UME authorization on object level

Hi,
I understand the concept of roles / actions / permissions in the UME, but this only means you either have a permission or you don't.
What if (and that's the common case in my mind) I need object-level permissions, e.g. I have a hierarchy of application objects and the user should only have access to one branch of the object tree?
Is the application developer supposed to implement this entirely himself, or does UME support such scenarios when it comes to "how do I set up those permissions?" and "where are those permissions stored?" In other words: do I have to create a configuration UI in the application and store the permission data in our own database tables together with the user ID?
Regards
Bruno

Hi Bruno
To give object-level permissions:
0. Include the security API in your Java build path:
com.sap.security.api.jar
1. You need to create a permission class which extends NamePermission for each object. Ex: Button B1. Have a permission class for Button B1 in any package.
2. Create the UI elements and set the visibility property to a context attribute so that you can set the property at run time.
3. Get the user information in your view as follows:
IWDClientUser user = null;
try {
    // resolve the logged-on Web Dynpro client user
    user = WDClientUser.getCurrentUser();
} catch (WDUMException e) {
    // only the message is fetched here; user stays null if the lookup fails
    e.getLocalizedMessage();
}
4. Now check whether the user has the permission as follows:
// null check: the lookup above may have failed, in which case nothing is shown
if (user != null && user.hasPermission(new ButtonB1("But1View")))
    but1.setVisible(WDVisibility.VISIBLE);
5. Now create an XML file with the permission as follows:
<!-- $Id: //shared_tc/com.sapall.security/630_VAL_REL/src/_deploy/dist/configuration/shared/UMErole.xml#3 $  -->
<BUSINESSSERVICE NAME="TEMP" >
    <DESCRIPTION LOCALE="en" VALUE="Access Management Engine"/>
    <!-- Business Service Actions -->
    <ACTION NAME="But1_Admin" >
        <DESCRIPTION LOCALE="en" VALUE="Button 1 Permission" />
        <PERMISSION CLASS="temp.authorization.perm.ButtonB1"
                    NAME="But1View" VALUE="*" />
    </ACTION>
</BUSINESSSERVICE>
6. Deploy the XML file in the Visual Administrator under services/Configuration Adapter/cluster-data/server/persistent/com.sap.security.core.ume.service
7. Restart the J2EE engine.
8. Log on to the UME and try creating a role. There you can see the action you created in the XML file.
Assign the action to the role and assign the role to the user.
9. Now only those users to whom the role you created is assigned will be able to see the button.
Regards
NagaKishore
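As an added example (not code from the thread or from SAP), here are steps 1, 3 and 4 together in one class: the ButtonB1 permission class that the XML above names, a fail-closed version of the visibility check, and a re-check for the button's action handler. The package name comes from the CLASS attribute in the XML; the import paths, the NamePermission constructor signatures and the Web Dynpro API names are assumptions.

```java
package temp.authorization.perm;

// Assumed import paths for the SAP UME security API (com.sap.security.api.jar)
// and the Web Dynpro programming model; adjust them to your release.
import com.sap.security.api.permissions.NamePermission;
import com.sap.tc.webdynpro.progmodel.api.IWDClientUser;
import com.sap.tc.webdynpro.progmodel.api.WDClientUser;
import com.sap.tc.webdynpro.progmodel.api.WDUMException;
import com.sap.tc.webdynpro.progmodel.api.WDVisibility;

/**
 * Step 1: one permission class per protected object. The fully qualified
 * class name and the permission name ("But1View") are what the
 * PERMISSION CLASS=... NAME=... element in the UMErole XML refers to.
 * The static helpers below would normally live in the view or its
 * assistance class; they are kept here so the example is one file.
 */
public class ButtonB1 extends NamePermission {

    /** Permission name shared by the view code and the XML action. */
    public static final String VIEW = "But1View";

    public ButtonB1(String name) {
        super(name);
    }

    public ButtonB1(String name, String actions) {
        super(name, actions);
    }

    /**
     * Steps 3 and 4, fail closed: true only when the logged-on user could be
     * resolved AND holds But1View through a role that carries the action.
     * A failed user lookup is treated as "no permission", not as an error
     * to ignore.
     */
    public static boolean currentUserMayView() {
        IWDClientUser user;
        try {
            user = WDClientUser.getCurrentUser();
        } catch (WDUMException e) {
            return false;
        }
        return user != null && user.hasPermission(new ButtonB1(VIEW));
    }

    /**
     * Visibility derived from the check. Setting NONE when the check fails
     * (instead of only setting VISIBLE when it succeeds) means the button is
     * hidden even if the bound context attribute defaults to VISIBLE.
     */
    public static WDVisibility visibilityFor(boolean permitted) {
        return permitted ? WDVisibility.VISIBLE : WDVisibility.NONE;
    }

    /**
     * Call at the start of the button's onAction handler. Hiding the button
     * is a UI convenience, not enforcement: the action must re-check the
     * permission so that a request reaching the handler without the role is
     * rejected instead of executed.
     */
    public static void requireView() {
        if (!currentUserMayView()) {
            throw new SecurityException("Permission " + VIEW + " is required");
        }
    }
}
```

In the view, bind the context attribute with visibilityFor(currentUserMayView()) and call requireView() first thing in the action handler, so the role assignment from step 8 is enforced on the action and not only on the button's visibility.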

Similar Messages

  • Authorizations for object level

    Hi
    Normally in a BI query I can get object-level authorizations.
    I have customer.
    I can restrict customer (1-10) for 1 user; this query is with me now.
    If I build a universe and Web Intelligence in BO, will these authorizations be applied automatically?
    Or do I need to restrict customer also in Web Intelligence?
    Are there any radio buttons or drop boxes for my reports in BO?
    How do I publish BO reports in my portal for end users?

    Hi,
    When you use a BI query with authorization variables, the authorization variable will take care of the BI security, and yes, the OLAP universe will leverage it as well.
    There is nothing "special" to do in the universe.
    Ingo

  • Authorization at object level

    Dear experts,
    We are using CRM 5.0 (WebIC and PCUI). We have 3 service orders (business transactions) that we use as templates. We want only users with the admin role to be able to display and change them. Currently, everyone has access to them.
    How could we do that?
    Thanks in advance
    Stephanie

    Hi Stephanie,
    Check authorization objects in SU24 -> your t-code -> execute.
    Click on check indicator -> field values.
    You will get the authorization objects for the given t-code.
    Regards,
    Payal Patel

  • Authorizations at Object level

    Hi Guru's,
    I have a query regarding authorizations, i.e. I have a cost center hierarchy and more than 40 users with different cost center eligibility. Now I need to restrict a particular user ID to selected cost centers. Please give me suggestions for completing this task.
    Regards
    Jagadeesh.M

    Hi,
    In RSSM, you will have to create all the nodes for the cost center hierarchies. Here is how you can proceed:
    (i) make sure that you have loaded the cost center hierarchy on the BW side
    (ii) in RSSM, under 'authorisations' -> 'authorisation definition for hierarchies', you will have to introduce all the nodes of the cost center hierarchies
    (iii) subsequently, when you create a role, you can use each or multiple nodes to restrict the cost center
    (iv) assign this role to a user ID; when this user logs in, the output of the query will be restricted by the cost center node values that were used to restrict the role.
    Hope this is clear.
    Pinaki

  • UME security vs ABAP security object level

    We installed Virsa Compliance Calibrator & Access Enforcer and are trying to configure security in UME to control user access so that, besides action-level security, we have further restrictions on, for example, functional area, cost center and department access. Does UME have lower-level authorization restriction capabilities similar to ABAP authorization object-level security? If not, how can we utilize ABAP Virsa security objects to control Java front-end access?
    Your advice is much appreciated.
    Thanks,

    I'm not aware of a way to limit requestor access (you can request anything visible); however, you can provide direction by populating an attribute field (i.e. company) with valid company values for each role. When a requestor searches for a role, if they filter by the appropriate company, they will only see valid roles for the request. I did, however, point the request authentication towards a 'fake LDAP'. This prevents individuals without specific UME credentials from submitting a request.
    However, you can restrict approvers using a custom approver/determinator. In my case, I wanted to use a combination of "role" and "usergroup" to determine the approver, rather than use one approver set for all requests. I have implemented and confirmed this works. The unfortunate side effect is that you have to maintain a separate file for this custom A/D (which you have to refer to / append for any request for role approver information).

  • Object level authorization for SLT Configuration schema in HANA DB

    Hi All,
    We have connected SLT with HANA DB (& ECC as source system).
    Now for certain users we want to restrict access to certain tables (tables owned by the SLT schema, i.e. the schema created in HANA DB with the configuration name provided in the SLT configuration).
    With the SYSTEM user, object-level authorizations on another schema are not possible, hence an error is thrown when we try to provide/control access to a single table for a user.
    Is it OK that we generate a password for the SLT schema and log in as the schema owner? Is this best practice, or is there any other way around it?
    Regards,
    Kumar

    Hi Santosh,
    You can find more info about SLT roles and authorization in the security guide below.
    http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
    Regards,
    V Srinivasan

  • How to trace the missing authorizations using NWBC at object level

    Hi all,
    In SAP R/3 any authorization issue can be tracked down to authorization object level using the SU53 and ST01 t-codes.
    1 - I have a super user who has all the roles in the Solution Manager system and a test user which I created with just 1 role, the Incident Management role. When I log in with the super user ID I can see in the t-code (WDY_APPLICATION - Incident Management) 4 tabs (Overview, Messages, Reports and Queries), but when I execute the same t-code with the test ID I can only see the Overview and Messages tabs. The Report and Query tabs are missing. Please advise on how to trace the missing authorizations using NWBC at object level, or how to solve this issue.
    2 - How do I add a Web Dynpro transaction code (example WDY_APPLICATION - Incident Management) while building a role in PFCG?
    Thanks
    LAK

    Hi Gurus,
    Can anyone please help me with my questions?
    In addition, here is a bit more info that I need:
    How to bring in the new authorizations without logging off and logging back in to NWBC (equivalent to Menu -> Refresh in SAP GUI)?
    Thanks
    LAK

  • How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

    How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via authorization or role level? There is a requirement from my client and I propose two methods:
    1 - Creation of a Z t-code ZVL32N and making the changes at ABAP program level
    2 - Disablement via authorization/role level - but how can I find the auth object / authorization that corresponds to the POST GOODS RECEIPT button in VL32N?

    I think you can make use of SHD0 (transaction variant) to achieve this. You can gray the button out while recording the steps in SHD0.

  • No authorization for object ALVL in integrated planning

    While transferring an aggregation level in IP, the following error is raised:
    'No authorization for object ALVL <name of the aggregation level>'.
    I see an OSS Note for the same - Note 913852 - IP: Content-transferring aggregation levels, released on 10/01/2006. While importing note 913852 I get the following error:
    Error Message - Bad ObjectID
    What happened?
    Invalid Format of ID
    What can you do?
    ObjectIDs must be at least 24-digits and numeric
    Error code: WEBSMP207-20061006191004-0009
    Error details: 21A1D7E-702/1A00C/3162-71D8CFB9-3CB9265-29AB5B
    Service Name: SAPIDB
    Service Server: PWDF1724
    Process-ID: 1640
    Thread-ID: 1428
    1) Is there any other way to handle this error, e.g. giving more authorization to the JCO user or developer user?
    2) I see no delivered aggregation levels or planning functions in 2004s SP09. Is there any way we can import delivered content?
    3) Are there any best practices for implementing Manufacturing Cost Planning (MCP) using BI-IP?
    Thanks .

    Hi,
    I am having the same problem, did you come to a conclusion?
    Rds, Thomas

  • Setting permissions at entity object level using JAAS and LDAP

    Hi,
    I am using the LDAP-based provider for authorization. Everything works fine. Authorization works fine based on the roles created in the web.xml file.
    Could you please let me know how I can define permissions at entity object level when using the LDAP-based provider?
    The following is the permission created for an entity object (SpcStrBdgt) when using the XML-based provider.
    <permission>
         <class>oracle.jbo.server.security.jazn.JboJAZNEntityPermission</class>
         <name>model.SpcStrBdgt/READONLY</name>
    </permission>
    The above is defined in the jazn-data.xml file. How can I define the same thing when using the LDAP-based provider?
    Thanks,
    Seatre

    Hi,
    There is an enhancement request Bug2692994 for this feature.
    Thanks,
    Yvonne

  • Object level security will be done by bi-server or presentation server

    Hi all,
    Is object-level security done by the BI server or the presentation server?
    Or are both done by the BI server?
    Thanks

    Hi,
    Is object-level security done by the BI server or the presentation server? It would be maintained by both servers: the end user sends a request that goes to the presentation server and then in turn to the BI server, and in this process both check whether there is any security implemented on it.
    Yes, in simple words: authorization and authentication.
    Hope it helps you.
    By,
    KK

  • 'Protecting' your derived roles from being maintained on object level

    I'm redesigning an authorization concept that has been polluted in the past by maintaining object level values in the derived roles instead of the master roles.
    Now I would like to build in a kind of warning or authorization so that future role administrators can adjust master roles on object level, and derive the roles from the master, but are not allowed (or get a warning) to change object level values in the derived roles themselves.
    I'm looking for a warning similar to the warning you get when you are trying to change an organizational level value within the object rather than change the orglevel table.
    I have looked for entries in table PRGN_CUST, but found none.
    Also, the authorization checks for deriving roles seem to be similar (http://help.sap.com/saphelp_nw04/helpdata/en/2b/84653f1b76b11ae10000000a114084/frameset.htm) to actually maintaining a role, so no distinction can be made here.
    Knowing all this, I think the answer is: 'no, this is not possible', but if you have dealt with the same problem successfully, please let me know.
    Kind regards,
    Lodewijk Borsboom

    Hi Lodewijk,
    There are exit paths in SU01 and PFCG which might (have) help(ed), but SAP removed the documentation on them because (to my knowledge) as the code was integrated into BAPIs and org. management these exits (like many which have gone before them) caused no end of confusion over time.
    I heard that they would at some point be replaced by BAdIs, but I guess the same problem exists there and I have to date not seen any of them released.
    I have the documentation if you are interested, but which release are you on? I suspect that SAP might even remove the exit coding anyway.
    As the others have stated, I would also go for a detective control. You can always wipe the mistake out again from the master, and this will let you know that someone is not sticking to the rules or doesn't understand the concept.
    This is also an advantage when compared to an error message or warning which only they see...
    Cheers,
    Julius

  • Object Level Security Profile-Collaborators

    Dear All,
    In the document collaborator security profile, one permission is 'change master data state'. Is master data considered to be all fields within the contract? Also, what will happen if this permission is changed to 'not set'?
    Thanks,
    Jay


  • Authorization at domain level

    Hi all ,
    I have a requirement wherein I have to put an authorization at domain level.
    The authorization group and object have been created.
    How do I find the exit where I can use these objects for the domain?
    The domain is BANKN.
    Please help.
    Thanks
    Supriya

    Hi all ,
    I have a requirement wherein I have to put an authorization at domain level.
    The authorization group and object have been created.
    Now I need to put an auth check in all the transactions that use this domain.
    For example, in FK03, enter any vendor and company code and go to 'DISPLAY VENDOR: PAYMENT TRANSACTION'. If that user is authorized then he should be able to see the bank account number, else 'XXXXXXXXXX'.
    This is the scenario.
    How do I find the exit where I can use these objects for the domain?
    The domain is BANKN.
    Please help.
    Thanks
    Supriya

  • Object level checking for some of the basis tcodes(internal audit)

    Hi masters,
    In our company every month we check access controls for some basis t-codes, which I am giving below. Are the t-code and object-level value combinations correct, or are there any modifications needed? Please notify.
    Tcodes     Imp Auth Objects     Auth fields     Auth  values
    SCC1     S_CLNT_IMP     Actvt     21,60
         S_TABU_CLI     CLIIDMAINT     X
    SCC4     S_TABU_CLI     CLIIDMAINT     X
         S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SCC5     S_CLNT_IMP     Actvt     21,60
         S_TABU_CLI     CLIIDMAINT     X
    SCC7     S_TRANSPRT     Request type     *
              Actvt     43,60,75
         S_CLNT_IMP     Actvt     21,60
    SCC8     S_DATASET     PROGRAM     *
              Actvt     06,34,A7
         S_TRANSPRT     Request type     *
              Actvt     43,60,75
    SCC9     S_TABU_CLI     CLIIDMAINT     X
         S_CLNT_IMP     Actvt     21,60
    SCCL     S_TABU_CLI     CLIIDMAINT     X
         S_CLNT_IMP     Actvt     21,60
    SCU0     S_TABU_DIS     Authorization Group     SS
              Actvt     01,02
         S_TABU_RFC     Actvt     3
    OBR1               
    SM01     S_ADMI_FCD          TLCK
    SM04     S_ADMI_FCD          PADM
    SM12     S_ENQUE     S_ENQ_ACT     DPFU,DLOU
    SM13     S_ADMI_FCD          UADM,UMON
    SM50     S_ADMI_FCD          PADM
    SM54     S_ADMI_FCD          NADM
    SM55     S_ADMI_FCD          NADM
    SM56               
    SM59     S_ADMI_FCD          NADM
                   RFCA
    SMLT     S_LANG_ADM     Actvt     02,16,61
              Table     *
    SPAD     S_SPO_DEV     SPODEVICE     *
    SP01     S_SPO_DEV     SPODEVICE     *
         S_ADMI_FCD          SP01,SP0R
    ST01     S_ADMI_FCD          ST0M,ST0R
    ST05     S_ADMI_FCD          ST0M,ST0R
    RZ04     S_RZL_ADM     Actvt     1
    RZ06     S_RZL_ADM     Actvt     1
    RZ10     S_RZL_ADM     Actvt     1
    RZ21     S_RZL_ADM     Actvt     1
         S_BTCH_JOB     JOBGROUP     *
              JOBACTION     DELE,RELE
    SM49     S_LOG_COM     Command     *
              Opsystem     *
              Host     *
         S_RZL_ADM     Actvt     1
    SM69     S_RZL_ADM     Actvt     1
    SM63     S_RZL_ADM     Actvt     1
    SMLG     S_RZL_ADM     Actvt     1
    SE16     S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SM30     S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SM31     S_TABU_DIS     Authorization Group     *
              Actvt     01,02
    SPRO     S_PROJECT     PROJECT_ID     *
              APPL_COMP     *
              PROJ_CONF     *
              Actvt     02,06
         S_DOKU_AUT     DOKU_ACT     MAINTAIN
              DOKU_DEVCL     *
              DOKU_MODE     *
    SPRO_ADMIN     S_PROJECTS     APPL_COMP     *
              PRCLASS     *
              Actvt     01,70
         S_PROJECT     PROJECT_ID     *
              APPL_COMP     *
              PROJ_CONF     *
              Actvt     02,06
    PFCG     S_USER_AGR     ACT_GROUP     *
              Actvt     01,02
         S_USER_PRO     Actvt     01,02
              PROFILE     *
    SM19     S_ADMI_FCD          AUDA,AUDD
    SU01     S_USER_AGR          *
                   01,02
         S_USER_GRP     Class     *
              Actvt     01,02
    SU02     S_USER_PRO     Profile     *
              Actvt     01,02
    SU03     S_USER_AUT     OBJECT     *
              AUTH     *
              Actvt     01,02
         S_USER_PRO     Profile     *
              Actvt     01,02
    SU05               
    SU10     S_USER_GRP     Class     *
              Actvt     01,02
    SU12     S_USER_GRP     Class     *
              Actvt     01,02
    SU20     S_DEVELOP     DevClass     *
              ObjectType     SUSO
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SU21     S_DEVELOP     DevClass     *
              ObjectType     SUSO
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SU22     S_DEVELOP     DevClass     *
              ObjectType     SUST
              ObjectName     *
              P_Group     *
              Actvt     01,02
    CMOD     S_DEVELOP     DevClass     *
              ObjectType     CMOD
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SA38     S_PROGRAM     P_Action     SUBMIT,BTCSUBMIT
              P_Group     *
    SD11     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     UDMO,UENO
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE11     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     DOMA,DTEL.ENQU
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE12     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     DOMA,DTEL.ENQU
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE13               
    SE14     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     INDX.MCID,TABL
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE15     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     3
    SE37               
    SE38     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     FUGR,PROG
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE93     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     TRAN
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE41     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE43     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     3
    SE43N     S_DEVELOP     DevClass      '
              ObjectType      '
              ObjectName      '
              P_Group      '
              Actvt     01,02
    SE51     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     FUGR,PROG,DYNP
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE80     S_DEVELOP     DevClass     T,Y,Z*
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE81     S_DEVELOP     DevClass     *
              ObjectType     *
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE82     S_DEVELOP     DevClass     Y,Z
              ObjectType     APPLTREE
              ObjectName     *
              P_Group     *
              Actvt     01,02
    SE91               
    SE92               
    SE92N               
    SNRO     S_NUMBER     NROBJ     *
              Actvt     02,17,11
    SQ00     S_QUERY     Actvt     02,23
    SQ01     S_QUERY     Actvt     02,23
    SQ02     S_QUERY     Actvt     02,23
    SQ03     S_QUERY     Actvt     23
    SQVI               
    SM35     S_BDC_MONI     BDCAKTI     ABTC,AONL,DELE
    SM35P     S_BDC_MONI     BDCAKTI     ANAL
    SM36     S_BTCH_ADM     BTCADMIN     Y
    SM37     S_BTCH_JOB     Jobaction     PROT,SHOW
              Jobgroup     *
    SM39               
    SM62               
    SM64     S_BTCH_ADM     BTCADMIN     Y
    SE01     S_CTS_ADMI     CTS_ADMFCT     EPS1,EPS2,PROJ
         S_TRANSPRT     Actvt     *
              Ttype     *
    SE06     S_C_FUNCT     PROGRAM     SAPLSTRF,SAPLSTRI
              CFUNCNAME     SYSTEM
              ACTVT     16
         S_TRANSPRT     Actvt     43,60,65
              Ttype     *
    SE09     S_TRANSPRT     Actvt     43,60,65
              Ttype     *
         S_CTS_ADMI     CTS_ADMFCT     EPS1,EPS2,PROJ
    SE10     S_TRANSPRT     Actvt     43,60,65
              Ttype     *
         S_CTS_ADMI     CTS_ADMFCT     *
    SPAM     S_CTS_ADMI     CTS_ADMFCT     IMPA,IMPS
         S_TRANSPRT     Actvt     43,60,65
              Ttype     PATC,PIEC
    STMS     S_CTS_ADMI     CTS_ADMFCT     *
         S_RFC     Actvt     16
              RFC_NAME     EPSF,STPA
              RFC_TYPE     FUGR
    Edited by: rameshbabu muddana on Mar 2, 2009 10:56 AM

    Hi, thanks for the reply: "you should not care about the transaction start s_tcode at all - only check the object required".
    It has been made a mandatory policy to check users and roles every month against the given criteria of t-code and object. Now I have been given the task of checking whether the t-code and object value combinations are correct or not. Please validate the combinations and suggest; we are using ECC 5.0. I had gone through the wildcard use (#) when we check in SUIM, and I am getting confused that when I give # followed by a value, the data I get is different from without #. Please provide an example for SE16 with S_TABU_DIS.
    How to check?
    I am checking in this way:
    S_TCODE       SE16
    S_TABU_DIS
    Activity
    Value  01 or 02
    Authorization Group
    Value  #&NC&
