases in it. The fact that a user can access databases does not mean that he can automatically access databases in it. Only those users who have their database user IDs stored in system tables in database can access database.
  3.3 Security with ASP
  In the environment of Windows NT Server, Internet Information Server (IIS) is in charge of distributing information and maintenance of Web sites. ASP is also based on IIS. When users access some ASP files in their browsers, the relevant ASP scripts will run in server and the results will be sent users in Web pages.
  Virtual directories are different from physical directories in hosts or servers. Net work administrators may make good use of the mechanism of virtual directory in order to maintain the security. IIS supports virtual directory which plays a great role in the security maintenance of Web sites. Firstly, virtual directory conceals the information about actual directory structure. In normal browsers, users can get the path information of a certain Web site; the directory information of Web sites will be exposed to users linked with Internet. As a result, it is easy for the Web sites to be attacked by hikers. Secondly, it is convenient to transfer the WWW service from one server to another without updating the code in Web pages if there is the same virtual directory structure in two servers. Finally, when putting Web pages into virtual directories, administrators can assign different attributes to the directories. For example, in the construction of NGDC Web site, it is important to put normal html files and ASP files into different virtual directories. The attribute of directories in which normal html files are stored may be ?Read? while the attribute of directories in which ASP files are stored may be ?Execute?. On one hand, it simplifies the maintenance and management of NGDC Web sites. On the other hand, ASP source files will never be sent to user browsers. In other words, hikers cannot get the ASP source codes through their browsers. Thus it improves the security of ASP files.
  4 An NGDC model Web site in WTUSM
  Some other security aspects in operational model, programming, management in the plan and construction of NGDC should be concerned. As an example the construction of an NGDC model Web site is presented below in order to explain the security maintenance of NGDC in detail. On the basis of authors? research on relevant problems, this NGDC model Web site was planned and deployed in early 1999. As a model project, the purpose of construction of this Web site is to provide some useful experiences for other projects on NGDC. Therefore the process of geospatial metadata plays a great role in this Web site. In fact, there are not actual geospatial data products stored in this NGDC model Web site. The main task of this Web site is to provide relevant geospatial metadata services, so the functions of data product maintenance cannot be found. Geospatial metadata is stored into meta-database in Microsoft SQL Server. With ?New works -DB Sever-DB-DB Object? security model in Microsoft SQL Server, the relations between user and access rights are set up. In order to simplify the problem, those two tasks are assigned to two DB users. One is a user who is the owner of DB objects. (Of course, he has all rights to access, update and delete DB objects); the other is a normal user who can only access DB objects such as tables. While developing ASP programs in the integrate developing environment of Microsoft Interdev, the functions may be fulfilled by script programs running either in clients or in servers. As a result, it improves the confidentiality of ASP programs and the efficiency of NGDC service system.
  In the NGDC Web site, something has been done in order to improve the security of operation: a table named providers? information table is stored in NGDC to keep some useful information about relevant geospatial data providers, such as name, ID, passwords, contact methods and son on. The information may be a long, irregular string whose length is less than 1024. It is produced and maintained by NGDC. The providers? information table is stored in the server in NGDC. In this way, data producers provide geospatial products together with their identifying information through Internet.
  5 Conclusions
  In short, it is very convenient and efficient to distribute geospatial data in the NGDC nodes through internet. On the other hand, with the development and construction of NGDC, there will come more and more challenges and problems about the security of NGDC. Obviously some researches and discussions in this field need to be further carried on.

  Jaya
  We have two ways to achieve this scenario
  1.Going with PCR where we Query No of Years Completed
  2. Going for Custom Function
  In the above two ways  we have to maintain the year of completion in Date Specification Either Manually or Thorugh Dynamic Action which shd automaticallly update....IT00041
  I prefer the second one since PCR is some wht complicated

• Migrating ADF Security from file-based provider to LDAP provider

  We have deployed a small application using ADF Security with file-based provider in OAS and it works fine.
  Now we want to migrate to ADF Security using LDAP provider.
  In order to make this possible we followed the next steps:
  - Migrate all the roles and policies from the file to OID with JAZNMigrationtool.
  - In OAS we've changed the Application Security Provider to 'Oracle Identity Management'.
  - Reset the OC4J instance.
  But there was no success, the application continues working with the file-based provider.
  What more is necessary to configurate?

  Hi,
  if you use EM make sure you change the setting for the application, not the general OC4J setting.
  You can also deploy the provider settings with the orion-application.xml file added to your project
  Frank

• Security for value based hierarchy + OLAP

  Hi,
  I am using row-level security mechanism described here: http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security/
  It works well for level based hierarchies... but is there a way to apply it to value based OLAP hierarchy in OBIEE 11.1.1.6?
  My case is:
  - I have parent-child value based hierarchy representing management structure with various depth.
  - of course facts are always linked to leaf members of hierarchy
  - I need to apply security at different levels. E.g. Office manager should have access to one/multiple offices information (basically all employees he manage currently + his previous office before he was moved)
  - In report I display presentation hierarchy that starts at country level and then manager drill to his offices
  - At country level, manager should see a measure aggregate only for his offices (not whole country)
  In relational database there is no problem:
  - I follow rittman blog
  - create session variable that store list of all leaf members of hierarchy (employees) managed by manager
  - with OBIEE "Manage"->"Identity" I apply filter on fact table and get right measure aggregates at all levels of hierarchy
  Issue for OLAP:
  - with OBIEE "Manage"->"Identity" I apply filter on OLAP value based hierarchy
  - in case of filter "MY_BMM"."Org Str"."Org Str Key" = VALUEOF(NQ_SESSION."LEAFS_LIST") -> when manager include hierarchy column to report there are no results because hierarchy starts at country level and he have no access to country data
  - to workaround it I tried: "MY_BMM"."Org Str"."Org Str Key" = VALUEOF(NQ_SESSION."LEAFS_LIST_AND_ALL_ANCESTORS") -> manager can see all aggregates at country level because he have access to country, and OLAP just use country level aggregate
  - IsDescendant("MY_BMM"."Org Str" , VALUEOF(NQ_SESSION."OFFICE_ID")) will work only for single office as we can not use row wise variables here
  One solution I can imagine is to create additional level based dimension that have only 2 levels: "All"->"Org Str Leaf". Then apply filter on this "artifitial" dimension. It is not perfect solution to duplicate dimensions only for security purposes... that's why I ask you for advice if you know better way?
  Regards,
  mudi

  Here is an example, how to set security in OBIEE 11.1.1.5 (or future versions)  against  Oracle OLAP dimensions.
  *(1). Create the Oracle OLAP Hierarchy Descendant View against Value-based hierarchy*
  These views return a row for each ancestor-descendent relationship in the hierarchy. As you can see how easy it is.
  CREATE OR REPLACE VIEW DEPT_DESCENDANTS
  AS
  SELECT 'DEPT' "DIMENSION", 'DEPTHIER' "HIER", ancestor, descendant
  FROM TABLE(OLAP_TABLE('BAWOLAP.BNSOLAP DURATION QUERY', null, 'LIMIT DEPT_HIERLIST TO 'DEPTHIER''',
  'DMNS DESCENDANT AS VARCHAR2(60) FROM DEPT
  DMNS GID_VAL AS NUMBER FROM ___AW_GID_DIMENSION
  MSR ANCESTOR AS VARCHAR2(60) FROM DEPT_FAMILYRELVAL'
  where ancestor is not null
  *(2). Create the User ACL Tables and Populate with Data*
  Create an Access Control list test table by user and Dept. Later this will be populated with production data.
  create table user_dept_acls
  username varchar2(30),
  dept varchar2(60)
  insert into user_dept_acls(username, dept) values ('user1', 'GWM');
  insert into user_dept_acls(username, dept) values ('user1', 'GT');
  insert into user_dept_acls(username, dept) values ('user1', 'SC');
  insert into user_dept_acls(username, dept) values ('user2', 'GWM');
  insert into user_dept_acls(username, dept) values ('user2', 'GT');
  insert into user_dept_acls(username, dept) values ('user3', 'SC');
  commit;
  *(3). Create an Init Block Connection Pool*
  Oracle BI EE requires a separate Connect Pool for Init blocks. It does not allow the default query connection pool to be reused for init blocks. So, we need to create a new init block.
  *(4). Create the ACL Session Variables*
  These session variables hold the list of all members that the user may access.
  Example Session Variable: DEPT_ACL
  Init Block: "Init DEPT_ACL"
  SQL:
  select 'DEPT_ACL', account from user_DEPT_acls where username = ':USER'
  union all
  select 'DEPT_ACL', descendant
  from DEPT_descendants
  where ancestor in (select account from user_DEPT_acls where username = ':USER')
  union all
  select 'DEPT_ACL', ancestor
  from DEPT_descendants
  where descendant in (select account from user_DEPT_acls where username = ':USER')
  The first query block of the init block SQL just selects the members explicitly entered into the ACL table. The second block selects all the descendants of those members from the descendants view. The third block selects all the ancestors to ensure that the user has access to all the members in the drill path starting from the root member.
  Make sure that row-wise initialization is checked in the Variable Target section of the init block.
  *(5). Add the Data Filters*
  In our test case we assigned the data filters to the BIAuthor role, but the filters should be added to whatever role makes the most sense.
  Data filter on "BNSGL"."Department":
  "BNSGL"."Department"."Dept" = VALUEOF(NQ_SESSION."DEPT_ACL")
  *(6). Log in as a Normal User and Query the Hierarchy*
  The user can only see to the members to which they are granted access in the ACL table plus all ancestors and descendants of those members.
  Drill down to the bottom of the hierarchy.
  *(7). Look at the Query Log*
  In the nqquery.log we see that the session variable is expanded into an IN list in the physical SQL query. The BI Server breaks the IN list into two IN lists to avoid the Oracle SQL limit of 1,000 items per IN list.
  Edited by: Nasar Ali-Khan on Jul 2, 2012 8:14 AM

• In system settings 15 item are not accessible, get the message: cannot open it, is not possible on intel based MAC. Items like security, i cloud user and groups network and more

  in system settings 15 item are not accessible, get the message: cannot open it, is not possible on intel based MAC. Items like security, iCloud user and groups network and more.
  Genius bar told me to erase the harddisk and install OSX Maverick again. This has not changed the problems with the system settings

  You need to Repartition the drive as One partition which will erase all data from it and then reinstall OS X. then with the initial setup system you chose the language on the first screen that comes up. That sets the language for the whole system.
  There is no other way of completely removing certain information created by a previous owner. this hold strue whether you are selling or give a Mac to someone.
  To do the repartitioning you need to use the Online Internet Recovery system, if the Mac came with Lion 10.7 or above, or from the original system reinstall discs that came with it when it was new.

• New Technical Article: Securing a Cloud-Based Data Center

  Securing a Cloud-Based Data Center
  by Orgad Kimchi, Ron Larson, and Richard Friedman
  Orgad, Ron, and Richard and explain the precautions you need to take when deploying a private cloud in a data center, and show you how to employ the security features in Oracle Solaris 11 to protect its infrastructure. Part 2 of a three-part article on cloud deployments that use the Oracle Solaris Remote Lab as a case study.
  - Rick

  The beautiful curve drawn by LDPC code caught my eyes, but several points hardly built up user confidence.Some details should be submitted carefully, especially comparison with BCH codes. In my opinion, X-axis is exact error bit count and Y axis is frame error rate. Then, BCH comparison is a theoretical vertical line. LDPC code will be well described in a group of points.
  Moreover, can Xilinx provide more codes with different rate to support flexible design?

• How to restrict authorization based on profit center in ke80 report

  hi friends
  we have a situation where we need to maintain the authorization based on profit center in ke80 report. The authorzation object K_PCA is not working. whenever we assign a particular profit center and then generate the profile, we still get the message no autjorization and when we check su53 it shows it needs '' asterisk. but we cant assign the asterisk as we have 5 subsidaries and there are using 5 different set of profit centers so assigning asterisk () would be comprimising on our security.
  does anybody came across this situation and if yes how did they resolve this?
  I need your suggestions on how to maintain this restriction.
  Regards,
  Imran

  Hi Friends
  The problem has beend solved. It turns out that this is a report writer issue. We raised the issue with SAP and they informed that 'For Report Painter/Writer every item is checked if you have the authori-zation or not. Only the items with authorization fullfilled will be displayed afterwards'.
  Based on SAP answer we created different reports for each profit center/company code.
  I would like to thank you all for your time and inputs.
  Regards,

• Authorization based on t.code and screenvariant

  All,
  Suppose I have created screenvariant in particular transaction .
  For eg MB52 , I have created one variant , ZVAR1
  Is it possile to give authorization based on t.code MB52 and screen variant  ZVAR1?
  Or t. code and layout of report.
  For eg I have changed the layout and save the report as Z111.
  Now is it possible to give authorization ,MB52 and Z111?
  Please advise.
  regards

  Thanks Alex.
  Suppose I am creating new t.code for MB52 program .
  Now in SE93 which object I should I select :
  - program and screen
  - program and selection screen
  - Method of a class
  - transaction with variant
  - transaction with parameters
  Pls advice.
  regards

• Analysis Authorization based on Hier node with multiple display hierarchies

  Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
  Requirement:
  Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
  Preferred solution:
  The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
  u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
  u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
  u2022     The display level will be specified as required (here: Level 7)
  u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
  Reporting Scenario and technical impact:
  As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
  My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
  Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
  Thanks everyone for your input...
  Claus
  Edited by: Claus64 on Jul 13, 2009 4:10 AM

  HI CLause,
  On Jul 14 2009, you wrote in SDN and said:
  FYI: Found a solution...
  The hierarchy analysis authorization will be based on a navigational attribute of cost center.
  With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
  The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
  Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
  As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
  If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
  Claus
  See this thread:
  Analysis Authorization based on Hier node with multiple display hierarchies
  I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
  I appreciate if you can share your solution from the past in more details.
  many thanks

• Variable value to be populated based on user authorization

  Hi all,
  I want to have a variable with single value on plant.
  when the user executes the report, value of the variable has to be populated automatically based on the authorization of the login user and it has to show the output without displaying the selection screen.
  Kindly guide me of, what type of variable to create and to proceed.
  Thanks.
  I

  Hi
  Restriction Plant from user authorization can be achieved by the following steps
  1. Plant infoobject should be authorization relevant.
  2. make authorization object including plant and restrict to the plant u needed and assign the profile to the user
  3. in BEX create variable of authorization type on plant. this variable will get the default values for the plant from the user authorization on the selection screen of the query.
  4. if you dont want to display the variable on the selection screen then remove the chek box in variable that " variable is not ready for input"
  thanks
  radhika

• How to check the authorization based on webdynpro application

  Hi Experts,
  I was asked to develop a webdynpro component with two webdynpro applications, one each for internal party and external party to be used.
  So how to restrict or check the authorization based on webdynpro application used?
  Do we have any authorization object like S_TCODE for webdynpro application in roles and authorizations?
  Please enlighten me.
  Regards,
  Ajay Matam

  You can assign an authorization object to the Web Dynpro Application within SICF -
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/61/d93822a88e15489a9391f309767366/frameset.htm
  Of course you could also programatically check which web dynpro application is being used from within the component and then call a custom auth-check. However maintain at the SICF is probably better for visibilty and long term maintenance costs.

• Credit management Authorization Based on Value.

  Hi All,
  Can help me out to find whether we can implement Credit management based on different level of Values or not.As i know we can do authorization based on % like 100%, 110% etc.
  But i want to activate release authorization based on the Amount like
  level 1              Rs 1 lakh( Can release upto 1 lakh) when it reaches to above of 1 lakh
  level2               Rs  2 lakh ( it will release upto 2 lakh)
  like wise.As what i understand whatever the standard roles are given relevant to % basis only.

  hello, friend.
  yes, you can do this in a few ways...
  1.  try 'Document Class' - a document class is assigned a certain value, which is assigned to a user (the link to credit management is indirect)
  2.  the traditional way is to use 'Risk Category', and you can set specific values (e.g. maximum document values) when doing OVA8. 
  i seem to recall there may also be a way to assign values to risk category, but i will check on this.
  regards.

• Implementing authorization based on database roles

  Hi,
  I am trying to implement authorization in my sample jdeveloper application.
  I have the list of users stored in LDAP and my database table contains the roles for those users.
  Now how can I get the roles from the database table and implement authorization based on the roles?
  I am using jdev 11 and weblogic 10.3
  Thanks

  Hi,
  Checkout [this post|http://forums.oracle.com/forums/thread.jspa?threadID=928304]
  Sireesha

• SEM-BCS authorization or Security Guide

  Hello,
  Last year We went Live with SEM-BCS Project.Now We need to restrict all the t-Code's in SEM-BCS. During the Go-Live We have provided  Full authorization's to everyone.Now Auditor's are bugging us to restrict the access in the SEM-BCS system.If Possible anyone can provide authorization or Security Guide for BCS Project
  Vijay

  Hello Again,
  Guide Contain's Only Authorization Object's & Default SAP Defined Roles. But Here it a different Scenario. SEM-BCS team has provided me 30 T-Codes & I am supposed to Pick all the Default Values for all the T-Codes.
  I am doing it from T-Code: SU24 & Updating it in Excel. My Question's are
  1. How to get more Knowledge on the Tcodes
  2. How it will Function
  3. In what way we can restrict the Feild values & Activities for the T-codes.
  My functional team Have no Knowledge on this Objects & what activities should be there.
  Now i need to explain them each & every T-Code & what does each feild & Activity Do. If there is any Go-Live document for this it will be really helpful for me.
  For All 30 T-codes I need to create Custom Roles &  Audit need's No Astrick for new custom Roles.
  Vijay

• Bw related security and authorizations

  Hi,
  Can anyone please explain in details about BW security and authorizations related?What are tools used for Bw security?
  Sridhar

  Hi,
  Take a look at the links below also search in SDN then you can find many threads , materials related BW security.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI
  http://www.*********************/bw_security/bw_security.htm
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/fda2a990-0201-0010-5497-b81b1556df24
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/adeac294-0501-0010-5a97-9ac5d562b1be
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
  Regards.