User based authorization

I have a question about role based authorization. Guess we have 100 transactions and 100 users. I know we have to create a new role for a new combination of transaction list. Ex: 1,2,3,4,14,15 is RoleA and 1,4,25,34 for RoleB and so on. What will it be if we have a really mixed authorization combination? Guess 15 users use A Role and 20 B Role. But we have three new users. They mustn't use only two transactions in A Role. Now we come to the subject of my question. I don't want to create a new role for these users. Is it possible to restrict authorization? As if in the same role but restricted to use these transactions. (without ABAP coding) In a clear expression: user based transaction authorization, not role based.

Hi,
in my opinion that isn't possible without coding.
Sorry ;-(
Regards
Bernd

Similar Messages

  • User based authorization to create Purchase Orders out of Purchase Req.?

    Hello,
    I have the following requirement for my client:
    User based authorization to create Purchase Orders out of Purchase Req.?
    I am told the same can be achieved using same standard menu path in IMG/Customizing.
    Please advise with the menu path and details. Useful answers will be rewarded.
    Thanks

    Using OMET Function Authorization, you can restrict users to create Purchase orders without Purchase Reqn.
    Using OMET trxn code Create one Function Authorization Called pr and in General Parameters tab Select the Field Selection and in Possible reference Objects Tab Mark the With ref to Prs check box and save.
    Next, you've got to associate via SU01
    Click Parameters, insert a new parameter id EFB to the authorization code.
    Type in Parameters value you want e.g. XX
    You have to assign the control for ALL the SAP buyers via their SAP users id.
    Logoff and login again. Then try to create a Purchase Order without a reference.
    From Next time whenever you try to create without referring PR it will not allow you to Save PO.
    Regards,
    Ashok

  • User Based Authorization with ISE

    I am trying to configure ISE to limit the activity of individual users once they have logged in from an authorized PC into our network. We basically only want them to be able to connect to specific systems. Is ISE able to do this on a per user basis?

    Yes.
    One of the things you can do via your Authorization policy is to push a downloadable ACL (dACL) to the port (for wired users). For wireless users you can apply a pre-defined Airespace ACL from the WLC to the user session. 

  • User based Authorization for Documents

    Hi All,
    Is it possible to have following scenario?
    1)
    There is a folder A. Inside this folder there is a file abc.txt & xyz.txt.
    Now User 1 & User 2 both have access to folder A.
    User 1 can read / download the file abc.txt & xyz.txt
    User 2 can see only the name of the file inside this folder, but he can't download this file. And he can read / download xyz.txt file.
    And instead of user, can it be given role based also???
    Like abc.txt can be downloaded only by R&D role and not any other users.
    The main purpose of this feature is to let user know there is a document stored in a particular folder but he can only see the name of this document.
    Regards,
    Purav

    Hi Jitendar,
    From permission we can do only read, write, read & write, Full control, that's it.
    See the scenario I have given.
    User2 can't even read the file, he can only see the name of that file.
    I have seen the KM Permission link http://help.sap.com/saphelp_nw04/helpdata/en/4c/9d953fc405330ee10000000a114084/frameset.htm
    but still couldn't find the solution to my scenario.
    Regards,
    Purav

  • BI Bex Query prompt based on User's Authorization....

    Hi
    In BI, I created 1 BEx Query based on Authorization. If a user runs the query, it prompts for 'Customer Name' to get data of particular customer. And Customer values are populated in the prompt based on User's Authorization.
    For example:
    User1 is authorized to see data of Customer1 & Customer2. So, Query prompt will show 2 values: 'Customer1' & 'Customer2'.
    But User2 is authorized to see data of Customer1, so Query prompt will show 'Customer1' only.
    I created 2 variables on Customer field:
    1) Authorization Variable in Filter Section
    2) Manual, Single Entry, Mandatory on Default Value section.
    My Requirement:
    If user is authorized to link with only 1 Customer, he should not get prompt & on the background prompt value should be populated from his authorization value. But if user is authorized to see multi-customers, then prompt should appear.
    If possible pls. provide some suggestions....
    Thanks...

    Yes, this can be done.
    but there is a little workaround, using guided navigations:
    1. Create a report with column fx as case when 1=0 then markets.region else user() end
    2. apply filter on this column is equal to User_1
    3. Create another report with column fx as case when 1=0 then markets.region else user() end
    4. apply filter on this column is equal to User_2
    5. Now add all your prompts to dashboard, but each prompt should be in each section object of dashboard.
    6. For first section click on section properties, go to Guided Navigation...
    7. Browse Source Request as first report.. and keep If request returns rows selected.
    8. Repeat above step for another section.. but this time browse 2nd report.
    9. Just save dashboard.
    Check now..
    Hope you understood..
    Regards
    Kishore Guggilla
    Edited by: Kishore Guggilla on Feb 18, 2009 12:57 PM

  • Broadcast based on user's authorization

    Hi
    I have to broadcast the reports based on the user authorization. What are the possible ways of achieving this?
    1. Is it possible to execute the report only once and send the reports to different users based on their authorization?
    2. For example, there are four sales organizations and I want to send reports to users with only the sales org data he/she is authorized to see. For this, do we have to create four user roles restricting it to the sales org? If there is any other way, please suggest.
    3. Is it possible to apply user's authorization on the file created by broadcasting? Basically I want to execute the report only once through broadcasting and apply the user's authorization and then burst the report data to the different users based on their authorization.
    Thanks in advance.
    Regards
    Sadeesh

    Dear Sadeesh,
    We have the similar Req in our project. We need to Broadcast BI Report to Multiple Users based on Their Authorization which has been maintained in BI. Do you have a solution for this? Do we need to make some necessary Settings in User Profile?
    Thanks In Adv.
    Deepika

  • Row-/instance-based authorization

    Hi,
    I'm looking for ways to implement row-/instance-based authorization using Toplink 9.0.4+ and Oracle DB 9.204. The domain objects are represented by standard Java objects (POJO's) not entity-beans.
    My question: what are well-known working approaches to implement this? How did you do that in a project using Toplink and POJO's?
    I guess Label security/Virtual Private Databases would be interesting to consider. But I wonder if it's possible to use that with Toplink. Issues that I see right now:
    - how to propagate the credentials of the user to the database and still use connection pooling?
    - can Toplink generally make use of Label Security?
    Another approach would be to implement a JAAS extension following the lines of the article "Extending JAAS for class-instance authorization" http://www-106.ibm.com/developerworks/java/library/j-jaas/
    I expect this can easily result in a separate query per object. Which probably results in atrocious performance.
    Or this could be implemented by an aspect. But still this would probably necessitate n+1 queries for n objects. In other words: this would still let the appserver do the constraining of results while that is the right task for the database of course.
    Your comments and advice are highly appreciated,
    Joost de Vries
    the Netherlands

    The main decision to make is whether to handle the instance level security in the application, or the database.
    As you mentioned there are many ways to handle security in the application.
    Oracle database supports VPD and OLS for row level security. The TopLink 10g 10.0.3 preview has added support for this refer to:
    http://otn.oracle.com/products/ias/toplink/preview/index.html

  • How to set role based Authorization in JAAS

    How to set role based Authorization in JAAS?
    I had user name, password and role in FileLogin
    thanks
    arun .v.

    http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last

  • Person responsible based Authorization in Projects is not working for me

    Hi,
    Does 'Person responsible' based authorization for WBSE work for the WBS element only, or for the hierarchically sub-ordinate non-WBS objects (meaning Networks, Activities, Materials etc) as well?
    Details:
    (Authorization objects: C_PROJ_VNR and C_PRPS_VNR)
    -- User1 is assigned with role TESTROLE1. This role has the Project manager based WBS & project authorization objects, with person number 101.
    -- User2 is assigned with role TESTROLE2. This role has the Project manager based WBS & project authorization objects, with person number 102.
    Following sample project is created by a super-user:
    PROJ123 (Details: person responsible - 101)
      WBS-1 (Details: person responsible - 101)
        WBS-1/1 (Details: person responsible - 101)
          NETWORK1
          ACTIVITY11
          MATERIAL111
          MATERIAL112
        WBS-1/2 (Details: person responsible - 102)
          NETWORK2
          ACTIVITY21
          MATERIAL211
          MATERIAL212
    Now the requirement of super-user is that WBS-1/1 and its subordinate elements (Activities, Materials etc) should be editable only by User1. And similarly, WBS-1/2 and its subordinate elements should be editable by User2 only.
    My issue:
    Although WBS-1/1 is not accessible to User2, BUT User2 can edit the subordinate elements (NETWORK1, ACTIVITY11, MATERIAL111, MATERIAL112) of WBS-1/1. I do not want User2 to have edit access to subordinate elements of WBS-1/1.
    Above issue is with User1 for WBS-1/2 as well.
    Hope I am clear in explaining my issue. Can anyone please help me understand the standard authorization concept of Person responsible based roles. I suspect that I am going wrong somewhere but I am not able to identify the problem.
    I want to allow access of a part of project to one user, and another part to some other user. And I do not want to go for an ABAP option if I can do above using basis authorizations.
    (Above mentioned problem is not just with part of projects, but with a complete project as well.)
    Hope to see some quick replies. Thanks in anticipation.

    Thanks for the inputs Sreenivas.
    Are you aware of any authorization objects which can restrict access to Networks, Activities, Material components and Milestones, using 'Person responsible' or any other suitable field? I hope you got what I am looking for.
    Restricting WBSE based on 'Person responsible' without restricting sub-ordinate elements is not much useful according to me. It helps only with simple project structures (having only WBSE) and nothing much. Right?
    Thanks again

  • Restrict users based on Customers

    Hi ,
    In ECC system, we have general requirements to restrict users based on customer account group where customer account group is represented as Site/Store.
    Possible values for Customer Account group -
    - Reference Store
    - Head Store
    - Wholly Owner Store etc.
    Till this point everything is fine. However, Client has few additional External Stores which are represented as one Dummy Site and Customers belonging to that store are actual external Stores.
    Example, we have additional Value for Customer Account Group -
    - Dummy Site
    And now all the Customers that are part of dummy site are actual stores and we need to drill down our restriction to this Customer (so-called Stores).
    To restrict users based on customer account group/Stores, we can utilize F_KNA1_GRP with field KTOKD (Customer Account Group). However, is it possible to create roles based on individual customers of these Stores?
    If yes, how can we do that?
    P.S. I had a look at authorization object F_KNA1_BED with field BRGRU. Can this object help us in fulfilling our requirement? Or is there any other SAP provided authorization object which can help us to restrict on Customer values?
    Thanks,
    Sheenam

    You could use F_KNA1_BED, I guess - but that would mean excessive maintenance of both: BEGRU and customers, if I understood your scenario correctly and you really, really want to break that down to single customers.
    It would be even more excessive to utilize F_KNA1_GRP. Can be done, though.
    Both solutions are completely un-elegant and I am not happy proposing them. But I am curious as a cat: what exactly is the business process expecting you to restrict access to customer data down to a single customer?
    Edited by: Mylène Dorias on Mar 24, 2010 8:39 AM

  • Time-Based Authorization

    I would like to know if it's possible to deploy time-based authorization commands, in order to restrict the operator to modify the router configuration only in maintenance windows. ACS 4.1

    Please refer to this link,
    Setting Default Time-of-Day Access for a User Group
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp478788
    Regards,
    ~JG
    Do rate helpful posts

  • Instance Based Authorization

    I am trying to find a way to access the instance of a Resource in an AuthorizationProvider
    in order to be able to determine if a specific user can access one instance of
    that resource.
    Example, my Resource is an EntityBean named: TestEntityBean, the code is as follows:
        import javax.ejb.CreateException;
        import javax.ejb.EntityBean;

        public abstract class TestEntityBean implements EntityBean {
            // some default methods
            public java.lang.Long ejbCreate(Long key, String name) throws CreateException {
                System.out.println("TestEntityBean.ejbCreate");
                setSecurityid(key);
                setSecurityname(name);
                return getSecurityid();
            }
            // container-managed persistence accessors
            public abstract Long getSecurityid();
            public abstract void setSecurityid(Long securityid);
            public abstract String getSecurityname();
            public abstract void setSecurityname(String securityname);
            public void ejbPostCreate(Long key, String name) throws CreateException {
                System.out.println("TestEntityBean.ejbPostCreate");
            }
        }
    I am using CMP, and my DB is ORACLE. When my authorization provider intercepts
    the request to getSecurityName() I can see:
    This defines my resource being used (aka my TestEntityBean and the method) but
    how can I find out what is the EntityBean content? i.e. for example how can I
    define what is the primary key of this object?
    If I am offline, would you have recommendations on how to implement an instance
    based authorization model? (ref to articles...?)
    Thank you

    This is what the AuthorizationProvider named MmlFileAuthorizationProviderImpl gives me:
    MmlFileAuthorizationProviderImpl.isAccessAllowed
    subject = Subject:
    Principal: user1
    Principal: myGroup
    Principal: developers
    Principal: mySecondGroup
    Private Credential: principals=[user1, myGroup, developers, mySecondGroup]
    roles = Anonymous,writer_user,reader_user,creator_user
    resource = type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={}
    direction = ONCE
    handler = weblogic.ejb20.internal.DummyContextHandler@1c32369
    MmlFileAuthorizationProviderImpl.isAccessAllowed
    subject = Subject:
    Principal: user1
    Principal: myGroup
    Principal: developers
    Principal: mySecondGroup
    Private Credential: principals=[user1, myGroup, developers, mySecondGroup]
    roles = Anonymous,writer_user,reader_user,creator_user
    resource = type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={}
    direction = ONCE
    handler = weblogic.ejb20.internal.EJBContextHandler@1372a7a
    Resource hashcode: -1318771256
    ID: 2145579658558124
    Type: <ejb>
    Keys[0]: application
    Keys[1]: module
    Keys[2]: ejb
    Keys[3]: method
    Keys[4]: methodInterface
    Keys[5]: signature
    Values[0]: appsdirmml_ear
    Values[1]: testsecurity.jar
    Values[2]: TestEntityEJB
    Values[3]: getSecurityname
    Values[4]: Local
    Values[5]: {}
    Looking for policy for resource(type=<ejb>, application=_appsdir_mml_ear, module=testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local, signature={})
    I get all the information about the resource ... i.e. which entitybean object is being used, but I can not have access to any of the bean information, and this is what I need to enable Instance base Authorization for this bean.
    Basically how else can I say:
    User Paul can do anything with this TestEntityBean being object "123" ?
    User John can only read the TestEntityBean "123" but can access and write in all other bean TestEntityBean ?
    Am I making sense? Can anyone help?
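The rule asked for in this thread (Paul may do anything with TestEntityBean "123"; John may only read "123" but may read and write every other instance) can be expressed as a type-wide grant narrowed by per-instance entries, and the batch `filter` avoids the query-per-object cost raised in the row-/instance-based thread above. This is an added example, not code from either thread or from WebLogic or TopLink: the class `InstanceAcl`, its methods and the sample policy are hypothetical, and it assumes the check is called from code that already knows the primary key, since the provider output shown in the thread carries only type-level fields.

```java
import java.util.*;

/** Added example: per-instance access decisions layered over type-wide grants. */
public class InstanceAcl {
    public enum Action { READ, WRITE }

    /** Matches every instance of a resource type. */
    public static final String ANY = "*";

    // (principal, resourceType, instanceId) -> allowed actions
    private final Map<List<String>, EnumSet<Action>> grants = new HashMap<>();

    public void grant(String principal, String type, String id, Action... actions) {
        EnumSet<Action> set = EnumSet.noneOf(Action.class);
        set.addAll(Arrays.asList(actions));
        grants.put(Arrays.asList(principal, type, id), set);
    }

    /**
     * Most specific entry wins: if any of the caller's principals has an entry
     * for this exact instance, only instance entries are consulted, so an
     * instance entry can narrow a type-wide grant. No entry at all means deny.
     */
    public boolean isAllowed(Set<String> principals, String type, Object pk, Action action) {
        String id = String.valueOf(pk);
        if (ANY.equals(id)) return false; // a key must never be read as the wildcard
        boolean instanceEntryFound = false;
        for (String p : principals) {
            EnumSet<Action> set = grants.get(Arrays.asList(p, type, id));
            if (set != null) {
                instanceEntryFound = true;
                if (set.contains(action)) return true;
            }
        }
        if (instanceEntryFound) return false;
        for (String p : principals) {
            EnumSet<Action> set = grants.get(Arrays.asList(p, type, ANY));
            if (set != null && set.contains(action)) return true;
        }
        return false;
    }

    /** Filters a batch of primary keys in memory: one ACL load, no query per object. */
    public <K> List<K> filter(Set<String> principals, String type, Collection<K> pks, Action action) {
        List<K> allowed = new ArrayList<>();
        for (K pk : pks) {
            if (isAllowed(principals, type, pk, action)) allowed.add(pk);
        }
        return allowed;
    }

    public static void main(String[] args) {
        InstanceAcl acl = new InstanceAcl();
        String bean = "TestEntityBean";
        // Constructed policy mirroring the post: Paul may do anything with
        // instance 123; John may read 123 but read and write every other instance.
        acl.grant("Paul", bean, "123", Action.READ, Action.WRITE);
        acl.grant("John", bean, ANY, Action.READ, Action.WRITE);
        acl.grant("John", bean, "123", Action.READ);

        Set<String> john = Collections.singleton("John");
        Set<String> paul = Collections.singleton("Paul");
        System.out.println("John read 123:  " + acl.isAllowed(john, bean, 123L, Action.READ));
        System.out.println("John write 123: " + acl.isAllowed(john, bean, 123L, Action.WRITE));
        System.out.println("John write 456: " + acl.isAllowed(john, bean, 456L, Action.WRITE));
        System.out.println("Paul write 123: " + acl.isAllowed(paul, bean, 123L, Action.WRITE));
        System.out.println("Paul read 456:  " + acl.isAllowed(paul, bean, 456L, Action.READ));
        System.out.println("John writable:  "
                + acl.filter(john, bean, Arrays.asList(123L, 456L, 789L), Action.WRITE));
    }
}
```

In an EJB 2.x container the primary key and the caller are available from `EntityContext.getPrimaryKey()` and `getCallerPrincipal()`, so the call belongs in the bean or in a facade in front of it rather than in the method-level provider.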

  • Urgent: Can anybody help with User-based sizing

    Hi Experts.
    I am new to the implementation. Can anybody help on initial user-based sizing? Don't send the links of service market place. I want to know about what type of user has to be considered for the A/s Ecc6.0 and how to consider their roles in the appli.server. And also give me the information of users like low, medium, high in the Quizertool.
    Replied answer could be rewarded.
    Thanx.....

    Hi,
    Sizing basically doesn't depend on users. It is based on active users only.
    Sit with your functional leads, and discuss roles and authorizations also.
    Roles will be parent and child etc.
    In the initial project blue print, we can find or estimation of no. of users and active users.
    Initially go with normal settings according to Installation guide.
    Read the Sizer well.
    Note: Points always encourage me to reply !!

  • Can't use role-based authorization

    We can't use role-based authorization because the permissions
    and their assignments change frequently. Is there any alternative
    where we can still use WLS to handle security?

    Dave,
    If you're using WLS6 the console supports dynamic user updates so you could
    change each user's configuration as needed.
    Alex

  • OIM - Email notification to a specific user based on a dynamic rule

    Hello, After creation of account in a particular target resource I need to send an email to a specific user based on the location of the user (e.g area admin).
    In the notification tab of process tasks, I see only "Assignee", "Requestor", "User", "User Manager". How can I achieve the above specified requirement?
    Before posting this question, I tried to search the forum for any previous posts related to this. But I couldn't find any. May be I was not searching with right key words.
    Any help is appreciated. Thanks in advance.

    You'll need to custom code an adapter to send the email, then you can send to any user you want. Create a new task and trigger it off the completion response code. You can use the following apis:
    tcEmailNotificationUtil sendMail = new tcEmailNotificationUtil(ioDatabase);
    sendMail.setBody("Type your body here or use a string variable");
    sendMail.setSubject("Type your subject here or use a string variable");
    sendMail.setFromAddress("[email protected]");
    sendMail.sendEmail("[email protected]");
    Just populate the above pieces with the information needed.
    -Kevin
