User Administration - how to lock or disable user access?

How can I disable a user or prevent the user from accessing BPC and yet still maintain the user info in the BPC? This is for future reference (tracing) and audit purpose.
Currently we disable the user by removing all team profiles, member access proflles, and task profiles from the user.
Thanks.

Hi Nilanjan,
I am still confused. Maybe my question is not clear. Here what I want to do.
User U currently is assigned to a team EndUserTeam.
EndUserTeam has task profile EndUserTaskPrf and has member profile EdUserMbrAccPrf.
EndUserTaskPrf can excute, submit data, analyze, add comment, etc (typical norma end user tasks)
EndUserMbrAccPrf has access to certain members of applications.
Now, what I want to do is to not allow the user to log into the BPC.
Should I remove the user from team EndUserTeam (which in turns remove EndUserTaskPrf and EndUserMbrAccPrf)?
Or is there a way to block the user from logging into BPC without removing his/her from teams, task profiles, or member access profiles?
From your answers, it seems i have to remove all tasks, all member access permissions, all teams.
Thanks.

Similar Messages

  • How do you Enable/Disable a user's ScreenSaver and set it's time

    How do you Enable/Disable a user's ScreenSaver and set it's "Start Screen Saver" time.
    I am writting an application in java which uses JNI and a screen saver to lock users out of the computer unless they enter the correct username and password.
    If they enter the correct password I need to Enable the ScreenSaver at a specific about of time (time can be changed remotely) so I can "log out" the user.
    I need to disable the screen saver after the screen saver runs so that it doesn't run while the java login program is running.
    I have this working already on Windows XP but can't find any way to program this on Mac OS X.
    Thank you for any help!

    http://forums.macosxhints.com/showthread.php?t=61525
    Disable
    defaults -currentHost write com.apple.screensaver idleTime 0
    Enable for 180 seconds
    defaults -currentHost write com.apple.screensaver idleTime 180

  • How to lock multiple user for a transcation code at same time is der any tc

    how to lock multiple user for a transcation code at same time is der any tc
    suppose i hav 15 user and i want to lock 10 user for mm02 who can i to it

    Basis can do a export and import transport, still if don't have connection between boxes.
    or
    check this
    http://www.sap-basis-abap.com/abap/copy-program-variants-from-one-to-another.htm

  • How to lock sap users in os level

    Dear consultants,
    how to lock the sap users in OS level.please tell me any one.

    Hi Pradeep,
    The table is usr02. The command is as below:
    update <schema>.usr02 set uflag=128;
    in case you need to mention any particular user to be locked, mention in the where clause.
    Before using this command, use the select statement to check the current status of the users.
    Regards,
    Meenu Hans

  • How to turn greyish/disable a field in ME52N/ME53N (working on a user exit)

    Hi experts,
    simple question: I'm working on an user exit that is used by ME5?N, and I'd like to do something like:
    "looping on the items of a purchase req., if position X has a particular value as attribute, then don't allow any change to the field PSTYP".
    I can easily implement the check in the code of the user exit; I don't know how to turn grey/disable for any change the field PSTYP at screen as a consequence of a positive check. Can anybody guide me thru this - I hope simple - operation? Thanks in advance

    You will not get any answer here, Post your question in correct section after mark this thread as answered
    Oracle Discussion Forums » Oracle Database » Application Express

  • How do you selectively disable users validated by nt domain?

    We are validating our sw vpn users on our 3030 via nt domain. Therefore there are no individual userids.
    How can we selectively disable certain users? e.g. A few office workers not allowed to come in from home.
    If this were Windows / RAS we could uncheck the dialin box on their user profile - is there some similar setting within Windows for sw VPN users?
    Or even better, are these domain authenticated users authenticated against any particular nt group, from which we could then remove them?

    With NT Domain Authentication, what you are trying is not possible. What you need to do is to configure the concentrator to use Radius. You could refer to http://www.cisco.com/warp/public/471/cisco_vpn_msradius.html and http://www.cisco.com/warp/public/471/vpn3k_ias.html for more configuration information.

  • Disable User Access to Accessibility Pane in System Preferences

    Hello Everyone,
    What I want to do is have a user account which does not have administrator access have access to the System Preferences App but not access to certain functions. Things I want to disable are Accessibility, App Store, Dictation and Speech, Keyboard, Parental Controls, Secuirty and Privacy, and Users and Groups. The reason for this is that this is something I am trying to get setup for as a new design for the user allowances to assist with some issues that have been reported by teachers for sets of student laptops. As a note they need to be able to access things like the Printers and Network menus because these are laptops which are assigned to the students. They will go home with them so they need to be able to have access to change the settings for networks and add printers.
    For some background of changes to the system that I have made. I have given access to the students using Directory Utility so they can edit the print settings without having to use an Admin password by updating the groups settings and adding them to the Pritner Admin's group manually. I am planning on blocking access to certain programs like Terminal because the students are using it to force the laptops to "talk" in class which they think is funny but the teachers are finding it disruptive and have asked that I disable this for them. I also am using Netinstall to mass deploy the image that I am making because I need to deploy this to around 100 devices.
    I look forward to any suggestions everyone may have for this.
    PegasusN

    Hello Baltwo,
    I usually post over in the education section when I am posting questions. This is more a question of how do I modify what is available in the system preferences pane than related to me doing a mass deployment. I put those notes in because usually people start off with comments like disable system preferences or why would you want to block access. What I really need is OS specific rather than mass deployment. The search system also loves to look in the iPad forums and just reports back thinks like how to turn the settings back off once they have been turned on. As it stands I do disable the keyboard shortcuts but that does not keep the students out of the pane sadly.
    Thanks for the ideas though. If I cannot get an answer here I will try over there next.

  • Disable User Access

    We have a number of changes we are looking to implement and estimate we would need a 3 hour window to complete.  We are proposing the changes be completed during normal hours of operation as it will require support from different teams in our IT department should we run into any issues.  We will send a notification informing the users of the planned outage but do we have any way to disable their access so they are unable to connect at all?  Our security setup controls access using a combination of team and data access profiles which would require of number of changes so I was looking for an easier solution if possible.
    Thanks

    Hi Pablo,
    you have a lot of unanswered questions, are they all still open?
    If you have solved then please close in a correct manner these threads assingning a "correct answer" and eventually add the solution if not present, read please How to close a discussion and why and Are you a responsible person in SCN?
    About this issue, putting offline the appsets you're sure that no users can send data or execute packages only admins are allowed to work.
    If you have management console installed you can see which users are connected and contact these to exit.
    You can also prepare, useful for the future update queries to automatically backup the involved tables, exclude all the user from the teams, hoping you give the security rights to the teams and not to the users, so they will exists in BPC but without rights and when finished to restore the tables.
    Regards
         Roberto

  • I want to disable Internet access to user using GPO

    I am using Win Server 2008 R2, I want to disable the users from accessing Internet which are in that OU. Can anyone tell me how is it possible ?

    Hi,
     Disabling Internet access using software on the client is inherently difficult. The client isn't aware of what is an internal resource (like an Intranet page for example) as opposed to an Internet resource. You can use GPOs to disable specific programs
    (like browsers) or to change how traffic is routed by the client but in order to effectively control who can and can't access the Internet, your best bet is a perimeter device like a proxy or firewall that sits between your clients and the Internet and is
    integrated with AD so it can manage access to the Internet based on users, groups, IP addresses, etc.
     The closest you can come without a proxy is to configure a proxy server address for those users using the Internet Explorer Maintenance component (found under User Configuration\Windows Settings). This proxy can either be a non existent address or
    if you want more control over the error messages users get, it can be an internal web server with a page that provide a custom message. The same configuration will allow you to list specific URLs that are exempt in case you have specific web sites, internal
    or external that must be available.
     Note that this option will apply to all browsing, internal and Internet based, but will only impact IE. Internet access using other browsers or other software will not be impacted unless that software leverages the IE proxy configuration (which many
    applications do). 
    Hope this helps,
    Guy

  • How to trace an user access

    Even if I've got no DBA permission (for example I don't see the v$session table), have I got any way to trace the users accessing the DB? How can I do? I was told about trace but can someone tell me more? I'd like to know the user accessing the DB and the operation that he's launching. Is it possible?
    Thanks!

    Anything is possible if you have the correct privileges. But then you probably don't have those privileges, and probably for a reason, as you probably also don't have the DBA role for a reason.
    If you are to enable trace in a different session, you would need execute access on an Oracle provided package, which differs by version, and of course you assume Oracle never changes, and there is only one version out there: yours.
    For a DBA it would be the easiest to grant you the select_catalog_role and the execute_catalog_role.
    But then again one would ask why you think you should spy on him, and why you don't cooperate with him and/or try to convince him.
    Sybrand Bakker
    Senior Oracle DBA

  • WebLogic 10.3.0 WLI Domain - Microsoft AD administrator user access issue.

    Hi SOA Experts,
    We are facing issue of getting noaccess exception on console (below) when doing datasource testing using Microsoft AD administrator user. The same works fine when testing using WLS embedded LDAP administrator user in WLI domain. In plain WLS 10.3.0 domain (without WLI) with same Microsoft AD configuration they do not see this issue, they are able to successfully test data source using both embedded WLS administrator and Microsoft AD administrator user.
    I enabled security ATN and ATZ debug flags and below is my observation.
    In plain WLS 10.3.0 domain I see that default weblogic administrator user in embedded LDAP is part of administrators group. Microsoft AD administrator user is part of Administrators group from MS AD.
    Whereas in WLI domain I see that default weblogic administrator user is part of Administrators & IntegrationAdministrators groups. In WLI domain Administrators group is again part of IntegrationAdministrators group (below is debug logs).
    Below is Plain WLS Domain Debug log
    ####<Dec 6, 2010 5:20:14 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)
    '> <<WLS Kernel>> <> <> <1291674014123> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Below is WLI Domain Debug Log
    <> <1291669863989> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291669863989> <BEA-000000> < Subject: 3
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
    The issue of Microsoft AD administrator user not able to test datasource in WLI domain seems to be happening because of IntegrationAdministrators group which comes by default with WLI domain (in plain WLS domain we do not have this group). Looks like the datasource which is being created in WLI domain seems to be being treated as WLI resource and user accessing it is being checked if it part of IntegrationAdministrators group. In this case weblogic default administrator user is part of IntegrationAdministrators, for which we do not see issue where as Microsoft AD administrator user which is not part of IntegrationAdministrators seems to be having problem.
    Below is snipper of Microsoft AD administrator user in Debug logs
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291670011687> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291670011687> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Also one more observation about datasource which is created is in plain WLS & WLI domain created datasource resource type is shown as “jdbc” which is expected, but in addition in WLI domain I observe that created datasource resource type is marked as JMX and DS is being considered as application (below), not sure if this has something to do with the issue.
    Below is WLS domain debug log, below you can see that datasource is being treated as JDBC resource which is expected.
    ####<Dec 6, 2010 5:21:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291674063776> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<jdbc>, application=, module=, resourceType=ConnectionPool, resource=testDS, action=reserve>
    Below is WLI domain debug log, below you can see that datasource is being treated as application and it says resource type as JMX
    ####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
    I created user in embedded LDAP in WLI domain with same name as MS AD administrator user and assigned it to Administrators group, that obviously works but is not acceptable solution.
    Below is exception thrown on console when testing datasource using Microsoft AD administrator user.
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[MSADAdminUser, Administrators], on Resource weblogic.management.runtime.JDBCDataSourceRuntimeMBean Operation: invoke , Target: testPool at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy92.testPool(Unknown Source) at com.bea.console.actions.jdbc.datasources.testjdbcdatasource.TestJDBCDataSource.begin(TestJDBCDataSource.java:114) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:870) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306) at
    - BoyelT

    This issue has been resolved.
    The problem of Microsoft active directory administrator user not able to test the datasource in WLI domain is caused because of IntegrationAdministrators group & IntegrationAdmin role which comes in WLI domain. Assigning the Microsoft Administrator group to IntegrationAdmin role from WebLogic console has resolved the issue.
    Below are steps for assigning the MS AD administrator group to IntegrationAdmin role from console in WLI domain.
    ======================================================
    - Login to console and click on "Security Realms" and "myrealm"
    - Go to "Roles and Policies" tab and expand "Global Roles" tree and "Roles" tree view under it.
    - Click on "View Role Conditions" link for "IntegrationAdmin" role.
    - Click on "Add Conditions" button select Group (default) for "Predicate List" drop down box and click Next button.
    - Specify MS AD admin group name for "Group Argument Name" text box and hit on Add button.
    ======================================================
    - BoyelT
    Edited by: BoyelT on Dec 20, 2010 1:36 PM

  • How to Apply a Newly Created Access Policy on Existing Users in OIM????????

    How to Apply a Newly Created Access Policy on Existing Users in OIM?
    When the rule is getting failed the user is getting removed from the group but resource is not getting revoked. This is happening only for the old uses..for the users which i created now it working fine..i mean its resource is getting revoked.
    (Retrofit access policy" is checked on the Access Policyand Revoke if not longer applied is checked.)
    For the old users i see the POl_Key is null, for new users i see a value '10'. So i updated the pol_key for old users same as it got generated for new users '10'.
    i even updated the form version too but still revoke doesn't work.
    I cant go for the below approach..
    In order to apply a newly created Access Policy on existing users, one has to make sure that:
    1) "Retrofit access policy" is checked on the Access Policy.
    2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
    Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies" as mentioned inDocument 839368.1 :How to Use Access Policies to Provision with Groups.
    Is there any other approach i can try.. if you have any idea please reply me asap
    Thanks..

    Thanks for the reply kevin..
    We decided to try the Schedule task (Set User Provisioned Date).
    But i see one problem here after seeing this post in metalik --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
    According to this post Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
    Is there any custom way to achieve this??
    How does the access policy framework revoke resource work? (revoke if no longer applies)??
    Edited by: IDMuser19 on Jun 21, 2011 11:43 PM

  • After recording text using the dragon dictation app, it is converted, it can be copied to the iOS system clipboard for use in any app, how does the user access the clipboard to retrive this information if it is no longer on the screen?

    after recording text using the Dragon dictation app, it can be copied to the iOS systme clipboard for use in any app, how does the user access the clipboard to retrive this information if it is no longer on the screen?

    You need to do a long-press in any data entry field, then select Paste.

  • How can know which user accessing specific form in ERP application

    Hi,
    In our organization we have ERP application that is developed based on Orace forms and reports 10g.
    My question is how can i know which user accessing specific form in ERP application based on their login.
    Please do the needful.
    Regards,
    M. Satish

    What I infer from your statements now, significantly different from your OP, is that you do not have any logging mechanism and now want to introduce logging with minimum effort.
    If that is the case you can add the logging code in your Menu(s), before the CALL_FORM/NEW_FORM. Fewer object(s) to modify, but roughly the same lines of code get added.
    Regards,

  • How to restrict user access in Oracle Application Server 10g (9.0.4)?

    Can anybody please let me know how to restrict user access in 10g AS? To be specific, how to allow http requests from specific IPs only?

    Hi,
    You have to edit httpd.conf and modify acces rights for each protected directory
    e.g.
    <Directory /var/www/sub/payroll/>
    Order allow,deny
    Allow from 192.168.1.0/24
    </Directory>
    then you have to restart Oracle HTTP Server
    jm--

Maybe you are looking for

  • HTML in EMAIL templates

    Hi Everyone, I am trying to embed HTML in an email template. Here is what I am trying to do. Google I would like it to appear as Google but it appears as Google <http://www.google.com> Any ideas?

  • Should InDesign be used for an academic journal?

    Hi, As an editor, I have been looking into the possibility of using InDesign as a layout program for an academic journal at our university. We currently use Word. I was wondering what the experts think of using InDesign for this function, in light of

  • Absturz von InDesign CS6 bei älteren Dokumenten

    Ich kann ganz normal mit CS6 arbeiten, nur wenn ich Dokumente öffnen will, die ich vor einigen Wochen erstellt hatte, stürzt InDesign mit der Fehlermeldung ab: Adobe InDesign funktioniert nicht mehr. Das Programm wir auf Grund eines Problems nicht ri

  • V1.6 "Item count exceeds maximum of 100" is still in law?

    Hello everybody, I have warning "Item count exceeds maximum of 100" but it seems the page works and saves data properly nevertheless. Should I still pay attention to this message in version HTML DB 1.6?

  • Can't Turn Off Zen Micro with V2 Firmware

    I just decided to upgrade my firmware to V2 for the hell of it. The new firmware seems odd at best, but I just don't feel like going back to V. One thing that really annoys me is that I can't charge the Zen to full anymore. It always seems to be stuc